Cybersecurity: A strategic imperative for NepalDigital advancements are proceeding in the absence of a holistic and integrated approach to managing cybersecurity threats.
At its core, cybersecurity is prudent risk management for a digital world. With an increasing number of Nepalis adopting digital platforms, this is the domain to which service providers, consumers and policymakers need to dedicate more time and serious resources. The stakes are high as Nepal’s reputation as a credible partner in the global digital economy rides on our ability to adequately safeguard the bits and bytes of information that travel across our networked infrastructure. To the credit of Nepal’s banking community, the Nepal Police and Central Bank, the impact of cyber events thus far have been contained through combinations of early detection and rapid response. But far more needs to be done to guard against increasingly complex cybercrimes proactively.
Thus far, the tactical approach to cybersecurity as a compliance issue has sufficed, but this will not always be the case. As events of the recent past have shown, markets like Nepal are more exposed to sophisticated, resourceful and motivated groups of individuals whose sole purpose is to exploit digital vulnerabilities; mostly for financial gain. This is a serious issue that requires a well-coordinated and strategic approach rather than discrete, event-driven, and reactive responses. Nepali institutions have come a long way over the past five years, but a decisive shift to proactive prevention, sound methodology, and post-incident remediation remains to be realised.
The case of ATM heists resulting from a compromised switching system; the case of distributed fund transfers into legitimate user accounts; and the hacking of the SWIFT system are the best-known cyber events from the recent past. These schemes were discovered and well-publicised but there are dozens of instances of card skimming, loss of personally identifiable and proprietary data, money laundering, etc. that were either resolved and unreported, or proceeding undetected.
The point here is not to engage in hyperbole but to confront a new reality: that cybercriminals are some of the most innovative individuals alive and are at least as determined to succeed as those who are out to stop them. Unfortunately, the nature of information technology and digitisation is such that the odds are overwhelmingly in favour of the criminals. These individuals only have to succeed once but the protectors of the private and public interests have to succeed always. At a minimum, efforts directed at monitoring and mitigating cyber risks should be prioritised and adequately resourced; especially so in countries like ours that are fertile stomping grounds for cybercriminals.
Private sector or public sector, the stakes are high. From where the private sector sits, the need to guard against cybercriminals is front and centre and a reputational imperative. The damage that cyber events can inflict on financial institutions goes beyond monetary losses and includes the opportunity cost of foregone future business. Once a counterparty’s credibility is called into question, the mission of re-establishing trust can’t be accomplished easily. But the process of losing that trust, if not sufficiently guarded, can be less than a few keystrokes away.
In essence, the electronic payments industry is a digital superhighway of networked nodes and capillaries, each with its vulnerabilities. No one wants to be connected to a poorly guarded financial institution because the entire network is only as strong as its weakest link. The private sector must move beyond its reliance on point-in-time audits and compliance checkboxes to a continuous and systematic programme of internal threat monitoring and mitigation supplemented by random (and frequent) external, third-party validation. There are signs of movement in this direction but the speed at which change is taking place is inadequate.
The analogy of the weakest link applies equally to the public sector. The trust that any citizen puts in the Nepal government's ability to manage cyber risks goes as far as the last known event and is disproportionately influenced by the government's handling of the incident. From national IDs to machine-readable passports, to the central bank’s newly installed real-time gross settlement system, the pace of digitisation is growing. Great news, indeed, but also worrisome because digital advancements are proceeding in the absence of a holistic and integrated approach to managing cybersecurity threats.
There are also layered perspectives when it comes to private data that is under government stewardship. There are national security imperatives that should require certain data sets and networks to be tested and secured at all times, using national assets and resources. There are also political imperatives including the very fabric of how democracies function that need to be safeguarded (also using national resources), continuously.
As digitisation grows in Nepal—and this is inevitable—so will the collection of increasingly vast amounts of data across the public and private domains. Preventing this data from being used for nefarious purposes and/or our systems from being penetrated is a national security priority. And this can only be accomplished through the drafting and implementation of cybersecurity policies and procedures that are designed to protect every aspect of digital infrastructure-software, hardware, personal devices, government-issued assets, etc. across the public and private domains. Policy drafting must proceed in earnest and be driven centrally by the national government with feedback from national, international parties and standard-setting bodies.
Also, our current approach to managing cyber risks is too fragmented, compliance-driven, and resource-starved to be effective beyond the boundaries of any single organisation, which in our highly networked world, does little more than provide a false sense of security. Our attitudes must evolve from a tactical to a strategic outlook on cybersecurity, and our chronic over-reliance on international brands to build, deploy and test systems of national significance must also change decisively.
What do you think?
Dear reader, we’d like to hear from you. We regularly publish letters to the editor on contemporary issues or direct responses to something the Post has recently published. Please send your letters to [email protected] with "Letter to the Editor" in the subject line. Please include your name, location, and a contact address so one of our editors can reach out to you.