Submit your Article

What comes to your mind when you think of Nepal? Highest snow-capped mountains, the birthplace of Shakyamuni Buddha, diverse cultures and traditions, etc. 

Of late, Nepal is striving to make a new identity and earn another feather in her cap. The country is gradually earning a reputation as a hub for the IT industry and digital technology. Nepal is adopting information technology, e-governance, and online banking, online food delivery, ride-sharing, digitalized government services and many other cutting-edge technologies big time. From the private to the government sector, digitalization is increasing from central to local levels. I remember the first time when I went to a village development committee in the district of Dang to apply for citizenship. At that time, the VDC office did not even have a desktop computer, leave alone other advanced digital devices and an internet connection. To my pleasant surprise, when I visited my local ward office in Dang recently, I found office staff using computers and every task, from payroll to applications, computerized. 

With increasing digitalization, one of the important questions that comes to mind is, ‘Are our systems secure enough?’ We cannot undermine the security of our digital systems. From the private to the government sector, most systems are susceptible to cyberthreats. The number of cyber incidents is increasing day by day, targeting financial institutions, government agencies, the healthcare industry and other critical government infrastructure. According to industry reports, phishing attacks, social engineering, ransomware and DoS attacks are some of the most common cyberattacks that Nepal has been facing. 

So, what does Nepal need to protect her systems from cyberthreats? The country needs a cybersecurity strategy that bridges the gaps between policy and practice.

That’s where cyberdefense comes in. 

Cyberdefense encompasses practices, processes, policies and strategies designed to secure networks, data, and infrastructure against potential threats from cyberattackers. With the advancement of modern technology, new challenges and threats are emerging in novel ways. Recently, the National Security Artificial Intelligence Security Center published a joint cybersecurity information sheet in collaboration with various international agencies, which are enhancing their digital infrastructure security through partnerships with internationally-recognized agencies.

The global war strategies and the ways of war are changing day by day. These days, wars involve armies as well as cyberattacks. Many countries are investing in their defense systems, artificial intelligence and cybersecurity, and modernizing their technologies. The United States of America, Russia, China, the United Kingdom and the Netherlands are investing in cyberdefense and strengthening their cyber capabilities. Israel, Iran, North Korea, France and Australia are not lagging behind, either. These countries are working on strengthening their cyberdefenses. If any country wants to attack another directly using her military force, the cyberarmy or state-sponsored attackers will first target the defense systems, critical infrastructure, power grids, telecommunications and other vital areas of the target country, disconnecting the targeted country from others and making it easier to invade.

Are we prepared to deal with these types of cyberthreats from global space? Nepal needs to be prepared at the technological level, in policy, and in diplomatic relations. For a robust cybersecurity defense, Nepal needs to have updated policies and regulatory frameworks, public-private collaboration, and cooperation with international agencies to combine various cyberdefense strategies. Government and private organizations should invest in capacity-building of their employees on cybersecurity awareness. If we see the trends of attacks per industry, healthcare, financial institutions, insurance agencies, government data centers, government IT infrastructure and defense are the most sought-after targets of state-sponsored attackers or black-hat hackers. There are multiple financial organizations that we are getting news about online regarding data breaches, hacking, phishing and many other issues in our Nepal banking organizations.

So, how can we deal with these challenges? 

Let’s have a robust and updated “policy development and legal framework” first. Although we have different cybersecurity guidelines and legal frameworks, they are not enough. Proper research and exercises are still necessary. Currently, we have policies such as the National Cybersecurity Policy 2015, Information Technology Policy 2010, ETA 2008, and the Nepal Rastra Bank’s Cyber-Resilience Guidelines 2023. However, as cyberthreats and technology types rapidly evolve, we need to update the guidelines accordingly.

The next question to ponder over is “How competent are our technical human resources” vis-a-vis the process of cybersecurity and information technology? How much budget is available for capacity-building of staff? Most business organizations do not have a specific technical department concerned with cybersecurity. Most corporate offices overlook the IT department. They need to keep in mind that the IT department is not only for the installation of software, network devices and repair and maintenance of computers. My suggestion is that these organizations should invest money in capacity-building of their cyber teams and non-IT teams, and conduct regular security awareness training for their staff regarding different types of threats.

