Over 7 million devices are already infected with ransomware in SL

At the 8th edition of the Annual Cyber Security Summit, TRCSL Managing Director Oshada Senanayake said that more than seven million devices in Sri Lanka are already infected with some form of ransomware. The chief executive made the comments as Sri Lanka braces for 5G as more connected devices join the internet.

It’s no secret that Sri Lanka is not at the top of the list of resilient countries when it comes to cybersecurity. The past two years alone have shown how unprepared Sri Lanka is as a country, whether it is a contact tracing app with security vulnerabilities or a hack into the LK domain registry. It is clear that cybersecurity needs to be higher on the priority list at the national level.

Now, as 5G nears commercial adoption on the island, the question of Sri Lanka’s cyber readiness has a more daunting answer. Why? Because 5G means more connected devices, more infrastructure, and the use of technologies such as software-defined networking (SDN) and network functions virtualization (NFV). This dramatically increases exposure to cybersecurity threats.

Therefore, according to Senanayake, it is imperative that Sri Lanka “develop a comprehensive national strategy to improve our cybersecurity preparedness.”

What do you mean by a comprehensive national strategy?

What does a comprehensive national cybersecurity strategy even look like? Singapore’s Cyber Security Strategy 2021 report is a good indication of what this could become at a high level. Senanayake himself admits that the current institutional framework in Sri Lanka is inadequate to tackle national cyber risks. This ranges from a lack of preparedness to respond to cyber incidents to a lack of capacity at the government level to deal with cybersecurity issues.

As such, developing a comprehensive national strategy means:

  • Develop an institutional framework to define and execute the strategy
  • Create a legal framework to enable enforcement
  • Design a governance model to align cyber priorities between government and private organizations
  • Oversee execution and invest in a capacity building strategy that will enable execution

But strategy doesn’t mean much without proper implementation in place. This is where a national cybersecurity agency with the right mandate comes in. Here, the agency would play a key role in establishing the legal framework required for an inclusive cybersecurity framework at the national level.

In the context of 5G, Senanayake also highlighted the need to implement global network security standards among operators. After all, with 5G comes a whole new set of technologies and infrastructure changes, both physical and digital. Each component of the overall ecosystem has different security requirements. Additionally, 5G introduces new security challenges with technologies like SDN and NFV, as well as more IoT use cases.

Wait, what about 4G?

While there is a lot of consideration for 5G and its potential, 4G will continue to play a central role in markets like Sri Lanka. In fact, as 5G is commercially implemented, the previous generation 2G, 3G and even 4G technologies will continue to coexist. So, previous generation vulnerabilities such as geolocation, denial of service or call and SMS interception attacks will still be a problem. In other words, security considerations must be taken into account for all these generations of networks while facilitating the transition and interworking between them.

This is where frameworks like the Network Equipment Security Assurance Scheme (NESAS) are important. NESAS, defined by the 3GPP and the GSMA in collaboration, is an industry-wide security assurance framework that aims to improve security levels in the mobile industry, including 5G. Hence Senanayake’s call to implement global network security standards.

IoT security will also be a critical part of strengthening security in the 5G era. In 2018 alone, there were at least 800,000 vulnerable devices, according to the GSMA.

Of course, in the context of Sri Lanka, it goes a step further. The subject of cybersecurity must be addressed by all stakeholders, from government and businesses to individuals.

CERT’s security objectives in six areas

To this end, Dr Kanishka Karunasena, Head of Research, Policy and Projects of the Sri Lanka Cyber Emergency Preparedness Team (SL CERT), pointed out that his organization has already identified six key areas for the island’s information and cybersecurity strategy for the period 2019-2023. These include:

  • Establishment of a governance framework
  • Local-International Public Private Partnerships
  • Legislation, policies and standards
  • Awareness and empowerment of citizens
  • Competent workforce
  • Resilient digital government and infrastructure

This is the basis for the creation of a cybersecurity agency (CSA) through the cybersecurity law. According to Karunasena, the CSA will be the main institution for everything related to civil cybersecurity. The Cybersecurity Law and the Data Protection Bill are currently in the process of being enacted. More recently, the Data Protection Bill has been approved and published in the Official Journal of the Parliament.

Going digital and cybersecurity

While this is an important and healthy direction to promote a digital future, Sri Lanka has a long way to go in terms of cybersecurity. Senanayake acknowledged this when speaking about the state of cybersecurity in the country, although he hopes Sri Lanka will be in the list of the top 20 cyber-resilient countries in the world. Sri Lanka currently ranks 84th in the Global Cybersecurity Index of more than 180 countries, according to the 2020 ITU report. Even in the APAC region, Sri Lanka ranks 15th out of 19 countries.

It is imperative to continue to focus on this area in a landscape where the APAC region experiences a higher rate of malware and ransomware attacks than the rest of the world. In fact, countries in the APAC region are 80% more likely to be the target of cyber attacks. Now, with 5G on the horizon, the need for a holistic approach to cybersecurity on the part of all stakeholders, including users, is more important than ever.
