As Sri Lanka rapidly embraces digital technology across government, business, and society, cybersecurity has emerged as a cornerstone of national resilience. In recent years, the island nation has faced defacement of government websites by hacktivists, data breaches at financial institutions, and other cyber incidents that underscore growing threats. These events highlight why a robust cybersecurity system is essential not only for protecting sensitive information, but also for safeguarding national security, public services, and economic stability in Sri Lanka’s digital era. This blog post provides a comprehensive overview of Sri Lanka’s cybersecurity ecosystem – from its organizational structure and core components to its key strengths, critical weaknesses, and performance against global cyber threats. We will also examine case studies of major cyber incidents, discuss how cybersecurity intersects with national security and development, and suggest recommendations to build a more resilient, modern cybersecurity framework. The aim is to offer an insightful yet accessible analysis suitable for general readers, technical professionals, and policymakers alike.
Structure of Cybersecurity in Sri Lanka ’s Infrastructure
Government Agencies and Frameworks: Sri Lanka’s cybersecurity infrastructure is anchored by several government agencies with defined roles. The foremost is the Sri Lanka Computer Emergency Readiness Team – Coordination Centre (Sri Lanka CERT|CC), established in 2006 as the national center for cyber incident response. Sri Lanka CERT|CC operates under the Ministry of Technology (formerly under the ICT Agency or other relevant ministries) and acts as the country’s apex body for cybersecurity coordination. It handles incident response, issue alerts and advisories, conducts training, and develops policies to mitigate cyber threats across public and private sectors. Over the years, CERT has supported e-government initiatives (since 2009) and partnered with various agencies to improve cybersecurity readiness. In fact, Sri Lanka CERT led the creation of the first national Cyber Security Strategy in 2016, identifying key strategic pillars such as critical infrastructure protection, legislative framework, capacity building, awareness, and public-private partnerships.
Another pillar of the government’s approach is the National Cyber Security Strategy and Policy. The country launched its first 5-year cybersecurity strategy in 2018, which ran through 2023, marking the first coordinated national approach to address cybercrime, data breaches, and digital threats across sectors. This initial strategy focused on raising awareness, establishing basic technical standards, and building institutional capacity (especially in government) to handle cyber threats. Building on that foundation, a new National Cyber Protection Strategy 2025–2029 was approved in mid-2025 to update and strengthen Sri Lanka’s cyber defenses. Developed by Sri Lanka CERT with support from the World Bank, the 2025–2029 strategy concentrates on six core areas: (1) legal and regulatory reforms, (2) knowledge and skills enhancement, (3) cyber readiness and resilience, (4) incident response capabilities, (5) international cooperation, and (6) domestic coordination across stakeholders. Notably, the strategy emphasizes civilian digital infrastructure, deliberately excluding military/intelligence domains to maintain transparency and public trust. The civilian-focused strategy is meant to protect government and private sector systems, critical national information infrastructure, and citizen data, while military cyber defense is handled separately by the defense establishment.
Sri Lanka’s government is in the process of overhauling its cybersecurity governance framework through new legislation. A comprehensive Cyber Security Bill was drafted to fill longstanding legal and institutional gaps. This bill – now enacted as the Cyber Security Act (as of 2023/24) – establishes a dedicated “Cyber Security Agency of Sri Lanka” as the apex regulatory body for cybersecurity. The objectives of the law include effectively implementing the national cybersecurity strategy, preventing and responding to cyber threats, protecting critical information infrastructure (CII), and formalizing the institutional framework for cyber oversight. According to an official cabinet decision briefing, the law empowers the new Cyber Security Agency to coordinate with other supporting institutions and introduces legal requirements to secure critical infrastructure and “create a formal cybersecurity environment” in the country. The Ministry of Technology was tasked with spearheading this effort, reflecting the government’s recognition that cybersecurity is both a technology and a national security priority. Alongside the civilian cybersecurity law, Sri Lanka also moved to bolster military cyber defense via a proposed Defence Cyber Command Act, aimed at formalizing cyber units within the tri-forces (Army, Navy, Air Force) and police to address cyber-terrorism and cyber warfare threats. Together, these parallel efforts mark a significant structural evolution: one framework to secure civilian cyberspace and critical infrastructure, and another to enhance cyber capabilities for national defense.
Several specialized units and agencies complement the work of CERT and the future Cyber Security Agency. Within law enforcement, the Sri Lanka Police’s Cyber Crime Unit (CCU) under the Criminal Investigation Department (CID) investigates hacking, malware incidents, online fraud, and other cybercrimes. The police CCU operates a digital forensics lab and has trained officers certified in forensic analysis to handle electronic evidence. Victims of cybercrime can directly report incidents to this unit, including via an online e-reporting portal. For financial crimes and fraud (some of which overlap with cybercrime), the Financial Crimes Investigation Division (FCID) handles complex cases including those with digital evidence. On the preventive side, Sri Lanka’s ICT Agency (ICTA) has initiated projects like the National Cyber Security Operations Center (NCSOC) – a centralized Security Operations Center planned to monitor threats to government networks and critical systems in real time. As of 2025, operationalizing this NCSOC is a priority, intended to provide 24/7 monitoring and incident response coordination at a national level. Another emerging component is the National Certification Authority, which Sri Lanka CERT has begun establishing to support a trusted digital identity ecosystem (issuing digital certificates for secure e-services and communications).
Sri Lanka’s legal infrastructure for cybersecurity and cybercrime is also taking shape as part of the broader system. Key laws include the Computer Crimes Act No. 24 of 2007, which criminalizes unauthorized access, hacking, malware, denial-of-service attacks, and similar offenses. There is also the Payment Devices Frauds Act No. 30 of 2006 to combat payment card fraud and electronic financial scams. These laws, alongside provisions in the Penal Code (strengthened by amendments in 2005, 2006, and 2018) for offenses like child pornography, have provided the basic prosecutorial tools for cybercrime over the past decade. However, recognizing the need for modernization, the government has been updating its legal regime. By 2019, work was underway to finalize new cybersecurity legislation (now completed via the Cyber Security Act) and a comprehensive Data Protection law. The Personal Data Protection Act No. 9 of 2022 was passed in March 2022, creating Sri Lanka’s first framework for privacy and data security. Under this law, a Data Protection Authority (DPA) was established in 2023 to regulate the processing of personal data and enforce data security obligations in both public and private sectors. This addition to the institutional landscape intersects with cybersecurity, since protecting sensitive citizen data (e.g. in government databases or banking systems) is a critical aspect of the country’s overall cyber resilience. In summary, Sri Lanka’s government cybersecurity apparatus consists of a national CERT, supportive policy bodies (Ministry of Technology and ICTA), law enforcement cyber units, sectoral regulators (like the Central Bank for financial cyber risk and the new DPA for data security), and newly legislated agencies and frameworks (the Cyber Security Agency and related strategies) to tie everything together.
Private Sector and Public-Private Initiatives: A significant portion of Sri Lanka’s critical information infrastructure – such as telecommunications networks, banking and financial systems, transportation, and utilities – is operated by private or semi-governmental entities. As a result, public-private partnerships (PPPs) form a crucial component of the country’s cybersecurity ecosystem. Many private sector organizations that own vital infrastructure have invested in their own cybersecurity measures, given the risks to their operations. For example, major banks, telecom companies, and tech service providers maintain IT security teams, comply with industry standards, and conduct regular security audits. This private sector expertise and capability is an asset that complements government efforts. Collaboration mechanisms have been encouraged through policy; Sri Lanka’s national cybersecurity policies explicitly highlight the importance of industry-government partnerships in defending critical infrastructure and sharing threat information. In practice, this has led to joint initiatives such as financial sector cybersecurity workshops and information-sharing between CERT and banking security teams to combat threats like electronic fraud. A notable example of a private-sector driven institution is TechCERT, Sri Lanka’s first and largest private Computer Emergency Readiness Team. TechCERT was originally formed as a pioneering project of the country’s domain registry and now provides cybersecurity services (incident response, audits, training, etc.) to businesses and even government organizations on a consultancy basis. TechCERT operates in parallel to Sri Lanka CERT, effectively extending response capabilities to the wider economy. Both Sri Lanka CERT and TechCERT are members of international bodies like the Asia Pacific CERT (APCERT) network, illustrating a blend of public and private participation in global cyber cooperation forums.
Beyond TechCERT, there are several local cybersecurity firms and consultancies offering services such as penetration testing, digital forensics, security training, and compliance certification. These companies often partner with government agencies to hold awareness programs and skills development workshops. For instance, private firms have co-organized the annual Cyber Security Week/Summit in Colombo alongside Sri Lanka CERT and industry associations, which brings together experts from both sectors to share best practices. Professional bodies and academia also play a role: the University of Colombo’s School of Computing hosts a Digital Forensics Centre that has assisted law enforcement investigations since 2011. Universities are now incorporating cybersecurity into curricula, producing graduates with relevant skills, while tech community groups and NGOs run campaigns on cyber safety (for example, the Information Technology Society of Sri Lanka – ITSSL – has been active in highlighting vulnerabilities and advocating for better cyber hygiene in media). These civil society contributions are part of the broader cybersecurity ecosystem.
