FCO Cyber security capacity building programme

This is a project funded by the UK Foreign and Commonwealth Office (FCO).

The purpose of the project was to deliver a coherent portfolio of transformational projects, building on previous efforts, to reduce the cyber threat to the UK by helping the partners to develop their own cyber security capacity – since cyberspace is borderless, we collectively become stronger when each country improves its own defences.

The philosophy behind this project is to strengthen and enhance Sri Lanka’s cyber security in order to reduce threats to the UK.

The long-term impact would be:

  1. Ensure safe and secure critical Information Infrastructure to improve Government-wide ICT usage and establish confidence among citizens to use ICT based services.
  2. Ability to secure the nation from cyber security incidents in an increasingly efficient manner to reduce threats to the UK from Sri Lanka.
  3. Build a sustainable cyber security framework to better protect vulnerable sections of the community (women and children) and minimize them being victims of internet abuse.

The following activities were conducted through this project:

Procurement of Cybercrime investigation resources for Sri Lanka CERT | CC
  • Procured two digital forensics analysis software licenses
  • Three staff members of Sri Lanka CERT | CC were trained on the use of EnCase Forensics software tools.
Provided training for staff of Sri Lanka CERT | CC
  • Web App Penetration Testing and Ethical Hacking in Dubai (United Arab Emirates)
  • Network Security and Penetration testing (Malaysia) - 6 members of staff
  • Certified Hacking Forensics Investigator (CHFI) Training and Certification - 3 members of staff
  • Advanced web hacking defence (Malaysia) - 2 members of staff
  • SANS - Hacker Tools, Techniques, Exploits and Incident Handling (Singapore)- 2 members of staff.
  • Mobile hacking and security training (Malaysia) - 3 members of staff.
Development of National Cyber Security Strategy for Sri Lanka
  • Workshop for main stakeholders with the UK resource person
  • Main stakeholder meeting
  • Four stakeholder workshops
Awareness programmes delivered for government organisations and general public
  • Awareness program on Information Security Policy Development delivered for CIOs of government institutions
  • 2 x full-day awareness programs on Internet Safety for government officers
  • Full-day program on “Social Media related incident handling and open source investigations” for police officers
  • Full-day Information security awareness workshop for law enforcement officers
  • Cyber forensics training for CID officers (Indian Resource person)
  • Cyber forensics training for CID officers (resource person from Thailand)
  • Printed 6,500 cyber safety posters for distributing among schools. Handed over the printed flyers to the MoE which they distributed through zonal centres.
  • Developed and telecast TV advertisements for CSW 2017.
  • Developed a number of cyber security awareness video clips for publishing on social media
Project Duration

December 2016 - March 2018

Government Website Audit Initiative

Sri Lanka CERT | CC implemented a project to conduct security audits for 120 government websites in order to identify possible security vulnerabilities and provide recommendations to address the possible security threats. The project was carried out to make the government websites secure and trustworthy so that government officers are confident when delivering information through their websites. Further, the project increased the awareness of public staff of the importance of ensuring the security of government websites.

Sri Lanka CERT | CC hosted two awareness programs that were aligned with the government website audit initiative for the Heads of the government departments and ministries, in order to emphasise the importance of ensuring website security. It is a responsibility of each government institution to fix the identified vulnerabilities of their website and to ensure its security.

The project was started by conducting initial assessments of government websites. Once a government organization had fixed the identified vulnerabilities, re-assessments were carried out to ensure that the vulnerabilities were rectified.

The initial assessments were successfully completed for 120 websites, and as of 31st December 2019, 49 government organizations were able to fix the vulnerabilities of their websites while 9 organizations decided to build new websites. Sri Lanka CERT | CC is following up with the rest of the organizations to ensure that they fix these vulnerabilities.

This website audit initiative was conducted during the period 2018-2019.

National Certification Authority (NCA) of Sri Lanka

With the rapid deployment of digital services and expansion of e-Government initiatives to deliver citizen services in the country, electronic transactions in Sri Lanka will grow substantially in the near future. This increases the probability of identity theft, financial fraud and other security breaches. Therefore, the requirement to authenticate citizens as well as organizations involved in digital transactions becomes pivotal.

Digital certificates ensure that there is a mechanism to reliably and securely prove the origin, receipt and integrity of information and also to identify the parties involved in a digital transaction. The use of digital certificates also enables users to achieve transaction confidentiality and integrity using the public key cryptosystem and the hash function.

