Delivering security and trust in cyberspace

By Kiyoshi J. Berman

The EC-Council Cyber Security Summit 2015 was held in Colombo for the third consecutive year. This event was co-organised by CICRA Consultancies and Daily FT. The Chief Guest of the event was Harin Fernando, Minister of Telecommunications and Digital Infrastructure. 

The keynote address on delivering security and trust in cyberspace was presented by Sameer Sharma, the Senior Advisor, International Telecommunication Union, Regional Office for Asia-Pacific Bangkok. 

“Greater connectivity also brings with it greater risk, not least the risk of losing trust and confidence in the networks we rely on, and the risk of losing trust and confidence in our ability to communicate securely. In recent past some high-profile revelations, widely covered in the international media, about surveillance activities, have highlighted the lack of trust and the need for agreed norms and principles to rebuild confidence,” he said

For these reasons we need a multi-level response to cyber-security challenges at an International, regional and national level. The ITU has taken steps to face these challenges through the World Summit on the Information Society (WSIS) which is the framework of international Cyber security.  The WSIS happened in two phases, in 2003 in Geneva and 2005 in Tunis.  

ITU was identified as a sole facilitator of the Action Line C5: Building confidence and security in the usage of ICTs, and as such was tasked by world leaders to coordinate Cyber security efforts at the global level. In 2007, the Global Cyber security Agenda (GCA) was launched by ITU Secretary General. In 2008, the ITU Membership endorsed the GCA as the ITU-wide strategy on international cooperation, he added.

Highlighting the importance of the Global Cybersecurity Agenda, Sharma said: “GCA is designed for cooperation and efficiency, encouraging collaboration with and between all relevant partners, and building on existing initiatives to avoid duplicating efforts. GCA builds upon five pillars, which are Legal Measures, Technical and Procedural Measures, Organisational Structure, Capacity Building and International Cooperation.  Since its launch, GCA has attracted the support and recognition of leaders and cyber security experts around the world.”

He also spoke about the activities carried out as a part of the Sri Lanka-ITU collaboration. Some of the highlighted events were the ITU-TRCSL Symposium on Cloud Computing held earlier this year, inauguration and connecting all schools partnering with Ministry of Education, private sector and ITU.

Sri Lanka’s role in cyber security

Muhunthan Canagey, the Managing Director/CEO of the ICT Agency of Sri Lanka, shared his views on Sri Lanka’s role in cyber security. 

“The new Government’s aim is to get all State buildings linked across the country. A project is being carried out for linking up 3,500 State buildings with 100 megabyte connectivity to each other and to an information back bone of 100 gigabytes across all 25 districts. This would mean any State official would be able to work across any of the State buildings irrespectively of their location. So if you have an appointment at the Ministry of Finance and let’s say then you have to go for a meeting at the Ministry of Foreign Affairs or our ministry, with the same login you would be able to work across all ministries. Now that’s the type of environment we are bringing in, and while we do that we are also ensuring that the citizens will be able to engage themselves on government related services. These are all e-services and by 2018 we intend to have the entire Government e-services available for citizens allowing them get all their services across mobile platform. That’s the vision we have to move forward.

“The next step that the ICTA will actually do is to work forward along with the financial institutions in the country through the national payment platform for Government payments starting with the Sri Lankan Customs as the first payment service. This would allow citizens to tap all bank accounts into one app and be able to make transfers and payments across all Government portfolios.”

“This all sounds fancy and the way to move forward. But on the other side we have to consider the cyber security aspect while we keep opening our doors, there are more threats coming in. The SL-CERT, a subsidiary of ICTA does an enormous amount of work in ensuring citizens are protected on a day-to-day basis. They have large volumes of hacks that are reported to them. ICTA takes cyber security very seriously and we are the first in South Asia to enter the Budapest Convention; the cross-border contractual agreements which will be taking place in this regard,” he added.

He further mentioned that most organisations in Sri Lanka do not have a cyber security culture or concept of cyber security within the organisation. “That needs to change. We need to bring Cyber security into our lives, our culture because everything we do is going to be online and in the future we really need to take this area forward. We are planning to implement the National Security Operations Centre (SOC) by March 2016” 

Muhunthan also pointed out that it’s time for organisations to benefit from the skills of young people who have high technical knowledge and know-how of hacking and defending against them. 

Panel discussion highlights policy direction and reforms for ICT industry

Following the main presentations at the inaugural session of the Cyber Security Summit, a panel discussion was where Telecommunications and Digital Infrastructure Minister Harin Fernando got an opportunity to outline the new Government’s vision and plans for the ICT industry.