Nevertheless, effective public-private collaboration in cybersecurity is not without challenges. Experts have noted that some companies remain hesitant to share information about cyber incidents or involve government out of concerns over reputational damage, loss of control, or mistrust about data handling. Addressing these concerns is an ongoing process. The government’s new Cyber Security Agency, once fully operational, is expected to establish formal channels for threat intelligence sharing and incident reporting that protect confidentiality while enabling faster collective responses. In summary, Sri Lanka’s cybersecurity structure is a multi-stakeholder network: the government provides central strategy, coordination, and legal enforcement; the private sector brings technical capacity and operational control over critical systems; and together they seek to build resilience through cooperation. This structural mix is still evolving, guided by recent policies to create a more integrated framework for cybersecurity governance by the end of this decade.
Key Strengths of Cybersecurity in Sri Lanka ‘s System
Despite being a relatively small and developing nation, Sri Lanka has made notable strides in strengthening its cybersecurity posture. Several advantages and strengths can be identified in its current system:
- Established National CERT and Expertise: The early establishment of Sri Lanka CERT|CC in 2006 gave the country a head start in building cyber defense expertise. Over nearly two decades, Sri Lanka CERT has become a trusted focal point for handling incidents and advising organizations on security best practices. It has issued security alerts, responded to myriad cyber incidents, and developed guidelines that align with international standards. The institution’s longevity and experience are assets; for example, CERT’s work on cyber hygiene guidelines and policies under the first national strategy laid important groundwork for today’s efforts. Furthermore, Sri Lanka’s active participation in the global CERT community (such as APCERT and FIRST memberships) means it can draw on international threat intelligence and support when needed. The country’s technical capacity in areas like digital forensics is also bolstered by skilled professionals in CERT, the Police CCU, and private firms who have kept pace with global developments. This growing pool of experts contributed to Sri Lanka scoring full marks (9/9) on “education and professional development” in one cyber readiness index, indicating strength in cybersecurity training initiatives.
- Legal Framework and Policies (Emerging Strength): Sri Lanka has recognized the importance of a solid legal foundation for cybersecurity. The Computer Crimes Act 2007 was enacted relatively early, providing law enforcement the ability to prosecute hacking and other offenses within Sri Lankan jurisdiction. Building on that, the government has moved to modernize its laws through recent legislation. The passage of the Personal Data Protection Act in 2022 created the first regime for data privacy and security, aligning with international principles like the EU’s GDPR and mandating organizations to protect personal data. Perhaps the most significant development is the approval of the Cyber Security Bill (2023), which when implemented establishes a dedicated Cyber Security Agency and a comprehensive regulatory framework for cybersecurity. This demonstrates high-level commitment to updating laws and institutional structures to meet evolving cyber threats. Indeed, the new Cyber Security Strategy 2025–2029 puts strong emphasis on legal modernization, acknowledging the urgency of updating outdated laws and introducing new regulations to tackle threats like data breaches, ransomware, and digital espionage. In addition, Sri Lanka benefits from specific laws targeting niche cyber issues (such as the Payment Devices Frauds Act for credit card scams) and has amended existing laws (Penal Code, etc.) to cover online harms like child exploitation. Collectively, these legal tools – while still being fine-tuned – form a strengthening framework that supports cybersecurity objectives and enforces accountability.
- National Strategy and Institutional Commitment: The launch of consecutive National Cybersecurity Strategies is a clear strength, signaling sustained political will to address cyber risks. The first strategy (2018–2023) was a learning experience that raised awareness at senior levels of government and started capacity-building programs. The second strategy (2025–2029) shows a *“renewed focus on safeguarding critical digital infrastructure in an era of growing cyber threats”*. It was developed with international expertise (World Bank support) and centers on critical areas such as improving incident response, enhancing public-private cooperation, and developing a skilled cybersecurity workforce. By identifying priority areas and setting goals, these strategies provide a roadmap that guides resource allocation and reforms. Notably, the strategy process has actively involved various stakeholders (government, academia, industry), increasing buy-in and shared responsibility. The strategies also align Sri Lanka’s practices with global best practices, as seen in the incorporation of themes like critical infrastructure protection and international collaboration which mirror those in other nations’ strategies. This alignment helps Sri Lanka tap into global capacity-building programs. For instance, under a Council of Europe initiative, over 200 Sri Lankan judges were trained on cybercrime and electronic evidence handling by 2019, improving the judiciary’s capability to deal with cyber cases. Such achievements stem from the strategic approach championed by national policy.
- International Collaboration and Diplomatic Engagement: Despite limited resources, Sri Lanka has actively engaged in international cybersecurity efforts, which has strengthened its system through external support and knowledge exchange. The country became a Party to the Budapest Convention on Cybercrime, an international treaty that facilitates cross-border cooperation on cybercrime investigations. This commitment improves Sri Lanka’s ability to obtain evidence or assistance from other countries in prosecuting cybercriminals, and vice versa. Sri Lanka CERT has also fostered partnerships with global entities – for example, it received technical input from the World Bank in formulating the latest strategy, and it is an operational member of CERT networks that share threat intelligence regionally and worldwide. In terms of cyber diplomacy, Sri Lanka has taken a proactive regional role. It was noted as taking a leading part in “South-South collaboration” by helping initiate discussions between the Council of Europe and representatives of countries like Fiji, Nepal, and others to improve cybersecurity cooperation. Regionally, Sri Lanka is a member of the Colombo Security Conclave (CSC) – a multilateral initiative with India, Maldives, Bangladesh and others – where one of the key areas of cooperation is cybersecurity and critical infrastructure protection. Through the CSC, Sri Lanka benefits from joint cyber drills, technical expertise from larger countries like India, and intelligence sharing that enhances its readiness against threats that often transcend borders. All these collaborations add layers of strength to Sri Lanka’s cybersecurity capabilities, ensuring it is not operating in isolation.
- Gains in Global Cybersecurity Rankings: A tangible reflection of Sri Lanka’s improving cyber defense posture is its performance in global cybersecurity indices. In the Global Cybersecurity Index (GCI) published by the International Telecommunication Union, Sri Lanka’s ranking and tier have risen in recent evaluations. The country was ranked 83rd in the world in the 2020 GCI report (and 84th in 2018). Following the implementation of its first cybersecurity strategy and related initiatives, Sri Lanka has now been classified as a “Tier 2 – Advancing” country in the latest GCI 2024 assessment, achieving a score in the range of 85–95 out of 100. This Tier 2 status indicates a strong commitment to cybersecurity across multiple pillars – legal measures, technical measures, organizational measures, capacity development, and cooperation. In fact, the GCI report highlighted that Sri Lanka’s strengths were notably in the Legal, Technical, and Capacity Development pillars, where it scored highest, even exceeding the average performance of the Asia-Pacific region in some areas. The country’s improvement was attributed to effective implementation of its national strategy by Sri Lanka CERT in recent years. For example, under the legal pillar, Sri Lanka’s new laws and policies likely boosted its score; under technical, the existence of active CERTs (both Sri Lanka CERT and sectoral ones like TechCERT) and cybersecurity frameworks contributed; under capacity building, the training programs and awareness campaigns (such as cybersecurity education in schools and public awareness drives) earned full points. This international recognition serves not only as validation of Sri Lanka’s efforts but also as an advantage in credibility – it can attract more international support and investment in the cyber domain knowing that the country is serious about cybersecurity.
- Focus on Critical Sectors and Infrastructure: Another strength is the increasing focus on securing critical national infrastructure and essential services. The government has explicitly identified Critical National Information Infrastructure (CNII) sectors – such as banking and finance, telecommunications, power and energy, transportation, healthcare, and government services – that require priority protection. Sri Lanka CERT and ICTA have been working on guidelines and frameworks for these sectors. For instance, there is a Cybersecurity Policy for Government Institutions that sets baseline security standards across the public sector. The Central Bank of Sri Lanka, as a regulator, has also issued directives for financial institutions on cybersecurity (e.g. requiring banks to implement robust security controls and report major cyber incidents). The advantage here is that key sectors are not being left to fend for themselves; there is an effort to institutionalize protection for essential services that citizens rely on daily. A concrete example is the development of the National Cyber Security Operations Center (NCSOC) which, once fully functional, will monitor critical infrastructure on a national scale to detect attacks early and coordinate responses. Similarly, in the power sector, Sri Lanka has worked with international partners to assess and improve the cybersecurity of its electricity grid and water supply systems, acknowledging that a cyber-physical attack on these could be devastating. By prioritizing critical infrastructure resilience, Sri Lanka is building a strong defensive backbone that is considered a best practice globally.
- Human Capital and Awareness Initiatives: Lastly, Sri Lanka’s cybersecurity strength is gradually bolstered by its human capital development and growing public awareness. The inclusion of cybersecurity topics in university curricula and professional courses has produced a cadre of cybersecurity professionals (many of whom hold international certifications and have exposure abroad). Government and private sector have conducted numerous training sessions and workshops to upskill IT staff in secure network management, incident response, and forensic investigation. The judiciary and law enforcement have also been trained to handle cyber issues, as noted earlier with the judges’ training program. At the user level, Sri Lanka CERT runs awareness campaigns such as Cybersecurity Month activities, issues advisories in local languages about common threats (like phishing scams or social media safety), and maintains an online safety website for the public. Such efforts mean that, over time, more Sri Lankans are aware of cyber risks. While challenges remain in reaching the entire population, there is a positive trend of increasing “cyber hygiene”. In fact, during assessments, Sri Lanka scored well on education and awareness aspects of cybersecurity readiness. This is a strength because even the best technologies can fail if users are not informed; by working to create a cybersecurity-conscious culture, Sri Lanka is addressing the human element of security which is often the weakest link elsewhere.
