While it is one of the oldest CERTs in the region, Sri Lanka Computer Emergency Readiness Team and Coordination Centre (CERT|CC) has also carved out a reputation for being one of Asia Pacific’s most adaptable CERTs as it keeps pace with the constantly evolving cybersecurity landscape.
It was established by the Information and Communication Technology Agency (ICTA) in 2006 to fulfil a recommendation by the ICTA’s Information Security Working Group to form a National Centre for Cybersecurity for the purpose of protecting the information infrastructure of Sri Lanka.
“Our mandate in the beginning was to make sure all government departments had a cybersecurity policy in place, as well as to test and secure a range of e-governance applications the ICTA was rolling out at the time,” recounts Lal Dias, Sri Lanka CERT|CC’s CEO. Lal was recruited to the position after 25 years as a computer operations manager and advisor, largely for financial institutions.
“However, we’ve evolved into something quite different.”
Developing capacity within sectors
“The banks kept asking the police for help, who would then come to us. We ended up setting up a forensic lab, which to my knowledge has never been done by any other CERT, and started doing digital forensics investigations for the police,” Lal says.
In the following years, Sri Lanka CERT|CC worked with multiple sectors including telecommunications, education and defence to establish sector-based Computer Security Incident Response Teams (CSIRTs).
“The first CSIRT we set up was for the banks,” he says. “That CSIRT had two objectives. The first was to ensure all the banks shared threat intelligence information on a 24/7 basis. So, if one bank was compromised, they would share this information with the others to ensure they could all take necessary precautions to protect their systems. This information was anonymously shared because banks don’t want to publicize information that could alarm their customers and shareholders, causing reputational damage.
“The other objective was to establish a base-line security standard, which the central bank audits each year.”
Lal says empowering sectors to take responsibility for their cybersecurity has taken the onus off Sri Lanka CERT|CC to be the sole digital defender for Sri Lanka. It is a model they have sought to establish among government departments as well.
“We want to be enablers. We only have enough resources to employ 15 staff, so we have to develop awareness and capacity, and allow it to grow organically, which it has done. The .lk domain registry set up their own CERT (Tech CERT) and a number of other private companies have set up cybersecurity businesses,” he says.
“We encourage their establishment and existence as it means there is more awareness and resources available.”
Building awareness is key to becoming ready for attacks
Awareness building has become a primary focus for Sri Lanka CERT|CC in recent years, a shift that largely stems from the change the team has made to the ‘R’ in CERT.
“We now call ourselves the Computer Emergency Readiness Team as opposed to a Computer Emergency Response Team. We’d prefer to be ready for emergency situations rather than responding to them,” says Lal.
“Every time someone comes to us with an incident we say ‘ok, we will fix the problem and here’s the information you need to make sure it won’t happen again’.”
Sri Lanka CERT|CC also run several national awareness programs including an annual Cyber Security Week, which was started in 2008.
“We are continually running workshops, hackathons, and challenges for schools and the corporate sector. Educating young people has become more important with the rise of social media; we run a call centre that answers 50-100 calls per day and the majority of the complaints are about social media issues,” Lal says.
“We also work very closely with law enforcement and the judicial system. ICTA has a Director/Legal Advisor who serves on our Board of Directors and he regularly runs workshops with judges, and we are helping the police force establish a computer crimes unit in every police station across the country.
“Most CERTs in the world don’t offer this range of services but we’ve gone beyond the traditional concept of a CERT to become a truly national Centre for Cybersecurity.”
Not resting on their laurels, Lal says Sri Lanka CERT|CC are continuing to look at ways to increase their impact. They recently became signatories of the Budapest Convention on Cybercrime (the first country in the South Asia region to do so) and are working closely with ICTA to establish a National Security Operations Centre (N-SOC) in the next 12 months.
They are also sharing their lessons with other developing economies in the region, including Tonga CERT, which credits Sri Lanka CERT|CC for helping them become the first Pacific economy to launch a national CERT.
“Ultimately cybercrime is borderless, and unless we all play our part and help each other out by sharing our experience and tech intelligence, we’ll forever be playing catch-up.”
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC.