Despite ranking 115th in economic prowess, Nepal outshines most countries in cybersecurity slackness. We find out what germinated this awful reputation…

Guess which country ranks fourth globally in terms of mobile malware attacks, accounting for almost one-third of such attacks worldwide. The USA? Canada? How about China? Wrong.

According to one cybersecurity company’s metrics, the trophy goes to Nepal in the Himalayas! The figures are also in alignment with those of the Nepal Telecommunications Authority’s (NTA) MIS statistics, based on 16.67 million Nepalese connected to the Internet in 2019.

In 2017, 58 of the government’s 58 websites were hacked by a group called Paradox Cyber Ghost. That same year, NIC Asia Bank’s SWIFT (Society for Worldwide Interbank Financial Telecommunications) system was attacked. About US$4.4m was siphoned off from user accounts to six different countries in the attack. All these attacks were carried out by different groups in a span of just six to eight months, thereby pointing to the loopholes in the country’s national cybersecurity framework.

Toothless regulations, negligible resolve

It is widely acknowledged that the Nepal government has “toothless” regulations to deal with cybercrimes, and the lack of skilled cybersecurity specialists in the country just adds to the risks.

According to Arun Khatri, CEO of Digital Network Solution, an IT security solutions provider from Nepal: “There is a lot of scope for enhancing cybersecurity in Nepal. This is despite the fact that there have been a few initiatives by the government over the last few years. In 2019, the government had introduced the Digital Nepal Framework, but still a lot of work has to be done.”

One year after the framework’s announcement, the director of the Nepal Telecommunications Authority (NTA), Min Prasad Aryal, announced that cybercrime rates had gone up with the rapid growth in information and communication technology: “To overcome such risks, new legislation contains provisions that service providers should follow. This includes establishing a cybersecurity community, a periodical audit of IT systems, and use of protection measures by complying with international standards.”

The security audit reports need to be submitted to the authority every six months: “Obviously, to make the system secure, service providers should invest in security. The higher the investment cost of technological infrastructure, the more secure the system will be,” Aryal had said.

Two steps forward, one step back

Despite this declaration, numerous hacking incidents have continued to haunt Nepal in the recent past, among them ATM heists resulting from compromised switching systems, distributed fund transfers into legitimate user accounts, and other hacking incidents. A major reason for this, Khatri pointed out, is that initiatives are implemented in silos and not in a consolidated manner.

“The national identification project has been under way for the last couple of years, but is yet to be implemented. It makes KYC processes extremely difficult, especially for the banking industry,” Aryal noted. As for the ‘silos’ model, Subas Chandra Khanal, an Information Security Officer of Sanima Bank in Nepal, concurred: “We are lagging behind in a lot of cybersecurity infrastructure and regulations. Interoperability is still a major issue in the banking and financial services and insurance (BFSI) sector in Nepal. Hackers find it lucrative to attack banking set-ups. We need to do a lot in terms of robotic processes, automation, blockchain, etc.”

Khanal said Nepal is way behind what its South-east Asian neighbors are doing in QR payments, virtual and electronic commerce, eKYC, etc. “There should be innovation and more stringent rules and regulations in place. We need a robust framework to protect BFSI customers’ data so as to match the global benchmarks.”

Cross-sector collaboration needed

Regarding the country’s lag behind its neighbors, Digital Network Solution’s Khatri felt that the government, telecom sector, BFSI players and enterprises all have to work in unison to close the gap and achieve the desired digital transformation. He lamented: “Nepali enterprises are not disrupting enough in the cybersecurity domain,” and further elucidated that the government’s efforts have been ad hoc when it comes to cyber technology: “Nothing is consolidated. Also, there is not much use of the public-private-partnership model in projects like e-passport, national ID, e-payment gateway. Rural areas are still left out by ISPs, which is again a cause for concern.”

“People should understand the importance of personal data and that it’s not just a government prerogative. The government should work on cybersecurity regulations and draft policies as soon as possible. The telecom authority should be aware of the latest threats and there need to be consistent efforts to enhance the technology framework,” Khatri opined.