Securing digital Nepal
Now, the bot herders have learned to commandeer massive corporate or public-sector computers.
Vivek S Rana
Securing cyberspace is hard work because the internet architecture was designed to promote connectivity, not security. The founders focused on making it work, not worrying much about threats as the network was affiliated with the military. As hackers turned up, layers of security, from anti-virus programmes to firewalls, were added to try to keep them at bay.
The average time between an attacker breaching a network and its owner noticing the intrusion is around 205 days. Like most statistics touted by the cyber-security industry, it is little more than a guesstimate. But there is no doubt that criminals and pranksters are thriving by attacking computers and networks, that government is struggling to cope, and that cyber security businesses offering answers are charging high fees.
Steep penalties
Among other things, the penalties for getting cyber-security wrong are steep. Ropier providers are helped by the fact that government agencies, especially at the senior executive level, are usually ill-informed about what they are buying. Understanding how attackers work and what they are after is hard. Only a few senior government executives have enough technical background to understand encryption or security architecture. Sharing data about attacks would help other agencies become more informed but carries risks of its own: doing so may breach customer privacy, and publicising an attack highlights what may look like incompetence (in the absence of rules on what disclosure is required when cyber-attacks happen).
The cyber-attack of January 27, 2023 on Information Technology (IT) systems hosted by the National Information Technology Center (NITC) poses a serious risk to citizen data and Nepali society in terms of the ability of national institutions to safeguard their citizens’ data and provide seamless public service. The cause of the attack is still unknown, with only the guesswork that it might be a “Distributed Denial of Service (DDoS)” attack. For the technologically adept, DDoS software is available for free. As well as roping in collaborators, most attackers use botnets: vast networks of virus-infected computers that obey secret commands from a faraway “bot-herder”. A typical botnet in the past comprised infected single computers, mostly in emerging countries. Now the bot herders have learned to commandeer massive corporate or public-sector computers. These have more processing power and better internet connections. Whereas big attacks once used tens of thousands of zombie computers, this year’s assaults on banks employed only about 1,200.
What the measures taken by the government’s NITC, the Department of Information Technology and the Nepal Telecom Authority all fail to deal with directly is the shortage of qualified and experienced cyber-security specialists. A gloomy review of the Nepal government’s cyber security practices by several cyber security watchdogs said the skills gap could take over 20 years to bridge. Colleges tend to lack suitable courses, and able specialists may have acquired criminal records during their past lives as hackers.
Most of the government Computer Emergency Response Teams have become dysfunctional and lack resources and a clear vision of their role and responsibilities. Furthermore, Nepal’s infrastructure is poorly defended against such cyber-skirmishing. It is amply clear that the people working at NITC have not been trained in basic cyber hygiene. The problem goes beyond NITC, with a big political push to connect ever more things to the internet with no proportionate growth in cybersecurity capacity. One answer is to focus on fixing such dysfunctional institutions, which have a habit of being right at the heart of things.
For most governments, when it comes to responding to cyber-attacks, attribution is the first problem. Attribution—detecting an enemy’s fingerprints on a cyber-attack—is still tricky, so officials are reluctant to point the finger of blame publicly. It is difficult to assign responsibility without revealing intelligence capabilities that will, in turn, allow foes to improve their defences and make spying on them harder. First-rate cyber powers have developed sophisticated techniques for identifying perpetrators by analysing what is known in the business as “sources and methods”. Unfortunately, these cyber capabilities are not available in the country while cybersecurity continues to be a lucrative business for suppliers.
Cybersecurity committee
Governments worldwide use committees to defer tricky decisions or make work for bureaucrats; but in Nepal, the craze is reaching new heights. The country’s love of gabfests is not new; the trend has been accelerating under a succession of past political leaderships. On February 23, 2023, a cybersecurity high-level committee was created to assist the Ministry of Communication and Information Technology in coping with its workload. There are two broad types of committees: those investigating earlier policy failures, and those examining future policy options. In the past, most committees have been formed with broad terms of reference and public consultations. The intent is that this committee will examine the latter: future policy options.
There is a good reason for the formation of a cybersecurity task force committee, but also a bad one. The good reason is value for money. If the committee brings in concrete national cybersecurity priorities on budget and time, and the upkeep of cybersecurity is coordinated, then it is likely to offer value for money.
The flawed reason is that the task force is a way of massaging public expenditure in IT accounting figures. The unstated practice for some parts of the public sector in IT has been creating significant national technical debt and budget overruns for the country. It is preferred to other sorts of investment funding because it is kept off the public balance sheet. Technology reform is long overdue in Nepal; the whole argument about value for money has been distorted because people have known that expenditure accounting has been dubious, with incomplete IT implementation. The sums involved do not appear that big, given Nepal’s new, supersized public deficits and debt.
The composition of the cybersecurity committee indicates whether any concrete decisions will emerge. The government’s liking for chin-stroking contemplation reflects the difficulty it has in getting anything done concerning information technology, offering public services using ICT, and managing the critical issues of cybersecurity. Many experts in cybersecurity express concerns that most of the appointed members are novices in cybersecurity, and acknowledge the politicisation of the national cybersecurity issue. Whilst the bureaucrats prefer to remain silent on the issue, the politicians believe in applying a “political patch” to the “cybersecurity challenge” of the country. Even the most high-powered committee would struggle to find a workaround. However, the government’s determination to discuss problems to death creates the illusion of action and even conveys concern.
We must build a resilient governing structure that can quickly and effectively respond to hacks. It won’t do any good if it takes years to patch not only IT systems but also other hacks in educational systems and procurement, or if legislation becomes so entrenched that it cannot be patched for political reasons. The rules and laws of society need to be as patchable as our computer systems. Unless we can hack the processes of hacking itself, keeping its benefits and mitigating its costs and inequalities, we will continue to struggle to survive the technological future offered by digital Nepal.