Where Does Sri Lanka Stand on Cybersecurity and Online Safety? A Close Look at the New Bills of 2023

1. Introduction

In an era marked by our growing reliance on technology, the significance of Cybersecurity and Online Safety cannot be emphasized enough. As we navigate the digital landscape, the potential risks and threats associated with cyber attacks loom ever larger. These threats can manifest in various forms, ranging from the theft of sensitive information to financial losses and, in the worst cases, disruption to critical infrastructure.

The introduction of the Cybersecurity Act and the Online Safety Act No. of 2023 in Sri Lanka underlines the nation's commitment to addressing these evolving challenges comprehensively. These legislative measures create a structured and strategic approach to Cybersecurity and Online Safety, establishing institutions such as the Cybersecurity Regulatory Authority and the Online Safety Commission to protect the interests of all Sri Lankans in the digital realm. Through these initiatives, the government aims to safeguard critical national information infrastructure, assess security risks, and enhance public awareness. This proactive stance is essential to ensure a secure and resilient cyberspace for the benefit and safety of all citizens in the Democratic Socialist Republic of Sri Lanka.

2. Establishment of the Cybersecurity Regulatory Authority of Sri Lanka

The Cybersecurity Regulatory Authority of Sri Lanka is established under the Cybersecurity Act, No. of 2023. The Act provides for the establishment of the Authority as the apex institution responsible for all matters relating to civilian aspects of cybersecurity. The Authority is responsible for ensuring the effective implementation of the national information and Cybersecurity strategies, and Cybersecurity policies as approved by the Cabinet of Ministers. It is also responsible for identifying and designating critical national information infrastructure, conducting security risk assessments, audits and vulnerability assessments of such infrastructure, and ensuring compliance with the procedures and timelines specified by rules made by the Authority. The Authority is governed by a Board of Directors appointed by the Minister in charge of the subject of Digital Infrastructure and Information Technology, and the Board is responsible for the management and administration of the affairs of the Authority.

3. Cybersecurity: Definition and Scope

Cybersecurity, at its core, entails a broad range of practices and measures focused on safeguarding computer systems, networks, and sensitive data from unauthorized access, theft, and damage. Importantly, its scope extends beyond individual devices to encompass the protection of a nation's information infrastructure. The Act defines cybersecurity as the safeguarding of information during its transit, processing, and storage against various forms of cyber threats. This includes activities intended to secure cyberspace and applies to all computer systems, programs, related devices, critical infrastructure, cybersecurity service providers, and civilian aspects of cybersecurity within the public and private sectors.

4. Background: Understanding the Current Landscape

As the world becomes increasingly reliant on digital technology, the importance of cybersecurity in Sri Lanka cannot be overstated. The country has made significant progress in this field in recent years, with various stakeholders, including government entities, businesses, and individuals, working together to mitigate cyber threats. Here's an overview of the current cybersecurity landscape in Sri Lanka:

  1. Government Initiatives and Regulations:
      • Sri Lanka Computer Emergency Readiness Team Coordination Center (CERT|CC): CERT|CC is the primary government agency responsible for coordinating responses to cybersecurity incidents, raising awareness, and promoting cybersecurity best practices.
      • Ministry of Digital Technology and Enterprise Development: This ministry plays a central role in formulating policies and strategies related to digital technology, including cybersecurity.
      • Law Enforcement Agencies: The police and other law enforcement bodies are involved in investigating and prosecuting cyber crimes under the Computer Crimes Act and other relevant legislation.
      • National Cybersecurity Policy: Sri Lanka introduced its National Cybersecurity Policy in 2020, which outlines a comprehensive framework for addressing cybersecurity challenges. It focuses on critical areas such as risk management, international cooperation, and the development of a skilled cybersecurity workforce.
      • Cyber Resilience and Cybersecurity Bill: The government introduced the Cyber Resilience and Cybersecurity Bill in 2021 to strengthen the legal framework for cybersecurity. The bill addresses critical issues, including the protection of critical information infrastructure and international cooperation in dealing with cyber threats.
  2. Regulatory Bodies:
      • Telecommunications Regulatory Commission of Sri Lanka (TRCSL): TRCSL oversees and regulates the telecommunications and internet service providers in Sri Lanka, ensuring compliance with cybersecurity regulations.
      • Data Protection Authority: This authority is responsible for enforcing data protection and privacy laws in the country, including the Personal Data Protection Act (PDPA).
  3. Legal Framework:

