Nepali state, organizations remain highly vulnerable to cyberattacks

In September 2020, Nepal Police arrested five Chinese nationals who were trying to withdraw cash with cloned debit cards. The accused had hacked the Nepal Electronic Payment System (NEPS), an interface that allows the transaction of money deposited in a bank by using cards issued by other member banks. Similarly, in March 2020, the food-delivery company Foodmandu had a data breach. A Twitter handle named ‘Mr. Mugger’ revealed the data of its 50,000 customers and disclosed links associated with the data. 

Of late even Nepali celebrities have become victims of cyber-attacks. Actor-director Dipashree Niraula is a recent victim. Last month, her Facebook page was hacked and hackers asked her for Rs 10,000 in ransom to let her have it back. (On April 6, the cyber cell of Nepal Police arrested a 14-year-old from Parsa district for the crime.) Another actor Saroj Khanal’s account got hacked at the same time. In this case, the hacker contacted one of Khanal’s close friends, pretending to be Khanal, and tried to get the friend to deposit money into the hacker’s bank account. 

These are not isolated incidents. Cyberattacks such as data breaches, ATM hacks and social media hacks have become common owing to the vulnerabilities and weaknesses in Nepal’s cybersecurity capabilities. The ethical hackers, cybersecurity researchers, and IT experts ApEx talked to said Nepal’s cyber-space was riddled with loopholes. 

Karna Bahadur Shrestha, a faculty in Computers and IT Department at Aryan School of Engineering and Management, feels the state of cybersecurity in Nepal is abysmal. Most Nepali internet-based digital systems are vulnerable as even renowned organizations and companies do much bother about users’ data privacy; nor do most government agencies.   

The main problem is ignorance of potential cyberattacks. There is no vulnerability testing during the development of digital systems. “People are more concerned about operation than security of their systems,” Shrestha says. 

The vulnerability of Nepal’s cyberspace makes it an easy target for hackers, explains Ismam Ansari, an IT professional and computer engineer from Mahottari. The vulnerability owes to poor network monitoring, inadequate security against phishing attacks, and weak authentication management, he explains. “Weak cybersecurity means chances are high that someone will hack into your digital system,” Ansari adds. 

Proportional risks

Likewise, Nirmal Dahal, Head of Security and co-founder at CryptoGen Nepal, an IT security service, has been in the field for over five years. “The progress in IT brings proportional risks.” Dahal says. “The multiplying opportunities and platforms online have also enhanced the risk of cyber-offenses.” 

While almost every organization looks for ways to provide digital services, they are less bothered about making their online systems secure. There are also no strict cyber laws to prevent misuse of data. The few available laws and guidelines do not cover most threats, Dahal explains. 

Nepal is gradually becoming aware of the need for cybersecurity. “In the past, only banks used to perform security assessments. But now other corporate and government sectors have also started such assessments,” he says. 

Akash Basnet, a certified ethical hacker and computer operator at the Ministry of Law, Justice and Parliamentary Affairs says the main culprits are outdated software, lack of knowledge as well as technical expertise. “Many Nepali websites can be easily penetrated as they have zero protection measures,” he says.  

Narey Vai (also known as Narapisach), a 17-year-old security researcher who was arrested earlier this year for leaking data of Vianet users, says the Nepali cyberspace is defenseless. “If you have a mobile phone SIM card or are connected to the internet, your privacy has been exposed,” Narey Vai says. “The financial and government sectors are the most vulnerable.” Annual Vulnerability Assessment and Pen Testing are keys to locating a system’s vulnerabilities, but Nepali companies seldom undertake them, he says. 

Binit Ghimire, another web developer and ethical hacker from Chitwan, says the condition of cybersecurity in Nepal is pitiful, with frequent cyber-attacks such as website defacements, ATM hacks, and data breaches. “I think the security has improved significantly in the government’s digital systems but other government websites are still vulnerable,” he adds. Moreover, in recent years, data breaches of private and non-government companies as well as start-ups have surged. Also, Ghimire points out, the level of awareness about cybersecurity is still rudimentary.  

Loopholes and losses 

Lax cybersecurity hits victims financially by contributing to either direct losses (ATM hacking, unsolicited financial transactions) or indirect losses (loss of trust).

Most cyber-attacks contribute to financial losses, according to Shrestha. One big reason hackers attack a website, app or a digital system is to earn money. “But such attacks can also lead to harassment and sexual abuse,” Shrestha adds.

As we have become more reliant on services that leave digital footprints, the number of cyberattacks has tripled over the last decade, Dahal says. This in turn sullies brand image, and leads to the loss of resources, data, and money. “Financial services have become the most targeted industry,” Dahal says. 

Kushal Ghimire, a lecturer in computer applications at Koshi Saint James College, Itahari, suggests the IT sector incorporates skilled human resources on cybersecurity. “The digital systems should also be regularly updated to meet global standards,” he says. Clear and concise laws regarding cybersecurity and their strict implementation would help too. 

Awareness is, again, the key, according to Ghimire. It is necessary to make people aware of the technology they use regularly. They must learn about security measures and the dire consequences of failing to take precautions.

For Shrestha, the first line of defense is making security a major concern while developing a digital system. Quality inspections are required for government systems that are more vulnerable. He suggests it is about time schools and colleges included cybersecurity as a course of study. 

People, or users, are the weakest links in any network, Dahal adds. You could include every security aspect into your network and yet the smallest of errors could undo all preparations. He says security starts at home. “For example, a simple pep talk at the dinner table on phishing will ensure your parents don’t click suspicious links on social media.”

Basnet agrees that there are loopholes in any digital system. The secret is to find them early. “That’s where ethical hackers come handy. They can find the vulnerabilities and take immediate action,” he says. As most people today use some form of social media, says Dahal, they should be aware of the basic security measures like two-factor authentication. 

Binit Ghimire’s suggestions differ to an extent. “At first, every organization with digital presence must carry out frequent internal security audits, and outsource their audits and penetration testing activities to cybersecurity companies,” he says. Ghimire also highlights the need for employees to protect themselves from “human hacking” which involves luring people into divulging sensitive information. Bug bounty programs can help as well as it encourages unethical hackers to turn white in their quest for rewards.