In summary, Sri Lanka’s cybersecurity system benefits from institutional maturity in CERT, an evolving robust legal/policy framework, active international engagement, demonstrated political commitment, and targeted efforts to secure critical sectors and develop human capacity. These strengths provide a solid platform upon which Sri Lanka can tackle current threats and continue improving its cyber resilience.
Critical Weaknesses and Vulnerabilities in the Ecosystem (Cybersecurity in Sri Lanka)
Despite the progress, Sri Lanka’s cybersecurity ecosystem faces significant weaknesses and vulnerabilities that pose ongoing challenges. Identifying these gaps is crucial for charting a path forward. Key areas of concern include:
- Outdated Infrastructure and Technical Vulnerabilities: Many government and organizational IT systems in Sri Lanka run on outdated software or have not been hardened against cyberattacks. This makes them susceptible to known exploits. A series of cyber incidents in recent years has exposed these weaknesses. For example, in early 2021, hackers managed to poison the DNS records of multiple Sri Lankan domains – including high-profile ones like Google.lk – and redirect users to defaced webpages. This incident, which essentially hijacked the country’s domain registry infrastructure for a few hours, revealed gaps in DNS security and monitoring. Around the same time, at least 10 other government and commercial websites were defaced or disrupted by hacktivists exploiting poor security on web servers. Similarly, the ease with which attackers defaced the Sri Lankan Prime Minister’s official website in 2021 (redirecting visitors to a bogus site with cryptocurrency content) indicated weak access controls on that site’s hosting platform. These cases suggest that basic security best practices (like timely patching, strong authentication, secure configurations) have not been uniformly implemented across all digital infrastructure. Legacy systems used in some ministries or public services may not support modern security measures, yet they remain in operation due to resource constraints. This technical debt leaves many entry points open for attackers.
- Limited Cybersecurity Workforce and Skills Shortage: Sri Lanka suffers from a shortage of skilled cybersecurity professionals relative to the growing demand. While there are competent experts within CERT, the police, and major private companies, the overall talent pool is small. Retaining cybersecurity talent in the public sector is especially challenging – higher salaries in the private sector or opportunities abroad often lure away trained individuals. This brain drain, exacerbated by the country’s recent economic difficulties, means government agencies might not have enough specialized personnel to secure their systems or to staff the new Cyber Security Agency at full strength. Workforce limitations also exist in breadth: outside Colombo and major organizations, many IT staff lack advanced cybersecurity training. Smaller companies and government departments in rural areas may have IT generalists who are not equipped to handle sophisticated cyber threats. The result is uneven security postures and slower responses to incidents, especially outside the core entities. The government recognizes this weakness; the 2025–2029 strategy explicitly prioritizes developing a skilled cybersecurity workforce and spreading knowledge through education and awareness. However, building expertise takes time, and for now the skills gap remains a vulnerability.
- Absence of a Centralized Authority (Until Recently): Until the recent enactment of the Cyber Security Act, Sri Lanka lacked a central authority or regulator dedicated to cybersecurity. Sri Lanka CERT has functioned as a de facto coordinating body, but it did not have regulatory powers to enforce standards across all sectors. The absence of an empowered central agency led to fragmentation and oversight gaps. Different sectors had uneven levels of preparedness – for instance, banks are relatively well-regulated on IT security by the Central Bank, but other critical sectors like healthcare or transportation did not have a specific agency driving cybersecurity improvements. Additionally, without a central authority, incident reporting was largely voluntary. Many cyber incidents likely went unreported or underreported, reducing the ability to learn from and collectively respond to threats. Even severe breaches were sometimes kept quiet by organizations. In the notorious 2025 Cargills Bank data breach case (discussed in detail in the next section), the bank’s initial disclosure downplayed the severity of the attack and there was a conspicuous lack of media coverage for over a week. This culture of silence can be partly attributed to the lack of clear mandates for disclosure and a centralized body to collect and announce such information. According to a 2023 analysis, Sri Lanka scored a zero in the National Cyber Security Index for the category of protecting digital services, reflecting these institutional gaps. The same report noted that “as of 2023, Sri Lanka still does not have a cybersecurity authority” and that this lack of attention contributed to several breaches and hacks in recent years. The new Cyber Security Agency is intended to fix this weakness, but it will take time to become fully operational and effective.
- Regulatory and Policy Gaps: While Sri Lanka has some cybersecurity-related laws, there have been notable gaps and outdated provisions. The Computer Crimes Act 2007, for example, predates the social media revolution and the rise of threats like ransomware and sophisticated cyber espionage; it does not comprehensively address all modern cybercrime scenarios. There is no specific legislation that required critical infrastructure operators to implement certain cybersecurity standards (until regulations under the new law are issued). Moreover, Sri Lanka did not have mandatory breach notification requirements until the Data Protection Act – and even that only applies to personal data breaches and is just coming into force. This regulatory gap means organizations haven’t been legally compelled to report incidents or invest in cybersecurity to the extent necessary. In 2019, drafting of the Cyber Security Bill was meant to address these gaps by introducing a regulatory framework and CII protection obligations. However, bureaucratic delays meant that for several years the Bill was in limbo, leaving an interim period where cyber governance relied on patchwork measures. According to one digital rights overview, Sri Lanka’s lack of a comprehensive cybersecurity law and authority created a “significant legal gap” in its cyber defense until the recent approvals of the Bill and Policy. Furthermore, enforcement of existing laws has room for improvement. For instance, the Computer Crimes Act provisions have been used relatively sparingly, and law enforcement often resorts to general laws for cyber-related offenses. Prosecuting complex cybercrimes can be slow due to limited prosecutorial expertise (there is no specialized cybercrime prosecution unit in the Attorney General’s department). All these factors indicate that the regulatory ecosystem is still catching up to the fast-evolving threat landscape, and that lag represents a vulnerability.
- Insufficient Incident Response Capacity: Responding effectively to cyber incidents requires both coordination and speed, two areas where Sri Lanka has faced challenges. Sri Lanka CERT has a competent team, but as the national CERT it must cover the entire country with limited manpower – a daunting task as incidents scale up. Until the NCSOC is fully in place, there is no 24/7 unified monitoring center; CERT mostly relies on notifications from affected parties or international alerts to learn of incidents. This reactive posture means sophisticated attacks could go undetected for long periods. Indeed, in some past incidents, compromises were only noticed when external actors pointed them out or when attackers themselves announced their exploits. The 2025 Cargills Bank hack again is illustrative: the attackers exfiltrated data for days and the leak only became widely known due to social media buzz rather than an early official announcement. Similarly, in the 2021 domain hijack incident, the domain registry reacted and resolved it in a few hours, but it’s unclear if proactive monitoring could have caught the DNS issue even sooner. Coordination across agencies in incident response is another weak point. Without a formal cyber crisis management plan, responsibilities can be blurry when an incident affects multiple sectors. For example, a major cyberattack on national infrastructure might involve CERT, ICTA, the affected industry regulator, law enforcement, and possibly defense/intelligence if attribution points to a state actor – coordinating all these quickly is challenging without pre-established protocols. While ad-hoc collaboration does happen (CERT and the telecom regulator TRCSL worked together during the 2021 .LK domain attack), the process can be improved. Additionally, not all organizations have internal incident response teams or disaster recovery plans, meaning they rely heavily on external help from CERT or private consultants, which can delay containment. This limited incident response capacity – both in detection and in multi-stakeholder response – remains a vulnerability especially as cyber threats targeting Sri Lanka grow more complex.
- Inconsistent Cybersecurity Awareness and Culture: On the societal level, Sri Lanka faces challenges in ensuring a broad culture of cybersecurity awareness. Digital literacy varies widely across the population, and as of 2021 less than half of Sri Lankans were using the internet. While increasing connectivity is good, it also means many new users (often in rural or less-educated demographics) may not be well-versed in online safety practices, making them easy prey for phishing, scams, and misinformation. The Engagemedia digital rights report notes that the average Sri Lankan often shares personal information online without caution. Moreover, issues like online gender-based violence are significant – with a high prevalence of harassment and abuse reported, yet low reporting rates. This indicates that the public isn’t fully aware of recourse or protective measures available, which is a weakness from a cybersecurity perspective (cyber safety of citizens is part of the broader ecosystem). In the corporate realm, smaller businesses often lack awareness or resources to implement good cybersecurity, thinking “it won’t happen to us.” This can lead to supply-chain vulnerabilities where attackers breach a less secure small supplier to ultimately access a larger target. Senior management awareness in organizations, though improving, can also be inconsistent – some companies might under-invest in security until a major incident forces their hand. The reluctance of media to report on breaches (as seen in the Cargills case where mainstream media stayed silent initially) might stem from a cultural tendency to avoid publicizing security failures, but it hampers public awareness. All in all, while strides have been made in cybersecurity education, an ingrained security culture is not yet pervasive in Sri Lanka. Human error – whether through falling for scams or misconfiguring systems – continues to be a top vulnerability.
- Economic Constraints and Resource Limitations: Sri Lanka’s ongoing economic challenges also indirectly weaken its cybersecurity readiness. Budgetary constraints mean that government agencies might delay important security investments (such as replacing end-of-life systems or purchasing advanced monitoring tools) due to cost. Cybersecurity often competes with other urgent needs in a developing economy. In times of financial crisis, funding for training programs, cybersecurity drills, and hiring additional experts can be among the first cuts. This resource limitation is a structural weakness. For example, the plan to implement a state-of-the-art NCSOC or fully equip the Cyber Security Agency with cutting-edge technology might face delays or scaling down if funds are not allocated consistently. Additionally, economic hardship can increase the insider threat risk – disgruntled or financially stressed employees might be more susceptible to bribery or coercion by malicious actors. It can also drive skilled professionals to seek jobs abroad (as mentioned earlier), exacerbating the talent drain. While not a technical vulnerability per se, these economic factors create an environment where cybersecurity might not get all the attention and investment it requires, leaving gaps by default.
