New cyber security law requires firms to use information sharing platform

The purpose of the platform is to establish a cyber security community to detect and prevent cyber attacks.
The Nepal Telecommunications Authority has passed the Cyber Security Bylaw 2020 which aims to protect information and communication systems from cyber attacks and other associated risks.
It requires telecommunication and internet service providers to make use of national and international cyber risk information sharing platforms to receive and share information regarding security issues, vulnerabilities and cyber threat intelligence.
The purpose of the platform is to establish a cyber security community in Nepal to facilitate the detection and prevention of cyber attacks by sharing cyber threat intelligence information.
ATM heists resulting from compromised switching systems, distributed fund transfers into legitimate user accounts, and the hacking of the SWIFT system are the best known cases of data breaches in Nepal in the recent past.
These schemes were discovered and well publicised, but there are dozens of instances of card skimming, loss of personally identifiable and proprietary data and money laundering that were either resolved and unreported, or proceeding undetected, according to reports.
As digitisation grows in Nepal, it is inevitable that increasingly vast amounts of data across the public and private domains will also be at risk.
Nepal Telecommunications Authority Director Min Prasad Aryal said that with the rapid growth in information and communication technology, the number of criminal activities including cyber attacks has also gone up; and to overcome such potential risks, the new legislation contains provisions that service providers should follow.
“This includes establishing a cyber security community, a periodical audit of IT systems, and use of protection measures by complying with international standards,” Aryal told the Post. Security audit reports need to be submitted to the authority every six months.
“Obviously, to make the system secure, service providers should invest in security. The higher the investment cost of technological infrastructure, the more secure the system will be,” he said.
Internet service providers say that updating technological infrastructures as per the bylaw will require resources and time amid the ongoing Covid-19 crisis.
Since Nepal’s IT industry is small, immediate installation of technological infrastructure as envisaged in the new rule will take time, said Bhoj Raj Bhatta, president of the Internet Service Providers’ Association. “We have also asked for government support as upgrading the existing system may cost a lot of money.”
Advocate Baburam Aryal, who specialises in cyber law, said that service providers had been using systems based on their own internal policy as per the directives issued by the telecom regulator.
In the absence of laws, many aspects of system security are being ignored, and the new bylaw requires compliance, he told the Post.
“The new bylaw has been passed so that customer data does not get stolen, hacked or used for fraudulent activities and customer rights are protected with a secured system,” he said.
According to the bylaw, service providers should map and analyse the organisation’s communication and data flows for possible security threats. Their audits should routinely assess equipment suppliers and third-party partners, and test the results to confirm that those parties are meeting their contractual security obligations.
For data security and privacy, service providers should apply encryption to data in transit. The firms should adopt data masking, anonymisation techniques or encryption for customer data, and use hashing or encryption when storing sensitive data.
Service providers should have a non-disclosure agreement with their employees, vendors or third parties to prevent copying, reproducing, distributing or selling of the licensee’s digital data without the consent of the licensee. The customer’s digital data should not be shared with the vendor or any other third party without the consent of the customer, except with government law enforcement agencies like the police.
Telecom and internet companies should maintain an up-to-date inventory document in which all their technology assets, such as hardware, software and licences, are recorded, with details broken down by usage, location, version, owner, purchaser and date.
The licensee should have an employee policy addressing the proper handling of social media, the use of official and personal devices, and the proper handling of official email accounts and information.
As per the bylaw, the organisation needs to change passwords every 90 days.
Service providers should act proactively as the first line of defence to protect their customers from known attacks. The firms should follow the common best security practices defined by SANS (system administration, networking and security) and the Center for Internet Security when using open source software, such as operating systems, applications, antivirus or anti-malware released under the General Public Licence or the Berkeley Software Distribution licence.
Service providers should encourage the use of ‘pretty good privacy’ (PGP) or digital signatures in email communication, documents, letters and other applications.
Similarly, service providers should have an internal security audit team for regular audits of the network, systems and critical infrastructure.
Narayan Koirala, software engineer and managing director of Eminence Way, has worked on cyber security for more than a decade. He said that the new bylaw has incorporated the network, software, security, human resource security and monitoring part, which is laudable as it would enhance the security system. Similarly, enforcement of audit timing, security assessment timing, security operation centre, continuous monitoring, asset management and identification in the new legislation are good, he added.
“The law, however, should be updated according to the time.” He said that the new rules would definitely have an impact on Nepal’s burgeoning IT industry at a time when service providers are not investing in upgrading their systems.
“Nepal Telecom has its own IT policy, but with the implementation of the new bylaw, it will strengthen the security system for both companies and their customers,” said Managing Director Dilli Ram Adhikari.