The first question was where Sri Lanka stands in terms of cyber security and what areas we need to invest in. Answering that question Sameer Sharma replied, “According to the Google Cyber Security index and what we see in the cyber security arena in Sri Lanka, there is no doubt that Sri Lanka takes this seriously as you have the SL CERT and the legal framework is strengthened by the Budapest Convention.”

The second question was how to take technology to the rural areas of Sri Lanka. In reply to that, Fernando said that only around 20% of Sri Lanka uses smart phones and only around 60% of them use internet on these smart phones. “This rate has to be increased and to make online services available to them. Now Sri Lanka is going to implement fibre optics for faster internet and the digital infrastructure will be developed. However, the number of people using the internet has to be increased through awareness programmes. We need to bring it to a level where even farmers would use Google weather before going out for farming.”

The next question was posed to Muhunthan Canagey regarding the role played by ICTA to encourage organisations to integrate cyber security into their culture. “ICTA is not an organisation. It’s a facilitator to the industry irrespective of whether their State or private sector organisations. We are taking great efforts to make organisations aware of cyber security issues. Private sector organisations need to realise that our competition is no longer local but it’s global. So if Sri Lanka is to move forward to revolutionise the digital infrastructure and go into the global space, we need to start thinking different.”

From a policy perspective, the new Government has promised one million jobs more and how does ICTA work towards this endeavour?  Harin Fernando replied: “Sri Lanka has around 1,500 IT graduates passing out every year and graduates from foreign universities who come back to Sri Lanka. At ICTA we are planning to utilise these talents for IT related jobs and improve the export BPO sector of Sri Lanka far beyond just having call centres and software companies. Investors coming from abroad are going to be interested when they see the numbers.  Also we are planning to increase the population that use smart phones.”

The next question was posed to Sameer Sharma regarding the challenges in developing a knowledge-based economy and demand for digital services. “The IT industry should partner with the Government. There are many countries which have come up with national broadband policies which have actually paved the way for the industry to boom. The industry has the technology, they have the know-how and they need the Government policies and support. The most important thing is to remove policy barriers. Rather than the Government being like a traditional policeman, they need to partner with the industry and facilitate them.”

What is preventing Sri Lanka from following proper standards whether in the payment industry, COBIT, etc., and drive it to the stock exchange where investor confidence increases? Canagey replied: “Standards is a motion that has to come from the top and that’s the type of culture we want. The level of education has to be improved for this. For instance, in the banking industry we bring forward non-collateral based lending. That is one area whether the Minister and Ministry of ICT is going to work very closely to make sure that if you want to start a software company and you want to go and take a loan and they ask  you to bring your house as collateral which is not fair. This is what we need to change but not just for IT, the whole eco-system needs to change. There’s a multi-strategy that needs to work out. Let’s not worry about what has happened in the past. Let’s move forward. Let’s incubate and accelerate knowledgebase economy, get rid of collateral based lending and also build in a culture that incorporate youth and develop policy making. We will change this culture to bring in technological revolution in this country.”

What is Sri Lanka planning to do to prevent brain drain? Answering that Harin Fernando said: “Brain drain is natural but we are planning to develop the infrastructure, provide more opportunities and create an environment where young graduates want to give back to the country. We also plan to encourage more people who have already migrated to come back and join our workforce.”

Guest of Honour Arjuna Mahendran, Governor Central Bank of Sri Lanka, spoke about the cyber security challenges posed to banks.

“Money laundering, that is the movement of funds illegally for or in exchange of prohibited articles those transactions have to be monitored through some sort of cyber system. Then you have other types of crime related to the misuse of funds within financial institutions has to be sufficiently regulated. Using electronic systems can pose a threat to the stability of electronic systems as a whole. This has gathered increasing attention with the emergence of ‘flash trading’. This is about how people have traded commodities, equities or bonds and increasingly being connected. The speed at which transactions take place with fractions of seconds can determine if the trader will profit, whether you can get in front of the rest of the queue and thereby make huge amounts of money. When we have traders on electronic systems who have ill-intent, it can cause damage. These are a very broad generalisation of the sorts of risks that we as regulators need to address to ensure that our little banking system is Sri Lanka is reasonably robust and not open to systemic or other types of risk,” he said. “We have several pieces of legislation to ensure that these types of crimes don’t take place and technology that can detect risks. That alone won’t help we need to have trained people who are able to spot risks and act upon them. Until you have that you can’t really expect the machine to do the job for you,” he added.