Key Milestones in Sri Lanka's Cybersecurity Journey

  • 2003: Formation of the Sri Lanka Computer Emergency Readiness Team (SLCERT)

The SLCERT was established as the national agency responsible for coordinating responses to cybersecurity incidents. This marked the first concrete step towards addressing cyber threats in Sri Lanka.

  • 2006: The Computer Crimes Act

Sri Lanka introduced the Computer Crimes Act, making it a criminal offense to engage in cybercrimes such as unauthorized access to computer systems, data interference, and electronic fraud.

  • 2013: The National Cybersecurity Strategy

In 2013, Sri Lanka launched its National Cybersecurity Strategy, which aimed to provide a comprehensive approach to cybersecurity. This strategy laid the foundation for future developments in the field.

  • 2018: Establishment of the Sri Lanka CERT|CC

Building upon the work of SLCERT, Sri Lanka established the Sri Lanka Computer Emergency Readiness Team Coordination Center (CERT|CC) to enhance its capabilities in responding to and preventing cyber threats.

  • 2019: The Personal Data Protection Act (PDPA)

The Personal Data Protection Act was enacted, providing legal provisions for the protection of personal data. This was a significant step in aligning Sri Lanka's data protection laws with international standards.

  • 2020: National Cybersecurity Policy

Sri Lanka unveiled its National Cybersecurity Policy, which focuses on critical areas such as risk management, international cooperation, and the development of a skilled cybersecurity workforce.

  • 2021: Cyber Resilience and Cybersecurity Bill

The Cyber Resilience and Cybersecurity Bill was introduced in Parliament, further strengthening the legal framework for cybersecurity. It addressed areas like critical information infrastructure protection and international cooperation in dealing with cyber threats.

5. The main objectives of the Cybersecurity Act & Online Safety Act of Sri Lanka

  • The Objects of the Act, as stated in the Cybersecurity Act, No. of 2023, are: 

(1). To establish the Cybersecurity Regulatory Authority of Sri Lanka as the apex institution responsible for all matters relating to civilian aspects of cybersecurity. 

(2). To ensure the effective implementation of the national information and cybersecurity strategies, and cybersecurity policies as approved by the Cabinet of Ministers. 

The Act also provides for the protection of critical national information infrastructure in order to address the cybersecurity threats challenging Sri Lanka, and to provide for matters connected therewith or incidental thereto. 

  • The objectives of the Online Safety Act of Sri Lanka are:

(a) to protect persons against damage caused by communication of false statements or threatening, alarming, or distressing statements; 

(b) to ensure protection from communication of statements in contempt of court or prejudicial to the maintenance of the authority and impartiality of the judiciary; 

(c) to introduce measures to detect, prevent and safeguard against the misuses of online accounts and bots to commit offenses under this Act; and 

(d) to prevent the financing, promotion, and other support of online locations that repeatedly communicate false statements of fact in Sri Lanka. 

Therefore, the main objectives of the Online Safety Act of Sri Lanka are to protect individuals from harmful statements, ensure the protection of the judiciary, prevent the misuse of online accounts and bots, and prevent the financing and promotion of online locations that repeatedly communicate false statements of fact.

