Widespread digital technology has no doubt made our lives a lot easier. Fixing an appointment with the doctor, shopping, paying utility bills, filing income tax, and transferring funds from one account to another can all be done very easily online. Checking emails and logging on to Facebook for daily updates about friends and family have become an integral part of our everyday routines. Gradually, even small groceries and stores, along with other private and public services, are being digitised.

Growing problem

On the one hand, digitisation of a system makes it easier to access. But on the other, it opens up avenues for serious cybercrimes if these systems are not well protected. In earlier days, war was considered a significant threat against the world’s stability and security. Now, there has been a paradigm shift in the perception of global threat and insecurity. Most threats to different countries now emerge from cyberspace. Cybersecurity, cybercrime, or cyberwarfare are a growing concern all over the world.

The recent banking fraud by two Bangladeshis in Sanima Bank is a glaring example of how such threats have arrived on our shores. The Bangladeshis were successful in breaching the bank’s network and transferring funds to their respective accounts. Due to the growing threat of such cyber breaches, a few months ago, the agenda of cybercrime was placed for the first time in a ministerial meeting of home ministers of the Saarc countries. Indian Prime Minister Narendra Modi also raised concerns about cybersecurity while addressing the 69th session of the UN General Assembly. In underdeveloped countries, cybersecurity incidents, crimes, or acts of war are simply treated as human acts or omissions but it is an issue that is more complex than that.

A dynamic system

In practice, cybersecurity primarily addresses those types of attacks, breaches, or incidents that are targeted, sophisticated, and difficult to detect or manage. The focus of cybersecurity is on what has come to be known as advanced persistent threats (APTs), cyberwarfare, and their impact on enterprises or individuals. Despite the common use of the term, cybersecurity needs to be aligned with all aspects of information security within an enterprise. This includes management, governance, and insurance. In this sense, the overall notion of security is systematic rather than linear, acknowledging that the notion of being secure is a transient state that requires maintenance and continuous improvement to meet the needs and requirements of stakeholders.

Cybercrime and widespread attacks has become a societal issue, as opposed to the former technical perspective on hacking and purely technical countermeasures. Cybercrime and related attacks or breaches target the weakest link in a system. As a result, cybersecurity must be understood as a system of interdependent elements and links between these elements. Optimised cybersecurity requires a complete understanding of this dynamic system and the realisation that security, governance, and management cannot be seen in isolation. For instance, China has recently removed American devices from their long-standing list for government offices in order to protect themselves from cyberattacks.

Crafting a cyberstrategy

In Nepal, we still understand cyberattacks as a technical issue and assume that they will be dealt with by technocrats. This shows that we have yet to understand the impact of such attacks. Cybersecurity, in relation to information security, requires an explanation because it is misunderstood by most in Nepal. In a broad sense, cybersecurity encompasses all that which protects enterprises, individuals, and the state system from intentional attacks, breaches, and incidents, as well as their consequences. When we analyse our situation we need to answers a few difficult questions. Do we have a planned response in place to cope with such threats? Are there any proactive methods in place to prevent cyberattacks? Do we have a Computer Emergency Response Team (CERT)? The answer to all these questions is in the negative.

However, a step has been taken in the right direction with the establishment of the Information Technology Security Emergency Response Team-Nepal (ITSERT-Nepal). Likewise, the first International Conference on Cybersecurity, held in February in Kathmandu, was also a positive sign that could pave the way for dealing with the impacts of cybercrimes.

Still, Nepal continues to digitise new sectors without proper plans, policies, and frameworks to protect against cyberattacks. As the importance of e-governance is gradually being realised, it is important to keep organisational information assets secure. Most organisations realise that there is no one solution to secure systems and data; instead a multilayer security strategy is required. One of the layers that many organisations are including in their strategy today is the creation of a CERT. The role of the government in doing so is crucial. Government officials should be aware of the impact of a cyberattack. For that, it needs to form a team of experts from the field of information security and cybersecurity to draft a framework and compliance standards that could be helpful in minimising such threats. The team members should have technical skills, behavourial skills, experience, and qualifications required to devise sound cybersecurity strategies that will help create a secure cyberspace for all of us.

Mainali is Information Security Officer at Nepal Bank Ltd