Government officials don’t have an official explanation for why government websites were down on SundayCybersecurity experts say the nearly daylong blackout of government sites could have possibly been the doing of malicious actors who tied up the sites’ resources and prevented legitimate users from accessing the sites by flooding the government server which, they say, is highly vulnerable to security risks.
The first working day of the week turned out to be an unusually busy one for the National Information Technology Centre after almost all government websites became inaccessible early Sunday morning.
The centre, which falls under the Ministry of Communication and Information Technology and hosts all government websites, initially said the sites would be up and running almost immediately, but the error message on the sites remained for more than six hours.
Shree Chandra Sah, director of the Department of Transport Management, was among the several government officials who called the centre more than once on Sunday to report the issue. The department’s driving licence application system, one of the handful of online services offered by the government, was affected by the daylong website shutdown.
There is an alternative portal to access the online application system but, according to Sah, not everyone might be aware of it.
“The shutdown probably caused a lot of difficulty for people who don’t know about the different portal,” said Sah.
Cybersecurity experts say the nearly daylong blackout of government sites could have possibly been the doing of malicious actors who tied up the sites’ resources and prevented legitimate users from accessing the sites by flooding the government server which, they say, is highly vulnerable to security risks.
“If it is an intentional attack, it is probably because the attacker knows the government resources isn’t sufficient to handle such large traffic at once,” said Saroj Lamichhane a cybersecurity expert.
There are services capable of scaling up protection simultaneously when large traffic comes in through such denial-of-service attack. But such services are costly and the government bodies’ continued lax response and attitude towards cyber security only adds to the risk which, experts say, could have resulted in Sunday’s shutdown.
Similar concerns were also raised in the Auditor General’s latest annual report in April, which revealed how government bodies are exposed to cybersecurity risks because of their disregard to existing rules and guidelines. Only one government body was found complying with the criteria set for softwares, the Auditor General had found.
“It's dangerous when government bodies themselves are using softwares that don't meet the standards prescribed by law,” states the report.
But Sunil Paudel, the executive director of the centre, says such technical issues and challenges are “part and parcel” of the evolving cybersecurity process which Nepal is trying to strengthen.
“Every organisation, whether it is the CIA or big airlines, has faced the kind of problem we did today,” said Paudel without getting into the specifics of what caused the blackout on government sites. “We will have to be more vigilant in the future to ensure this doesn’t happen again.”
However, the recurring spate of attacks on government websites shows that authorities have not been complying with the existing security framework. Since the 2015 hacking of the website of the country’s President, several dozen government websites have been broken into, including the Office of the Attorney General and the Department of Passports.
Six months ago, the Tribhuvan International Airport’s website was compromised by hackers.
Experts say computer and software systems will always be vulnerable to existing and future threats, but the failure to comply with the basic security framework could lead to the breach of sensitive government information and personal details of citizens collected for passports, voters’ registration and driving licences, among others.
“There is ample opportunity for anyone who wants to destroy or play with data stored in the government’s IT system,” said Hempal Shrestha, an IT expert. “Not complying with even the basic security framework increases the risk manifold.”