Cybersecurity as Ceremony More questions arising from the CoPF’s report



 

  • What actually worked is buried in an annexure, and it is frankly mortifying. The Ministry’s own submission records that the Federal Reserve Bank, Citibank and JPMorgan notified the Central Bank of anti-money-laundering (AML) concerns, returned funds and fraud. 
  • A foreign correspondent-bank screening caught, repeatedly, what every domestic control missed, and when the Ministry asked the Central Bank for the facts behind its own pre-payment observations, the Bank declined
  • A fraudulent payment instruction for just over 4 million Euros to Germany - worth more, at prevailing rates, than the entire loss the report deals with in its title - simply vanishes from the narrative. At the time of writing, this is a 1.5 billion rupee payment



This weekend, journalist Namini Wijedasa writing in the Sunday Times reported that Sri Lanka CERT had invited bids for a comprehensive cybersecurity solution - a malware analysis, and threat-hunting lab serving at least 250 government organisations, with, amongst other things, the detection of credential leaks within 24 hours, takedowns of impersonation accounts across Facebook, Instagram, LinkedIn, TikTok and X, and alerts on geotargeted phishing.   

It is, on paper, a serious acquisition, and as the bid noted, part of a strategy Cabinet approved as long ago as 2019.   

Conversely, on 26 November 2025, officials of the Central Bank’s Finance Department noticed that a beneficiary on a debt repayment to Export Finance Australia was not Export Finance Australia at all, flagged possible money-laundering concerns, and told Ministry of Finance officials to reconfirm the account details with the lender.   

Those officials went back to the fraudsters’ email thread instead. No threat-hunting platform, at any price, can address the really rancid, and retrograde institutional cultures that facilitate cybersecurity breaches – which is the norm across Sri Lanka’s public administration.  

The Committee on Public Finance (CoPF) report tabled last week, anatomising the theft of US$2.5 million from Treasury debt repayments, underscores this – in addition to the statements by MP Dr Harsha de Silva in parliament tabling the report.   

A Cabinet-approved information and cybersecurity policy had required multi-factor authentication, patching, secure email and incident-response planning since 2022.   

Incredibly, a KPMG audit conducted with CERT in December 2024 found things as basic as multi-factor authentication absent, and weak passwords in use at the Ministry of Finance. CERT instructed critical institutions to connect to the National Cyber Security Operations Centre in March 2025, October 2025, January 2026, and again in March 2026.   

The Ministry had still not connected by June 2026 - after the theft, after the parliamentary hearings, and after four written instructions.  

I had this in mind when I responded on social media to CERT’s new bid, and asked whether the real issue is the absence of cybersecurity solutions or the inability to enforce CERT’s observations in ministries, and departments that treat its findings as optional, at best.  

The infrastructure decision that made the theft possible are incredible, in the fullest sense of the word. The government created the Public Debt Management Office (PDMO) in November 2024; the KPMG–CERT audit condemned the Ministry’s security posture within weeks.   

Officials nonetheless housed the new office’s email and server space on the External Resources Department’s systems - the environment running Microsoft Exchange 2016, which stopped receiving security updates that October - with a seconded ERD IT officer, and the PDMO’s own server procurement remained incomplete on 23 June 2026, three months after the fraud came to light.  

In what beggars belief, reviews in January, and April 2026 found vulnerabilities persisting, which means the office managing the sovereign debt of a country emerging from default continued operating from a known-compromised environment after the theft.   

The CoPF report records each of these facts separately, but doesn’t question who decided to build a new debt office on condemned infrastructure, or why nothing changed afterwards.  

What actually worked is buried in an annexure, and it is frankly mortifying. The Ministry’s own submission records that the Federal Reserve Bank, Citibank and JPMorgan notified the Central Bank of anti-money-laundering (AML) concerns, returned funds and fraud.  

JPMorgan’s fraud prevention team blocked a fraudulent payment to India outright. A foreign correspondent-bank screening caught, repeatedly, what every domestic control missed, and when the Ministry asked the Central Bank for the facts behind its own pre-payment observations, the Bank declined, on the ground that disclosure “may impede the effective execution of Government instructions”.   

The one layer of defence that functioned belongs to other countries’ banks. Sri Lankan institutions that spectacularly failed will not even share information with each other about how, indicating how a culture of arrogance, obduracy, and impunity prevails even considering colossal financial losses that are very likely unrecoverable.  

The CoPF report’s silences are telling.   

A fraudulent payment instruction for just over 4 million Euros to Germany - worth more, at prevailing rates, than the entire loss the report deals with in its title - simply vanishes from the narrative. At the time of writing, this is a 1.5 billion rupee payment. 

The CoPF report records that a fraudulent UK payment was suspended, and a Belgian payment, initially red-flagged, reached the correct account, but then moves on. It never says whether the German payment went out, whether anyone recovered it, or whether the creditor got paid through other means. No conclusion mentions it; no recommendation covers it. If the money left the Treasury’s account, the headline figure, and the case the report is primarily anchored to, understates financial loss to country by more than half. If officials caught it in time, the report should say so, since that outcome would itself be evidence about which controls worked.   

