Mitigating the Risk of Cyber Crime in Sri Lanka

August 24, 2020        Reading Time: 7 minutes

Reading Time: 7 min read

Image Credits: rawpixel.com/freepik

*Natasha Perera

The rising levels of cybercrimes are a major threat to global and national security. For instance, with the spread of the coronavirus affecting thousands of people all around the world, it has also led to the emergence of cybercriminals taking advantage of the COVID-19 pandemic to further their own aims. Action Fraud, UK’s national fraud and cybercrime reporting center claimed that there have been 105 coronavirus-related reports since 1st February 2020, with total losses reaching nearly £970,000.¹ And according to Barclays Bank data, there has been 66 per cent increase reported scams in the UK from January to July 2020.² Over the years, it was believed that threats to cybersecurity, managed by shadow lone black hat hackers were minor crimes such as the misuse of personal information. However, major cyberattacks carried out by large organized crime rings with highly-trained developers, have created security concerns towards nations, thus, enhancing a global rift between political, economic, and social issues.

It is important for Sri Lanka to learn and recognize vulnerabilities in order to help prevent or minimize the effects of future cybercrimes. Therefore, this LKI Blog will discuss the dangers of cybercrimes and explore how Sri Lanka is currently tackling cybercrimes with the help and cooperation of key actors. At the same time, it

Sri Lanka and Cyber Security

Sri Lanka can be identified as a soft target for cybercriminals. The 24th edition of Microsoft’s Security Intelligence Report³ includes core insights and key trends derived through data gathered between January 2018 to January 2019 from diverse sources. The report is a reflection on last year’s security events and includes an overview of the security landscape, lessons learned from the field, and recommended best practices. According to the report, cryptocurrency mining malware where cybercriminals seek illicit profits by using victim’s computers to mine cryptocurrency coins such as Bitcoins have increased in Sri Lanka, where it was 283% higher than the global average and 229% higher than the Asia Pacific average, the highest encounter rate in the region. According to the study, ransomware encounters in Sri Lanka were 100% more than the global average. While the global malware encounter rate has decreased by 34%, the malware encounter in Sri Lanka was 109% more than the global average. The spread of the Internet of Things (IoT) and exposure to connectivity has also created the path for cybercrime, hence, allowing cyberattacks to become major actors in international relations.

As mentioned, cybercriminals are like shadows, they have the power and capability to directly impact entities and disrupt societies with a single click and disappear without a trace. The information they attain becomes their weapon. Poor cyber security protocols and weak partnership links between entities would lead to several cybercrimes, hence, threatening international security and stability. Being resilient requires individuals at a higher level in a hierarchical organization to recognize the importance of avoiding and proactively mitigating risks. Accordingly, Sri Lanka proposed the Cyber Security Act under the National Cyber Security Strategy of Sri Lanka, which is being finalised by Sri Lanka Computer Emergency Readiness Team (SLCERT), as a comprehensive framework to prevent and manage cyber security threats and incidents effectively, and protect critical information infrastructure.⁴ This bill creates the legal framework for setting up a National Cyber Security Agency (NCSA), which will be the central apex body responsible for all cyber security activities.⁵ Hence, by conducting cyber risk assessments with the available technological assets, Sri Lanka can identify liabilities and easily mitigate future risks. (Figure 1). In order to do so, this LKI Blog will present recommendations that can be taken to build a cyber-resilient society. (Figure 2).

Figure 1: A General Model for a Cyber Risk Assessment ⁶

Figure 2: Policy Recommendations

Note: Compiled by LKI.

Recommendations to Enhance Cyber Security in Sri Lanka

Private-Public Partnership

The Cyber Security Act will act as the central point of contact for cyber security information in Sri Lanka and will provide necessary advice to government agencies, private organizations in regard to cyber security matters. According to the Information and Cyber Security Strategy of Sri Lanka (2019 – 2023), SLCERT plans to cooperate and create development of public-private and local-international partnerships. In order to promote a closer collaboration between private and public organisations, steps should be taken to educate the public, adopt a common strategy to share information, and develop effective mechanisms to achieve cyber-readiness.⁷

By establishing said steps, it would help both parties to communicate efficiently and build a system that would aid in reducing global cybercrimes. At the same time, it should be understood that the relationship between these two vastly different entities should be mostly transparent, and intelligence should be shared equally. Moreover, the strengths and weaknesses both the public and private sector bring to the table would help to fill in gaps that each sector might face, thus achieving their goal of creating a resilient cyber space. While they can improve transparency and accountability, new technologies can also provide authoritarian regimes with new means to monitor citizens and create a more harmless cyber environment in Sri Lanka.

Cyber Security Education Programmes

The government is planning to set up a government CERT (GCERT) or a digital government protection unit, a Citizen CERT, and Military CERT to create a resilient, trusted cyber security ecosystem and enable citizens to realize the benefits of digitization.⁸ Hence, by doing so, the Government of Sri Lanka could increase the standard and access to local graduate cyber security education programs, fund training centres which would help provide digital skills to citizens in the region, or set up a fund for digital innovation projects.⁹ The government should create workshops with Computer Emergency Response Teams (CERTs) based in Sri Lanka, including TechCERT, SLCERT, and FINCSIRT, in order to educate citizens on e-literacy.

Spreading awareness among citizens on the consequences of data breaches, identifying and reporting a cybercrime, and the effects of a nation-wide cyber-attack would provide several benefits for Sri Lanka. One, being the investment in human capital, in the sense by educating more individuals, it would spread interest and help in expanding cyber protection teams. Two, cyber security education programs spread awareness of risks and opportunities presented by the digital age, allowing Sri Lankans to learn how to protect their online identities and be cautious of using cyberspace. Third, creating new opportunities for employment and political participation.

