Taking ctrl
For a secure and functioning Digital Nepal, the government should engage local programmers
When the Government of Nepal (GoN) embarked on its (heavily romanticised) ‘Digital Nepal’ campaign in August this year, it claimed that it would ‘pave the way for a fully digitised e-governance system.’ In the past few months, we’ve seen traces of this promise manifesting in new initiatives such as the government’s digitised national ID and biometrics system and the ongoing replacement of traditional driving licenses with smart licenses. While these steps look promising on paper, four months down the line, several digital blunders and oversights suggest that the government’s push towards a Digital Nepal may have been made prematurely. The blunders highlight the need for the government to seek more solutions in cybersecurity.
Take the smart card licenses as an example. 600,000 ‘smart driving licenses’—all of which the state had promised to distribute by the end of November—have not even been printed yet due to technical glitches in the Department of Transportation Management’s (DoTM) server system. Those without licenses continue to wave flimsy printed paper receipts at traffic police officers to indicate their license status. Prior to the printing process, the DoTM continually halted the online application process due to technical errors on the website. So much for ‘smart’ Nepal.
For another indicator of the premature push towards e-governance, browse GoN’s ‘National Portal’ for a few minutes. Several links, including the social media buttons on the bottom of the page, are broken. Some links are simply misplaced. For example, people who want to learn more about ‘NCO,’ ‘a non-government organisation committed to improving the lives of children throughout Nepal’—which is described under the ‘Welfare’ page of the website—will be rather confused to find that the link leads to a website titled ‘New Orleans Startups: The Future of Big Easy.’
Not just a blunder
Such blunders may seem minor but when presented against the government’s grand proposal for a Digital Nepal, they not only appear unprofessional but also highlight GoN’s glaring lack of technical expertise. More importantly, when governmental websites and initiatives reveal their technical weaknesses in such an overt manner, their systems are more susceptible to hacking. And based on Nepal’s recent hacking history, it’s clear that cyber security continues to be a pressing and overlooked issue that Digital Nepal has not entirely addressed.
In July 2017, 58 government-run websites were hacked by the international hacking group ‘Paradox Cyber Ghosts,’ allegedly in under three minutes. In November last year, Lazarus, a team of hackers based in North Korea, hacked NIC Asia Bank’s SWIFT server in Nepal, managing to place a payment for over Rs. 640 million. The same group targeted the Central Bank of Bangladesh in 2016 and managed to steal $81 million. And just two months ago, the Tribhuvan International Airport was compromised by a hacker operating from Indonesia. The website remained out of service for more than two days as hackers boasted about their achievement on their social networking sites. International cybersecurity monitoring organisations have also recognised Nepal’s lapses in cybersecurity. Nepal is currently ranked 108th out of 122 countries in the National Cyber Security Index, trailing three ranks below Afghanistan and 73 ranks below India. It seems as though the digital frontier is the only sector of governance that Prime Minister KP Sharma Oli has spared from his undying obsession with national security.
The issue is even more alarming now that the government is collecting gargantuan amounts of data on citizens. Biometric information—including a copy of everyone’s fingerprints and national identity card numbers—will allegedly be stored in the government’s central servers. Video footage collected by the 2,772 CCTVs in Nepal will also be stored in governmental systems. For a secure and functioning Digital Nepal, as the government has envisioned, immediate action must be taken to ensure that cybersecurity is of first priority.
While the government claims to have its own auditing team based in the Ministry of Communication and Information Technology, there’s a lot more that could be done to improve digital security. Obvious approaches include using standard web security features like encryption and DDoS protection. However, security is a process, which requires more than just a ‘set it and forget it’ approach. In order to be taken seriously in the digital sphere, the government needs to continually include independent auditors and web security experts in the process of building and maintaining digital systems.
One promising approach to maintaining cybersecurity is a ‘Bug Bounty Program.’ These programs have become commonplace among Silicon Valley giants. Under such a program, the government creates a tiered reward system for individuals who find vulnerabilities (also known as ‘bugs’) in a digital system. For example, if an individual discovers a vulnerability in the license database that allows private data to be stolen, they are incentivised to report it to the government to fix rather than sell it to shady hackers or criminals to exploit.
The program not only improves cybersecurity but also engages (and rewards) local programmers and ethical hackers in the Digital Nepal initiative. Rather than relying on the clearly limited expertise of in-house governmental programmers, the relevant ministries should support information technology experts in Nepal by actively engaging security practitioners in their digital initiatives.
Nepal’s first ever hacking conference, which was hosted last month by Threat Nix Pvt. Ltd, included sessions on bug bounty reward programs. Based on reviews from programmers who attended the conference, it’s clear that participants were not only thoroughly engaged but were also eager to find solutions.
Programmers in Nepal, from companies like Threat Nix and The Cloud Factory, have developed security and programming solutions for companies as large as Google. There is plenty of talent here to fuel a safer and blunder-free Digital Nepal—the government just needs to tap into it.
- Paudel is a Kathmandu-based freelance programmer.