By Chandeepa Wettasinghe
Sri Lanka will experience a massive wave of cyber attacks in the near future due to inadequate prevention methods and privacy laws as well as non-compliance, according to the state’s Computer Emergency Response Team Co-ordination Centre (CERT|CC).
“In Sri Lanka, major attacks have not made the headlines yet, but in my view it will happen in the near future,” CERT|CC CEO Lal Dias said at a seminar held at the National Chamber of Commerce.
He was of the opinion that inadequate and ineffectively implemented cyber security will leave entities and individuals open to attack by hackers.
Poorly developed applications and websites are a major vulnerability, and Dias said that organizations developing their own applications should adhere to secure coding practices.
He said that despite 2007’s Computer Crimes Act being enforced, very few crimes have been reported.
“Banks would rather hush up attacks than report them due to publicity. But if the banks reported to CERT, we won’t publicize and help them investigate,” he noted.
CERT|CC Senior Information Security Engineer Roshan Chandraguptha also confirmed the comment, saying banks value reputation above all else in fear of losing public confidence. Dias, however, said banks do conduct security drills, which other organizations should adopt, while also stressing the need to implement easily understood cyber security policies and educate staff on them. He went on to say that untrustworthy employees also contribute towards a weak cyber security system, as evident in past scandals concerning Edward Snowden and Chelsea Manning, and that entering into Non-Disclosure Agreements is not adequate in light of such incidents.
According to him, part of the problem is the advancement of technology: cyber attacks evolve along with it, and CERT|CC has been playing a game of catch-up.
“I’m not sure how well we are doing but we are trying, the fraudsters are always one step ahead of us,” Dias stressed.
However, he said his organization is prepared to help others develop much-needed, well-documented security policies according to the national standards. It can provide consultation with security reviews, vulnerability assessment and penetration testing, and advise on information security policies. CERT|CC is also able to help victims with after-attack response, conducting digital forensics and incident handling, while proactively increasing awareness with workshops, seminars and conferences, alerts, and a knowledge base.
Chandraguptha meanwhile mentioned that CERT|CC only acts in such capacities and does not police, which is the responsibility of the CID’s Computer Crimes Division.
CERT|CC has already established the computer security incident response team (CSIRT) to help the sensitive banking sector share information on cyber crime anonymously among each other and hopes to extend CSIRT services to military bodies, ICT and standards institutions.
Government universities and banks, as well as banks, financial institutions and corporates from the private sector, are partnering up with CERT|CC to reduce cyber crime, while departments, agencies and e-Sri Lanka, and SMEs and start-ups respectively are not part of it.
CERT|CC will kick off its National Cyber Security Week 2014 on October 1 with the 7th National Conference on Cyber Security, which will be held at BMICH, to be followed by multiple workshops during the course of the week.