12 April 2020, NIICE Commentary 4061
Manish Jung Pulami
Nepal, as a developing country, must move towards an improved security system so that its resources are used effectively and efficiently. Securing an organization's information assets in today's interconnected world is a real challenge, one that grows harder with each new IT-based product and each new global IT threat.
Internet service in Nepal started in 1993 as a venture of the Royal Nepal Academy of Science and Technology (RONAST) and Mercantile Office System (MOS). The Nepal Telecommunications Authority’s (NTA) MIS indicates that 16.67 million Nepalese were connected to the internet by 2019, using it for almost all kinds of applications and work: professional services, IT services, entertainment, social media and chatting, and e-commerce. However, most people are unaware of cybersecurity, especially about maintaining privacy, judging which information should be shared, and avoiding pirated software. The Government of Nepal has weak structures and regulations for cybercrime, together with a shortage of skilled cybersecurity specialists. As a result, cybercrimes such as ATM attacks, POS attacks, Distributed Denial of Service, ransomware, spear phishing, privacy leaks, data breaches, social-media-related crimes, dissemination of false information and others have been increasing in Nepal. In the fiscal year 2018/2019 (until 13 June), 180 cases of cybercrime were registered in Nepal, of which 125 were from the Kathmandu Valley alone and 55 from outside the valley.
Before 2006, cybercrimes were dealt with under the Public Offence Act. Later, the “Electronic Transaction Act 2063 (ETA 2008)” was authenticated and published in 2006 as a cyber-law that protects users against cybercrime. The ETA criminalizes acts such as piracy, destroying or altering computer source code, unauthorized access to computer materials, damaging any computer or information system, publishing illegal materials in electronic form, disclosing confidential information, committing computer fraud, abetting a computer-related offence and being an accomplice to one. Although the law exists, it does not address the changing elements and dynamics of the rapidly growing internet. Besides the ETA, the Nepalese cyber-law regime governing cybercrime comprises the Banking Offence and Punishment Act 2008, Children’s Act 1992, Some Public (Crime and Punishment) Act 1970, The Patent, Design and Trademark Act 1965, Copyright Act 2002 and Consumer Protection Act 1998. As for organizational measures for cybersecurity, the Cyber Bureau of Nepal Police and the Kathmandu District Court are responsible for investigating and prosecuting cybercrime respectively.
In response to the increasing cybercrimes in Nepal, the Department of Information Technology (DoIT) has proposed an independent Computer Emergency Response Team (CERT), under the supervision and monitoring of the Ministry of Communication and Information Technology, to deal with cybersecurity threats, identify and respond to cyber risks, and collaborate with security operations center teams in establishing detection rules and coordinating responses. The CERT is to publish security alerts, perform security audits and assurance, conduct cybersecurity awareness and training, perform analysis and forensic investigation of cyber incidents, respond to cybersecurity incidents, and coordinate with local and global agencies against cybercrime.
The DoIT Training, Research and Development Sector has formed a CERT Committee, under the direction of the Director General of DoIT, for the design and implementation of the CERT. The CERT Committee brings together the different authorities concerned with the cybersecurity of Nepal, including members from the Office of the Prime Minister and Council of Ministers, Ministry of Home Affairs, Ministry of Communication and Information Technology, Ministry of Law, Justice and Parliamentary Affairs, Nepal Rastra Bank, NTA, Nepal Army, Nepal Police and the Office of the Controller of Certification. The committee is responsible for addressing the upcoming IT Umbrella Act of Nepal, and also for identifying the IT infrastructure, hardware and software, as well as the security tools, for the CERT. Currently, CERT-related services are provided by the DoIT in line with NPCERT, such as IT system audits, website and web application audits, vulnerability assessment and penetration testing, cybersecurity awareness and training, and IT system security-specific training to build the capacity of team members.
There is a need for international harmonization in the context of cybersecurity. The lack of an appropriate cybersecurity strategy gives attackers an opportunity to easily compromise systems and then carry out serious attacks, even in developed countries. It is also difficult to prosecute an attacker when the attack is performed from a country whose laws do not address the offences committed under the laws of the country where the attack took place. As for international cooperation, Nepal is a member of the ITU-IMPACT initiative and has access to the relevant cybersecurity services.
In general, a cybersecurity strategy should ensure the confidentiality, integrity and accessibility of electronic information and services provided in cyberspace, safeguard electronic communication networks, information systems and critical infrastructure against incidents and cyber-attacks, and protect personal data and privacy. Furthermore, resilient national cybersecurity requires a strategic shift in the national security policy paradigm. Regarding future national security threats, Nepal should consider cyber threats, and possibly cyberwarfare, involving both state and non-state actors. Preparing strong cybersecurity policies will help Nepal mitigate not only threats in cyberspace but also challenges to border and physical security.
To strengthen cybersecurity in Nepal, guidelines governing data protection, intellectual property, privacy, cybercrime and cyber terrorism should be established and revised through the judicial body. Moreover, a ‘zero-trust security strategy’, summarized as a ‘trust no one, verify everything’ policy, can be implemented together with secure browsing solutions to modernize Nepal's cybersecurity strategy. For small institutions and firms, the government can create a custom cybersecurity plan to ensure proper protection and coverage against losses from cyber-attacks. Technically, application whitelisting and blacklisting, server and user application hardening, and software-based application firewalls that block incoming network traffic can be used to prevent unapproved or malicious data access, theft, exposure, corruption and loss. In addition, user awareness education and cyber insurance can complement technical mitigation strategies to reduce cyber threats in Nepal.
Manish Jung Pulami is a Master’s student at the Department of International Relations and Diplomacy, Tribhuvan University, Nepal. He was a Research Fellow at the Institute of South Asian Studies, Sichuan University, China.