Let’s invest in the technical enhancement of public and private organizations. How many corporate offices conduct VAPT (Vulnerability Assessment and Penetration Testing) and IS audits? Every organization needs to have an ICT policy or guidelines clearly outlining the requirement for VAPT and IS audits. This can be the first layer of defense, which can help prevent major financial and reputational disasters. So, let's question ourselves: Have we ensured that our Personally Identifiable Information (PII), Financial Information (FI) and other sensitive data are encrypted using advanced encryption standards? Have we maintained secure communication protocols? We need to stay updated on this because the medium of cyberthreats is constantly evolving.

The government should invest in advancing the defense system with cutting-edge cybersecurity programs. Enhancing the system with cyberthreat intelligence and investing in artificial intelligence and machine learning will help predict cyberterrorism, cyberattacks and mitigate cyberthreats. Nepal can collaborate and cooperate with various international diplomatic agencies, cybersecurity standard organizations and national as well as international agencies for threat intelligence-sharing. Cybersecurity should be a common goal. During my tech journey, I have worked with different international companies in fintech, insurtech and healthtech. These organizations have followed various international standard compliances like GDPR, HIPAA, PCI DSS and many other ISO standards.

So, where are we in terms of standard compliance? Nepal has policies and standards, but they are not enough. As cyberthreats and cyberterrorism evolve, we need specific industry-based regulatory guidelines for banking and fintech organizations, the health industry, government-sensitive data, e-commerce, insurance agencies and many others. It is common to hear about governmental website hacking cases. This is an urgent issue and a red alert for these agencies, the government, and regulatory bodies to invest in research and policy development.

Summing up, let’s strengthen Nepal’s cyberdefense with robust policies, investing in capacity-building of human resources, and collaborating and cooperating with international organizations through cyber-diplomacy and public-private partnerships. Investing in new technologies such as artificial intelligence, machine learning, blockchain and threat intelligence-sharing is crucial. Nepal can enhance her cybersecurity by adopting these measures to protect her IT infrastructure, sensitive national data, and digital infrastructure, paving the way for a secure digital future.

The author, a student of MSc IT (Cybersecurity) at Islington College, Kathmandu, works at Technofex Nepal

Information technology has become one of the most rapidly developing fields, and every business organization, nation, and many other institutions are shifting toward digitalization. It has become a blessing for all, transforming the traditional approaches to business, bureaucracy and working culture into digital formats. There was a time when sensitive and confidential government information was kept in books and on paper, but now, from the central to the local level, government organizations are increasingly digitized. The government’s responsibility is to protect confidential and sensitive data, as well as important infrastructure, from cyberthreats.

Cybersecurity and cyber diplomacy have become major topics of discussion in public forums, yet concrete steps and a clear path have not been established by policymakers. These discussions should be prioritized by Nepal's think tanks, policymakers, parliament, cabinet, and bureaucracy. However, they have not yet become top agendas for these stakeholders. There is an increasing rate of cybercrime in Nepal, including financial theft, identity theft, phishing attacks, cyberbullying, data breaches and Denial of Service (DoS) attacks. According to records from 2022, Nepal ranked 94th on the global cybersecurity index, which measures four main criteria: Cybersecurity, economic safety, physical and infrastructure safety, and social safety.

In terms of cybersecurity and cyber diplomacy, Nepal faces challenges but also opportunities for improvement. Diplomatic agendas concerning global security diplomacy often revolve around protecting digital infrastructure, sensitive and confidential data, banks, defense systems and critical infrastructure from cyberthreats, both domestic and international. It’s crucial to recognize that safeguarding against cyberthreats isn’t solely about national sovereignty and security but also about societal well-being. The definition of protecting national sovereignty, defense, and security is evolving with technological advancements. To effectively address these challenges, Nepal needs a multi-faceted approach to cybersecurity policy. This approach should encompass technical measures, a robust policy framework, and international cooperation. By engaging with other nations and organizations, sharing best practices, and collaborating on cybersecurity initiatives, Nepal can strengthen its cybersecurity posture and better protect its digital assets and citizens.

