Overview of the Current Cybersecurity Infrastructure
Bangladesh’s digital landscape has expanded rapidly in recent years, bringing both opportunities and risks. Over 132 million people in Bangladesh now use the internet, fundamentally transforming daily life and business. In response, the government has introduced key legal frameworks and institutions to secure this growing digital ecosystem. The Digital Security Act (DSA) of 2018 and the Cyber Security Act (CSA) of 2023 were enacted to address cybercrime and cybersecurity issues, and an interim Cyber Security Ordinance 2024 has been drafted to further strengthen cyber governance. Bangladesh established agencies like the Digital Security Agency (under the ICT Division) and the national Computer Incident Response Team (BGD e-Gov CIRT), which coordinate cybersecurity efforts and incident response. A new unit called Bangladesh Cyber Security Intelligence (BCSI) has also been created to bolster proactive defenses. These developments, along with a National Cybersecurity Strategy (2021–2025), signal that cybersecurity is being taken seriously at policy levels.
Despite these initiatives, Bangladesh’s cybersecurity infrastructure faces significant implementation challenges. Experts note that while laws exist, enforcement has lagged; previous administrations focused the laws more on controlling speech than on truly improving security readiness. Coordination among stakeholders is still a work in progress. Government, industry, and civil society must work in concert to build a resilient cyber ecosystem capable of withstanding increasingly sophisticated threats. As of 2025, the country finds itself at a crossroads: digital services and data are growing exponentially, yet protective measures struggle to keep pace. This mix of progress and gaps defines the current state of cybersecurity in Bangladesh.
Strengths and Advantages of Bangladesh’s Cybersecurity Strategy
Bangladesh has made notable strides in fortifying its cybersecurity posture in recent years. One key strength is the commitment at the policy level – the government has passed comprehensive legislation and guidelines aimed at cyber protection. The Cyber Security Act 2023 (and its proposed 2024 Ordinance) provides a legal framework to address cyber threats and holds perpetrators accountable. Additionally, sector-specific regulations like the Digital Commerce Operation Guideline 2021 help secure e-commerce transactions in the country. These legal measures, alongside improved law enforcement responses, contributed to Bangladesh jumping 25 places to rank 53rd (out of 194 countries) in the ITU’s Global Cybersecurity Index 2020 – a testament to strengthened commitments across legal, technical, and organizational pillars.
Another advantage lies in the institutional framework and international collaboration that Bangladesh is developing. The national CIRT (BGD e-Gov CIRT) actively monitors threats and has shown the ability to respond to incidents – for example, swiftly taking down a major data leak in 2023 once alerted. Bangladesh is aligning its cybersecurity strategies with global standards, even working to harmonize policies with international norms such as the European Union’s Digital Services Act. This openness to global best practices ensures the country is not operating in isolation when tackling cyber risks.
Bangladesh’s cybersecurity strategy also benefits from growing awareness and public-private initiatives. Government bodies and NGOs have launched nationwide awareness programs to build a “cyber-secure culture.” The Bangladesh Computer Council’s Cyber Security Awareness Programme educates citizens on common threats and protective measures. Meanwhile, campaigns like “Cyber Safe Bangladesh” (led by non-governmental groups) target students, teachers, and parents to promote safe online behavior. Collaborative platforms such as Cyber-Maitree 2023 foster cooperation between government agencies, industry stakeholders, and the public to enhance skills and resilience at the grassroots level. These efforts are gradually improving general cybersecurity hygiene and have laid a foundation for a more security-conscious society.
Key Weaknesses and Vulnerabilities in the System
Despite the progress, Bangladesh’s cybersecurity system suffers from several critical weaknesses and vulnerabilities that undermine its overall effectiveness. A major challenge is the gap between policy and implementation. While laws exist on paper, enforcement is inconsistent. The prior regime was criticized for enacting laws like the DSA 2018 and CSA 2023 primarily to curb free speech rather than to proactively address technical security issues. As a result, these laws have “struggled with practical execution due to insufficient resources and coordination”, leaving many provisions unimplemented. For instance, guidelines issued to protect “Critical Information Infrastructure” (CII) under the Digital Security Act were not strictly followed – a fact highlighted by the 2023 ransomware attack on Biman Airlines, which occurred even after the government had declared Biman a protected CII and provided security directives. This illustrates an endemic weakness: policy is not always translated into practice.