- Geopolitical and Cyber Espionage Risks: Sri Lanka’s strategic position in South Asia and the Indian Ocean, coupled with its engagements with global powers (China’s investments, Indian partnerships, etc.), make it a potential target for state-sponsored cyber espionage or digital interference. There is evidence that South Asian countries, including Sri Lanka, have been caught in the crossfire of larger cyber conflicts. In late 2024, for instance, Russian hackers infiltrated the infrastructure of a Pakistani hacking group to access sensitive information from South Asian government and military targets. This kind of incident suggests that even if Sri Lanka is not the primary target, its networks or data can be compromised as part of wider espionage campaigns in the region. Similarly, Sri Lanka hosts projects by various foreign nations (like port and energy infrastructure) which could be of interest to cyber saboteurs or intelligence agencies. The weakness here is that Sri Lanka’s cyber defenses – still developing – may not fully guard against sophisticated Advanced Persistent Threat (APT) groups that possess far greater resources. Intelligence reports globally have noted rising cyber operations by state-linked hackers (from China, North Korea, Iran, etc.) and these often include phishing campaigns, malware intrusions, and supply-chain attacks that smaller nations struggle to defend against. In Sri Lanka’s case, while there haven’t been widely publicized espionage incidents, the threat is likely present. The country might also be used as a cyber operations staging ground by malicious actors due to potentially weaker law enforcement or oversight (e.g., hosting command-and-control servers on Sri Lankan soil if monitoring is lax). If Sri Lanka’s internet infrastructure is misused by hackers, it could face reputational damage and added pressure from international partners to tighten controls – essentially turning a security gap into a diplomatic issue.
In summary, Sri Lanka’s cybersecurity ecosystem, while improving, is undermined by technical vulnerabilities in aging systems, a shortage of skilled personnel, previously weak central governance, patchy regulations, reactive incident response, inconsistent awareness, limited resources, and exposure to sophisticated global threat actors. These weaknesses mean that Sri Lanka remains vulnerable to cyberattacks and must address these pain points to build a truly resilient cyber framework.
Effectiveness in the Global Threat Context and Regional Cyber Diplomacy (Cybersecurity in Sri Lanka)
Given the strengths and weaknesses outlined, how effective are Sri Lanka’s cybersecurity efforts in the face of global cyber threats and the currents of digital geopolitics? This question is multi-faceted: it involves looking at Sri Lanka’s ability to thwart or respond to cyber threats that are increasingly transnational and often orchestrated by powerful actors, as well as examining Sri Lanka’s role in international and regional cybersecurity cooperation.
Facing Global Cyber Threats: The modern cyber threat landscape is characterized by advanced ransomware gangs, state-sponsored hackers, global hacktivist movements, and cybercriminal networks that operate across borders. Sri Lanka, like any connected nation, is not immune to these threats. In fact, the country has already been touched by global cybercrime waves – for instance, Sri Lankan computer users and companies were impacted by the WannaCry ransomware attack in 2017 and other malware outbreaks that indiscriminately hit hundreds of countries. The real test of Sri Lanka’s cybersecurity effectiveness is how well it can prevent such incidents or minimize damage when they occur. So far, the track record is mixed. On one hand, Sri Lanka CERT has successfully handled numerous routine incidents and helped contain damage. The quick resolution of the 2021 domain hijack (restoring DNS functioning within hours) shows a certain level of agility. On the other hand, the massive breach of Cargills Bank in 2025 – where 1.9 terabytes of data were stolen by a ransomware group (likely “Hunters International”, a rebranded offshoot of the notorious Hive group) – indicates that determined global attackers can still inflict severe harm. In that case, Sri Lanka’s defenses at the bank and perhaps oversight by regulators failed to thwart or early-detect a major intrusion. It highlights that while basic cyber hygiene is improving, targeted attacks using advanced methods can bypass existing security.
However, it’s worth noting that Sri Lanka’s situation is not unique – even developed nations have fallen victim to similar breaches. The key is how Sri Lanka learns and adapts. For example, the government did quietly acknowledge that the Cargills incident might be the largest data breach in Sri Lankan history, which could spur stronger regulations on banks’ cybersecurity and breach disclosure. In terms of trends, global ransomware and data-theft extortion have been on the rise (a global 38% increase in cyberattacks was noted in 2022 over the prior year), meaning Sri Lanka’s institutions must prepare for more such attacks. The effectiveness of Sri Lanka’s cybersecurity will depend on improving baseline defenses (to fend off mass attacks) and developing capabilities to confront more sophisticated threats (APTs). Right now, one might assess that Sri Lanka is reasonably effective against run-of-the-mill threats – for instance, there is decent public awareness about phishing and common scams, and CERT’s advisories often mitigate these. But against high-end threats (like state-backed hacking or complex supply chain attacks), Sri Lanka’s effectiveness is limited and reliant on external support. The fact that Sri Lanka now scores well on capacity building but lower on international cooperation (as per the GCI analysis) suggests it has room to deepen intelligence-sharing with allies to better anticipate global threats.
Digital Geopolitics and Cyber Diplomacy: Sri Lanka’s cybersecurity stance cannot be separated from its geopolitical context. Situated in a region where cyber tensions are escalating – be it due to India-Pakistan rivalries, great power competition in the Indian Ocean, or the presence of Belt-and-Road digital infrastructure projects – Sri Lanka must navigate carefully. Encouragingly, Sri Lanka has engaged in cyber diplomacy to advance its security interests. Joining the Budapest Convention, as noted, plugged it into a global network of cooperation on cybercrime. Moreover, Sri Lanka has not shied away from calling for more international collaboration on cybersecurity in forums like the United Nations (Sri Lanka has participated in UN discussions on responsible state behavior in cyberspace). Regionally, the Colombo Security Conclave (CSC) has emerged as an important platform. Within the CSC, Sri Lanka collaborates with India, Maldives, Bangladesh and others specifically on cybersecurity among other areas. This collaboration is quite practical: India, which has more advanced cyber capabilities, shares technical know-how and conducts capacity-building programs for CSC members to strengthen their cyber resilience. Joint cybersecurity drills and exercises under the CSC help Sri Lankan teams practice responding to incidents in coordination with neighbors, which is vital if a malware outbreak or coordinated attack hits multiple countries simultaneously.
Another aspect of cyber diplomacy is information sharing on threats. For example, if one country in the region detects a phishing campaign targeting government officials, passing that information quickly to others can prevent a breach elsewhere. There have been moves to establish secure channels for such exchanges between Sri Lanka and partners like India. Additionally, Sri Lanka is part of the Commonwealth Cyber Declaration and works with organizations like the Asia-Pacific Network Information Centre (APNIC) and APCERT for regional internet security initiatives. All this indicates a recognition in Sri Lanka that cyber threats are global, and defenses must be collaborative. It also shows effectiveness in leveraging partnerships; by aligning with India’s cybersecurity efforts and those of other friends, Sri Lanka extends its own defense perimeter.
That said, cyber diplomacy can be delicate. Sri Lanka has to balance relationships – for instance, cooperating on cybersecurity with Western countries and India, while also maintaining ties with China (which might be sensitive about data sharing due to big power rivalry). The EngageMedia report implies that Sri Lanka’s cyber policy is now trying to catch up, as previously there was a vacuum that potentially left it out of important regional initiatives. Now, with the Cyber Security Bill and policy “recently approved” as of 2023, Sri Lanka can present itself as a willing and prepared partner in international cybersecurity projects.
Measuring Effectiveness: One way to gauge effectiveness is through real-world outcomes. Sri Lanka fortunately has not suffered any publicly known catastrophic cyber incident on critical infrastructure (for example, a crippling attack on the national power grid or telecommunications backbone). Avoiding such a scenario thus far could be due to a combination of being a smaller target and some effective preventive measures. The continuous defacements and breaches, while serious, have been more of a nuisance or financial damage rather than existential threats. From a national security perspective, Sri Lanka’s cyber efforts have so far prevented cyber incidents from escalating into major national security crises. For example, even when hacktivists defaced multiple government sites in 2014 and 2021, these were embarrassing and highlighted political issues (hackers in 2021 posted messages about corruption and human rights) but they did not result in destruction or permanent loss of critical data. This indicates a partial effectiveness: adversaries with political motives have found vulnerabilities to make statements (pointing to security lapses), yet those adversaries either did not aim for or did not achieve a deeper penetration to cause large-scale harm.
In the arena of regional cyber stability, Sri Lanka’s effectiveness can also be seen in its contribution to collective security. By improving its own defenses, Sri Lanka reduces the likelihood of being the “weak link” through which regional attacks can propagate. Also, by participating in dialogues like the Colombo Security Conclave, it helps shape norms and cooperative measures that enhance regional trust and reduce misunderstanding in cyberspace. Cyber diplomacy efforts such as signing MoUs with countries like India on digital and cyber cooperation (e.g. there was an MoU on cooperation in ICT including cybersecurity signed in recent years) indicate proactive steps to strengthen bilateral ties in this domain. These diplomatic moves can be very effective in the long term for establishing rapid assistance mechanisms – for instance, Sri Lanka could call on Indian expertise in the event of a major cyber incident, just as it would offer help to a neighbor if needed.
