Nepal’s Cybersecurity Landscape: Infrastructure, Strengths, and Challenges in the era of 2025

The Structure of Nepal’s Cybersecurity Infrastructure 

Nepal’s cybersecurity apparatus is a blend of government bodies, law enforcement units, private sector stakeholders, and emerging institutions working to protect the nation’s digital assets. Key government agencies include the Ministry of Communication and Information Technology (MoCIT), which formulates IT and cybersecurity policies, and the National Information Technology Center (NITC) that manages government data infrastructure. The NITC operates the Government Integrated Data Center (GIDC) – the central data bank for government websites and services. The GIDC’s importance was highlighted in 2023 when a cyberattack knocked over 400 government websites offline, including critical systems for immigration and passports. This incident underscored the NITC’s pivotal role and the need to fortify central infrastructure. 

Regulatory bodies also play a critical role. The Nepal Telecommunications Authority (NTA), the telecom regulator, has taken on cybersecurity oversight by issuing directives and bylaws. Notably, the NTA’s Cyber Security Bylaw 2020 imposes security standards on telecom and internet service providers, mandating measures like regular security audits and vulnerability assessments for new applications. The bylaw also encourages ISPs to participate in cyber threat information-sharing platforms to improve national readiness. Another important entity is the Office of the Controller of Certifying Authorities, established in 2007 to oversee digital certificates and encryption for secure e-transactions. This office enables a trusted environment for online services by licensing Certificate Authorities under the Electronic Transactions Act. 

Law enforcement and cyber defense units are integral components of Nepal’s cybersecurity structure. The Nepal Police operates a dedicated Cyber Bureau, which investigates cybercrimes, handles digital forensics, and coordinates with international agencies on cyber incidents. This Cyber Bureau has improved accessibility for the public to report cybercrimes (e.g. via email hotlines) and has been involved in busting cyber frauds and arresting perpetrators, including foreign nationals involved in ATM heists. The Nepal Army and Armed Police Force have also formed specialized cyber cells to address cyber threats to national security, reflecting a recognition that defense forces must be cyber-capable. A National Cyber Security Monitoring Center was established under MoCIT directives in 2018, tasked with continuous monitoring of government IT systems for threats. In addition, Nepal’s draft legislation envisions creating a new National Cyber Security Center (NCSC) as a central authority to oversee and respond to cybersecurity incidents nationwide. If implemented effectively, the NCSC would coordinate national efforts and enforce standards across public and private sectors. However, experts caution that this center must be led by qualified professionals rather than becoming a political sinecure. 

Private sector and civil society actors are increasingly part of the cybersecurity ecosystem. Banks and financial institutions have their own IT security teams and comply with guidelines from the Nepal Rastra Bank (NRB, the central bank). After several cyber heists, the NRB issued enhanced cybersecurity guidelines for banks, mandating stricter controls and incident reporting. The banking sector also connects via the Nepal Electronic Payment Systems (NEPS) network, whose compromise in 2019 allowed hackers to conduct a massive ATM cash-out fraud. Internet service providers coordinate through the Internet Service Providers’ Association of Nepal (ISPAN) to address network security issues in collaboration with NTA and telecom companies. An Information Security Emergency Team Nepal (NPCERT) was established in 2016 as a sort of national Computer Emergency Response Team. NPCERT functions as Nepal’s “flagship cyber defense and incident response” center, facilitating operational cooperation among stakeholders. It appears to be a public-private collaborative CERT initiative, given its links with industry and government support. Meanwhile, tech community organizations and NGOs contribute to raising awareness. The Internet Society Nepal chapter promotes a “safe Internet for all” and aligns with international best practices. Academic and research initiatives like the Cyber Security Research and Innovation (CSRI) program focus on cybersecurity research and innovative solutions for local challenges. In summary, Nepal’s cybersecurity infrastructure is evolving into a multi-stakeholder framework: government agencies set policies and run critical infrastructure, law enforcement tackles cybercrime, and private sector and community groups supplement with expertise, innovation, and outreach. 

Achievements and Strengths in Nepal’s Cybersecurity 

Despite being a developing digital economy, Nepal has made noteworthy progress in fortifying its cybersecurity posture. Several legal reforms and policy initiatives have laid a foundation for cyber governance. The country’s first cyber law, the Electronic Transactions Act (ETA) 2006 (Nepali year 2063), legalized electronic communications and defined cyber offenses, providing an initial legal basis to tackle cybercrime. Building on the ETA, Nepal’s constitution adopted in 2015 enshrined digital rights such as the right to privacy and right to information, reinforcing the importance of data protection at the highest legal level. In recent years, authorities recognized the need to update outdated laws: an Information Technology Bill (drafted in 2018) and a Cybersecurity Bill 2022 were combined into a comprehensive Draft Information Technology and Cyber Security Bill 2024. This draft bill, currently awaiting enactment, is set to replace the ETA and modernize Nepal’s cyber legal framework. Importantly, the bill aims to establish a dedicated National Cyber Security Center (as mentioned) and introduce licensing for critical service providers like data centers and cloud services, requiring them to meet security standards and audits. It also tackles emerging domains by referencing blockchain, AI, machine learning, and IoT, indicating Nepal’s intent to address new technology risks in law. This legislative initiative is a significant achievement, reflecting Nepal’s awareness of evolving cyber threats and its commitment to strengthen legal deterrence against cybercrime. 

