Today, I am honored to address you on a subject of utmost importance: the Significance of Cybersecurity. In an age where our world is becoming increasingly connected through technology, understanding the critical role of cybersecurity is more vital than ever. We will delve into several facets of this topic, ranging from the local to the global, to understand the multifaceted importance of cyber protection.

1. Significance of Cybersecurity for a Country:


First and foremost, let us appreciate the profound significance of cybersecurity at a national level. We often take for granted the intricate web of interconnected digital infrastructure that underpins our modern way of life. From the uninterrupted supply of electricity to the seamless operation of transportation systems, from reliable healthcare services to stable financial markets, these crucial systems are heavily reliant on technology. Any breach or disruption of these systems can lead to catastrophic consequences, jeopardizing the very stability and prosperity of a nation.

Imagine a scenario where cyberattacks successfully target a country's civil infrastructure, causing massive disruptions in power grids, transportation, and healthcare systems. This would not only inconvenience citizens but also have cascading effects on the economy, potentially leading to widespread panic. It's essential to acknowledge that this is not just a theoretical possibility but a real and present threat.

2. Impact on the World by Cyber Attacks:


The impact of cyberattacks extends far beyond the borders of individual nations. According to Cybersecurity Ventures, global cybercrime losses are projected to reach a staggering $10.5 trillion annually by 2025. To put this into perspective, in 2022, global losses due to cybercrime reached a colossal $8 trillion.
Let's break down the categorization of these losses for the year 2022 by the type of cyberattack:

  • Phishing Attacks: Phishing attacks, which involve sending fraudulent emails or text messages impersonating legitimate sources such as banks or credit card companies, accounted for $4.3 billion in losses in 2022. The objective is to deceive the victim into clicking on a malicious link or opening an attachment, enabling the installation of malware on the victim's device.
  • Malware Attacks: Malware attacks, which are broad-spectrum attacks involving malicious software that can damage or disable computers and devices, caused losses of $2.7 billion in 2022. Malware can be introduced through various means, including clicking on a malicious link, opening an attachment, or downloading an infected file.
  • Data Breaches: Unauthorized access or theft of sensitive data, such as personal information, financial data, or trade secrets, led to losses of $2.4 billion in 2022. These data breaches can result from a range of factors, including system vulnerabilities, hacking, and social engineering.
  • Ransomware Attacks: Ransomware attacks, involving the encryption of a victim's computer or device with a demand for a ransom payment in exchange for the decryption key, accounted for $1.8 billion in losses in 2022.
  • Business Email Compromise (BEC): BEC attacks, where fraudulent emails appear to be from company executives or trusted sources, caused $1.7 billion in losses in 2022. The aim is to trick the recipient into transferring money or revealing confidential information.
  • Other Attacks: Other forms of cybercrime, encompassing identity theft, intellectual property theft, denial-of-service attacks, and more, amounted to $2.1 billion in losses in 2022.


3. Cyber Attacks in South and Southeast Asia:


The vulnerability of our region, South and Southeast Asia, is striking. According to the Kaspersky Global IT Security Risks 2023 report, this region bore the brunt of cyberattacks in 2022, with countries like India, Vietnam, and Indonesia suffering the most. Phishing, malware, and ransomware emerged as the most common types of cyberattacks.

  • Phishing Attacks: These attacks, mimicking legitimate sources in fraudulent emails or text messages, constituted 38% of cybercrime losses in South and Southeast Asia in 2022. Phishing attacks aim to trick victims into clicking on malicious links or opening attachments to install malware on their devices.
  • Malware Attacks: Malware attacks contributed to 30% of cybercrime losses in the region in 2022. Malware, a broad term encompassing malicious software, can damage or disable computers and devices. It can infiltrate systems through various means.
  • Ransomware Attacks: Ransomware attacks were responsible for 22% of cybercrime losses in South and Southeast Asia in 2022. These attacks involve encrypting a victim's computer or device and demanding a ransom payment in exchange for the decryption key.
  • Other Attacks: Data breaches, business email compromise (BEC), and denial-of-service attacks comprised 10% of cybercrime losses in the region in 2022.

4. Sri Lanka's Readiness to Face Cyber Threats:


Now, let's turn our attention to Sri Lanka's readiness to confront the growing challenge of cyber threats. The country has established a robust legal framework to address cybercrimes and protect personal data.

  • Computer Crimes Act No. 24 of 2007: This comprehensive legislation criminalizes a wide range of cyber offenses, including unauthorized access to computer systems, data breaches, hacking, malware attacks, and many more. It has been in force since 2007 and has been instrumental in prosecuting numerous cybercrimes.
  • Personal Data Protection Act No. 9 of 2022: This Act, passed in March 2022, is expected to come into force in 2023. It sets out rigorous requirements for the collection, use, storage, and disclosure of personal data. Moreover, it grants individuals the right to access, correct, and delete their personal data.

The implementation of these laws is not just a formality; it is a significant step in safeguarding our nation's data and infrastructure. Furthermore, it brings Sri Lanka closer to international standards on data privacy and security.

