State of cyber security
No one, it seems, takes cyber security seriously in Nepal. Not the government or its ministries whose websites are frequently hacked. Not the law enforcement agencies which are slow (and often clueless) about reported cybercrimes. And certainly not the banks and financial institutions (BFIs) that are still reluctant to invest in securing their computer networks and online systems, even though more and more bank transactions have shifted online. In the latest case of breach of insecure bank computer networks, hackers broke into NIC Asia Bank’s SWIFT money transfer system and transferred an as yet unspecified amount of money to various accounts around the world. The exact scale of the loss is hard to pin as both NIC and Nepal Rastra Bank, the main regulator of the banking sector, have been rather tight-lipped about the whole affair. Whatever the actual monetary loss, it pales in comparison to the systemic risks to our online banking networks the theft suggests. There is also clearly more to the NIC cyber heist than its management and the main regulator would have people believe.
Beyoncé, Taylor Swift could have historic night at Grammys
One reason they have chosen not to speak could be their fear that if the actual scale of the cyber heist is disclosed, there could be a panic among NIC customers. True, there is always that fear, and it is the central bank’s responsibility to ensure that people continue to have faith in the banking system. But time has also clearly come for the central bank to crack a whip on BFIs for their manifest laxity in their cyber systems. For instance, NIC made a grave error when it allowed the computers that handle SWIFT operations to be used for other purposes, including private browsing, giving hackers a convenient way into the system. Since banks are the repositories of savings of common folks, it is in public interest to secure vital banking networks against outside threats, be it from computer hackers or currency speculators. The banks that fail in this vital duty must be punished. Time has also come to better secure government online services, like the passport service of the Department of Passports whose website was hacked earlier this year. Considering that Nepal is preparing to issue biometric identity cards to all its nationals, and which will contain all kinds of individualized information, this was no small breach.
Nepal enacted the Electronic Transactions Act (2008) precisely to deal with the emerging cyber crimes. But its implementation has been weak. From the time of the Act’s promulgation, Nepal Police has been saying that it plans to set up a separate cyber bureau to deal exclusively with cybercrimes and ensure better cyber security. Nearly a decade on, the bureau remains confined in the imagination of top cops. This again goes to show how lightly the Nepali state takes cyber security. In the wake of NIC Asia heist, there can be no justification for any more delays. In 2016, around 3.2 million debit cards of various banks in India were hacked via a malware. A cyber attack of similar scale could take down the whole banking system of Nepal.