
Understanding the future and state of cyber security

If a well-known cyber security company from abroad says, 'I will invest heavily in Nepal, give me 1000 employees', we are not in a position to fulfill that demand. Therefore, it is time for government educational institutions, along with private ones, to emphasize the production of skilled manpower related to cyber security.

Some time ago the Prime Minister's Twitter account was hacked. Even after that, it became public that the personal secretarial office's computer was hacked and the internal letter was misused. How safe are the mobile and other digital devices carried by the Prime Minister and ministers? Which agency has certified that it is secure through what protocol of 'secure device provisioning'?

Or do the Secretariat or its experts know that if secure device provisioning is not followed, information can be stolen through a backdoor or malware? We have no policies, procedures or standards to secure sensitive information infrastructure, information technology systems and equipment of sensitive agencies. Due to this, there is a danger that anything can happen to a mobile, laptop or computer given to a specific person by the government.

There are many incidents of cyber attacks and risks. However, anyone who writes or speaks about them is accused of spreading panic. We have also closed the National Risk Report, which was prepared by studying publicly available data on cyber security, after similar allegations were made recently. The report gave some insight into how vulnerable our public bodies are in the area of cyber security. Lately, some pressured us not to release that report, and it became a challenge to get the data. The report sent a negative message that Nepal is very insecure about cyber security. Our aim was to make the nation aware. That's why we have reached the point of not issuing threat reports until there are laws or strong standards regarding cyber security.

While there is only a cyber security policy in Nepal, the government has currently drafted a bill on information technology and cyber security. Since we are in a situation where we do not have a cyber security law, this effort should be appreciated and the bill should become law soon. But since two to four important topics are missing from the proposed bill, it seems necessary to include them. The bill does not specify where to report cyber attacks, within how many days to report them, or the punishment for concealing cyber attacks without reporting them. Due to this, there is a risk of people avoiding the law and not bringing incidents forward. The bill does not mention that concealing an incident is also a crime. Since our country does not have a regulation on sharing information on cyber threats, there should be a provision for this in the proposed bill. Cyber threat information sharing in the cyber security field means informing each other about cyber risks and vulnerabilities in systems so that it is easier to avoid and defend against attacks. If you give such information to foreign companies, they will be happy. In Nepal, there is a practice of looking at such cyber security researchers in a wrong way and threatening them.

The bill calls for the establishment of a National Cyber Security Center. But its work, duties and rights include issues such as approving risks, creating technical standards related to cyber security and submitting them to the board of directors. The Center should be empowered to study and investigate incidents of cyber attacks. Until now, the police are involved in such incidents and the Cyber Bureau investigates, but there is no agency to further assist the Bureau. Therefore, when there is a national-level incident, the Center should be brought in alongside the Bureau as an effective investigation body, rather than leaving it to the Bureau alone.

The definition of sensitive information infrastructure has not been disclosed in the bill. The definition is incomplete because the government has not defined critical infrastructure. Similarly, the bill does not include the subject of data protection. It is not clear whether a separate law will be made for this or whether it will be kept in this one. If there is no separate law, it should be included in this bill. It should state which data will be allowed to be kept in Nepal, which process will be followed if data has to be taken out, what practices are to be followed to keep the data safe, and what action will be taken if the data is misused or cannot be kept safe.

We do not have a proper basis to determine what the current state of cyber security is or whether our data is safe. What are the data and cyber security standards used in government agencies? There is no benchmark on which to work. The law is finally being made. Other guidelines will come after the law is made. Only then can we say how our public or private details (data) stand in terms of security compared to the specified baseline. If there is no basis for evaluating the state of cyber security, it is also confirmed that the state of cyber security and data security in such a place is weak.

Among the regulators, Nepal Telecommunication Authority and Nepal Rastra Bank have made some arrangements regarding cyber security. The authority has made a policy effort to protect the information technology systems and infrastructure of telecommunications and internet service providers from cyber attacks and risks by making cyber security regulations in 2020. Since the regulation was made only three years ago, the field also does not have much experience in cyber security and data protection. Another regulator, National Bank, issued Information Technology Guidelines in 2012 and Cyber Resilience Guidelines last August. Neither of these is mandatory; they are only suggestive guidelines for institutional governance.

In Nepal, the main problem faced by cyber security research professionals or organizations like us is the lack of knowledge and policy arrangements related to 'Information Sharing'. During an investigation, if we find that the system of a public body is being cyber-attacked or its data is stolen and sold on the dark web and we report it to the concerned body, we are challenged. We are treated as if we had done it ourselves. In most cases, the researcher is being framed. Therefore, cyber security researchers today prefer not to disclose information about vulnerabilities to any public or private entity.

Instead of catching the criminal, there are examples of bringing researchers to the police station, interrogating them, bringing them into the scope of suspected criminal activities, and keeping some of them in the police station for a day or two. This is wrong. Research involves analyzing publicly available data. Unauthorized access to private and internal information of any organization in the name of study is not permitted. For example, the 1,300 to 1,400 cases published by the Cyber Bureau can be analyzed and studied, but the private details of a private company cannot be studied without permission.

Nepal's cyber security sector is a market worth around 40 to 42 million dollars. If you add the government sector to this, it becomes a market worth 150 million dollars. About $50 million worth of cyber security services and goods are consumed in Nepal. With the current manpower and capacity, Nepal is likely to be able to export cyber security services and cyber security products worth 200 to 300 million dollars. But if favorable laws are made for this sector and there are good programs like training and incubation centers for the production of skilled manpower, up to 300 to 400 million dollars can be exported.

