
Cyber Security Situation in Nepal – Dr. Ramhari Subedi


    Technological advancement in society has increased over time. As a result, lifestyles are continually and phenomenally revolutionized. The invention of the Internet and growth in the field of IT have made it possible to perform many different types of activities online using computers and handheld devices, and have turned the entire world into a global village.

    In Nepal, news and reports of cyber security breaches have been regularly broadcast to the public, both in the past and in recent days, by the media and the police department. Nepal faces a very risky and challenging IT environment today. Despite the country's high regard for security and privacy, the relevant cyber security policies in Nepal are still not able to address the growing security breach concerns of cyber users.

    At issue are the cyber security policies, their role in minimizing the threats users experience on their network infrastructure, and the facets that can be improved to ensure security. For Nepal, it is important to know the issues and concerns with the existing cyber security policies in order to understand why they fail to ensure minimal risk of cyber security breaches, as reflected in the country's rising risk of cybercrime despite its high concern for security and privacy.

    In Nepal, public, private, and nonprofit entities are all in the process of introducing Information and Communication Technology (ICT) to improve their computing performance which was introduced in 2008. The e-policy in Nepal targets the use of ICTs in program and services delivery as well as the use of information infrastructures to improve overall internal administrative processes and procedures. To support the e-policy initiative, several legal instruments have been crafted and the necessary institutional mechanism has been created. However, the digital divide at both the individual and institutional levels is obvious in Nepal. Still, even with these issues, Nepal is, in general, optimistic about the role that ICTs can play in overall economic improvement and poverty alleviation.

    ICTs are a fairly new phenomenon in Nepal. In addition, while many users are becoming attracted to what ICTs can do, ICT users in general lack technical knowledge of cyber security. It is important that all cyber users have this knowledge, especially in Nepal, because, with reports of a heightened risk of cybercrime, users are increasingly at risk of being exposed to cyber security threats.

    Internet service provider (ISP) sources have demonstrated that the number of Internet users increases by 50% annually. In 2000, there were only 35,000 users. The number had grown 10 times by 2009, which shows that there is indeed a growing trend for ICT applications and Internet consumption in Nepal.

    Employees of business organizations already account for approximately 30% of Internet service use in Nepal. International organizations and private home users each account for approximately 20%. Moreover, the number of computer users in rural areas is increasing due to the opportunities provided by schools, colleges, and computer training institutes.

    The Nepalese, as members of the Asian community, regard privacy with high importance; thus, more sophisticated security policies are expected. Security, as an important aspect of upholding privacy, is something cyber users consider when performing online tasks. Security has been proven to be an important factor considered by computer and Internet users in Asia; many cyber users are raising concerns regarding cybersecurity in the region, specifically in Nepal.

    In developing countries like Nepal, three areas have been identified related to cybersecurity threats: (a) poor digital access, (b) institutional instability, and (c) regime instability. However, cybersecurity policies in Nepal still cannot address the cybersecurity threats and issues in the country. The research I conducted in Nepal found that the majority of people believed that cybersecurity policies are ineffective because no proper cyber law has been implemented in Nepal. Based on the survey, 67% shared this perception. There is no proper cyber law in Nepal. If an individual commits a cybercrime, there is very little that the Nepal government can do in terms of enforcing the legal policies.

    The country’s cyber law progress has moved very slowly because email and computer transactions are not considered trustworthy by the government. The country does not utilize the same level of technology as other developed countries. The Nepal government believes that passwords can be easily guessed, thus leading to the hacking of users’ accounts, which is largely due to outdated IT systems being used by high-profile government agencies. Part of the problem is that citizens of Nepal tend to make easily guessed passwords using numbers and information significant in their lives, including their first and last names, birthdays, phone numbers, and locations. The Nepal police department is working with the outdated Cyber Law Act of 2006/2007. Since the legislation (Electronic Media Act) was passed in 2006/2007, there has been little to no cyber law reform, which is crucial for staying up to date with changing technology. Laws on cyber matters should be updated frequently and regularly.

    Nepal faces a general lack of policy, up-to-date software, and IT knowledge, which has led to frequent spamming, phishing, and password piracy issues. These problems indicate a very ineffective cyber policy based on the perceptions of IT professionals. Another observation was that there are effective cybersecurity policies, as institutions have been established to prevent crimes; 17% of professionals believed that there are effective cybersecurity policies in Nepal. According to the Central Investigation Bureau (CIB) Department, the government punishes individuals who commit cybercrimes, with consequences based on the level of the crime committed. The Cyber Law Act of 2006/2007 declared hacking, stealing data, pirating software, and posting defamatory information online to be criminal and civil offenses. Under this law, the government can punish cyber-offenders with up to five years of imprisonment and/or a fine of up to $1,000 depending on the severity. According to CIB, the agency keeps systematic records of the reported crimes.

    The police department has also claimed that awareness programs are being conducted in many locations on a regular basis. Conversely, the banking sector claims to have appropriate security measures in place. This sector claims to utilize primarily genuine software, VPN access for branches, firewalls, awareness programs for employees, password updating policies, proper backup systems, and high availability with SAN and VMware technologies. They also claim that all systems are being updated regularly; however, there are some locations in Nepal where the ATMs are still using Windows XP as an operating system. Microsoft stopped supporting Windows XP in April of 2014 after it was identified that the operating system has the highest number of vulnerabilities. Meanwhile, based on the survey, 11% of IT professionals also believed that there were ineffective cybersecurity policies for the institutions, as they feel that receiving cyber threats and viruses is unavoidable. IT professionals perceived that the computer devices used on many college campuses could easily transfer viruses, as most had pirated antivirus software installed. Pen drives are largely to blame for the transfer of viruses because the software does not detect the malware; the drives are not fully scanned by the antivirus software. Many citizens of Nepal are not aware of how to conduct a virus scan on their devices. 6% of IT professionals believed that the country is lagging behind other countries in the technology sector due to ineffective policies.