Nepal has also developed national strategies and policies to guide cybersecurity. A National Cybersecurity Policy was first drafted in 2016 and later updated in 2021 and 2023. The National Cybersecurity Policy 2016, drafted by the Ministry of ICT, outlined a vision to address global cyber challenges and proposed creating a National Cyber Security Strategy Working Group and a national CERT for Nepal. Although implementation was slow, it signaled high-level acknowledgement of cybersecurity. By 2019, the government’s Digital Nepal Framework explicitly included plans for establishing a National Cyber Security Center and broad digitization with security in mind. In 2023, the Cabinet endorsed an updated National Cybersecurity Policy, incorporating lessons from recent incidents and aligning with new technological realities. The 2023 policy emphasizes protecting critical information infrastructure, enhancing the security of government and private information systems, and building capacity for cybersecurity across sectors. It has been described as an “important base” for improving confidentiality, integrity and availability of data nationwide. Complementing these are sectoral guidelines like the Cyber Security Byelaw 2020 (under the Telecommunications Act) which is already in effect. This byelaw requires telecom operators and ISPs to implement cybersecurity measures and only launch new services (e.g. mobile apps) after conducting security vulnerability assessments. According to NTA officials, this regulation shows providers’ readiness to invest in cybersecurity and has led to hiring of specialized cyber personnel in the telecom sector. Similarly, the central bank (NRB) has issued IT and cyber risk management guidelines for banks to safeguard digital financial services. These policies and regulations demonstrate Nepal’s proactive stance: by establishing rules and standards, the country is gradually nurturing a culture of cybersecurity compliance. 

Another advantage for Nepal is the growing emphasis on awareness, education, and capacity building. Recognizing that human factor is often the weakest link, stakeholders have initiated various cyber awareness programs. Government agencies, often in collaboration with NGOs, have run public awareness campaigns on safe internet use (for example, NTA’s Online Child Safety Directives 2019 aimed to prevent child abuse through ICT). Cybersecurity workshops and conferences are increasingly common, including events at universities and community IT forums to educate students and professionals about cyber threats. Some initiatives have focused on outlying regions (like Butwal) to broaden awareness beyond the capital. At the academic level, Nepalese universities and training institutes are introducing cybersecurity courses. The government has even been advised to integrate cybersecurity modules into school and university curricula across all disciplines, underscoring the cross-cutting nature of cyber risks. Efforts to build a skilled workforce are underway through training programs, certifications, and scholarship schemes. For instance, specialized training for Nepal Police and Army personnel in cyber defense has been recommended and partly implemented to bolster law enforcement capabilities. A cadre of young IT professionals passionate about cybersecurity is emerging, supported by tech communities (e.g. the “Cyber Scholars” program, hackathons, and cybersecurity clubs). 

Nepal’s public-private cooperation in cybersecurity has also yielded some successes. Internet providers and banks routinely coordinate with government bodies when incidents occur, helping contain damage. After a major ATM heist in 2017, Nepali authorities worked closely with international banks and even brought in expert consultants (like KPMG) to investigate and recover funds. The incident spurred better cooperation between banks and the central bank on security guidelines. Likewise, when large data breaches struck private companies (e.g. the Foodmandu and Vianet breaches in 2020), the companies cooperated with the Cyber Bureau to investigate and improve systems. Such collaboration has led to faster responses and increased trust between government and industry. Nepal has also tapped international support to bolster capacity. The International Telecommunication Union (ITU) provided technical support for a national cybersecurity assessment and policy recommendations. Friendly nations and forums have offered training under initiatives like the Indian Technical and Economic Cooperation (ITEC) program focusing on cyber capacity building in South Asia. These collaborative efforts are slowly elevating Nepal’s cybersecurity readiness. 

