‘Around the globe, digital
technologies have evolved into a powerful economic tool that has
improved quality of life of citizens and transformed the way that
governments, businesses, and citizens connect, engage, and access
information and services. Many societies are now dependent on digital
technologies which has led these technologies to be considered as a
fundamental social infrastructure.
Along with their numerous benefits digital technologies also brings
with them numerous cyber threats. The global number of cyber security
incidents recorded in 2015 is 59.06 million1. A study estimates that
the total annual cost of all data breaches by 2019 will be $2.1
trillion which is almost four times the estimated cost of breaches in
20152. In Sri Lanka, The Sri Lanka Computer Emergency Readiness Team |
Coordination Centre (Sri Lanka CERT|CC) has received 3907 cyber
security related incidents in 2017, which is a significant increase
In this context, we, the government of Sri Lanka, seeks to show our
commitment to keep the nation safe, secure and prosperous, by
introducing Sri Lanka’s first Information and Cyber Security Strategy
which will be implemented over period of five years from 2018 to 2023.
Our strategy aims to create a resilient and trusted cyber security
ecosystem that will enable le Sri Lanka
Our strategy is
underpinned by six pillars:
1. Establishment of a
governance framework to implement national information and cyber
2. Enactment and
formulation of legislation, policies, and standards to create a
regulatory environment to protect individuals and organizations in the
3. Development of a
skilled and competent workforce to detect, defend and respond to cyber
with public authorities to ensure that the digital government systems
implemented and operated by the them have the appropriate level of
cyber security and resilience
5. Raising awareness and
empowering citizens to defend themselves against cyber crimes
6. Development of
public-private, local-international partnerships to create a robust
Thrust # 1: Establishment
of the Governance Framework
In 2006, the government of Sri Lanka established Sri Lanka CERT|CC as
the single trusted source of advice on the latest threats and
vulnerabilities affecting computer systems and networks, charged with
the responsibility of providing technical support in responding to and
recovering from Cyberattacks. Sri Lanka CERT was established under the
Information and Communication Technology Agency (ICTA) of Sri Lanka,
and comes under the purview of the Ministry of Telecommunication and
As the complexity of the cyber security ecosystem increases, the
government of Sri Lanka recognizes the necessity of introducing a
national information and cyber security strategy to cope with emerging
threats. It is a high-level top-down approach to information and cyber
security that establishes a range of national objectives and
priorities that should be achieved in a specific timeframe.
In line with the strategy, a National Information and Cyber Security
Agency will be established. The Agency will be responsible for
overseeing the implementation of the cyber security strategy, setting
national polices, facilitating the protection of critical national
infrastructure, educating citizens, building a pioneering technology
competent workforce, and promoting industry development
“Our strategy is to
establish a powerful agency which oversees the overall implementation
of the information and cyber security strategy of Sri Lanka, and to
establish specialized subordinate agencies for effectively battling
emerging cyber threats”
1.1. Establishment of the
National Information and Cyber Security Agency of Sri Lanka (NICSA)
NICSA will be established as the apex institution for all cyber
security related affairs in Sri Lanka. The Agency mandate shall be to
oversee the implementation of the national information and cyber
1.1.1. Agency shall be governed by a high-level committee which
comprises of the representatives of Ministries involved in the Defence,
Justice, Finance, ICT and Telecommunication, Media, and Public
Administration. The Head of the Agency shall represent the National
Security Council of Sri Lanka.
The agency shall,
1.1.1. Function as the command and control body to promote this
strategy and play a leading role in implementing cyber security
initiatives set forth in this strategy.
1.1.2. Provide technical support for law enforcement authorities in
conducting digital forensic investigations.
1.1.3. Build the capacity of sectoral CERTs and facilitate Sri Lanka
CERT|CC to coordinate with sectoral CERTs for sharing incident
information, best practices and other security related information.
1.1.4. Provide technical support to government bodies such as
Ministries, authorities, boards, corporations etc.
1.1.5. Disseminate emerging cyber threat warnings to all Sri Lankans.
1.1.6. Act as a certification body issuing licenses for firms
conducting information security related services.
1.2. Institutions Under the NICSA
1.2.1. We will continue to operate Sri Lanka CERT|CC as the National
CERT to protect users in the public and private sector organizations
and the general public by providing up-to-date information on
potential threats and vulnerabilities and by undertaking computer
emergency response handling services.
1.2.2. We will set up a 24 X 7 Cyber Security Call Center with a focus
on assisting citizens, government organizations, and private firms to
respond to cyber security incidents.
1.2.3. We will set up a National Cyber Alert System with the
involvement of Internet Service Providers (ISPs) and Telcos to deliver
targeted, timely, and actionable information to Sri Lankans and to
educate citizens on how to secure their computer systems.
1.2.4. We will establish a Digital Forensic Lab to conduct digital
forensic investigations and examinations in the areas of computer
forensics, mobile forensics, audio forensics, video forensics and so
1.2.5. We will establish the National Cyber Security Operating Centre
(NCSOC) for monitoring threats to digital government applications,
critical information infrastructure, and critical systems of private
1.2.6. We will establish the National Certification Authority (NCA) by
addressing the limitations of the existing certificate authorities.
1.2.7. We will establish a Research Unit for developing, coordinating
and stimulating continuous research activities in the fields of
Strategic Policy Research, Information Security Research, Cyber
Security and Technology related research.
1.2.8. We will appoint Chief Security officer positon and Information
Security officers for public service (Refer Thrust Area 3).
1.3. Monitoring and Evaluation (M&E) Framework
A comprehensive results based M&E framework will be developed to
assess and measure the performance of the outcomes and outputs as a
result of the implementation of the strategy.
To be continued.....
Invitation to Public Comments on Cyber Security Strategy. Please add
Dr. Kanishka Karunasena,
Research and Policy
Development Specialist, Sri Lanka CERT