Stop that hacker
Nepal is ill-prepared to handle cyberattacks because of inadequate institutional arrangements.
Hackers knocked down Nepal government websites for five hours last Saturday in a brazen display of contempt towards the country's cyber security systems. The Nepal Government National Portal and 500 other websites with the .gov.np domain name went offline. Databases of the immigration and passport management systems under the Government Integrated Data Centre (GIDC) were disrupted due to what is known as a Distributed Denial of Service or D-DoS attack. Tribhuvan International Airport in Kathmandu was crippled. The immigration desks at the arrival and departure lounges were unable to provide travel clearances to hundreds of passengers, and several international flights were delayed for at least three hours as a result. Luckily, it was the weekend, and vehicle registration, land revenue and driving licence issuance were closed, and didn't have to face the humiliation of being shut down by attackers.
Sporadic cyber attacks of varying magnitude on government websites have lately become a common feature worldwide. Powerful countries blame their strategic rivals when such incidents take place. Nepal has experienced such disruptions in the past, but this one went deep. As usual, officials at the National Information Technology Centre (NITC) that operates the GIDC have vowed to track down the culprits. But it is easier said than done.
Nepal ranks 94th among 194 countries in the Global Cyber Security Index published by UN specialised agency the International Telecommunication Union. Apart from large-scale hacking incidents like the recent one, Nepal’s cyberspace is generally considered to be insecure, with widespread and repeated incidents of online swindling, banking fraud and ATM theft, cyber bullying, data theft, violence against weaker sections of society and revenge porn. But Nepal has not equipped itself well to protect its cyberspace from malicious attacks.
What is at risk?
Fortunately, or unfortunately, Nepal does not have large military or strategic installations dependent on information technology for their operation. But critical services like banking, aviation, health, education and government service delivery depend on cyber security for unhindered online operations.
Perhaps the most vulnerable is Nepal’s financial sector worth about Rs5.5 trillion, nearly 115 percent of the national GDP, with more than 16 million customers enjoying banking, insurance and remittance services. The aviation sector, in terms of contribution to the national economy, is relatively small; but due to its almost absolute dependence on information and communication technology (ICT) for operations, any disruption results in instant chaos. Government services are at higher risk of attack, and such attacks may retard the pace of ICT adoption.
Needless to say, Nepal is ill-prepared to handle cyber crimes and cyber attacks. Legal and institutional arrangements are inadequate. A National Cyber Security Policy was drafted in 2016 but has not been enforced. A revised version was circulated among government agencies, but it is yet to be implemented. The Electronic Transaction Act 2008, IT Policy 2010 and ICT Policy 2015 are key legal arrangements to govern the sector. But their implementation and coverage remain suboptimal, to say the least.
As regards the institutional set-up, the Department of Information Technology is the nodal government agency, but the industry barely feels its presence. The government’s regulatory body, the Nepal Telecommunications Authority, has announced the establishment of a “fire-fighting” squad named the Computer Emergency Response Team, but its procedures are yet to be formulated. There are a few private sector initiatives, but their presence was not felt during the latest crisis.
The Cyber Bureau is perhaps the most dedicated unit under the Nepal Police to deal with all aspects of cyber crime. Its mandate includes investigating cyber crime, coordinating among the stakeholders to promote cyber security, investigating cyber attacks on sensitive infrastructure, preparing manpower to handle cyber crime, and functioning as the national and international coordinating unit to contain such offences.
Lack of specialists
Even then, Nepal is severely constrained in developing its capacity to contain high-tech crimes like D-DoS and hacking. Lack of human resources is the biggest bottleneck. According to an estimate, there are fewer than 100 specialists, including about three dozen in the Cyber Bureau of Nepal Police, trained in detecting and foiling cyber crimes like system disruption and hacking. Rapidly growing global demand for such manpower is causing massive brain drain, which is one of the reasons for the shortage locally.
ICT infrastructure is inadequate and poor. Mass awareness about risky behaviour like sharing critical personal information online is limited. Even at the corporate level, awareness about the importance of setting up remote data recovery terminals (DRTs) is limited. Massive use of pirated software, even in rich industries like banking, is intensifying the risk of data theft and potential cyber attacks.
Chronic underinvestment, both public and private, in three key sub-sectors of technology development, namely human resources, infrastructure and no-lag technology adoption, has put Nepal in a pitiful state. According to National Statistics Office data, Nepal’s ICT sector contributes only about 2.2 percent to the national GDP, which is very low compared to even moderately developed economies. India and China's ICT sectors contribute 13.4 and 16.2 percent respectively to the GDP. Their cyber security protocols and regimes are far better fortified.
For Nepal, protecting whatever limited success it has achieved in the ICT sector from attacks is increasingly becoming daunting. The porousness of our government websites has already been exposed. Nepal's government and ICT industry should act swiftly to install safeguard systems to prevent possibly more vicious cyber attacks in the future.