    The observations showed that minimizing cybersecurity risks would incur extra costs, which is the primary reason why users have not made concrete efforts to ensure their cyber safety. 44% of those in the study shared this major perception. Professionals stated that using genuine versions of operating systems would create additional costs because they are generally more expensive. For example, computer parts cost about $150, antivirus software is about $30, a genuine operating system is about $150, and if the user wishes to add SQL Apache this would cost an additional $200. The total can be anywhere between $350 and $400 compared to $200 for pirated software. It is common practice for the sellers of the devices to provide customers with both a pirated and a genuine software option. Companies and institutions are unwilling to fully invest in cybersecurity unless they are able to realize immediate benefits.

    Another perceived reason why cybersecurity policies are not maximized for the safety of the users was the lack of awareness of security on the users’ end. Security has not improved because the preventive actions the government has taken still largely depend on the clients or users. IT professionals also commented that there was a perceived lack of awareness on the part of parents. Many parents are unaware of their children’s online activities, which often include misusing social networks such as Facebook and Twitter and sharing passwords, activities, and statuses without understanding the consequences. The users' lack of awareness is one of the main reasons why minimizing security risks has been difficult for the government to pursue.

    Most cybercrime cases are never reported. In the majority of cases, victims themselves are unaware that they have become victims. There was also the issue of the older generation's unwillingness to see changes; because of this interference, ensuring minimal risk of cybersecurity breaches in Nepal is not achieved. Professionals also shared that because of the generation gap or the fear of change, cybersecurity policies have not been implemented properly. Many government agencies and companies are afraid to upgrade software because they do not understand how it works. Participants also cited language barriers and lack of education as other potential issues. Members of an older generation tend to hold power in government agencies, which can sometimes lead to a lack of willingness to change.

    Competition between IT professionals became a barrier to achieving full protection from cyber risks. This competition highlights a lack of support for reducing and solving cybersecurity issues because of personal and business interests. There is a sense that if companies make individuals more aware of ways to maximize cybersecurity, they may lose their businesses.

    IT professionals deemed the self-awareness and literacy of users to be the main protections and answers for developing more efficient actions to minimize the risks of a cybersecurity breach in Nepal. 67% of IT professionals stated this perception. Self-awareness and the literacy of users are crucial to solving and achieving the goal of minimizing the risks of cybersecurity breaches in Nepal.

    Users should be made aware of the rules of cybersecurity to have a more effective system, not only in the schools but also in the country as a whole. Providing proper training and sharing knowledge will also help to minimize the risks. Management should provide continuous support and awareness, and users should carefully protect their accounts and passwords. Passwords should not be saved on any computer or be stored openly where they can be seen. Users should frequently change and update passwords with different letters and numbers. Security can be improved by avoiding unauthorized software. Additionally, the existing Cyber Act of 2006/2007 should be reconsidered for reform. Many individuals in Nepal are not aware of the country’s cyber laws. The government should make such information available so that citizens are aware of the consequences. Professionals also suggested that cyber laws should be strictly enforced. Large-scale companies such as Microsoft, Apple, RedHat and other major companies should also reconsider pricing, particularly making products more affordable. Poorer countries such as Nepal should not be charged the same prices as those of more developed nations. Participants also commented that it would be helpful to have a data center in Nepal so as to eliminate the use of servers in other countries.

    The government should strengthen the cybersecurity policies: 44% of IT professionals stated that the government should focus on and target cyber policies and maintain a strong security process while strengthening the rules and regulations and enforcing the law. They also indicated that cyber cafés, public locations with internet access, should be closely monitored. The government should also make it mandatory for cyber cafés to keep records of user logins and logouts, as many of the locations are unregulated. The government should take more action against piracy. The existing legislation is inadequate in a number of ways. For example, the law does not cover some of the most common forms of cybercrime, such as those involving social media, and as a result respondents suggested amending the cyber law. Participants added that maintaining strong and skilled IT employees in Nepal for both the government and private sector would be useful. Many skilled IT engineers are being outsourced for higher wages in other developed countries.

    The traditional response is to install antivirus software that can block inappropriate internet sites to reduce the risks of cybersecurity breaches. Users have to install the genuine version of antivirus software to prevent viruses from contaminating their computers. Another preventive measure could be to require users to log in before they can access Wi-Fi, which adds a level of security to the system. Users, staff members, and administrators should be assigned and allocated a certain amount of bandwidth, and management teams should carefully watch over the different systems being used.

    The private sector and the Nepalese government need to bring their focus and target to strengthening the cybersecurity policies of Nepal, considering how the economy and society are now technologically advanced and dependent. My findings based on IT professionals were that currently, the Nepalese government is ineffective in producing and implementing policies to make its society, whose members are largely internet users, feel safe and protected. The key hindrance to maximizing the means for cybersecurity was the total investment or costs that the changes for protection may incur. Lastly, IT professionals believed that self-awareness and literacy of the users are the main answers to the cybersecurity issues looming today.

    These solutions can be utilized to improve the overall state of cybersecurity not only in Nepal but also in other countries in need of similar policy development. With the inevitable advancement of computer technology and the use of the internet all over the world, an interested person could help spread awareness for a safer and more protected use of the internet for different functional purposes. Smarter use of the internet can be another implication for the stakeholders: awareness of safe internet use leads to a reduction of cyber risks and crimes. Cyber issues generally decline as internet users become more aware and educated about the dos and don’ts of surfing and browsing the internet.

    Dr. Ramhari Subedi

    Subedi.ramhari@gmail.com