Govt issues cybersecurity advisory to prevent hacking, data theft

The National Cybersecurity Center under the Ministry of Communication and Information Technology has issued an advisory on cybersecurity for government employees. The center issued the advisory for users of government information technology systems with the aim of preventing issues such as website hacking and data theft. The advisory comes in the wake of incidents of unauthorized access to government websites and servers. This has led to criticism that the government’s security systems are weak.

In January last year, Nepal government’s main server had faced cyberattacks leading to disruptions of hundreds of government websites across the country. The websites went offline due to distributed denial of service (DDoS) attacks—a subclass of denial of service (DoS) attacks. Likewise, in 2023, similar cyberattacks hit international travel due to the shutdown of the immigration server. Around 1,500 government websites were shut down on that day due to cyberattacks on the government’s only central data bank at the Government Integrated Data Centre (GIDC). Hackers recently put up data from the Ministry of Federal Affairs and General Administration for sale on the dark web for $50.

The eight-page advisory covers the security of government office websites, applications, servers, storage, and networks, as well as the security of desktops, laptops and printers in offices. It also includes guidance on password management and security, internet browsing security, email and phishing attacks, removable media, mobile security and social media security.

The center has advised employees to change passwords for government office information systems every three months, keep mobile phones outside during sensitive discussions and not to install any games on office computers, among others.

The advisory states that government office websites must implement a security framework, regularly backup and archive data, implement a business continuity plan, conduct mandatory security audits at least once a year, keep source codes updated and secure, and ensure that the source codes of information technology systems, including emails used in the organization, are updated and secure.

Likewise, it has advised employees to set passwords according to a non-trivial password policy, making them difficult to guess. It also mentions implementing network segmentation to secure servers and other network devices related to data and services, installing SSL certificates on websites and applications, and setting up access control and door lock systems, as well as IP cameras in data centers and server rooms.