KATHMANDU: The official website of the Department of Passports was hacked and defaced by a Turkish group on June 27, 2017. The defaced website had not been restored even after 12 hours, and displayed a note threatening the government and demanding that it adhere to the hackers’ demands.
The note said that ‘government database and data’ would be disclosed if the hackers’ demands were not met. While officials at the Department of Information Technology (DoIT) did not really buy the threats, to an average Nepali, the hackers’ note represented vulnerability and irresponsibility on the government’s side.
Most social media users in Nepal took time to react and comment on the issue, but the concern soon lost its audience to the never-ending ‘promo garbage’ perpetuated on social media. However, it is important to understand that national cyber security is not a subject to be taken lightly. That said, it is wrong for us to blame only the government for not taking measures to combat cyber security threats, as users are equally capable of posing threats to a cyber-system.
In an effort to combat cyber threats, the government has set aside a budget of Rs 4.98 billion to bring in better servers and create reliable applications. According to the Director General of DoIT, Birendra Kumar Mishra, the department is working to introduce a set of directives that will institutionalize cyber laws. However, given the time required to implement government directives, better results have yet to be seen.
Youths more vulnerable to cyber crimes
However, Samir Gautam, a professional working on cyber security, said government officials seemed to lack up-to-date training when it comes to tackling the ever-increasing cyber threats. “While almost all government offices have an IT department, policy makers oftentimes are from a non-technical background and they fail to see the cyber security threats.”
This, Samir added, makes the officials reluctant to make active efforts to patch cyber threat issues. “Their reluctant nature to update an already established site/application in fear that something might go wrong puts the entire system under threat.”
Not only that, the government is in the practice of giving site development projects to the lowest bidders. This tendency costs the website its security, since compromises are made to reduce the cost of application and site development.
“In addition, there exists a tendency for project managers to be replaced while the application is still being developed, which reduces any possibility of IT professionals finding a backdoor or other security obstacles,” said Samir, adding, “The majority of government websites can be found sharing one server. And, if one website is hacked, other sites can be exposed to risk as well.”
Another professional working on cyber security, Nirmal Dahal, pointed out that it was troublesome for the government to trust developers based abroad to develop official government websites. The websites of Nepal Telecommunication Corporation (NTC) and Department of Transport Management (DoTM) were made in India.
Apart from legal difficulties, Nirmal suggested that the government develop its core applications within the country. This, in the future, will reduce the possibility of serious cyber-attacks once the country has been fully digitized, he said.
With regard to the website of the Passport Department, Nirmal said, “I think the Turkish hackers got hold of the website through content injection. Content injection was a persistent security issue in WordPress too.”
Since Nirmal was not on the recovery team, there was not much that he could comment on. He, however, added that if he were on the recovery team, he would make it a point to dig deeper into why, how and from where the site was hacked. Understanding the root cause of any criminal activity is essential in demotivating future perpetrators, he said.
Hacking is not only done for monetary gain. Hackers earn bitcoins, which can be later used to make illegal payments and manage online transactions. Sandeep Gupta, a web-expert, said, “If your device or network is targeted, you can pay the demanded ransom and get back your system, as happened with Swiss National Bank (SNB).”
However, there are newbies who hack devices and websites to learn, and who are more dangerous because “they can dump your devices and sites for their resume at the stake of permanently deleting the database.” The recovery process then takes a lot of time.
It is also increasingly popular among newbies to use somebody else’s device to plan a mass attack, said Sandeep. “Users might never know if their computer is being used by hackers. The least they do when their computer slows down as a result of hacking is format the device, which doesn’t solve the problem.”
Sandeep pointed out that the users also made it easy for hackers to hack into and deface important sites of the country. From not reporting to the Central Bureau of Investigation (CBI) on being hacked to publicly sharing the vulnerability status of government-level websites, users seem to be neglecting the fact that these threats could get bigger before the government can recover from the backlash.
“What happens when we tell the whole world that our property is not secure enough? It consequently opens space for national as well as international hackers to exploit our sites and destroy our database,” Sandeep said.