However, Sri Lanka must still catch up to global best practices. Its cyber defense is effective in pockets but not uniformly. The Global Threat Environment today includes nation-state cyberattacks (like those by Russia, China, North Korea, etc., often pursuing espionage or disruption) and global cybercrime cartels (targeting banks, businesses, and individuals worldwide). Sri Lanka’s military and intelligence cyber units are relatively nascent; the Defence Cyber Command is being formalized, which means until it’s fully up, the country might be less prepared to detect or deter state-sponsored intrusions aimed at defense or espionage targets. For instance, if a foreign APT were attempting to spy on Sri Lanka’s government or exfiltrate sensitive military data, how effective would the current system be at stopping them? That remains a concern. Joining hands with international cyber operations (like information sharing with CERT India or INTERPOL) can partially mitigate this, but the capability gap is there.
In conclusion, Sri Lanka’s cybersecurity efforts have shown measured effectiveness – clear commitment and progress domestically, and an increasing voice in regional cyber cooperation. The country has been resilient enough to avoid cyber catastrophe, yet it continues to grapple with sophisticated threats that require more advanced solutions. As digital geopolitics heat up, Sri Lanka’s true test will be in maintaining a neutral, secure cyber posture while leveraging partnerships to bolster its defense. The next few years, with the new Cybersecurity Agency and strategy in action, will likely determine whether Sri Lanka can move from being reactive to being proactively effective against global cyber threats.
Case Studies of Major Cyber Incidents in Sri Lanka
Examining specific cyber incidents involving Sri Lankan institutions (or originating from Sri Lanka) provides concrete insights into both the vulnerabilities in the system and how entities have responded. Below are several notable case studies that illustrate the cybersecurity challenges Sri Lanka has faced:
1. The 2025 Cargills Bank Data Breach – Sri Lanka’s Largest Reported Data Breach: In March 2025, Cargills Bank, a mid-sized commercial bank in Sri Lanka, fell victim to a major cyberattack by a ransomware gang. The group, calling itself “Hunters International,” infiltrated the bank’s network around March 20, 2025. Unlike typical ransomware attacks that encrypt systems, this attack seemed to prioritize data theft. Over a few days, the hackers exfiltrated a massive trove of sensitive data – later revealed to be approximately 1.9 terabytes of files – before making ransom demands. When the bank did not (or could not) pay, the attackers started dumping the stolen data on a dark web forum by March 24–25. This breach is considered the largest in Sri Lankan history in terms of data volume and sensitivity. The leaked files included extensive personal data: scans of thousands of customers’ national identity cards and passports, KYC forms and even video recordings of the bank’s digital account opening process, internal documents like employee signature specimens and confidential memos, and even personal documents of top executives and board members. High-profile individuals were caught up in the leak; for example, copies of IDs belonging to the bank’s board and parent company leadership, such as prominent business figures and even a former Chairman of Sri Lanka’s Data Protection Authority, were exposed.
The incident shocked Sri Lanka’s financial sector. What makes this case particularly illustrative are the systemic issues it highlighted. Firstly, the bank’s initial response was less than transparent – on March 21, in line with stock exchange rules (since the bank is listed), Cargills Bank notified the Colombo Stock Exchange of an “unauthorized access to a peripheral system,” claiming no impact on core operations. This statement vastly understated the severity of what was happening. Only after the hackers publicly leaked data did the bank file a more candid disclosure on March 25 acknowledging that an unauthorized party claimed to have accessed and shared files. This delay and minimization meant customers and the public were left in the dark for critical days. It was not until a local tech community page and social media posts sounded the alarm on March 29 that the broader public realized the magnitude of the breach. Mainstream media outlets were conspicuously silent initially, possibly due to the bank’s influence or reluctance to report unverified leaks. The government too did not make immediate public statements, though behind the scenes officials acknowledged it as an unprecedented breach.
From a cybersecurity standpoint, post-incident analysis (including leaked internal audit reports) suggested multiple weaknesses in the bank’s defenses – unpatched systems, poor network segregation, and lax device controls were among issues that possibly allowed the attackers to break in. The attack was ultimately attributed to Hunters International, which analysts believe was a rebrand of the infamous Hive ransomware group dismantled earlier in 2023. This shows how global cybercriminal operations adapt and continue to target vulnerable organizations worldwide. The Cargills breach served as a wake-up call in Sri Lanka about the importance of proper incident disclosure and the need for robust data protection practices. It likely accelerated efforts to operationalize the Data Protection Authority (as personal data was clearly at risk) and to enforce stricter cybersecurity oversight in the finance sector. It also demonstrated the interplay between cybersecurity and public trust – the silence around the incident created criticism once the truth came out, emphasizing that clear communication is part of effective incident response.
2. The 2021 National Website Defacement Attacks – DNS Hijacking and Hacktivism: In early 2021, Sri Lanka experienced a wave of cyberattacks that mainly involved website defacements and a significant DNS hijack. On February 6, 2021, an unnamed group of hacktivists managed to compromise the .lk domain registry (the system that controls Sri Lankan domain names). By poisoning DNS records, they redirected numerous Sri Lankan websites to rogue pages under the hackers’ control. Notably, even Google.lk – the local search page for Google – was affected, along with Oracle.lk and various smaller business and news sites. Visitors to those addresses were taken to a page with messages from the attackers. The defaced pages carried slogans and statements highlighting a range of social and political issues in Sri Lanka: government corruption, ethnic and religious discrimination, underpayment of plantation workers, missing journalists, and militarization, among others. The timing was symbolic; the attack came two days after Sri Lanka’s Independence Day (Feb 4th), and the hackers titled their page “Really Freedom?” – directly questioning the state of the country’s freedom and governance.
This incident underscores how hacktivists can leverage technical vulnerabilities (in this case, DNS security weaknesses) to amplify their message. From a technical angle, the swift compromise of the LK Domain Registry indicated that either an admin credential was breached or a vulnerability in the registry software was exploited. The Telecommunications Regulatory Commission and Sri Lanka CERT quickly reacted by alerting the public and working to fix the DNS entries. According to officials, the issue was resolved by 8:30 AM the next morning, limiting the defacement window. Nevertheless, the fact that core internet infrastructure like the country domain registry was penetrated was concerning. Later in May 2021, a second wave of attacks occurred: on May 18, websites of the Health Ministry, Energy Ministry, a major state university, and even the Chinese Embassy in Colombo were defaced. A group calling itself the “Tamil Eelam Cyber Force” claimed responsibility. This pointed to a politically motivated campaign, likely tied to Tamil nationalist or sympathizer elements, as May 18, 2021, coincided with the anniversary of the end of Sri Lanka’s civil war – a date observed by Tamil groups as a day of remembrance.
Additionally, on June 3, 2021, the official website of then Prime Minister Mahinda Rajapaksa was hacked and altered to redirect visitors to a site displaying cryptocurrency content. That attack was not accompanied by political slogans like the others, but it further embarrassed the government’s cyber readiness. The Information Technology Society of Sri Lanka (ITSSL) commented that the PM’s site was hacked such that any visitor would be sent to a different page, implying possibly a malicious script or redirect was inserted into the site.
The 2021 series of attacks, often collectively referenced, demonstrated a few points: (a) Political grievances were being fought in cyberspace, using Sri Lanka’s own digital assets as the canvas; (b) Basic web security (up-to-date CMS, strong passwords, etc.) was lacking in many government sites, enabling even relatively low-sophistication attacks like defacements; and (c) Sri Lanka’s incident response was reactive – CERT and others did respond and fix issues, but they couldn’t prevent the initial breaches. After these incidents, authorities reportedly issued warnings to other website owners about patching vulnerabilities. It likely also fed into the rationale for creating a coordinated ops center (NCSOC) to monitor government web services more closely.
3. The 2019 Social Engineering Bank Heist Foiled (An Example of Cybercrime Response): While not as publicized as the above, Sri Lanka was tangentially involved in one of the world’s biggest cyber-heist attempts – the Bangladesh Bank SWIFT robbery of 2016. In that event, North Korean hackers attempted to steal almost $1 billion via fraudulent SWIFT messages; most transfers were blocked, but about $81 million got sent to accounts in the Philippines. Lesser known is that some of the laundered money was to be directed to Sri Lanka: one transfer of $20 million to a Sri Lankan NGO was part of the scheme, but a typo in the transfer instructions (writing “fandation” instead of “foundation”) raised suspicion and led to that Sri Lankan transfer being stopped. This incident, while external, put Sri Lanka’s financial cybersecurity on notice. It spurred the Central Bank of Sri Lanka to review the security of its own systems and of commercial banks’ international transfer protocols. In the aftermath, Sri Lankan banks strengthened their authentication processes for SWIFT transactions, and the Central Bank set up a specialist unit to monitor digital banking risks. The effective blocking of the fraudulent transfer to Sri Lanka (due to a vigilant Deutsche Bank staff noticing the typo) was luck more than design, but the lesson was taken seriously – that Sri Lanka could be a target or pawn in global cyber-financial crimes.
Additionally, Sri Lankan law enforcement has dealt with various internet scams and financial cybercrimes domestically. For example, in 2020-2021 there were cases of phishing scams targeting Sri Lankan bank customers via SMS and email, and a notable bust of a group that was hijacking people’s social media accounts to run fraud. The effectiveness of responses in these cases often came down to police cyber units tracking digital footprints and coordinating with service providers (sometimes overseas) to apprehend perpetrators. Each successful takedown of a cybercrime ring adds to confidence in the system, but conversely, unsolved cases erode trust.