Enhancing Cyber Diplomacy

Cyber diplomacy is the use of diplomatic resources and the performance of diplomatic functions to secure national interests with regard to cyberspace.¹⁰ Nations should build strategic partnerships and engage multilaterally to carry out collective acts and cooperate against shared threats in order to confront cyber warfares.¹¹ Sri Lanka as a member of BIMSTEC, attended the 2nd BIMSTEC Think Tanks Dialogue on Regional Security ‘BIMSTEC Security Challenges: Building a Cooperative Framework held on 27-28 November 2019, aimed to continue the robust interaction and deliberations by regional Think Tanks and strategic communities towards formalizing security cooperation in the BIMSTEC region.¹² During the Session V: Cyber Security: Need for Cooperation Between the BIMSTEC States to Counter-Cyber Security Threats concerns were expressed over the growing cyber threats, including threats to critical information infrastructure as well as increasing malicious use of ICTs. And initiatives taken on cyber security measures in their respective countries were also highlighted. With the aid of such initiatives practicing capacity building, it has both enabled better cooperation and persuaded countries to understand the underlying threats of cyber space.

By enhancing collaboration and elevating cooperation, vulnerable nations who lack knowledge and understanding of how to handle cyberspace threats would have the opportunity to gather information from countries with prior knowledge. Moreover, cyber diplomacy should be conducted in all or in part by diplomats, by meeting bilateral formats (such as the US-China dialogue) or multilateral fora (such as in the UN).¹³ Because they as diplomats get the opportunity to interact with several non-state actors, including leaders of internet companies, technology entrepreneurs, or civil society organizations.

With the cooperation of key actors in cyber security, Sri Lanka is determined to understand the importance of cyber security and protect the future of cyberspace. Thus, by establishing and improving cooperation between key actors with the implementation of private-public partnership, enhancing cyber diplomacy, and cyber security education programmes, Sri Lanka has the ability to create and execute new policies to create a more secure cyber environment.

Notes

¹Goodley, S. (2020). Social disease: how fraudsters adapt old scams to exploit coronavirus. [Online] The Guardian. Available at: https://www.theguardian.com/money/2020/mar/29/coronavirus-social-disease-fraudsters-adapt-old-scams [Accessed 01 April 2020].

²Williams, H. (2020). Scams jump 66 per cent during lockdown as fraudsters take advantage of nation’s uncertainty. [Online] The Independent. Available at: https://www.independent.co.uk/news/business/news/scams-rise-coronavirus-lockdown-fraud-warning-a9678291.html [Accessed 21 August 2020].

³Microsoft. (2019). Microsoft Security Intelligence Report Volume 24. Microsoft 365. [Online] Available at: https://info.microsoft.com/ww-landing-M365-SIR-v24-Report-eBook.html?lcid=en-us
[Accessed 08 April 2020].

⁴Ministry of Defence. (2020). Govt. to bring new laws to combat emerging cybercrimes. [Online] Defence News. Available at: http://www.defence.lk/Article/defence_article/837 [Accessed 08 April 2020].

⁵Perera, A. & Wattegama, C. (2019). Sri Lanka’s unsung cyber security champions [Online] Daily FT. Available at: http://www.ft.lk/columns/Sri-Lanka-s-unsung-cyber-security-champions/4-677891 [Accessed 09 April 2020].

⁶World Economic Forum. (2017). Future of Digital Economy and Society System Initiative- Advancing Cyber Resilience Principles and Tools for Boards: In collaboration with The Boston Consulting Group and Hewlett Packard Enterprise. [Online] Available at:  http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf [Accessed 28 February 2020].

⁷Vithana, N. (2020). Creating a ‘Cyber Resilient’ society. [Online] Daily FT. Available at: http://www.ft.lk/columns/Creating-a-Cyber-Resilient-society/4-695120
[Accessed 28 February 2020].

⁸Daily News. (2019). Digital government protection unit soon. [Online] Available at: https://www.dailynews.lk/2019/03/26/business/181273/digital-government-protection-unit-soon [Accessed  09 April 2020].

⁹Langendorf, M. (2020). Digital stability: How technology can empower future generations in the Middle East. European Council on Foreign Relations. [Online] Available at: https://www.ecfr.eu/publications/summary/digital_stability_how_technology_can_empower_future_generations_middle_east  [Accessed  29 March 2020].

¹⁰Barrinha, A. & Renard, T. (2017). ‘Cyber-diplomacy: the making of an international society in the digital age’. Global Affairs. 3(4-5): 353-364. [Online] Available at: https://www.tandfonline.com/doi/pdf/10.1080/23340460.2017.1414924?needAccess=true                        [Accessed 27 February 2020].

¹¹Painter, C.(2018). ‘Diplomacy in Cyberspace: The rise of the internet and cyber technologies constitutes one of the central foreign policy issues of the 21st century’. The Foreign Service Journal. [Online] Available at: https://www.afsa.org/diplomacy-cyberspace  [Accessed 27 February 2020].

¹²Vivekananda International Foundation (2020). BIMSTEC Security Challenges: Building a Cooperative Framework- 2nd BIMSTEC Think Tanks Dialogue on Regional Security ‘BIMSTEC Security Challenges: Building a Cooperative Framework; Conference Proceedings. Chanakyapuri, New Delhi, 27-28 November.

¹³Supra note 8.

---

*Natasha Perera is a Communications Assistant at the Lakshman Kadirgamar Institute of International Relations and Strategic Studies (LKI) in Colombo. The opinions expressed in this piece are the author’s own and not the institutional views of LKI, and do not necessarily reflect the position of any other institution or individual with which the author is affiliated.