6. Powers, duties and functions of the Authority

The Cybersecurity Regulatory Authority of Sri Lanka has several powers, duties, and functions as outlined in the Cybersecurity Act, No. of 2023. These include: 

  1. Identifying and designating critical national information infrastructure. 
  2. Conducting security risk assessments, audits, and vulnerability assessments of such infrastructure. 
  3. Ensuring compliance with the procedures and timelines specified by rules made by the Authority. 
  4. Conducting and managing cybersecurity services for government institutions and other relevant sectors on request.
  5. Imposing charges and levies as shall be prescribed by regulations for any service rendered by the Authority. 
  6. Entering into agreements with or engaging in any activity, either alone or in conjunction with local or international organizations for the purposes of this Act. 
  7. Representing Sri Lanka internationally in matters relating to cybersecurity in accordance with the government procedures. 
  8. Facilitating the domestic implementation of international legal obligations to which Sri Lanka is a party, in order to ensure the effective implementation of cybersecurity strategies and cybersecurity policies. 
  9. Promoting awareness among citizens and in relevant sectors regarding the risks in cyberspace.
  10. Engaging in capacity building to protect the identity, privacy, and economic assets in cyberspace. 

These powers, duties, and functions are exercised, discharged, and performed by a Board of Directors appointed by the Minister in charge of the subject of Digital Infrastructure and Information Technology.

The powers, duties, and functions of the Online Safety Commission.

  1. To issue directives to persons, service providers or internet intermediaries, who have published or communicated or whose service has been used to communicate any prohibited statement, requiring them to provide to persons who have been adversely affected by any prohibited statement, an opportunity of responding to such prohibited statement; 
  2. To issue notices to persons who communicate false statements that constitute offenses under this Act, to stop the communication of such statements; 
  3. To issue directives to persons who communicate prohibited statements under this Act, to stop the communication of any such statements; 
  4. To issue notices to any internet access service providers or internet intermediary to disable access to an online location which contains a prohibited statement by the end-users in Sri Lanka or to remove such prohibited statement from such online location; 
  5. To refer to the appropriate court for its consideration any communications that may be in contempt of court or prejudicial to the maintenance of the authority and impartiality of the judiciary, and to provide such assistance as may be required from any court in respect of any matter so referred to such court; 
  6. To make recommendations to service providers, internet intermediaries, and internet access service providers to remove prohibited statements; 
  7. To maintain an online portal containing information to enlighten the public of the falsity of any statement; 
  8. To specify declared online locations in terms of the provisions of this Act, and make recommendations to disable access to the information disseminated through such online location; 
  9. To carry out such investigations and provide such services upon being directed by any court; 
  10. To issue codes of practice by way of rules for service providers and internet intermediaries who provide internet-based communication services to the end-users in Sri Lanka; 
  11. To register, in such a manner as may be specified by rules made under this Act, the websites providing social media platforms to the end-users in Sri Lanka; 
  12. To consult, to the extent the Commission considers appropriate, any person or group of persons who or which may be affected, or likely to be affected, in the discharge of its powers and functions; 
  13. To advise the Government, as the Commission deems appropriate, on all matters concerning online safety in Sri Lanka, within the purview of this Act. 

Therefore, the Online Safety Commission has a wide range of powers and functions, including issuing directives and notices, making recommendations, maintaining an online portal,

7. Development of Cybersecurity Infrastructure

In addition to legislative measures, Sri Lanka has also developed its cybersecurity infrastructure. The following developments showcase the country's commitment to cybersecurity:

  • Education and Training:
      • Academic Institutions: Universities and technical institutes in Sri Lanka offer cybersecurity training and education programs. These institutions contribute to building a skilled cybersecurity workforce.
      • Certifications and Workshops: Various cybersecurity certifications and awareness workshops are available to individuals and professionals, helping to enhance their knowledge and skills in the field.
  • Public Awareness Campaigns:
      • Privacy Advocacy Groups: These organizations work to protect individuals' privacy rights and advocate for stronger data protection and cybersecurity measures.
      • Educational and Awareness Initiatives: Various NGOs and civil society groups undertake initiatives to raise awareness about cybersecurity and responsible online behavior among the public.
  • Collaboration with International Organizations:
      • International Law Enforcement Agencies: Sri Lanka collaborates with international law enforcement agencies to combat cybercrime that may have cross-border implications.
      • International Cybersecurity Organizations: Sri Lanka is actively involved in international cybersecurity forums and organizations that promote information sharing, best practices, and cooperation in tackling global cyber threats.
  • Private Sector Involvement:
      • Business Preparedness: Sri Lankan businesses, particularly larger enterprises and financial institutions, have recognized the importance of cybersecurity. Many have dedicated IT security teams and robust security measures in place to protect their digital assets.
      • Cybersecurity Service Providers: The private sector in Sri Lanka includes cybersecurity service providers that offer a range of solutions, including awareness training, threat detection, incident response, and consultancy services to businesses.