4. Insider Threat and IT Sabotage Cases: There have also been a few incidents pointing to the insider threat in Sri Lanka. One example is a case (circa 2019) where an IT security analyst was caught hijacking a cyber attack to divert ransom payments to himself. While the full details are complex, it involved an employee exploiting an ongoing cyberattack for personal gain. This highlights that sometimes the threat comes from within, and emphasizes the need for internal controls and monitoring even among trusted staff.
5. Cyberattacks on Critical Infrastructure (Hypothetical Near-Misses): Sri Lanka has been fortunate not to have a confirmed major attack on infrastructure like power or transport. However, there was an incident in 2022 where the website and systems of the Ceylon Electricity Board (CEB) experienced a cyber intrusion that forced the IT team to take certain systems offline (reports suggested it was a ransomware attempt). It did not result in blackouts or physical damage, but it served as a warning shot. The incident led to the CEB collaborating more closely with Sri Lanka CERT to audit their network and improve defenses. As part of regional cooperation, Sri Lanka’s energy sector started information-sharing with counterparts in India to learn from India’s experience of frequent cyber probes on its grid by suspected state actors. These “near-misses” are important case studies too – they show areas of vulnerability (e.g., industrial control systems that might not have been originally designed with security in mind), and ideally prompt proactive strengthening before a disaster occurs.
Through these case studies, a few common threads emerge: Sri Lanka’s institutions have been targeted by both financially motivated cybercriminals and politically or ideologically motivated attackers. In many instances, weak security practices (old software, weak passwords, insufficient network monitoring) made the attacks possible. The responses, while eventually resolving the immediate issues, often revealed delays or lack of readiness in detection and public communication. Each incident has however contributed to incremental improvements – whether it’s a bank upping its security after a breach, or the government allocating more funds to cybersecurity after public embarrassment.
Case studies also underline how cybersecurity is tied to other aspects – the Cargills breach raised issues about data governance and transparency; the hacktivist defacements were entwined with political grievances and free expression online; financial attack attempts connected Sri Lanka to global crime syndicates; and potential infrastructure attacks bring national security into play.
Sri Lanka’s challenge is to learn from each of these incidents and ensure that the same type of attack is not allowed to succeed twice. For example, after 2021, one would hope the .LK domain registry is far more secure so that a DNS hijack is unlikely to recur. After 2025, one would expect banks to be extremely vigilant about patching and monitoring, so that a similar large breach would be much harder. In essence, every case study is a costly lesson – and the country’s cybersecurity maturity will be reflected in how well those lessons are applied moving forward.
Cybersecurity, National Security, and Development: Intersection with National Priorities
Cybersecurity in Sri Lanka does not exist in a vacuum – it profoundly intersects with national security, economic development, critical infrastructure, and digital governance. Understanding these intersections is crucial for appreciating why cybersecurity has become a top-tier policy issue and how it influences broader national goals.
Cybersecurity as a National Security Imperative: In the 21st century, national security isn’t just about physical defense; it also encompasses protecting a nation’s digital territory and assets. Sri Lanka recognizes that cyber threats – whether espionage, sabotage, or propaganda – can directly impact national security. The proposal of a dedicated Defence Cyber Command Act in 2021, aiming to empower military and law enforcement cyber units, was explicitly justified by the need to counter terrorists and hostile actors leveraging cyberspace. The government noted that electronic communication via cyberspace “may directly influence national security,” hence the need for comprehensive legislation and capability in this area. This indicates that Sri Lanka views a secure cyber domain as essential to safeguarding state secrets, military communication, and even public order (for instance, preventing terror groups from spreading propaganda or recruiting online). There have been concerns about groups with violent intent using Sri Lankan cyberspace – for example, during the Islamic State’s rise, authorities monitored online activities to prevent recruitment of locals via social media. Also, misinformation campaigns and fake news on social platforms have posed security challenges by inciting communal tensions. During the political unrest in 2022 (when protests led to a change in government), a barrage of social media disinformation was observed, some attributed to organized campaigns. National security agencies had to scramble to counter false narratives that could lead to violence. This shows cybersecurity overlaps with information security – protecting the country from malicious influence operations is now part of the security apparatus’s job, requiring technical monitoring and quick reaction online as much as on the ground.
Moreover, Sri Lanka’s critical defense and intelligence systems are themselves reliant on digital infrastructure. From military communication networks to databases of sensitive intelligence, all need protection against cyber intrusions. A breach in those could undermine sovereignty. Thus, part of Sri Lanka’s national cybersecurity strategy, while civilian-oriented publicly, likely includes strengthening classified networks and developing cyber defense tactics (potentially in collaboration with friendly nations’ defense agencies). The intersection is clear: if an enemy state or terrorist organization crippled Sri Lanka’s financial system or power grid through a cyberattack, it would be as damaging as a physical attack – hence, cyber defense is now integral to national defense.
Economic Development and the Digital Economy: Sri Lanka’s aspirations for economic development are closely tied to digital transformation. Initiatives to build a “Digital Sri Lanka” by 2030 emphasize expanding e-commerce, digital payment adoption, tech startups, and IT-BPO industries as growth drivers. However, the success of a digital economy hinges on trust and security. If consumers fear online transactions due to fraud, or if businesses suffer frequent cyberattacks, digital growth will stall. Therefore, cybersecurity is an enabler of economic development. For instance, the National Digital Economy Strategy 2030 explicitly mentions that “safe, trusted, and inclusive services” rely on actions related to cybersecurity, safety, and privacy. One of its key performance indicators is to improve Sri Lanka’s ITU Cybersecurity Index ranking from 83rd to 60th by 2025, highlighting the belief that better cybersecurity will support the digital economy’s expansion.
A concrete economic intersection is the ICT industry – Sri Lanka has been building a reputation as an outsourcing destination for software services. Global clients will only offshore work (especially involving data) to Sri Lanka if they are confident in the country’s cybersecurity regime. Any perception that Sri Lanka is not cyber safe could lead to loss of business in the tech sector. Similarly, tourism now involves digital systems (online bookings, digital nomads visiting etc.), and ensuring those platforms are secure is part of providing a safe environment for economic transactions.
At a macro level, the cost of cyberattacks can weigh on the economy. Cyber incidents can impose financial losses (banks losing money, companies paying ransoms, recovery costs) and also intangible costs like reputation damage and reduced investor confidence. A major breach in a leading Sri Lankan company could make foreign investors wary about investing in local firms until improvements are made. On the flip side, robust cybersecurity can be a selling point – for example, if Sri Lanka positions itself as having strong data protection and cyber laws, it might attract data-centric businesses or position Colombo as a financial hub with secure digital infrastructure. Thus, cybersecurity strategy is intertwined with economic strategy.
Protection of Critical Infrastructure: Many critical infrastructures – power plants, electricity grids, water supply systems, transportation networks (like railways, airlines), telecommunications, and health care systems – are increasingly digitized and connected. They form the backbone of both national security and daily life. The intersection with cybersecurity is direct: these systems must be shielded from disruption. Sri Lanka’s policies have started to reflect this. The government’s cybersecurity efforts prioritize Critical National Information Infrastructure (CNII) protection. For instance, the Cyber Security Bill mandates creating regulations for the protection of critical information infrastructure and formalizing how those operators must secure their systems. A cyber incident on critical infrastructure could be devastating: imagine a hacker taking down the national power grid for an extended period or tampering with the control systems of a major dam or the air traffic control at the airport. The country has fortunately not experienced such nightmare scenarios, but minor incidents (like attempted attacks on the electricity board’s IT systems) serve as warning shots.
The national security aspect overlaps here too – critical infrastructure sabotage could be an act of war or terrorism. So protecting them is both a civilian and military concern. This is why frameworks for critical infrastructure protection often involve intelligence agencies and the military working alongside civilian CERT teams to share information about threats. In Sri Lanka, ensuring the telecom network is secure also has a geopolitical angle, given controversies around equipment from different countries (Sri Lanka, like others, must weigh cybersecurity in decisions such as whether to allow certain foreign vendors for 5G networks, balancing cost vs. security concerns voiced by allies).
Another dimension is disaster management: Sri Lanka is prone to natural disasters (tsunamis, floods). If critical systems are resilient to cyberattacks, they are likely more resilient to other disruptions too. Conversely, being hit by a cyberattack during a natural disaster would compound the crisis. Therefore, cybersecurity of critical infrastructure is part of national resilience planning.
Digital Governance and Citizen Services: Sri Lanka has been digitizing governance – from e-Government portals to digital ID initiatives and online public services (like revenue licenses, passports, etc.). Cybersecurity intersects here by affecting citizens’ trust in e-governance. If a government website is hacked or a government database leaked, it directly erodes public confidence in digital services. For example, in 2019, there was a breach in a database of Sri Lanka’s voters or license holders (hypothetically speaking), it would make headlines and people might think twice about providing information online. The President’s Media Division website hack in 2013 and others in 2014 (where over a hundred government sites were defaced) did raise questions back then about how secure government online services are.
The government is also working on a new digital national identity card system. Ensuring that such a system is secure is paramount because it will hold personal data of essentially the entire population. A breach or manipulation of a national digital ID system could be catastrophic – it could enable identity theft on a mass scale or undermine the integrity of identification. This shows how cybersecurity and digital governance are two sides of the same coin. The ICTA and other bodies have to bake in security and privacy by design in all new e-governance projects.