Currently, the manpower of this sector is being produced entirely by private institutions and even by educational institutions affiliated with foreign universities. The contribution of government universities to producing manpower in the field of cyber security is only 5 percent at most. If a well-known cyber security company from abroad says, 'I will invest heavily in Nepal, give me 1,000 employees', we are in a situation where we cannot meet that demand. Therefore, along with the private sector, it is now time for government educational institutions to emphasize the production of skilled manpower related to cyber security.

The number of people working in the cyber security field in Nepal is between 200 and 500. Nepali manpower is working in big companies as cyber security experts in America, Canada and other countries. In Nepal, colleges including Slington are preparing 250 to 300 cyber security professionals every year. Many of them enter the private and government sectors. The government should prioritize the cyber security products they develop and the services they provide. But in whatever big information technology projects the government has tried to implement so far, it seems that products and services have been brought from abroad in all of them. There is a mentality that Nepalis cannot do it, that they do not have that level of competence. Yet we have a company like Fusemachine, which is listed on the American stock exchange 'NASDAQ'. We also have a company like Cloud Factory that works for Microsoft. It is not possible to understand why the Nepalese government and the experts here have ignored this.

Cyber security is still a new topic for both the private and government sectors of Nepal. For defense and security administration, they will need many different products and technologies according to their needs. For that, first of all, we should start manufacturing products together with indigenous cyber security companies. Rather than paying 4 to 5 million dollars to a foreign company to bring in goods, it is cheaper and more beneficial to make services and products according to the needs in cooperation with local universities, private colleges or cyber security service companies. When taking the service of a foreign company, the repair service is not immediately available, the Nepali people are said to be 'quick eyes'. Our products are 30 percent cheaper than foreign products.

Cyber security in Nepal now includes antivirus software, intelligent detection systems, and vulnerability assessment tools. Companies like ours have created cyber security monitoring products. Other such companies are emerging, which have made compliance management systems and risk management software. Some have started building products ranging from blockchain security to AI-based cyber security. There are now at least 8 to 10 companies in Nepal that are making various products related to cyber security. There are foreign companies making cyber security products by opening branch offices in Nepal, as well as Nepali companies making products for foreign customers. Our company has been selling cyber security products in Bangladesh, Dubai and Indonesia.

In recent times, the government seems to be interested in the development of the information technology sector and the promotion of the digital economy. From the election manifestos of political parties to the annual budget, policies and programs and other common resolutions, the topics of e-governance and information technology service export are covered. But all these are limited to sweet talk. In the budget of the current financial year, the government had provided that companies opened with the purpose of exporting information technology services would be allowed to open liaison offices abroad. The new system of Nepal Rastra Bank also said that IT companies can directly transfer funds to their accounts abroad. After hearing this, we asked, but neither the Ministry of Finance nor the officials of the National Bank could inform us about the process of opening a branch so that some of our companies can reach the global market. The response was that no one knew which body one has to go to for permission.

The Digital Nepal Framework was created to transform the country digitally, but it did not include the subject of cyber security. While digitization is everywhere, cyber security is being left out. Indian Prime Minister Narendra Modi has said that Digital India will be incomplete without cyber security. Since digital Nepal will also be incomplete without cyber security, it is important to prioritize it in the government, private, individual and collective manner.

Due to the wars going on in Eastern Europe and Middle Eastern countries, there is a lot of hacktivist group activity in the world right now. Due to this, DDoS attacks on the information technology systems of government agencies are happening again and again. Malware attacks are increasingly targeting the private sector. One type, called info stealer malware, steals browser tokens and history. Stealing a browser's token makes it possible to bypass the two-factor authentication security measures our various platforms employ. Info stealer malware is being spread through social networks like Facebook and WhatsApp, and through cracked software. Attacks of this kind have increased significantly.

In 2018, the government established NITERT (National Information Technology Emergency Response Team) to identify and defend against such cyber security attacks before they occur. NITERT is only activated if a government system is attacked. No other agency has created such an emergency response team. The Nepal Telecommunication Authority had announced the formation of a Computer Emergency Response Team (CERT) two years ago, but it was not implemented. No other regulatory body has such a group. We do not have the practice of informing others, exchanging information, and notifying service users to be alert when a cyber attack occurs. If there is an attack on the system of a financial institution, the regulator of the financial sector and the regulator of the telecommunication sector should come together and find a solution to that incident, but so far such coordination has not been found.

Nowadays, it is said that cyber security is a work-stopping topic, it is not necessary. It is heard that only 40 percent of the private and public sector need it, while the remaining 60 percent say that cyber security is useless, and that companies are exaggerating to increase business. Two or three years ago there was no such understanding, now it seems strange to see that even our corporate sector, government and regulatory bodies consider cyber security as an obstacle. They don't understand its importance. Therefore, literacy should be started from the top level about cyber security in Nepal, cyber security arrangements should be made mandatory in the agencies.

Although more people are becoming aware of cyber security in Nepal, organizations are not becoming aware at the same rate. For example, our banks and digital wallets are cyber security certified, but the regulator, Nepal Rastra Bank itself, is not certified. Not only the National Bank: none of the regulatory and government agencies are certified in cyber security. Now it is important to make organizations aware of cyber security before disseminating information to the general public.

Starting from the Prime Minister's Office, all ministries, divisions, departments and regulatory bodies should first be literate on this matter. Once they protect their own devices and systems, it is easy to instruct others to 'protect them'. Who will believe you when you order others to be safe while you are not safe yourself? The process of cyber security assurance should start from the top, not the bottom.

– Limbu is the Chief Executive Officer of Bhairav Technologies.

Published: Chaitra 20, 2080 09:34