8. Regional Differences: Examining the Variations in Cybersecurity and Online Safety Across Different Regions

Sri Lanka, like many other countries, is not homogeneous in its approach to cybersecurity and online safety. Different regions within the country exhibit variations in their readiness to counter cyber threats and protect individuals and organizations in the digital landscape. This section delves into the regional differences in cybersecurity and online safety across Sri Lanka.

Western Province

As the economic and technological hub of Sri Lanka, the Western Province, which includes the capital city, Colombo, and its surrounding areas, is the most advanced region in terms of cybersecurity and online safety. Key characteristics include:

  • Concentration of Businesses: The Western Province hosts the highest number of businesses, many of which prioritize cybersecurity investments and employ dedicated IT security professionals.
  • Access to Resources: This region benefits from easier access to resources, including cybersecurity training programs and state-of-the-art technology solutions.
  • Government Initiatives: The government has established cybersecurity awareness programs and initiatives, and these often have a stronger presence in the Western Province.

Central Province

The Central Province, home to the city of Kandy, demonstrates varying levels of cybersecurity readiness. Key characteristics include:

  • Educational Institutions: The region hosts several universities and technical colleges, contributing to the development of cybersecurity skills and knowledge.
  • Digital Divide: While urban areas have good access to cybersecurity resources, rural areas in the Central Province may experience a digital divide with limited access to online safety measures.

Southern Province

The Southern Province, known for its beaches and tourism, presents a mixed picture of cybersecurity and online safety. Key characteristics include:

  • Tourism Industry: Businesses in the tourism sector may have less focus on cybersecurity compared to urban areas, making them vulnerable to cyber threats.
  • Awareness Gaps: Online safety awareness among the general public in this region may not be as high as in more urbanized areas.

Northern and Eastern Provinces

The Northern and Eastern Provinces, which are recovering from the effects of the civil conflict, face unique challenges in terms of cybersecurity and online safety. Key characteristics include:

  • Infrastructure Development: These regions may have limited access to advanced technology and infrastructure, impacting cybersecurity readiness.
  • Rebuilding Efforts: As these areas rebuild, efforts to improve digital infrastructure and cybersecurity awareness are ongoing but face challenges due to historical factors.

9. Challenges and Future Prospects

Sri Lanka's regional differences in cybersecurity and online safety reflect varying levels of development, access to resources, and awareness. To address these disparities, it is essential for the government and relevant stakeholders to consider regional contexts and tailor cybersecurity initiatives accordingly.

  1. The Imperative of Cyber Awareness:

In the modern digital age, where technology permeates every aspect of our lives, cybersecurity awareness is paramount, especially in a country like Sri Lanka. Cybersecurity awareness serves as the foundational pillar for ensuring online safety and protecting individuals, businesses, and the nation's critical infrastructure. Here are some key reasons why cybersecurity awareness is of utmost importance in Sri Lanka:

  • Protection from Evolving Threats:

As technology advances, cyber threats become increasingly sophisticated and diverse. Cybersecurity awareness is crucial in preparing the population to identify and mitigate emerging threats, helping to safeguard against potential future attacks.

  • National Security and Geopolitical Considerations:

Cybersecurity is critical to national security, and Sri Lanka's strategic position in the Indian Ocean region makes it an attractive target. Cybersecurity awareness is essential to protect the nation from geopolitical cyber threats.

  • Safeguarding Critical Infrastructure:

Sri Lanka's critical infrastructure, such as power grids, transportation systems, and healthcare facilities, is reliant on digital technology. Cybersecurity awareness is crucial to prevent cyberattacks on these essential services, which can have severe consequences for the nation.