Moreover, cybersecurity intersects with governance in terms of surveillance and privacy. As the government ramps up cybersecurity, it must balance it with citizens’ rights. There have been concerns from human rights groups that some cyber laws or digital regulations could be misused to curb free speech (for instance, surveilling social media under the guise of cybersecurity to identify dissent). EngageMedia’s overview mentioned crackdowns on online activists and arrests under various laws. So, an important governance challenge is ensuring that cybersecurity measures (like monitoring internet traffic for threats) do not infringe on democratic freedoms. Achieving security while upholding privacy and freedom of expression is a delicate policy dance – one that Sri Lanka’s lawmakers and civil society are actively engaged in as new laws like the Cyber Security Act and Data Protection Act come into play.
Cybersecurity and National Development Goals: Cybersecurity also supports broader development goals such as Sri Lanka’s ambition to become an education hub or an innovation hub. If universities are connected globally and doing research, they need secure networks to collaborate (imagine a scenario where a university’s research is stolen by cyber espionage – it would dissuade global partnerships). In the business climate, the World Economic Forum’s indices or the World Bank’s ease of doing business now consider digital security as part of infrastructure quality. If Sri Lanka aims to attract more digital nomads or foreign direct investment in tech, demonstrating strong cybersecurity is key.
Additionally, consider critical sectors like healthcare. The Covid-19 pandemic pushed a lot of healthcare into digital (telemedicine, digital vaccine certificates, etc.). Ensuring those systems are secure (so that health records aren’t hacked, or fake vaccine certificates can’t be made) is part of both healthcare service delivery and national health security.
In terms of strategy documents, Sri Lanka clearly acknowledges these intersections. The National Cyber Security Strategy and the Digital Economy Strategy both stress that cybersecurity is essential for Sri Lanka’s national development – from securing digital finance and e-commerce to protecting citizens online so they can reap digital benefits without harm. They also note that without cybersecurity, the push for a cashless society or smart government could backfire if people lose trust after cyber incidents. Therefore, significant investments in cybersecurity capacity (operations centers, training, laws) are justified not only to prevent crime but to enable progress.
In summary, cybersecurity in Sri Lanka is tightly interwoven with national security (preventing cyber warfare and espionage, keeping the country safe), economic progress (ensuring a trusted environment for commerce and innovation), critical infrastructure reliability (keeping the lights on and transport running), and effective digital governance (delivering services and protecting citizens’ data). Sri Lanka’s policymakers increasingly view cybersecurity as a foundational layer that supports all other national priorities. A lapse in cybersecurity can derail these bigger goals, so building a resilient cybersecurity framework is in effect an investment in the country’s overall future.
Recommendations for a Resilient and Modern Cybersecurity Framework
Addressing the current challenges and fortifying Sri Lanka’s cybersecurity for the future will require concerted effort across multiple fronts. Based on the analysis above, here are actionable recommendations to build a more resilient, modern cybersecurity framework in Sri Lanka:
1. Expedite the Operationalization of the Cyber Security Agency and Strengthen Governance: With the Cyber Security Act now approved, it is critical to stand up the Cyber Security Agency of Sri Lanka (CSA) as soon as possible and empower it to coordinate national efforts. This agency should establish clear mandates: set and enforce cybersecurity standards across government and critical sectors, act as a central hub for threat intelligence sharing, and lead national incident response in coordination with CERT. Key steps include appointing strong, qualified leadership to the CSA, staffing it with skilled professionals (possibly drawing secondees from CERT, academia, and industry in the interim), and providing it with adequate funding. The CSA should immediately work on creating a comprehensive regulatory framework – for example, issuing guidelines on minimum security controls for critical infrastructure operators, and rolling out a national cyber incident reporting mechanism that mandates timely disclosure of significant breaches to authorities (and where appropriate, to the public). Having a central authority will also help streamline public-private partnerships, as the private sector will know whom to interface with on cybersecurity initiatives. In parallel, the government should establish a National Cyber Security Council or Task Force that includes representatives from all key stakeholders (defense, ICTA, CERT, Central Bank, telecom regulator, private sector, etc.) to meet regularly and advise on high-level cyber policy and crisis situations. This will ensure whole-of-government and whole-of-society coordination on cybersecurity strategy.
2. Enhance Critical Infrastructure Protection and Incident Response Capabilities: Sri Lanka must prioritize securing its critical information infrastructure by instituting a robust Critical Infrastructure Protection (CIP) program. This involves first finalizing the identification of CII sectors and entities, if not already done, and conducting comprehensive risk assessments for each sector. Sector-specific cybersecurity standards (possibly adapted from international standards like ISO 27001, NIST framework, or the EU NIS directive) should be mandated. Regular audits and penetration testing of critical systems (power grid SCADA systems, telecom switches, banking payment systems, etc.) should be carried out, with results reported to the CSA or relevant regulator. Importantly, establish sectoral CERTs or ISACs (Information Sharing and Analysis Centers) for major sectors – for instance, a Financial Services CSIRT under the Central Bank, or an Energy ISAC that connects the power, oil, and gas companies for sharing threat intel. These sectoral bodies would work closely with Sri Lanka CERT|CC, effectively acting as force-multipliers in incident response.
Furthermore, speeding up the implementation of the National Cyber Security Operations Center (NCSOC) is vital. The NCSOC should be equipped with modern SIEM (Security Information and Event Management) and threat detection tools to monitor government networks and other volunteered critical networks in real time. A 24/7 watch and early warning system can drastically reduce response times. In the event of an incident, Sri Lanka needs well-drilled procedures: a National Cyber Incident Response Plan should be formulated, delineating roles of CERT, CSA, police, military, and private sector partners during a major cyber crisis. Regular cyber crisis exercises (simulating, say, a widespread power grid attack or a malware outbreak) should be conducted to test and refine these plans. Practicing in peace time ensures smoother execution in an actual emergency. The country could seek partnerships with more advanced countries to assist in such exercises – for example, inviting experts from India’s CERT-In or Singapore’s Cybersecurity Agency to co-host drills or share best practices would be beneficial.
3. Invest in Capacity Building and Retention of Cyber Talent: Tackling the workforce limitation is a long-term effort, but steps can be taken now. First, expand cybersecurity education and training: encourage universities to launch specialized degree programs in cybersecurity (if they haven’t already) and update computer science/IT curricula to include mandatory cybersecurity modules. Scholarships and incentives (like bonding schemes) can be offered to students who specialize in cybersecurity and then serve in government roles for a few years. This helps funnel talent into public sector needs. For the current workforce, scale up professional training – Sri Lanka CERT and private entities can organize frequent training workshops on topics like secure network administration, malware analysis, incident response, and so on, targeting IT staff across government and key industries. International certifications (like CISSP, CISM, CEH, GIAC, etc.) should be promoted by perhaps subsidizing exam costs for Sri Lankan professionals, to raise the skill benchmark.
Equally important is talent retention. The government might consider creating a special cadre or scheme for cybersecurity professionals in public service with higher salary scales or other perks to reduce the brain drain. Career development paths should be clearly outlined so that talented individuals see a future in staying. If budget constraints are an issue for salaries, another approach is leveraging diaspora and international volunteers – e.g., invite Sri Lankan cybersecurity experts abroad to contribute through short-term fellowships or remote consulting for government projects (many may be willing to help their home country in advisory roles). Building a patriotic narrative around defending the nation in cyberspace could help morale and retention as well.
Additionally, cultivate a broader base of “cyber aware” professionals. Launch a Cybersecurity Awareness Program that goes beyond just end-users: for example, a program that certifies and upskills local IT service providers and MSPs (Managed Service Providers) in cybersecurity best practices. Since many small businesses and even government offices depend on third-party IT contractors, ensuring those providers are security-conscious will raise the overall security posture.
4. Improve Threat Intelligence Sharing and International Cooperation: Given the transnational nature of threats, Sri Lanka should deepen its collaboration networks. It’s recommended to establish a formal Threat Intelligence Sharing Platform (perhaps using platforms like MISP – Malware Information Sharing Platform) where CERT, tech companies, telcos, banks, and others can contribute and consume threat data in real time. This could operate under the aegis of the CSA or CERT with proper trust agreements in place to protect sensitive information. Participation in more international cyber exercises and information exchanges is also crucial. Sri Lanka should actively engage in APCERT drills, and seek to join initiatives such as the Global Forum on Cyber Expertise (GFCE) for capacity building opportunities, or NATO’s Cyber Range exercises as an observer, etc. While Sri Lanka is not a NATO member, they sometimes invite partners for training which can be valuable.
On a bilateral level, negotiating MoUs with countries that have advanced cyber capabilities can pay off. For instance, continuing to work closely with India via the Colombo Security Conclave to possibly set up a regional cyber incident response coordination center would strengthen regional security. Engaging China and Western countries in dialogues will also ensure Sri Lanka stays informed about global threat actors (a balanced diplomacy approach could even allow Sri Lanka to receive assistance from all sides – e.g., training from the US on certain aspects, infrastructure funding from others, etc., without getting caught in big power crossfire). Because Sri Lanka is part of the Belt and Road, it could push for including cybersecurity capacity aid in those collaborations as well (for example, if deploying Chinese ICT infrastructure, also get cybersecurity training/equipment as part of the deal).
Additionally, Sri Lanka’s law enforcement should intensify cooperation through INTERPOL and the expert working groups under the Budapest Convention to help track cybercriminals. Since the country now has the Data Protection Authority, joining global privacy and data security conversations (like the Global Privacy Assembly) can also provide insights on handling emerging issues that overlap with cybersecurity (like personal data breaches and cross-border data requests during investigations).
