Strengthening Nepal’s cyberdefenses

What comes to your mind when you think of Nepal? Highest snow-capped mountains, the birthplace of Shakyamuni Buddha, diverse cultures and traditions, etc. 

Of late, Nepal is striving to make a new identity and earn another feather in her cap. The country is gradually earning a reputation as a hub for the IT industry and digital technology. Nepal is adopting information technology, e-governance, and online banking, online food delivery, ride-sharing, digitalized government services and many other cutting-edge technologies big time. From the private to the government sector, digitalization is increasing from central to local levels. I remember the first time when I went to a village development committee in the district of Dang to apply for citizenship. At that time, the VDC office did not even have a desktop computer, leave alone other advanced digital devices and an internet connection. To my pleasant surprise, when I visited my local ward office in Dang recently, I found office staff using computers and every task, from payroll to applications, computerized. 

With increasing digitalization, one of the important questions that comes to mind is, ‘Are our systems secure enough?’ We cannot undermine the security of our digital systems. From the private to the government sector, most systems are susceptible to cyberthreats. The number of cyber incidents is increasing day by day, targeting financial institutions, government agencies, the healthcare industry and other critical government infrastructure. According to industry reports, phishing attacks, social engineering, ransomware and DoS attacks are some of the most common cyberattacks that Nepal has been facing. 

So, what does Nepal need to protect her systems from cyberthreats? The country needs a cybersecurity strategy that bridges the gaps between policy and practice.

That’s where cyberdefense comes in. 

Cyberdefense encompasses practices, processes, policies and strategies designed to secure networks, data, and infrastructure against potential threats from cyberattackers. With the advancement of modern technology, new challenges and threats are emerging in novel ways. Recently, the National Security Artificial Intelligence Security Center published a joint cybersecurity information sheet in collaboration with various international agencies, which are enhancing their digital infrastructure security through partnerships with internationally-recognized agencies.

The global war strategies and the ways of war are changing day by day. These days, wars involve armies as well as cyberattacks. Many countries are investing in their defense systems, artificial intelligence and cybersecurity, and modernizing their technologies. The United States of America, Russia, China, the United Kingdom and the Netherlands are investing in cyberdefense and strengthening their cyber capabilities. Israel, Iran, North Korea, France and Australia are not lagging behind, either. These countries are working on strengthening their cyberdefenses. If any country wants to attack another directly using her military force, the cyberarmy or state-sponsored attackers will first target the defense systems, critical infrastructure, power grids, telecommunications and other vital areas of the target country, disconnecting the targeted country from others and making it easier to invade.

Are we prepared to deal with these types of cyberthreats from global space? Nepal needs to be prepared at the technological level, in policy, and in diplomatic relations. For a robust cybersecurity defense, Nepal needs to have updated policies and regulatory frameworks, public-private collaboration, and cooperation with international agencies to combine various cyberdefense strategies. Government and private organizations should invest in capacity-building of their employees on cybersecurity awareness. If we see the trends of attacks per industry, healthcare, financial institutions, insurance agencies, government data centers, government IT infrastructure and defense are the most sought-after targets of state-sponsored attackers or black-hat hackers. There are multiple financial organizations that we are getting news about online regarding data breaches, hacking, phishing and many other issues in our Nepal banking organizations.

So, how can we deal with these challenges? 

Let’s have a robust and updated “policy development and legal framework” first. Although we have different cybersecurity guidelines and legal frameworks, they are not enough. Proper research and exercises are still necessary. Currently, we have policies such as the National Cybersecurity Policy 2015, Information Technology Policy 2010, ETA 2008, and the Nepal Rastra Bank’s Cyber-Resilience Guidelines 2023. However, as cyberthreats and technology types rapidly evolve, we need to update the guidelines accordingly.

The next question to ponder over is “How competent are our technical human resources” vis-a-vis the process of cybersecurity and information technology? How much budget is available for capacity-building of staff? Most business organizations do not have a specific technical department concerned with cybersecurity. Most corporate offices overlook the IT department. They need to keep in mind that the IT department is not only for the installation of software, network devices and repair and maintenance of computers. My suggestion is that these organizations should invest money in capacity-building of their cyber teams and non-IT teams, and conduct regular security awareness training for their staff regarding different types of threats.

Let’s invest in the technical enhancement of public and private organizations. How many corporate offices conduct VAPT (Vulnerability Assessment and Penetration Testing) and IS audits? Every organization needs to have an ICT policy or guidelines clearly outlining the requirement for VAPT and IS audits. This can be the first layer of defense, which can help prevent major financial and reputational disasters. So, let's question ourselves: Have we ensured that our Personally Identifiable Information (PII), Financial Information (FI) and other sensitive data are encrypted using advanced encryption standards? Have we maintained secure communication protocols? We need to stay updated on this because the medium of cyberthreats is constantly evolving.

The government should invest in advancing the defense system with cutting-edge cybersecurity programs. Enhancing the system with cyberthreat intelligence and investing in artificial intelligence and machine learning will help predict cyberterrorism, cyberattacks and mitigate cyberthreats. Nepal can collaborate and cooperate with various international diplomatic agencies, cybersecurity standard organizations and national as well as international agencies for threat intelligence-sharing. Cybersecurity should be a common goal. During my tech journey, I have worked with different international companies in fintech, insurtech and healthtech. These organizations have followed various international standard compliances like GDPR, HIPAA, PCI DSS and many other ISO standards.

So, where are we in terms of standard compliance? Nepal has policies and standards, but they are not enough. As cyberthreats and cyberterrorism evolve, we need specific industry-based regulatory guidelines for banking and fintech organizations, the health industry, government-sensitive data, e-commerce, insurance agencies and many others. It is common to hear about governmental website hacking cases. This is an urgent issue and a red alert for these agencies, the government, and regulatory bodies to invest in research and policy development.

Summing up, let’s strengthen Nepal’s cyberdefense with robust policies, investing in capacity-building of human resources, and collaborating and cooperating with international organizations through cyber-diplomacy and public-private partnerships. Investing in new technologies such as artificial intelligence, machine learning, blockchain and threat intelligence-sharing is crucial. Nepal can enhance her cybersecurity by adopting these measures to protect her IT infrastructure, sensitive national data, and digital infrastructure, paving the way for a secure digital future.

The author, a student of MSc IT (Cybersecurity) at Islington College, Kathmandu, works at Technofex Nepal