The Electronic Transactions Act No. 19 of 2006, amended by Act No. 25 of 2017, provides the legal basis for a national framework, with legal recognition for electronic signatures, including digital certificates.

Pursuant to the Extraordinary Gazette No. 2147/58, dated 30th October 2019, Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT | CC) has been designated as the Certification Authority under section 18 of the Electronic Transactions Act No. 19 of 2006 to perform the functions of the National Certification Authority (NCA).

Therefore, National Certification Authority (NCA) of Sri Lanka was established as a project of Sri Lanka CERT|CC to facilitate secure electronic transactions that ensure delivery of secure and reliable electronic services to the citizens and also to assist to achieve the government policy on secure cross border electronic transactions and hence enhance the business index of the country. It is the overall governance as well as the standard setting entity required for the smooth and effective functioning of Certification Service Providers (CSPs) in the country. CSPs are entities which provide electronic signature and digital certification services, as per the provisions of the Electronic Transactions Act No. 19 of 2006 (as Amended). The Root CA of National Certification Authority is the highest-level Certification Authority in Sri Lanka.

The Key Generation Ceremony, the formal function to generate the Root certificate of the NCA, was held on 14th February 2020.

Currently the NCA is undergoing an extensive audit to obtain Seals for the latest WebTrust standards, WebTrust for CA and WebTrust for SSL Baseline with Network Security.

The NCA of Sri Lanka is planning to embed its root certificate in web browsers and other selected applications.

Further information on NCA can be found on https://www.nca.gov.lk/

National Cyber Security Operations Centre (NCSOC)

Aligned with the rapid digitalization of the economy, the Government Network implementation has taken an accelerated approach. With the increase in digital infrastructure development and usage, cyber threat levels and attacks are increasing every day. Sri Lanka CERT | CC has commenced the implementation of the NCSOC, which is designed for early detection and prevention of cyber threats, ensuring the security, reliability and availability of Government systems and infrastructure. Sri Lanka CERT | CC has been mandated to be the focal point for preventing, protecting against and responding to cyber security threats and vulnerabilities within Sri Lanka’s ICT infrastructure.

Typically, a SOC is the people, processes and technologies involved in providing situational awareness through the detection, containment, and remediation of IT threats. A SOC manages incidents for the enterprise, ensuring that they are properly identified, analysed, communicated, actioned/defended, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have a business impact.

Proposed NCSOC Solution Design and Architecture

The National Cyber Security Operations Centre is equipped with hardware and software capable of Big Data Analytics, which will help security monitoring, analysis and response to be carried out in an effective manner.

NCSOC Main Services
  • Early Detection System
  • Vulnerability Management Service
  • Web Defacement Detection Service
  • Advance Data Analytics System (ADAS)
  • Threat Intelligence
  • Forensics
Conceptual Diagram
NCSOC objectives

The NCSOC is required to monitor the information systems of the government networks, block any malicious activities and facilitate error-free, uninterrupted services to the general public.

The SOC resources will be used to protect those institutions that provide critically important citizen services, such as Power and Water Supply, Customs, Immigration and Ports Services, the disruption of which would pose a threat to national security.

Engage with competent individuals from government and private sector to create a pool of resources and thereby create a strong consultative arm over a period of time.

Provide a low cost advanced monitoring service to the government institutions in order to protect their network systems from cyber-attacks.

Serve as the central body to monitor the network security of Government institutions.

Proactively discover ongoing breaches and be well prepared for major incidents.

Composition of target beneficiaries/stakeholders
  • Government/private organizations that offer online citizen services
  • General public
Current status of the project

This project has been approved for a period of 3 years.

The following tasks are in progress.

  • Procuring the Hardware for NCSOC data centre
  • Procuring the Co-location for NCSOC Hardware Data centre
Implementation of NCSOC

Implementation, Technical Support and Collaboration: Sri Lanka CERT | CC

Line Ministry: Ministry of Technology

National Information and Cyber Security Strategy of Sri Lanka (2019-2023)

The Government of Sri Lanka, committed to keeping the nation safe, secure and prosperous, introduced the first National Information and Cyber Security Strategy, which is implemented over a period of five (05) years from 2019 to 2023. This strategy aims at creating a resilient and trusted cyber security ecosystem that will enable Sri Lankan citizens and other parties to realize the benefits of digital technologies for upgrading their livelihood by facilitating socio-economic development.

