40 govt. sites vulnerable to cyber-attacks due to weak passwords, outdated technology - SLCERT official

• To be protected under National Cyber Security Operations Centre

By Pranavesh Sivakumar

Around 40 government sites are found with outdated technology, weak passwords and vulnerable to cyber-attacks, and they will come under the monitoring and protection of the National Cyber Security Operations Centre, under an initiative of Sri Lanka Cyber Emergency Readiness Team (SLCERT), SLCERT’s Senior Information Engineer Charuka Damunupola, said. 

 “Still in the early stages of onboarding government organizations. Currently, we don’t have any capability to monitor any government website before it suffers a cyber-attack. That’s the main purpose of establishing an operation centre,” he said.  

“In the initial stage, we are planning to onboard 40 government organizations identified. These places run critical and vulnerable systems. Mainly, what we’re planning is, after we establish it, in the first phase, we’ll be deploying agencies across these state organizations to monitor 24/7 for any cyber-attacks or threats,” he added.  

Already in the established stage, this move is now in the testing phase, with only a few sites going through trial-and-error. After that, they intend to onboard the rest of the organizations and also recruit software analysts and staff.  

In the early stages now, they’re striving to launch in the next couple of months.   

“The matter is now lying with the Attorney General department at review stage. We’re hoping it would be passed in parliament, and the act would be approved,” he said.  
Last year alone, there were eight cases related to government website hacking, including document printing, the meteorology site, the Education Ministry site and few other provincial-level sites.  

Explaining the causes, “In every case what we’ve understood, their technology stack used to develop the site is very outdated. These sites have been updated or had security patches for so many years. That’s the main reason. They’re using very old technologies and vulnerabilities are large. They also have undergone a vulnerable assessment process recently”.  
Asked why only government sites, he said private entities have their own agency and protection methods in place. When it comes to government organizations, they’re really finding it difficult to establish monitoring methods, even at the most basic levels.  

“That’s why in the first phase, we’re planning and onboarding only for state sites,” he added.   

Citing a simple example, he went on, “We’ll say you’ve a secured website. But still if your administrators are using weak passwords, that’s not going to help the whole system. No matter how much firewall is in place, if the administrators are going to easy or weak passwords, it’s not going to help. Hacking attempts will bypass all these security systems.”

Currently, they have issued an information and cyber security policy exactly relevant only for state entities, however, in order to enforce it, there is no law or act that will enable any authority to enforce it.