  • Data Privacy and Personal Security:

As more personal data is shared online, individuals must be aware of the importance of data privacy and their own personal security. Awareness campaigns can empower people to protect their sensitive information.

  • Enhanced Global Collaboration:

By demonstrating a commitment to cybersecurity awareness, Sri Lanka can foster international collaboration, participate in global cybersecurity initiatives, and gain access to shared threat intelligence and best practices.

  2. Empowering Cybersecurity Awareness and Digital Inclusivity: A Forward-Looking Agenda for Sri Lanka

In the coming years, Sri Lanka has the opportunity to take its cybersecurity awareness efforts to the next level and ensure a more uniform and comprehensive approach to cybersecurity and online safety. 

  • Infrastructure Development:
      • Digital Inclusivity: To ensure equitable access to cybersecurity resources, Sri Lanka should prioritize digital inclusivity by extending reliable internet access to less-developed regions. This involves investing in broadband infrastructure and expanding the reach of affordable internet services to remote areas. In doing so, it can bridge the digital divide and empower underserved communities with access to online safety resources.
      • Cybersecurity Training Centers: Establish cybersecurity training centers in underserved regions to provide access to cybersecurity education, resources, and experts. These centers can offer workshops, training programs, and resources to individuals, businesses, and local governments, fostering digital literacy and security awareness.
      • Public-Private Infrastructure Collaboration: Encourage public-private partnerships to jointly fund and develop digital infrastructure projects in remote areas. These partnerships can lead to the establishment of cyber resilient infrastructure that benefits both local communities and businesses.
  • Education and Awareness:
      • Regional Awareness Campaigns: Recognize that knowledge about cybersecurity might be limited in certain regions. Design and launch region-specific awareness campaigns that cater to the unique needs, languages, and cultural contexts of these areas. These campaigns should emphasize the practical aspects of cybersecurity, such as secure online shopping, social media safety, and the use of strong passwords.
      • School and College Outreach: Collaborate with educational institutions in less-developed regions to incorporate cybersecurity awareness programs into their curricula. These programs can educate students about the importance of online safety, responsible digital citizenship, and potential career opportunities in the field of cybersecurity.
      • Community Engagement: Facilitate community engagement programs and workshops that target local populations. These workshops can be conducted in partnership with local leaders, community organizations, and religious institutions, reaching a wider audience with valuable cybersecurity information.
  • Government Support:
      • Regional Cybersecurity Task Forces: Encourage the formation of regional cybersecurity task forces or committees comprising government officials, cybersecurity experts, and local leaders. These task forces can assess the unique challenges and vulnerabilities in each region and develop region-specific cybersecurity initiatives.
      • Funding Allocations: Allocate government funding and resources to support cybersecurity initiatives in less-developed regions. This financial support can be used to establish cybersecurity training centers, organize awareness campaigns, and build digital infrastructure.
      • Regulatory Flexibility: Provide regulatory flexibility to accommodate the specific needs of less-developed regions. This could include tailored regulations that encourage private sector investment in underserved areas, especially in the realm of digital infrastructure and cybersecurity education.

By focusing on infrastructure development, education, and government support tailored to the needs of different regions, Sri Lanka can ensure that cybersecurity awareness and online safety efforts are accessible and effective across the entire country. This approach will empower all citizens and businesses to protect themselves in the digital age, bridging the digital divide and promoting digital resilience throughout the nation.

10. Conclusion: Assessing Sri Lanka's Progress in Cybersecurity and Online Safety

Sri Lanka's steadfast commitment to cybersecurity and online safety is exemplified by both the Cybersecurity Act of 2023 and the Online Safety Act of 2023. The creation of the Cybersecurity Regulatory Authority and the establishment of the Online Safety Commission, along with stringent legal provisions and educational initiatives, signify significant leaps toward a more secure digital environment. As the nation continues to evolve its approach to cybersecurity, its ability to effectively navigate and mitigate new challenges will be paramount in ensuring online safety for all citizens and securing critical national information infrastructure. Sri Lanka's progress in these domains reflects its unwavering dedication to creating a safer and more secure digital future for all.

A Talos Consulting (PVT) LTD initiative