The Strategy identifies six (6) strategic thrust areas as follows:

  1. Establishment of a governance framework to implement National Information and Cyber Security Strategy
  2. Enactment and formulation of legislation, policies and standards to create a regulatory environment to protect individuals and organizations in the cyber space
  3. Development of a skilled and competent workforce to detect, defend and respond to cyber attacks
  4. Collaboration with public sector authorities to ensure that the digital government systems implemented and operated by them have the appropriate level of cyber security and resilience
  5. Raising awareness and empowering citizens to defend themselves against cybercrimes
  6. Development of public-private, local-international partnerships to create robust cybersecurity ecosystem

The National Information and Cyber Security Strategy of Sri Lanka (2019-2023) can be downloaded from the below link.

The Action Plan was developed to show the expected outputs, outcomes and activities required to achieve each thrust area. The action plan is currently being implemented successfully through numerous projects and can be found on the below link.

Surveys being conducted by Sri Lanka CERT | CC

  1. Public Officers’ Information and Cyber Security Readiness Assessment
  2. Cyber Security Professional’s Supply and Demand Assessment
  3. Assess the Information and Cyber Security Readiness of the Critical Infrastructure Service Providers
  4. National Survey on Citizens Awareness on Information Security and Cyber Security & to establish the Cyber Security Readiness of Most Vulnerable Communities

Public Officers’ Information and Cyber Security Readiness Assessment

Over the past decade, many ICT applications have been built to increase the efficiency and the effectiveness of public administration. However, in recent years the number of cyber-attacks has increased, making a significant impact on economies across the globe.

In battling cyber-attacks, organizations around the world are focusing heavily on protecting hardware infrastructure and software applications. However, there is a lack of attention being paid to the human aspects which is commonly understood as the weakest aspect of cybersecurity. Many organizations underestimate the human factor in information and cyber security though people’s understanding, knowledge, and perceptions on information and cyber security is critical for protecting digital systems in organizations. Globally accepted research reveals that 7 out of 10 employees lack the awareness, skills and knowledge to prevent cybersecurity incidents.

In Sri Lanka, it is also an accepted fact that public officers’ awareness of information and cyber security is insufficient. However, no proper study has been conducted to date to assess public officials’ readiness for information and cyber security. Therefore, Sri Lanka CERT | CC launched a survey of public sector employees to assess their Information Security and Cyber Security readiness to work in a digital government environment. Findings of the survey will be used to develop a strategy to enhance overall competence in Information Security and Cyber Security.

Objectives of the Study
  1. Conduct a national survey to assess the public officers’ readiness on information and cyber security, and
  2. Develop a national strategy to enhance the public officers’ overall competence of information and cyber security.
Current Status of the Project

Following an open tender process, the project has been awarded to Multi-Tech Solution (Pvt) Ltd. The questionnaire and other materials have been finalized with the approval of Sri Lanka CERT | CC. Due to the COVID-19 health restrictions, the survey is presently ongoing for the organizations which are in a position to facilitate online data gathering.

Cyber Security Professional’s Supply and Demand Assessment

With the rapid development of Information and communication technology during the past few decades, online service delivery and online social engagements have grown exponentially. Along with the numerous rewards that digitalization provides, there are threats and risks emerging where it is almost impossible to eliminate the negative impacts. Financial institutions, defence agencies and the government institutes have become the primary targets of the attackers in recent times. Hence cyber threats need to be identified early and preventive measures taken well in advance. Most of the attacks turn out to be successful due to lack of awareness and the lack of required skills of the personnel that are responsible for operating these ICT systems.

In this context, it is necessary to ensure the availability of knowledgeable and highly skilled professionals in the information and cyber security domain in order to protect against, detect, defend against and respond to these cyberattacks. Research conducted by universities, research institutes and other academic organizations shows that there is a global shortage of information security experts. A skills gap analysis conducted by the Information Systems Audit and Control Association (ISACA) in 2016 estimated a global shortage of 2 million cybersecurity professionals by 2019. As per the Global Cyber Security Index (GCSI), Sri Lanka needs to expend much effort on building overall human resource capacity to combat emerging cyber threats.

