Nepal's Push to Tackle Cybersecurity Challenges
ITSERT-NP's Pant on Establishing Security Policies in Nepal
Nepal witnessed a disastrous earthquake this year, affecting more than 10,000 lives, leaving more than 1,50,000 homeless, plus a $3.5 billion loss for the economy and a major compromise of infrastructure.
This natural disaster has only increased the challenge for the newly established Information Technology Security Emergency Response Team, ITSERT-NP, of protecting Nepal's critical infrastructure against growing vulnerabilities and establishing an incident response mechanism.
"There is a huge task ahead of ITSERT, formed late last year to help build a more secure environment," says Rajan R. Pant, chairman of ITSERT-NP.
"Unfortunately, Nepal currently cannot address the security breach concerns," he says.
Security awareness materials must be created to anticipate future threats and find ways to defend against them, he says.
Toward this end, ITSERT is exploring options for forming an information sharing mechanism, educating the government and key security stakeholders and also associating with international CERTs to drive awareness and build an incident response plan.
In this interview with Information Security Media Group, Pant shares his future plans. He offers insights on:
- Cybersecurity challenges and agenda;
- Future course of action to establish a cybersecure ecosystem;
- Regulatory mandates and security policy guidelines.
Pant was earlier responsible for PKI in developing countries and, later, IT Controller at the Ministry of Science and Technology, Government of Nepal. An MBA specialising in quantitative techniques and computer management from Shivaji University, Maharashtra, he holds an LLB degree from Tribhuvan University, Kathmandu, Nepal. He is a certified CEH and ISO 27001 ISMS Lead Auditor.
Rajan is Ex-General Secretary, Computer Association of Nepal, and Member, Management Association of Nepal.
ITSERT's Cybersecurity Agenda
GEETHA NANDIKOTKUR: Nepal experienced loss of many lives in the recent earthquake. What is the state of Nepal's information security/cybersecurity?
RAJAN R PANT: There are lessons learned from the earthquake. However, such situations only increase our infrastructure challenges, create network problems and make our data more vulnerable due to exposure. Unless people face an issue, there wouldn't be a need to find a solution. So also with infrastructure security and cybersecurity. There's a huge task ahead of ITSERT, formed late last year towards building a more secure environment.
Our agenda was to create awareness and understand security nuances. We, along with law enforcement groups, looked at the nature of cybercrime and threats Nepal faces. Statistics show that we face cybercrime threats via email, Facebook defacement, ATM and internet banking fraud, e-mail theft, data hack and online fraud and impersonating profiles. Currently, Nepal is unable to address the growing security breach concerns.
Knowledge regarding cybersecurity policies and understanding cybersecurity risk is lacking. The critical challenges are:
- Lack of information security policy;
- No proper cyber law;
- Policy makers do not feel the importance of security;
- Lack of national cybersecurity and information security strategy for the nation;
- Lack of interdepartmental coordination;
- Lack of awareness among users;
- Lack of government processes.
This only reinforces the need to increase the pace of incident handling and awareness programs.
Banking Transaction Threats
NANDIKOTKUR: With Nepal facing threats and frauds from online banking, what is the plan to combat these? What is ITSERT's role?
PANT: ATM and internet banking frauds, email thefts and threats are increasing. There are acts such as Banking Offence and Punishment Act, 2064, Banks and Financial Institutions Act, 2063, Nepal Rastra Bank Act, 2058, The Companies Act, 2063, Contract Act, 2056, The Electronic Transactions Act, 2063 and Nepal GEA Security Architecture in the country, but these do not address the security flaws in the transaction system.
The reason is the lack of two-factor authentication methods for secure transactions, as followed in other geographies. Banks have established only single-factor, password-based transactions, and not second-factor OTP. ITSERT is organizing a banking security payment transaction conference soon to educate CISOs and network administrators, compliance teams and others on the importance of having two-factor authentication and other security standards in securing the payment gateway and also share best practices.
Regulations & Guidelines
NANDIKOTKUR: Can you throw some light on the regulatory mandates and policy guidelines on security by the government?
PANT: It is rather sad to say the government is just not thinking about information security or cybersecurity. There are a few initiatives taken regarding application development for some administrative functions and PKI, but none about security of the applications or evolving a security policy for the nation. We have been trying to influence the government to start an official CERT to track cybercrime and issue guidelines for reporting crimes. We tried to establish forensic measures along with law enforcement groups to detect crime, but we have a long way to go. Ministry-level intervention is critical to establish a cyber law for the country - or rolling out internet user's policy. We are lobbying with the government to initiate this.
ITSERT's Game Plan
NANDIKOTKUR: What then is ITSERT's future course of action in establishing a cybersecure environment?
PANT: My recommendation to the government of Nepal and India and the security fraternity is to establish SAARC-level CERTs for security governance. There should be equal participation of the government, industry bodies similar to those in India such as DSCI, NASSCOM etc., the private sector and academia through public and private partnership for prescribing a cybersecurity framework and research.
Establishing an information sharing platform is very critical between security practitioners and CERTs of Nepal and India; we are working towards this. We'd involve the 60 Nepal CISOs to drive awareness about cybersecurity and use of technology in thwarting attacks. We are in the process of availing Asia Pacific Computer Emergency Response Team membership, issuing mandates on information security audit for banks and other financial institutions with the help of regulatory authorities to reduce risk.