Cybersecurity concerns are not limited to national issues; they have become global issues. Nepal should engage in diplomatic dialogue with other nations, focusing on cyber diplomacy, negotiations, and agreements to combat cyberthreats across borders. State-sponsored attacks have become increasingly common, frequently making headlines. These attacks originate from one country targeting another or from state-sponsored cyberthreat groups. Their objectives include espionage, the destruction of critical infrastructure such as nuclear power plants, transportation, electricity, dissemination of political messages and more.

We might have heard about the news of more than 1500 government websites going down due to a cyberthreat, which took over 3.5 hours to restore the servers. This incident marked one of the biggest cyberthreats for Nepal. It’s the responsibility of our government to protect our sensitive and confidential data. International agencies have ranked Nepal as one of the high-risk countries in terms of cyberthreats.

Nepal maintains diplomatic relations with over 100 countries and is a member of various international agencies such as the United Nations, World Bank, Asian Development Bank, SAARC, BIMSTEC, and the Belt and Road Initiative (BRI).

Nepal should raise cyber diplomatic agendas in international forums and with other countries to protect critical infrastructure and develop international cooperation to combat cyberthreats. Situated between two digital powerhouses, India and China, Nepal can serve as a bridge for cyber dialogue and collaboration between South and East Asia. By fostering positive relationships with neighboring nations and actively engaging in regional initiatives like the South Asian Association for Regional Cooperation (SAARC), Nepal can position itself as a key player in shaping the cybersecurity future of the region.

The government should prioritize the formulation of comprehensive cyber security strategies at all levels, including policymakers and think tanks. Although the Cabinet endorsed the National Cybersecurity Policy in 2023, it requires further refinement and updates to align with technological advancements. Additionally, the government should prioritize capacity-building for human resources and enhance threat intelligence sharing mechanisms. Cybersecurity and cyber diplomacy have become hot topics, and the government and its relevant departments need to take them more seriously. If we look at bureaucracy and the defense system, we are still following traditional approaches, and this agency plays a major role in cybersecurity. The government should take immediate action to amend policies, such as incorporating cybersecurity modules into the public commission examination system. Moreover, cybersecurity education should be made mandatory at the university level for all faculties, and there should be a dedicated cybersecurity examination module in the PSC examination.

Although Nepal Police has established a Cyber Bureau, there is a shortage of human resources for cyber defense. The government needs to take this matter seriously and focus on capacity-building within the Nepal Police Cyber Department and the army's defense sector. Alternatively, the government can explore public-private partnerships for cyber-defense, investigation, enforcement of cybersecurity standards, and establishing a cyber-defense task force. If these options are not feasible, the government should consider establishing a dedicated cyber-defense task force and recruiting highly skilled staff at the section officer level. Numerous well-established organizations, such as CryptoGen, Vairav Tech, Eminence Ways, Security Pall, Logpoint, and many freelancers are already engaged in similar work with international companies.

Nepal can initiate cybersecurity and cyber diplomatic agreements with SAARC nations and prioritize these agendas at the UN assembly. The objectives include exchanging cyberthreat intelligence, enhancing cyber incident response and mitigation capabilities, promoting research and development, building capacity, and pledging not to support state-sponsored attacks or target critical infrastructure systems of other nations.

Policy recommendations

• Think tank organizations such as PRI, Daayitwa, IIDS, and other stakeholders should establish dedicated departments and prioritize research and development related to cybersecurity and cyber diplomacy. They should actively advise the Nepal government on policy formation and maintain ongoing dialogue on these matters.
• The government should establish dedicated departments for cyber threat intelligence and cyber-defense, or enhance the capacity of the existing cyber bureau. It should make cybersecurity training mandatory for staff members of Nepal Police, Nepal Army, and the bureaucracy to promote awareness. Additionally, every department staff should be required to undergo security awareness training twice a year, as insider threats pose significant challenges to every office.
• Nepal government’s Department of Foreign Affairs should continue dialogue and delegations with countries that have diplomatic agreements for cyber dialogue. It should also engage in international forums to ensure compliance with global standards.
• Universities should prioritize the development of international standards and updated syllabus in the education system. They should focus on capacity-building for university students and make cybersecurity modules mandatory at the secondary and lower secondary levels.

The author is pursuing an MSc in Cybersecurity at Islington College and has over 4 years of working experience in the field of software development