In Sri Lanka, to date, there is a severe lack of initiatives to address the domestic shortage of cybersecurity experts. Therefore, Sri Lanka CERT | CC aims to conduct a national level survey to analyse the gap between the supply and demand of information and cybersecurity professionals in the industry. Results of this analysis will be utilized by Sri Lanka CERT|CC to formulate appropriate strategies and policies to fill the supply and demand gap of cyber security professionals of the country.

Objectives of the Study
  1. Data gathering and Analysis of the supply of professionals for Information Security and Cyber Security related job roles.
  2. Data gathering and Analysis of the demand for the Information Security and Cyber Security professionals in the job market.
  3. To analyse the gap between supply and demand of information and Cyber Security professionals.
  4. Formulate an operational strategy to fill the gap between supply and demand of Information Security and Cyber Security professionals in Sri Lanka.
Current Status of the Project

Following an open tender process, the project was awarded to IPID. Questionnaires and other materials were finalized with the approval of Sri Lanka CERT | CC. At the moment the survey is on hold due to the COVID-19 health restrictions that have been imposed.

Assess the Information and Cyber Security Readiness of the Critical Infrastructure Service Providers

Sri Lanka has advanced rapidly over the past decade in developing various digital government initiatives. Multimillion rupee investments made on various digital government initiatives have helped Sri Lanka to advance from 101st (2008) to 79th position (2016) in the e-Government Development Index. To date there are about 500 government websites and more than 50 e-services facilitating citizens to obtain services through the Internet. e-Administrative applications have been developed by public institutions that maintain critical national infrastructure with the aim of increasing the organizational efficiency thereby providing better services for citizens. Organizations that are involved in providing nationally important services such as water, electricity, ground and air transportation, financial, communication, manufacturing, and health for example are widely considered as the organizations maintaining critical national infrastructure. These organizations increasingly rely on digital government systems (e-administrative systems, computer networks and Internet) to deliver essential services to the citizens.

Although digital government initiatives promise tremendous benefits for citizens and government, they can also be subjected to various cyberattacks such as malware attacks, unauthorized access, and denial of service attacks. Cyber-attacks on digital government services can cause significant disruptions to the public service delivery, and thereby destroy public confidence. Our citizens will not embrace digital government, if their information cannot be securely maintained in the government information systems. It is, therefore, essential to adopt an appropriate operational strategy to ensure security of digital government systems and critical information infrastructure.

Prior to the implementation of such a strategy, it is essential to understand the overall readiness of critical infrastructure service providers. Sri Lanka CERT | CC therefore conducted this survey in order to:

  • identify the organizations maintaining critical infrastructure,
  • identify the critical information infrastructure and severity of failures,
  • assess the overall readiness of the critical information infrastructure of critical infrastructure providers, and
  • develop an operational strategy to increase the readiness of the information and cyber security of the identified organizations.
Objectives of the Study
  1. To identify and define the CI service providers across different sectors of the country
  2. To identify the CII operated by CI service providers
  3. To assess the level of risk for individual CII of CI providers and rate them based on the risk and impact
  4. To assess the level of readiness of CII of CI providers
  5. To draft an operational strategy to increase the readiness of the information and cyber security of the CI providers.
Current Status of the Project

The project has been awarded to KPMG (Pvt) Ltd following an open tender process. Sixty-four organizations were identified for the initial survey of identifying Critical Services (CI). Audits of more than fifty organizations were completed and the survey for identifying CI is ongoing for the remaining organizations. Identifying Critical Information Infrastructure (CII) is the second phase of the project and will commence after the first phase of identifying CIs is completed.

National Survey on Citizens Awareness on Information Security and Cyber Security & to establish the Cyber Security Readiness of Most Vulnerable Communities.

The Internet has become important for all aspects of daily life including education, work, and participation in society. A considerable segment of society is becoming more and more dependent on the Internet, thereby becoming more vulnerable to cybercrime. A major reason for such vulnerability to cybercrime is a lack of awareness among citizens about possible cyber threats and their consequences. Identity theft, theft of credit card numbers, privacy violations and unauthorized access on social media, for example, are commonly caused by citizens’ lack of awareness. It is, therefore, essential to raise citizens’ awareness about emerging cyber threats and empower them with the knowledge and skills necessary to defend themselves against evolving cyber threats. Prior to proposing any strategy, Sri Lanka CERT | CC aims to conduct a baseline assessment of Sri Lankan citizens’ awareness, attitudes and behaviours on information and cyber security related affairs.