In what’s non-negotiable for any meaningful cybersecurity investigation, the CoPF’s report does not show any digital forensic analysis or evidence: no imaging of the compromised server, no examination of mailbox rules or authentication logs, no registration history for the lookalike domains.   

Bizarrely, the CoPF’s report is based on what was provided to it – which seems to have been emails printed out, and shared by the entities involved in the fraudulent transactions. The Sinhala aphorism “ a” (Like consulting the thief’s mother for a prophecy. ) springs to mind. This has no evidentiary basis whatsoever, because it is impossible to determine from selected emails what actually transpired, the provenance of any given conversation or decision, and how systems actually were breached (if at all).  

The CoPF’s strongest causal claim about how the attackers got in rests on timing alone: Exchange 2016 stopped receiving security updates on 14 October 2025, the fraud commenced a month later, and this, the report declares, is “far more than a coincidence”.   

Though somewhat understandable given that it is out-of-scope, the CoPF report is completely silent about the Postal Department’s financial theft, which compounds a structural issue.   

US$625,000 remitted to the United States Postal Service vanished through a phishing scheme executed in three tranches over two years - a test transfer of around $900 in 2024, more than $400,000 in February 2025, nearly $190,000 in October 2025 - without anyone detecting anything amiss. The loss surfaced at a Cabinet media briefing in late April.   

A magistrate directed CERT to conduct on-site forensics, but no suspects have been identified. Since then, months of absolutely nothing from government. No public updates, no interim findings, no parliamentary accounting, no Police statements, no CoPF report. As leading cybersecurity expert Asela Waidyalankara asked recently in a column: if Parliament and the COPF had not pushed on the Treasury theft, would the facts have surfaced at all?  

The gov.lk ransomware attack of 2023 – 5,000 accounts, months of official emails lost, outdated Exchange infrastructure again - barely registered as a crisis. And on 9 June, as I have written elsewhere, Public Security Minister Ananda Wijepala revealed in Parliament a foreign exchange fraud of an altogether different magnitude: around US$ 85 million moved offshore under the guise of imports that never arrived, involving over 26,000 telegraphic transfers through nearly 230 bank accounts, and over 100 shell companies registered, exploited and shuttered within months.   

There’s a common pattern to all this. Unless money visibly disappears, a breach is an IT matter; when money does disappear, an investigation is announced, silence resumes, and impunity reigns.

So what use is CERT’s new tender? There’s no doubting the state plainly needs the capacity it describes, but there’s little to no hope institutional cultures will change through technical investments alone.   

Waidyalankara is right that a strategy without law operates in a hard threat environment with soft instruments, and that seven years of legislative delay has stopped being administrative, and become negligence.   

But the corrective is not the draft Cybersecurity Act of 2023, which I have analysed in significant detail: a bill that’s absolutely draconian, and serving the whims of the Ministry of Defence. The draft from three years ago enables warrantless, self-certified searches, ISP-mediated access to citizens’ devices, and a CERT absorbed into a presidentially controlled authority featuring coercive powers aimed at citizens. None of this would have done nothing at all to prevent or stop what the CoPF report deals with.   

The real danger is that the Treasury theft, the postal department fraud and the revelations by MP Wijepala become the pretext for rushing a really bad cybersecurity law through, just as the Online Safety Act was passed, against the advice of nearly everyone who understood it.   

Sri Lanka needs a cybersecurity law that binds public institutions to standards, gives an independent authority the power to enforce them, and mandates honest incident reporting. The surveillance of citizens is not security of the state.  

Sri Lanka’s accelerated push towards digitalisation is important, but what the President, Dr Hans Wijayasuriya, and MP Eranga Weeraratne say to great fanfare exists in a parallel reality to actual conditions, challenges, and cultures in Sri Lanka. That is precisely why CoPF’s record of institutional failures matter. The government asks citizens to entrust highly sensitive personally identifiable information to digital public infrastructure is demonstrably incapable of protecting its own debt repayments, postal remittances, public records, and public finances. How do they think this will track? Public trust is the substrate on which every digital ambition rests, and each colossal financial loss undermines it. The COPF’s first recommendation now hands the matter to criminal investigation, which must determine - in the report’s own framing - whether officials colluded in the theft or were “ignorant, incompetent, and negligent”.   

Unless these investigations conclude in public, and quickly - naming exactly what happened, why, to whom, and when, shaming those careless or complicit, and with what consequence - the CoPF’s referral ironically risks contributing to a process of impunity, and forgetting, with every CERT procurement little more than ceremony, every statement by the CBSL, and ERD as theatre, and the next colossal financial theft or data loss already in the making.  

Plus ça change, plus c’est la même chose.  

*The more things change, the more they stay the same.      

 


  Comments - 0


You May Also Like