Another vulnerability is the acute shortage of skilled cybersecurity professionals and technical resources in the country. Experts warn that limited technical expertise and an inadequate cybersecurity workforce are among Bangladesh’s biggest hurdles. In many organizations, cybersecurity teams are understaffed or non-existent, leading to poor threat detection and response capabilities. This skills gap is exacerbated by insufficient training and awareness within organizations. Security leaders note a pervasive “weak security culture” – many companies treat cybersecurity as a checklist for compliance rather than as a continuous process of risk management. Consequently, organizations often take a reactive stance, patching issues only after incidents occur, instead of investing in prevention. Phishing scams and social engineering succeed frequently due to low user awareness, and basic cyber hygiene practices are not uniformly observed.
A related weakness is the reliance on outdated systems and foreign technologies without developing local capacity. Bangladesh’s critical sectors (government agencies, banks, energy, etc.) often run on legacy IT infrastructure with known vulnerabilities. Modern security tools like advanced threat intelligence platforms are not widely adopted, and many entities have yet to migrate to secure cloud architectures. Alarmingly, the country currently depends almost entirely on foreign cybersecurity products and solutions, which, as one industry CEO noted, is “not sustainable” in the long run. This dependency can delay responses to threats and limits the growth of an indigenous cybersecurity industry.
Moreover, coordination and information-sharing between stakeholders remain weak. Public and private sector collaboration is still in early stages – organisations tend to operate in silos with minimal sharing of threat intelligence. Communication gaps and “trust issues hinder open sharing of threat intelligence,” leaving private sector expertise underutilized in national defense. There is no robust centralized platform for different institutions to report and learn about emerging threats in real time. This fragmentation means that systemic vulnerabilities (for example, a malware campaign or a critical software bug) may not be communicated promptly across all affected parties.
Finally, the regulatory framework itself has had shortcomings that create vulnerabilities. The 2023 Cyber Security Act blurred the line between cybercrime and cybersecurity management, leading to ambiguities in enforcement. Critics argue that legal efforts focused too heavily on censorship and surveillance powers, rather than on safeguarding data and critical networks. Even the draft Cyber Security Ordinance 2024, intended to be an improvement, has been faulted for “vague provisions, unchecked powers,” and failing to address new-age threats like AI-driven deepfakes. Notably, the draft law overlooked certain critical sectors (like transport and healthcare) in its scope, leaving gaps in national cyber defense coverage. It also does not require organizations to notify the public of data breaches, meaning incidents can remain hidden and lessons unlearned. These legal and policy gaps, combined with poor enforcement, contribute to an environment where attackers can exploit loopholes and organizations may not be fully compelled to strengthen security.
Bangladesh’s Cybersecurity Effectiveness in the Global Landscape
On the global stage, Bangladesh’s cybersecurity system can be described as evolving but still maturing relative to more developed cyber powers. The country has indeed improved its standing in international evaluations; as mentioned, it climbed to 53rd place globally in the ITU’s Cybersecurity Index by 2020, with a strong overall score of 81.27 out of 100. This improvement reflects progress in areas such as legal measures and capacity building. In fact, Bangladesh stands out as an outlier among least-developed countries for demonstrating high commitment to cybersecurity, according to the ITU, even reporting the development of a nascent national cybersecurity industry. Regionally, Bangladesh now ranks 11th within the Asia-Pacific in cyber preparedness, ahead of many peers in South Asia and only trailing more advanced economies.
However, despite these gains, Bangladesh remains behind the global leaders in cybersecurity. For perspective, neighboring India leapt to rank 10th in the same index, and countries like the US, UK, Singapore, and South Korea dominate the top positions with near-perfect scores. Bangladesh’s score indicates that while foundational elements are in place, there is significant room for improvement in technical capabilities and operational coordination. The effectiveness of Bangladesh’s cybersecurity defenses has yet to be proven against sophisticated threat actors on a consistent basis. For example, the 2016 Bangladesh Bank heist (orchestrated by international hackers) exposed that the nation’s financial cybersecurity was far below global standards, resulting in one of the largest cyber thefts in history. Incidents like that have placed Bangladesh under the spotlight, demonstrating how vulnerabilities in one country’s systems can have worldwide repercussions.