Objectives of the Study
  1. To understand the citizens’ perceptions and awareness about emerging cyber threats.
  2. To understand the Most Vulnerable Communities’ perceptions and awareness about emerging cyber threats.
Current Status of the Project

According to a recommendation given by the National Planning Division (NPD), Sri Lanka CERT | CC decided to conduct the survey with the support of the Department of Census and Statistics (DCS). Accordingly, an MOU has been drafted and sent to DCS. The entire survey will be conducted by DCS. The survey instruments and other related documents for the survey have been drafted by DCS and the reviewing process is ongoing in order to finalize this nationwide survey.

Cyber Resilience for Development (Cyber4Dev)

This EU funded project will aim at increasing the security and resilience of critical information infrastructure and networks supporting the critical services of third countries (Africa and Asia) while ensuring compliance with human rights and the rule of law, through the adoption and implementation of a comprehensive set of policy, organizational, and technical measures. Sri Lanka was selected as a priority/beneficiary country.

The specific objectives of this project are to ensure;
  1. countries have increased political will to act on cybersecurity
  2. provide the necessary support to devise a new cybersecurity strategy or assist the implementation of an existing strategy
  3. countries have established democratic and inclusive multi-stakeholder governance structures for developing and implementing a cybersecurity strategy
  4. countries/regions have stronger, more effective collaborative relationships on cybersecurity and incident handling.
  5. countries/regions have improved CSIRT capability and more effective collaborative relationships with the EU for information sharing and incident response.
  6. countries have improved coordination between authorities in charge of cybersecurity and cybercrime.
  7. countries have included measures to protect human rights, rule of law and vulnerable individuals within their cybersecurity strategies/policies/laws.
  8. EU trading partners have improved cybersecurity and better conditions for growth.
  9. The EU is helped to counter cyber threats and foster the cyber resilience of the EU and its partners.
In order to meet the objectives mentioned above, an action plan was designed to deliver the following three outputs;
  • Output 1: Strengthened Cybersecurity Policy, Strategical, and Coordination Frameworks

    Increased awareness of decision-makers on cyber security issues and facilitation of adoption and implementation of consistent, holistic and actionable national cybersecurity strategies in priority countries. The engagement in this field shall be based on a multi-stakeholder approach that promotes the establishment of appropriate coordination frameworks and structures amongst public sector entities themselves and also with the private sector, both at policy and operational levels, while ensuring compliance with the rule of law and good governance principles.

  • Output 2: Increased Cybersecurity Incidence Response Capabilities

    Increased local operational capacities to adequately prevent, respond to and address cyber security incidents through strengthened Computer Security Incident Response Teams and improved formal and informal cooperation in the national cyber ecosystem of priority countries.

  • Output 3: Fostered Networks of Cyber Expertise and Cooperation

    Intensified awareness and promotion of cybersecurity good practices globally on the basis of EU expertise and increased trust and enhanced regional, trans-regional and international cooperation on cyber security issues through the promotion of formal and informal networks for sharing of best practices and incident information.

Implementing Partners:
  • Foreign and Commonwealth Office (FCO), UK
  • Dutch Ministry of Foreign Affairs (MFA), NL
  • Estonian Information System Authority (RIA), EE
Cyber4Dev has supported Sri Lanka CERT | CC to conduct the following activities:
International collaboration:

Participation support for;

  • FIRST TC and TF-CSIRT meeting (Estonia)
  • Program on Industrial Control Systems (ICS) Cybersecurity (Japan)
  • ITU Cyber Drill for Asia-Pacific and CIS Regions (Malaysia)
  • APCERT AGM and Conference 2019 (Singapore)
  • CyberUK 2019 Conference (UK)
  • e-Gov Conference (Estonia)
  • EU Cyber Forum (Belgium)
  • FIRST AGM and Conference (Scotland)
  • nCSIRT capacity building workshop (UK)
  • APRICOT conference (Australia)
Awareness creation:
  • Sending experts and resource persons for CSW 2018
  • Cyber4Dev launch program
  • Sending experts and resource persons for CSW 2019
  • Funding Facebook awareness campaigns including the promotion of CSW
  • Conducting workshops for CSW 2019
Support for national projects:

Support for the implementation of the National Cyber Security Strategy action plan and in particular the implementation of NCSOC

Project Duration

42 Months

Project period

Mid 2018-2021