OPINION

Nepal’s Digital Frontier: How Safe Are We from Cyber Attacks?

By Krishna Verma

In a timely move for a country that is becoming more and more dependent on the digital world, the Government of Nepal released advisory notes on January 21, 2025, with the goal of strengthening cybersecurity and protecting IT-related materials and equipment. It signaled a rising awareness of the country's vulnerabilities and emphasized the significance of cyber safety. Nepal, a landlocked nation in South Asia, has enthusiastically embraced the IT revolution, yet systemic issues like corruption are hindering its advancement, making technology both a blessing and a curse. Questions abound as IT becomes a hub for corruption and poor management: How secure is Nepal against cyberattacks? How does it address the growing issues in this field, and what is its regulatory framework? This article delves into Nepal’s cybersecurity landscape, weaving in data analytics, global practices, and the road ahead.


Nepal’s Cybersecurity Landscape: A Mixed Bag


There is no denying Nepal's digital transformation. According to the Nepal Telecommunications Authority (NTA), over 90% of people had internet access by the middle of 2024, and there were over 30 million internet users, a startling increase from just 35,000 in 2000. E-commerce, mobile banking, and e-governance have all benefited from this expansion, but Nepal is now more vulnerable to cyberattacks. Over 16,000 cybercrime complaints were filed with the Nepal Police's Cyber Bureau between 2019 and 2023. The number of cases roughly tripled, from 2,301 in 2019–2020 to 6,297 in 2022–2023, highlighting the growing dangers.


The threat landscape is dominated by ransomware, phishing, and hacking. Nepal's vulnerabilities are brought to light by high-profile events like the 2017 hack of 58 government websites by the "Paradox CyberGhost" organization and the January 2023 Distributed Denial of Service (DDoS) attack that rendered 1,500 government websites inoperable. The latter event revealed serious weaknesses in the Government Integrated Data Centre (GIDC) by interfering with services at Tribhuvan International Airport. The National Information Technology Centre (NITC) asserted that no data was compromised in the 2023 attack in spite of these breaches; nevertheless, this assertion was viewed with mistrust because there was no thorough forensic study.


According to the 2020 Global Cybersecurity Index (GCI), Nepal scored 44.99 out of 100, placing it 94th out of 182 nations worldwide. While this is an improvement over its 2018 ranking of 106th, Nepal still trails regional rivals Bangladesh (53rd, 81.27 points) and India (10th, 97.5 points). Nepal received the best score (15.61) for legal measures but the lowest score (4.26), out of the five pillars used by the GCI to evaluate nations: technical measures, organizational measures, capacity development, legal measures, and cooperation. This data depicts a country with good intentions but poor implementation.


The Regulatory Framework: Progress and Pitfalls


The Electronic Transactions Act (ETA) of 2008 is the cornerstone of Nepal's cybersecurity initiatives, which are based on a jumble of laws and regulations. The ETA, which was created to control online transactions, tackles cybercrimes like hacking and data breaches but is unable to combat contemporary concerns like ransomware or advanced persistent threats (APTs). Critics claim that because of a lack of technical experience and overworked authorities like the Cyber Bureau, which manages 60 to 70 complaints each day with inadequate resources, enforcement is still lax and the language is vague.




The National Cyber Security Policy (NCSP) 2080 was passed by the Cabinet in August 2023, marking a watershed moment as Nepal's first dedicated cybersecurity law. The NCSP aspires to build a "resilient cyberspace" by establishing provincial Computer Emergency Response Teams (CERTs), encouraging ethical hacking, and improving digital literacy among vulnerable populations such as women, children, and the elderly. The January 2025 advisory notes expand on this by advising firms to safeguard IT equipment, use up-to-date software, and report incidents promptly. However, the policy's broad reach has generated concerns regarding execution, particularly given Nepal's history of well-crafted plans that fail in practice.


The planned National Internet Gateway (NIG), which would centralize all internet traffic under government supervision, is a controversial clause in the NCSP. Digital rights activists, such as Digital Rights Nepal, caution that although it is presented as a cybersecurity tool, it may resemble authoritarian models like China's Great Firewall or Cambodia's NIG, restricting internet freedom and permitting surveillance. Trust in the regulatory process is further damaged by the absence of public consultation on this section, which was not included in the 2021 draft. Implementing the NCSP as a high priority would benefit Nepal's cybersecurity.