In terms of international norms, Bangladesh’s policies have occasionally drawn concern from global observers. The 2023 Cyber Security Act was criticized for being incompatible with international best practices around digital rights and due process. Its broad provisions even risked penalizing legitimate cybersecurity research, which alarmed foreign firms. The current interim government appears aware of these issues and is expected to revise the law to better align with global standards in cybersecurity and privacy. This willingness to reform is crucial for Bangladesh’s global credibility. Going forward, Bangladesh’s effectiveness will be measured by how well it can integrate into global cybersecurity efforts – such as sharing threat intelligence, participating in international cyber drills, and adhering to frameworks like the Budapest Convention on cybercrime or the guidelines of the ITU. In summary, Bangladesh is making its way up the cybersecurity ladder, but to compete globally, it must accelerate improvements in both its defenses and its governance of cyberspace.
Recent Cyber Incidents and Case Studies in Bangladesh
Real-world cyber incidents in Bangladesh illustrate the challenges the country faces and highlight areas requiring improvement. Below are several notable case studies and data points from recent years:
- Bangladesh Bank Heist (2016): In February 2016, hackers infiltrated the central bank’s systems and used the SWIFT network to try to steal nearly $1 billion from Bangladesh Bank’s account at the New York Federal Reserve. While most transfers were blocked, $81 million was successfully diverted and stolen. This infamous incident, attributed to a state-sponsored group, exposed glaring security gaps (such as lack of firewalls and poor network segregation) in the bank’s IT infrastructure. It was a wake-up call that prompted banking authorities worldwide to tighten interbank transfer security.
- Government Data Leak (2023): In mid-2023, a major breach of a Bangladeshi government website exposed the personal data of over 50 million citizens. The leaked information included full names, phone numbers, email addresses, and national ID numbers. Investigations revealed that the Office of the Registrar General, Birth & Death Registration (BDRIS) website had a vulnerability that allowed this data to be openly accessible – it was not an active attack but a result of weak security practices. Upon discovery by an independent researcher, the e-Gov CIRT took the site offline and the government scrambled to patch the flaws. This incident underscored inadequate protection of citizen data and led to public outcry over the state of cybersecurity in government portals.
- Biman Airlines Ransomware Attack (2023): In March 2023, the email server of Biman Bangladesh Airlines (the national flag carrier) was hacked and crippled by a ransomware attack. Hackers seized control of the server on March 17, knocking out Biman’s internal email communications for days. Alarmingly, Biman initially did not inform the government or seek immediate help, and only convened an internal emergency meeting with no effective resolution. A government cyber team later intervened and found that Biman had failed to implement mandatory security guidelines despite being classified as critical infrastructure. This case highlighted the risks to critical services (aviation, in this instance) and the consequences of non-compliance with cybersecurity protocols.
- National ID Database Breaches (2023): In 2023, multiple leaks related to the National ID (NID) database made headlines. In one case, data of Smart NID card holders surfaced on a Telegram channel, where anyone could retrieve an individual’s full profile by inputting their NID number and date of birth. The Election Commission, custodian of the NID data of 120 million voters, alleged that one of the 174 authorized agencies with access had leaked the data. Earlier that year, the BDRIS website leak (described above) had already exposed millions of NID numbers. These breaches raised serious concerns about how securely government bodies share and manage citizens’ personal data. They also drew criticism when it emerged that no punitive action was taken against the responsible organizations. Observers noted that, unlike other countries that impose hefty fines for such negligence (Singapore fined its health system $750k for a patient data breach), Bangladeshi authorities issued little more than warnings. The lack of accountability in the aftermath of these breaches was seen as a missed opportunity to enforce stricter data protection standards.
- Banking Sector Threats: Bangladesh’s banks continue to be prime targets of cyberattacks. In 2019, hackers stole around $3 million by exploiting ATMs of three Bangladeshi banks using cloned cards abroad. More recently, Bangladesh Bank (the central bank) had to temporarily shut down some of its online systems in August 2023 due to threat alerts, reflecting the ongoing fear of cyber heists. A government surveillance in 2022 found 3,639 payment card details of Bangladeshi bank customers on the dark web, indicating widespread credential theft. Moreover, studies revealed that over half of Bangladeshi banks are at high cyber risk, with many still running vulnerable services and lacking advanced security infrastructure like Security Operations Centers. These incidents in the financial sector emphasize the need for urgent security upgrades and better adherence to standards (e.g., PCI-DSS for card security) across banks.
Each of these cases has provided hard-learned lessons. They have exposed technical vulnerabilities (unpatched software, weak authentication, poor network isolation), procedural failures (not following security guidelines, not reporting incidents promptly), and governance issues (no consequences for negligence). While Bangladesh has responded to some incidents by forming inquiry committees and updating policies, the recurrence of breaches suggests that more systemic changes are needed to truly uplift the country’s cybersecurity resilience.