Encouragingly, Nepal’s commitment to cybersecurity has been reflected in improved global rankings and recognition. In the ITU’s Global Cybersecurity Index (GCI), Nepal moved up from 106th position in 2018 to 94th in the 2020 edition. The country scored 44.99 out of 100 points, and although still behind many peers, this climb indicates progress. Nepal was notably strong in the legal measures pillar (scoring 15.6/20) thanks to the presence of foundational laws and policies, and showed moderate gains in organizational and capacity-building pillars. The GCI report suggested Nepal could achieve significant growth by improving cooperation mechanisms. Regionally, Nepal’s rank of 94th put it ahead of Bhutan and Maldives, though it still trails neighbors like Bangladesh and Sri Lanka in cybersecurity commitment. The upward trend in such indices is an achievement Nepal can build on. It signifies to investors and international partners that Nepal is taking cybersecurity seriously. Additionally, over 90% of Nepal’s population now has access to the internet (about 27 million users), thanks to expansion of mobile and broadband networks. This digital uptake is an achievement of “Digital Nepal” efforts, and it brings a demographic dividend of young, tech-savvy users who can become cybersecurity advocates and skilled professionals – if properly educated. Overall, Nepal’s advantages lie in its recognition of cyber issues at policy levels, steps taken to update laws, early-stage institutional frameworks (like CERTs and policies), and a rising awareness that is galvanizing both public and private sectors to act. 

Key Weaknesses and Vulnerabilities in Nepal’s Cyber Defenses 

Despite the progress, Nepal’s cybersecurity landscape faces significant weaknesses and vulnerabilities that undermine its resilience. One major challenge is outdated and fragile technological infrastructure. Many government systems and critical networks still run on legacy hardware and software that lack modern security features. For example, several government websites have historically been hosted on a single centralized server (GIDC), which became a single point of failure during DDoS attacks. Aging IT infrastructure in government offices means security patches and upgrades are often delayed, leaving known vulnerabilities unaddressed. Additionally, internet connectivity in rural areas remains spotty, and many organizations have inadequate network defenses (like firewalls and intrusion detection) in place. This inadequate infrastructure makes it challenging to implement robust cybersecurity measures across the board. The problem extends to critical sectors: power grids, telecom exchanges, and hospital systems may not have been hardened against cyber threats due to resource constraints and reliance on older industrial control systems. As a result, Nepal’s digital infrastructure is relatively easy prey for attackers seeking to exploit unpatched systems or overwhelm ill-prepared servers. 

Another glaring weakness is the shortage of skilled cybersecurity professionals and resources. Nepal faces a significant talent gap in cybersecurity expertise. There are only a limited number of certified and experienced security experts in the country, far fewer than the growing demand. This shortage affects both the public and private sectors – government IT departments struggle to recruit and retain security specialists, and private companies often cannot afford dedicated cybersecurity teams. Consequently, many organizations resort to ad-hoc or reactive measures when a breach happens, rather than having proactive strategies designed by experts. The lack of specialists also hampers incident response; for instance, forensic investigations into breaches have occasionally relied on external consultants due to insufficient local expertise. This brain drain and lack of capacity is a global challenge but acutely felt in Nepal, where the cybersecurity field is still nascent. Moreover, cybersecurity initiatives are often underfunded. The budget allocated for cybersecurity by government agencies is modest, limiting investment in advanced security tools, continuous monitoring systems, and regular security audits. Many businesses, especially small and medium enterprises, also underinvest in cybersecurity, seeing it as a cost rather than an essential investment. The result is an ecosystem where preventive measures like penetration testing, threat intelligence, and employee security training are not widely practiced. Limited funding also affects infrastructure — for example, the GIDC data center may not have had sufficient redundancy or DDoS protection in place, given how a single attack caused hours of outage. 

Nepal’s policy and regulatory gaps present another vulnerability. While new laws are in the works, the current legal framework is still considered inadequate and outdated. The Electronic Transactions Act 2006 is widely seen as obsolete in the face of modern cyber threats. Until the new IT and Cybersecurity law is passed, there is no comprehensive legislation explicitly covering issues like data breaches, ransomware, or critical infrastructure protection. Enforcement mechanisms are weak – for example, Nepal still lacks a dedicated Data Protection Law and regulator. Recent incidents exposed this gap: after major data breaches at telecom companies (Ncell and Nepal Telecom), it was clear that no empowered authority could penalize these companies or mandate security upgrades. Citizens’ personal data (call records, locations, financial info) were compromised, yet the companies faced little accountability due to the absence of privacy regulations and cybersecurity standards in those sectors. Similarly, the lack of an established breach notification system means many incidents might go unreported or underreported. The draft cyber law aims to mandate incident reporting (initially for critical infrastructure), but until it is in force, response remains haphazard. Another policy shortcoming is the ambiguity in defining and securing critical information infrastructure (CII). The new bill references CII but leaves identification criteria to later rules. Without clarity on what assets are “critical” (e.g. power grids, banking systems, telecom networks), it’s hard to prioritize their protection. Policy fragmentation is also an issue – multiple agencies (MoCIT, NTA, NRB, etc.) have overlapping directives, which can confuse implementation. Overall, the evolving regulatory framework hasn’t yet caught up fully with the threat landscape, leaving exploitable loopholes. 

