Last month’s blackout of 13 government websites sparked a much-needed debate around cybersecurity in Nepal. Under the shadow of the blackout, the government made a push for systems around digital tax collection and payment gateways. While these services would help nudge Nepal towards a long overdue digital revolution, they also open up Nepali cyberspace to increased risk. Past cyber-attacks on websites in Nepal have primarily been motivated by mischief but as more sensitive data finds space on digital servers, these motivations might change.

As Nepal goes digital, vital questions around the safety of information arise. How safe is Nepal’s cyberspace seems to be a question with difficult answers. While there has been a recognition of the need for cybersecurity, along with relevant policies, problems abound in the Nepali digital sphere, say cybersecurity professionals.

“In all countries, cyberspace is vulnerable,” says Narayan Koirala, managing director of Eminence Ways, a local cybersecurity company. “The only difference is that developed countries have strong policies and regulatory bodies to enforce cybersecurity laws. Nepal is currently developing a cybersecurity policy but the main problem stems from regulation. Currently, the only government agency that does a good job of policing cyberspace is Nepal Rastra Bank.”

Nepal Rastra Bank currently enforces mandatory annual Information Security (IS) audits for all its Class A, B and C banks. Nepali banks have fallen victim to security breaches in the past, which in response has led to the development of stronger information security practices. But with various other sectors going digital, information from governmental departments like the Licencing Department, the Office of the Auditor General, or the Citizenship Department are now at risk of being breached and the data used for nefarious purposes. In the age of big data, this information would be invaluable to different third-party agencies. Without reliable watchdogs to ensure the safety of such data, they would be open to data theft and security breaches.

But as much as regulatory bodies, government agencies and private companies too need to understand the need for cybersecurity. Most Nepali companies don’t have an in-house security expert, and network security is usually seen as part of the IT department, regardless of if it employs a security professional. Major network infrastructure aside, even daily office software do not go through regular security checks and updates. During the development of new digital services, security is often an afterthought, considering how many companies don’t even conduct security checks on account of their expense.

Hackers can use multiple entryways to gain access to sensitive data, and one of them could be badly coded applications that don’t adhere to cybersecurity frameworks. Regarding the recent bout of security breaches of our government websites, Koirala says that the blame doesn’t fully lie with the National Information Technology Centre (NITC), since it just provides server space. Responsibility for the security of the website hosted on the server lies squarely with the company that develops it, further emphasising the fact that software development in Nepal also needs to have mandatory security checks.

Many private technology companies like F1Soft have strict guidelines when it comes to cybersecurity. F1Soft has developed mobile banking apps for many banks while also operating their own digital wallet service, eSewa.

“We apply best industry practices for authentication and encryption for securing data. All services have industry standard data storage mechanisms and also implement disaster recovery practices,” says Subash Sharma, CEO of F1Soft International Pvt. Ltd. “The only problem is that technology keeps evolving but security measures don’t. We need efforts to go into security research and make people aware about the importance of investing and implementing security protocols.”

Most security breaches don’t take place when data is in transit so its important to secure storage systems, says Bijay Limbu Senihang, CTO of Vairav Technologies.

“Data is most vulnerable when it’s stored within systems with weak security,” says Senihang. “Data is encoded during transfer which makes it extremely difficult to decode, but stored data is an easier target for data theft.”

Amidst a lack of notice from the NITC regarding the recent website blackout, many cybersecurity professionals suspect a Distributed Denial of Service (DDOS) attack, but Senihang believes otherwise.

“After the blackout, we checked out the website’s DNS [Domain Name System] addresses and they all came up blank. Even during a DDOS attack, the DNS address should come up, but it didn’t, pointing to either a misconfigured system or a malware attack. It was like there was nothing on the servers at all,” he says.

Senihang also points to another glaring issue in Nepal’s cyberspace security: skilled manpower.

“Currently, there are only 50-60 cybersecurity professionals working in Nepal,” he says. There are few, if any, courses around cybersecurity offered by Nepali universities. The government has made it mandatory for all government agencies to employ an IS officer, but Nepal doesn’t have required human resource to fill these positions and ensure better cybersecurity.

There is also a general lack of understanding on “cyber hygiene” amongst Nepali internet users, say cybersecurity professionals. Simple security measures like two-step verification for emails and social media, or identification of malicious links could go a long way in ensuring a safer internet for users. As internet usage matures in Nepal, it is also essential that users understand the internet and employ personal measures to stay safe. In the current age, staying secure on the internet requires more than just a strong password, but even that appears to be lacking among Nepali users, say analysts. More awareness campaigns need to be targeted to both early and late adopters of the internet to ensure user-side safety.

With the KP Sharma Oli government’s push to build ‘smart’ cities and take government services and data digital, there is a monumental need for cybersecurity in Nepal. Securing our cyberspace isn’t simply a problem that can be resolved at the policy level—a more blanket approach is needed to secure digital information and internet use across all levels. Conversations around cybersecurity appear to be pushing the government to prioritise cybersecurity, but the implementation of a proper policy might be more difficult than we think. Instead, the government seems more concerned with regulating social media and policing the internet.

Rana has been writing about technology for the past nine years. He writes about technology from the purview of modern consumerist culture while also exploring the nuances of its social and behavioural effects on people.