Current Practices: Strengths and Weaknesses


Nepal's cybersecurity procedures combine obvious flaws with small victories. The Computer Emergency Response Team (CERT-NP), which is supervised by the Department of Information Technology, carries out audits, vulnerability assessments, and awareness campaigns. The Information Technology Security Emergency Response Team (ITSERT-NP), newly established in 2024, seeks to close gaps by bringing together IT specialists and providing quick incident response. These organizations, however, are not as large or sophisticated as their counterparts, such as India's CERT-In, which uses real-time analytics and AI-driven threat detection.


The private sector's initiatives are still in their early stages, but they are growing. Banks, which are prime targets for hackers as Nepal shifts to digital payments, are implementing two-factor authentication and endpoint security. However, small and medium-sized enterprises (SMEs), which are critical to Nepal's economy, frequently use antiquated systems and cannot afford comprehensive protection. According to a poll conducted by the Federation of Nepalese Chambers of Commerce and Industry in 2023, 67% of SMEs lack basic cybersecurity practices, making them vulnerable to phishing and data breaches.


Public awareness remains a weak link. Despite government promotions, many Nepalis use readily guessable passwords or pirated software, which increases the risks. The Nepal Cybersecurity Scholarship Programme (NCSP)'s emphasis on education is a step forward, but execution is lacking: only 12% of rural schools offer IT literacy programs, according to a 2024 Ministry of Education report.


Challenges: Corruption, Capacity, and Connectivity


Corruption undermines cybersecurity efforts and has a lasting impact on Nepal's IT industry. Scandals involving IT procurement, including overpriced contracts for software or hardware and changes of IT equipment and systems, take money away from vital infrastructure improvements. IT-related graft was mentioned as a rising worry in a 2022 Transparency International study that rated Nepal 110th out of 180 nations in its Corruption Perceptions Index. Because of this misallocation, government systems that are operating on antiquated platforms, such as the often-attacked ".gov.np" domain, make easy targets for hackers.


Capacity limitations make the issue worse. According to ITSERT-NP estimations, Nepal has a scarcity of qualified cybersecurity workers, with fewer than 500 certified specialists across the country. There are few training programs, and talent is diverted overseas by brain drain. This disparity is reflected in the GCI's capacity development score of 9.60, which is significantly lower than India's 19.5. Computer education is taught in schools without computers or computer-literate teachers. Non-technical people leading IT-related organizations is another main reason for it.


Connectivity issues are also a major concern. Although internet usage is widespread, rural regions have inadequate infrastructure, with average speeds of 10 Mbps compared to 50 Mbps in metropolitan areas (NTA, 2024). Because remote areas continue to be cut off from updates and alerts, this digital gap impedes the adoption of cybersecurity across the country.


Global Practices: Lessons for Nepal


International leaders can serve as role models for Nepal. One example is Estonia, a tiny country with a strong digital economy. Following a 2007 hack, Estonia achieved a GCI score of 99.5 by enforcing cybersecurity training in schools, implementing blockchain for secure e-governance, and building a state-of-the-art CERT. Nepal might follow suit by giving public-private partnerships (PPP) and capacity building top priority. 


India's strategy, which combines CERT-In's proactive monitoring with a robust legislative framework (IT Act, 2000), has reduced breaches in its financial sector, an approach from which Nepal's banking sector may learn. To safeguard its telecom and hydropower industries, Nepal should follow the requirement in Singapore's Cybersecurity Act of 2018 for frequent assessments of key infrastructure.


According to Cybersecurity Ventures, the global cost of cybercrime is expected to increase from $3 trillion in 2015 to $10.5 trillion by 2025. Although Nepal accounts for a modest share, a single breach might destroy its fragile economy, particularly SMEs, which account for 22% of GDP.


The Road Ahead: Challenges and Opportunities


Three major obstacles stand in the way of Nepal's cybersecurity progress: implementing the NCSP, preventing IT corruption, and closing the skills gap. If the proposed NIG is not balanced with rights protections and openness, it runs the risk of alienating citizens. Emerging risks that are already affecting developed countries, such as AI-driven attacks and IoT vulnerabilities, are coming soon and call for preventative measures. 


But there are lots of opportunities. The 2025 advisory notes signal intent, and Nepal's defenses may be strengthened by regional collaboration with ASEAN or India. Modernizing infrastructure, investing in local talent, and cultivating a cybersecurity-aware society might turn Nepal from a victim into a digital contender.


In conclusion, Nepal is at a crossroads. Its ability to survive cyberattacks depends on putting policies into effect, rooting out corruption, and learning from the world. As the digital frontier grows, so does Nepal's determination to protect it, for its people, economy, and future.


 