To oversee the implementation of the Personal Data Protection Act, Sri Lanka has established the Data Protection Authority (DPA), comprising a board of experts from law, engineering, accounting, and information technology. Although the DPA is not yet fully operational, the government has made substantial progress in setting it up. In July 2023, the government appointed a seven-member board of directors for the DPA. The DPA is expected to commence full operations in early 2024, with vital responsibilities such as developing guidelines, investigating complaints, imposing penalties, and raising awareness of data protection rights among individuals and organizations.

The establishment of the DPA is a monumental milestone for data protection in Sri Lanka. It is poised to play a pivotal role in ensuring the protection of personal data and giving individuals control over their personal information. Until it becomes fully operational, organizations in Sri Lanka are still required to comply with the provisions of the Personal Data Protection Act that have already come into effect. This includes obtaining consent from individuals before collecting, using, or disclosing their personal data.

Additionally, there are several other laws in Sri Lanka that may be relevant to cybercrimes and data protection, such as the Electronic Transactions Act No. 19 of 2006, the Intellectual Property Act No. 36 of 2003, the Telecommunications Act No. 27 of 1996, and the Payment Devices Frauds Act No. 30 of 2006.

The Central Bank of Sri Lanka introduced the Banking Act Directions No. 16 of 2021 to strengthen technology risk management and resilience for licensed banks. Additionally, ICTA and Sri Lanka CERT issued the "Information Security Policy for Public Institutes in Sri Lanka" in 2022, providing a framework to protect public institute information and systems from cyber threats.

Moreover, Sri Lanka is in the process of drafting a new Cybersecurity Act, expected to further bolster the country's legal framework to combat cybercrime and protect personal data.

5. Organizations Upholding Cybersecurity in Sri Lanka:

Now, let's take a closer look at the key organizations established by the government to uphold cybersecurity within Sri Lanka:

  • Sri Lanka CERT (Computer Emergency Readiness Team): As the national focal point for coordinating responses to cyber incidents, Sri Lanka CERT plays a pivotal role in ensuring the cybersecurity of critical information infrastructure. It leads in responding to and mitigating cyber threats.
  • FinCSIRT (Financial Sector Computer Security Incident Response Team): Focusing on the financial sector, FinCSIRT is dedicated to enhancing the cybersecurity posture of financial institutions and safeguarding sensitive financial data.
  • Cyber Crimes Unit: This specialized unit within the Sri Lanka Police is tasked with investigating and prosecuting cybercrimes. Its expertise is vital in identifying and bringing cybercriminals to justice.
  • National Child Protection Authority: This authority is dedicated to the safety and protection of children under 18. It plays a critical role in combating crimes against minors, including those that occur in digital spaces.

Each of these organizations plays a distinct and indispensable role in upholding cybersecurity in Sri Lanka, contributing significantly to the nation's resilience against cyber threats.


6. Contribution of the Tech Industry:


To conclude, it's essential to recognize the critical role that the tech industry in Sri Lanka can play in enhancing the country's cybersecurity posture. The technological sector can actively contribute in several ways:

  • Developing and Deploying Cybersecurity Solutions: Technological firms can innovate and deploy cybersecurity solutions to protect the nation's critical infrastructure, businesses, and individuals from cyberattacks. This encompasses the development of new security technologies, such as AI-powered intrusion detection systems, and the improvement of existing technologies like firewalls and encryption.
  • Educating and Training the Public: The tech industry can participate in public awareness campaigns, educational programs, and training sessions for businesses and individuals. By enhancing digital literacy and cybersecurity knowledge, we can empower citizens to protect themselves and their organizations.
  • Collaborating with the Government and Law Enforcement: Tech companies can form partnerships with the government and law enforcement agencies to combat cybercrime. This involves sharing information about cyber threats, developing joint strategies, and assisting in investigations and prosecutions.
  • Supporting Cybersecurity Research and Development: By funding research projects, providing access to data and resources, and collaborating with academic researchers, the tech sector can advance the field of cybersecurity. Research and development are key to developing innovative solutions that stay ahead of evolving cyber threats.

To illustrate the tech sector's potential role, consider these examples:

  • A cybersecurity company could develop an AI-powered intrusion detection system that aids businesses in identifying and responding to cyberattacks more quickly and effectively.
  • A cloud computing provider might offer security awareness training programs to help its customers safeguard their data and systems.
  • A telecommunications company could collaborate with law enforcement to develop a new system for tracking down and prosecuting cybercriminals.
  • A technology university could establish a cybersecurity research center to pioneer new and innovative cybersecurity solutions.

In conclusion, cybersecurity is not a concern limited to governments and cybersecurity experts; it is a collective responsibility that encompasses the entire nation, including the tech industry. Together, we must work diligently to safeguard our digital infrastructure, protect our data, and secure our future in this age of technology.

I also wish to thank CICRA and Daily FT, the organizers of this event, for coming together to create awareness about the importance of cyber security in Sri Lanka. They have taken up the mantle of this niche sector and have been doing yeoman service for the past nine years to educate us on the importance of cyber security.

Thank you for your attention and let us all stand united to fortify the digital resilience of Sri Lanka.