Recommendations for Enhancing Bangladesh’s Cybersecurity
To strengthen Bangladesh’s cybersecurity system and mitigate vulnerabilities, a multi-pronged approach with specific, actionable steps is necessary. Below are key recommendations:
- Invest in Capacity Building: Address the skills shortage by developing cybersecurity talent domestically. This could include incorporating cybersecurity courses in university curricula, offering incentives for professional certifications, and partnering with international experts for training programs. By boosting the number of qualified cybersecurity professionals, Bangladesh can improve security monitoring and incident response across all sectors.
- Enforce Standards and Accountability: Establish stricter enforcement of cybersecurity standards, especially for critical information infrastructure. Regulatory bodies should mandate regular security audits for banks, telecom operators, utilities, and government departments. Organizations that fail to meet baseline security requirements or that negligently expose data should face penalties or sanctions, as is common internationally. Clear liability and consequences will motivate compliance. For example, requiring banks to implement Security Operations Centers and adhere to PCI-DSS standards for payment security can significantly reduce fraud.
- Strengthen Legal Frameworks with Data Protection: Update and refine laws to better protect data and privacy. Bangladesh urgently needs a robust data protection law aligned with global standards (similar to the EU’s GDPR) to safeguard personal information. The upcoming cyber law revisions should incorporate provisions for breach notification (so that citizens are informed of data leaks) and protections for whistleblowers who report cyber incidents. Ensuring that the legal framework focuses on security outcomes rather than censorship will also help build trust in the system.
- Improve Public-Private Collaboration and Threat Intelligence Sharing: The government should facilitate platforms for information exchange on cyber threats between public agencies, private companies, and international partners. Establishing a joint cybersecurity task force or regular forum can break down silos. Encouraging companies to share anonymized threat data with a national CERT or intelligence hub will help create an early warning system for attacks. Building trust is key – the government can start by actively engaging industry cybersecurity experts in policymaking and response planning.
- Modernize and Secure Critical Infrastructure: Upgrade outdated technology in critical sectors (energy, finance, transportation, healthcare) to more secure, modern systems. This includes patching or replacing legacy software, segmenting networks, and deploying advanced threat detection tools (such as intrusion detection systems and Security Information and Event Management platforms). Regular penetration testing and risk assessments should be conducted on infrastructure like power grids and financial networks to uncover weaknesses before attackers do. New threats like attacks on IoT devices and AI-driven exploits must be anticipated and defenses adapted continuously.
- Foster a Cybersecurity Culture: Move organizations away from a mere compliance mentality to a culture of proactive security. Top management in both government and business should champion cybersecurity as a priority. This means regular staff training on cyber hygiene, phishing simulations to raise awareness, and integrating security considerations into all IT projects from the start. Cybersecurity should be seen not as a one-time feature but as an ongoing process – as one expert put it, “Cybersecurity is not a feature. It is a process”, requiring vigilance and continuous improvement. Recognizing and rewarding good security practices internally can reinforce this culture change.
- Reduce Over-Reliance on Foreign Solutions: Encourage the growth of a local cybersecurity industry and local innovation. Bangladesh can incentivize startups and tech firms to develop indigenous cybersecurity products and services (for instance, encryption tools, secure communication apps, etc.). This not only reduces dependency on foreign technology but also creates local expertise. Public-private partnerships could fund research and incubation for cybersecurity solutions tailored to Bangladesh’s context. In parallel, when foreign solutions are used, knowledge transfer should be ensured so that local teams can manage and maintain these systems autonomously over time.
- Enhance International Cooperation: Cyber threats often transcend borders, so Bangladesh should actively engage in international cooperation. Joining global networks like FIRST (Forum of Incident Response and Security Teams) or collaborating with other national CERTs can improve capabilities. Bangladesh could seek technical assistance and best-practice exchanges through bodies like the ITU, and participate in regional cybersecurity drills or exercises to test and improve its preparedness. Such engagement will also help keep Bangladesh’s policies and defense techniques up to date with global trends.
By implementing these recommendations, Bangladesh can significantly bolster its cybersecurity defenses. The journey to a secure digital nation is an ongoing process that requires commitment from all levels – from government policymakers down to the individual internet user. With strong governance, capacity building, and a collaborative ethos, Bangladesh can move towards a “Smart Bangladesh” with truly smart cybersecurity measures, ensuring that its digital future is both innovative and secure for all citizens.