5. Mandate Security by Design in Digital Government Projects: As e-governance expands, it’s essential to incorporate “security and privacy by design” in every new system from the get-go. The government should enforce a policy that any digital service (whether developed in-house or by a vendor) must go through a threat modeling and security testing phase before launch. Regular vulnerability assessments and penetration tests should be budgeted for and conducted on e-government platforms, preferably by independent experts. The results can feed into rapid remediation before attackers find the holes. For existing systems, perform audits and modernization – legacy applications that manage sensitive data might need to be upgraded or isolated if they cannot be fully secured.
For the upcoming National Digital ID system and other critical citizen databases, consider commissioning an international review panel of cybersecurity experts to scrutinize the architecture and encryption methods, to ensure they meet global standards. This external validation can prevent costly mistakes (for example, avoiding a scenario where a national ID smartcard has an easily cloneable chip due to a weak encryption scheme). Also, enforce strong identity and access management: government systems should implement multi-factor authentication for administrators and perhaps even for citizen-facing logins where feasible (to mitigate risks of brute force or credential stuffing attacks).
6. Promote Cybersecurity Awareness and Resilience Culture Nationwide: Building a cyber-aware society is a defense in itself. The government and private sector should collaborate on continuous public awareness campaigns. This could include initiatives like an annual “Cybersecurity Week” with workshops and media messages in Sinhala, Tamil, and English on safe internet practices, how to avoid phishing scams, the importance of using legitimate software, etc. Schools should incorporate basic cybersecurity hygiene into IT curricula for students. Community outreach is key too – for instance, training programs for small business owners on cyber risks, or public webinars for parents on child online safety (given the prevalence of online harassment issues).
Beyond awareness, developing a culture of resilience is vital. Encourage organizations to not only try to prevent attacks, but assume breach and plan continuity. Every critical organization should have an up-to-date incident response plan and a business continuity/disaster recovery plan that includes cyber scenarios. The CSA or CERT could create templates for SMEs and government departments to use in crafting their incident response playbooks.
It’s also recommended to create a Cybersecurity Innovation and Research Fund – this would support local research projects, startups or university labs working on cybersecurity solutions relevant to Sri Lanka (like AI tools for Sinhala/Tamil phishing detection, or low-cost SCADA firewalls for local utilities). Fostering local innovation can provide home-grown solutions and also develop the next generation of experts.
7. Strengthen Legal and Law Enforcement Mechanisms: Ensure that new laws like the Cyber Security Act and Data Protection Act are effectively implemented. The CSA should work closely with the Data Protection Authority to align on breach notifications and enforcement in cases where negligence leads to breaches of personal data (for example, in the Cargills breach, under the PDPA the bank could face penalties if it’s shown they didn’t take adequate protection measures once the law is fully in force). Additionally, update any outdated provisions – for instance, consider reviewing the Computer Crimes Act 2007 to amend it if needed for clarity on newer crimes (like crypto-jacking, cyberstalking, etc.) that may not be explicitly covered. Sri Lanka may also look into legislating critical infrastructure protection obligations (some countries have specific critical infrastructure cybersecurity acts – Sri Lanka could incorporate such rules via regulations under the new CSA).
Law enforcement capacity should be boosted: equip the police Cyber Crime Unit with better tools for digital investigations (forensics hardware, software licenses for analysis of mobile phones, etc.), and consider establishing cybercrime liaison officers in every province so that not all cases bottleneck in Colombo CID. Training judges and prosecutors further on cybercrime will also ensure the legal system can effectively prosecute offenders, which in turn deters criminals. Internationally, since Sri Lanka is party to the Budapest Convention, fully utilize its provisions for mutual legal assistance – train the officials on how to expedite requests for data from overseas providers when investigating crimes, so that cases don’t fall apart due to lack of evidence from foreign tech companies.
8. Foster Public-Private Collaboration and Trust: As highlighted, trust issues can hinder public-private cooperation. To counter this, the CSA and CERT should implement policies that protect sensitive information shared by companies (e.g., anonymizing incident reports in public disclosures, or using Traffic Light Protocol (TLP) for sharing intel so companies are assured their info won’t leak). Establish a voluntary Cybersecurity Alliance of major Sri Lankan businesses (banks, telcos, ISPs, tech firms) where they regularly meet with CERT to discuss threat trends and collectively strategize. This could be an expansion of the current Cybersecurity Week conference into a more sustained consortium. The private sector can also be incentivized through recognition – for example, the government can institute annual awards or a scorecard for companies with exemplary cybersecurity practices, which could encourage healthy competition to improve security.
Another actionable idea is conducting joint cyber drills involving both government agencies and private companies. For instance, simulate a payment system attack that involves a bank, the Central Bank, a telecom provider (for SMS OTPs), and CERT, to practice joint response. These exercises build trust and clarify expectations on both sides.
9. Protect the Citizens: Focus on Personal Security and Online Safety: Amidst national-level initiatives, it’s important not to lose sight of individual users who are often the target of scams, fraud, and harassment. Strengthening cybersecurity must include improving digital safety nets for citizens. This could involve launching a national Cybersecurity Hotline or online portal where people can report cyber incidents (like hacking of social media accounts, online bullying, phishing attempts) and receive guidance. Sri Lanka CERT already allows reporting of incidents, but a more user-friendly, well-publicized channel (possibly integrated with the Police emergency number or a dedicated short code) could encourage more reporting and early help. For issues like online gender-based violence, the police Women and Children’s Bureau and CERT could collaborate to provide easier reporting mechanisms and awareness on how victims can preserve evidence and seek legal remedy. Enforcing existing laws against online abuse and demonstrating that perpetrators are caught will also enhance public confidence in using digital spaces.
Finally, an often overlooked aspect: cybersecurity for the underserved. Ensure that as cybersecurity measures ramp up, they don’t exclude those with less access or knowledge. For example, if banks push two-factor authentication via mobile, there must be alternatives for older people or those in rural areas who might not be as tech-savvy. Inclusivity in cybersecurity ensures the digital divide doesn’t become a security divide.
By implementing the above recommendations, Sri Lanka can significantly bolster its cybersecurity posture. Each recommendation ties back to the core issues identified – governance gaps, infrastructure protection, skills shortage, cooperation, and culture. Together, they form a roadmap towards a resilient cybersecurity framework that not only addresses current vulnerabilities but is agile enough to adapt to future challenges (be it the rise of AI in cyber threats, quantum computing risks, or others on the horizon). As Sri Lanka moves forward, it should continually assess progress on these recommendations, measure outcomes (like reduction in incidents, improved response times, higher stakeholder satisfaction), and adjust strategies accordingly. Cybersecurity is a journey, not a destination – but with commitment and collaboration, Sri Lanka can travel that journey confidently and reap the benefits of a secure digital nation.
Conclusion
Sri Lanka stands at a pivotal moment in its cybersecurity journey. The country has made commendable progress – from establishing one of South Asia’s early CERTs to formulating ambitious national strategies and improving its international cybersecurity rankings. These efforts have built a foundation of strengths such as a growing pool of expertise, stronger laws, and heightened awareness of cyber risks across society. Yet, as our analysis shows, significant challenges remain in shoring up technical defenses, closing policy gaps, and responding deftly to an onslaught of ever-evolving threats. Cyber incidents like the Cargills Bank breach and the 2021 hacktivist attacks have exposed weaknesses while also serving as catalysts for change.
In the broader context, cybersecurity has moved from the periphery to the heart of Sri Lanka’s national agenda – interlinked with national security, economic prosperity, and the smooth functioning of daily life. A secure cyber environment will enable Sri Lanka’s digital economy to flourish, protect citizens’ rights and data, and guard the nation’s critical infrastructure and sovereignty in an increasingly volatile cyber realm. Conversely, failing to address cybersecurity gaps could undermine public trust in digital services and leave the country vulnerable to malicious actors who do not respect national boundaries.
The recommendations outlined – from strengthening institutions and infrastructure defenses to nurturing talent and fostering partnerships – provide a multi-dimensional approach to building resilience. Implementing these will require sustained political will, resources, and above all, collaboration among government bodies, businesses, academia, and the public. The task is undoubtedly complex, but not beyond reach. Sri Lanka can draw encouragement from its own improvements (such as climbing into the “Advancing” tier globally) and the experiences of other nations that have bolstered their cybersecurity postures successfully.
For a diverse audience – whether you are a general reader, a tech professional, or a policymaker – the key takeaway is that cybersecurity is a shared responsibility and a shared necessity. Simple steps by individuals (like using strong passwords or being vigilant against phishing) complement grander initiatives like national SOCs and international treaties. Sri Lanka’s journey illustrates this interplay: awareness is as important as firewalls; leadership vision is as crucial as technical patches.
In conclusion, Sri Lanka’s cybersecurity system is very much a work in progress, characterized by significant achievements and sobering shortcomings. The country is learning and adapting, as any resilient system does. By continuing on the path of proactive strategy, openness to expertise, and inclusive policy-making, Sri Lanka can transform its cybersecurity landscape from one of reactive fire-fighting to one of predictive, well-governed safety. The benefits of doing so will be felt widely – in secure online transactions, reliable essential services, protected personal data, and a stronger national defense. In essence, a secure cyber Sri Lanka underpins a secure and prosperous Sri Lanka. The challenge is formidable, but with unity of purpose and smart execution, Sri Lanka can build a cyber fortress worthy of its digital future.