The Auditor General’s report highlights government bodies’ lax attitude towards cybersecurity
The annual report released by the Office of the Auditor General revealed that government bodies are exposed to cybersecurity risks because of their disregard for the existing rules and guidelines. Only one government body was found to have complied with the criteria set for software used in their IT systems, the Auditor General reported.
“It's dangerous when government bodies themselves are using software that doesn’t meet the prescribed legal standards,” the report states.
The failure of government offices to adequately secure their systems had been highlighted in the Auditor General’s report last year as well. Although there are several directives in place for the security and management of the government’s IT system, authorities are repeatedly found to have a lax response when it comes to cybersecurity. These directives lay out security frameworks and also require government websites to undergo security vulnerability audits.
But the recurring spate of attacks on government websites shows that authorities haven’t been complying with the existing security framework. Since the 2015 hacking of the website of the country’s President, several dozen government websites have been broken into, including those of the Office of the Attorney General and the Department of Passports. Six months ago, the Tribhuvan International Airport’s website was compromised by hackers.
Experts say computer and software systems will always be vulnerable to existing and future threats, but the failure to comply with the basic security framework leaves IT systems vulnerable to the breach of sensitive information collected for passports, voters’ registration and driving licences.
“There is ample opportunity for anyone who wants to destroy or play with data stored in the government’s IT system,” said Hempal Shrestha, an IT expert. “Not complying with even the basic security framework increases the risk manifold.”
Officials, however, say the lack of funds for software development hinders their work while putting data security at risk. Speaking to the Post before her retirement in March, Election Commissioner Ila Sharma had said that her office doesn’t have the budget to build a data centre to store biometric information. “Neither is there money to invest in software to set up a web-based centralised database,” she said.
Failure to comply with the security and management guidelines for IT systems also compromised the usability of data collected by government bodies. In 2008, the Election Commission started collecting voter information with photos and fingerprints in order to curb fraudulent voting, gathering massive biometric data on voters. The data is now crammed into the Election Commission’s servers.
“We had to compress several of the biometric data because of limited storage infrastructure,” Surya Prasad Aryal, an under-secretary at the Election Commission, told the Post last month. “And this might have compromised the quality of the fingerprints which aren’t available in the original high-resolution format anymore.”