Low awareness and cyber hygiene among the public and organizations further exacerbate vulnerabilities. A significant portion of users and even IT staff in Nepal are unaware of basic security practices, which makes social engineering and phishing attacks extremely effective. Cyber literacy is still lagging in Nepalese society; as one observer noted, the government touts rising internet penetration but “the vulnerable side of the internet has never been the talk of the town”. This limited awareness means many individuals use weak passwords, fall for scams, or don’t secure their personal devices. Businesses, especially smaller ones, often neglect cybersecurity best practices – for instance, not regularly updating software, or failing to backup data securely. Insider threats and human error remain a serious concern, given minimal routine training for employees on security. The government has acknowledged this gap; suggestions have been made to mandate security awareness training for all civil servants at least twice a year. Until such measures are in place and widely adopted, human-factor vulnerabilities will persist. 

Another weakness is the limited institutional coordination and incident response capacity. Effective cybersecurity requires seamless cooperation across various stakeholders, but Nepal’s efforts have often been siloed. Intelligence sharing between government agencies and private companies is still in early stages – while the NTA bylaw encourages creating a cyber community for threat intel sharing, the practical exchange of information remains low. In the event of a major attack, Nepal currently lacks a fully functional centralized response mechanism. The national CERT (NPCERT) is a positive step, but it may not yet have the resources or authority to coordinate large-scale incident response across government and industry. As a result, responses to incidents have sometimes been slow and uncoordinated. For example, after the 2023 government server attack, it took hours to restore services and much of the effort was reactive troubleshooting. Without formal protocols, agencies scrambled to patch systems and block traffic after the fact. Furthermore, international cooperation in incident response is limited by Nepal’s not being a party to frameworks like the Budapest Convention on Cybercrime, which could facilitate cross-border investigations. Cyber threats are borderless, and Nepal’s lack of strong collaboration channels – both internally among sectors and externally with global partners – leaves it isolated in the face of sophisticated attacks. This insufficient collaboration hampers the ability to preempt threats and to respond swiftly when breaches occur. 

In summary, Nepal’s key cybersecurity weaknesses include: (1) Technical vulnerabilities from outdated infrastructure and single points of failure; (2) Human capital deficits in skilled cybersecurity professionals and insufficient funding; (3) Gaps in laws and enforcement, particularly around data protection and incident handling; (4) Low awareness leading to poor cyber hygiene; and (5) Coordination shortfalls that impede a unified defense. These vulnerabilities have been repeatedly exploited by attackers, as illustrated in the next section, and they pose serious risks to Nepal’s security and development if not addressed. 

Battling Global Threats: Nepal’s Cybersecurity in International Context 

No country today is immune from global cyber threats, and Nepal is increasingly facing the spillover of international cyber risks. As Nepal’s digital footprint grows, cyber criminals and even state-sponsored hackers see it as a potential target or a conduit. The threat landscape includes global malware outbreaks, ransomware campaigns, financial cybercrime networks, and espionage actors – all of which can impact Nepal either directly or indirectly. For instance, the ransomware waves that hit worldwide (WannaCry, NotPetya, etc.) did not spare South Asia; some Nepali systems were reportedly affected, highlighting that vulnerabilities in Nepal can be exploited by the same malicious tools used globally. State-sponsored attacks are also a rising concern. Although Nepal may not be a primary target of major cyber powers, it can become collateral damage or a stepping stone in attacks. Nepal sits strategically between two “digital powerhouses,” India and China. This position is a double-edged sword: it provides Nepal an opportunity to be a regional bridge for cyber cooperation, but also means Nepal could be caught in the crossfire of cyber espionage or proxy conflicts between larger states. Indeed, international cybersecurity agencies have ranked Nepal as high-risk in terms of cyber threats – likely due to its limited defenses rather than any aggressive posture. There is concern that advanced persistent threat (APT) groups could target Nepal’s government or financial systems to gather intelligence or siphon funds, as they have done in other developing countries. In one alarming case, Nepal’s central bank (NRB) data was found for sale on a dark web forum in 2024, with speculation that foreign hackers were involved. Such incidents demonstrate that Nepal is on the radar of international threat actors, whether for financial gain or strategic intelligence. 

To navigate this perilous environment, Nepal’s leadership is acknowledging the need for cyber diplomacy and regional cooperation. Cybersecurity has become a topic in Nepal’s diplomatic dialogues, although it’s not yet front and center. Nepali policymakers have yet to make cyber issues a “top agenda” in parliament or bilateral talks, but experts urge that this must change. There are calls for Nepal to actively engage in cyber diplomacy by proposing cooperative agreements within regional forums like the South Asian Association for Regional Cooperation (SAARC). Given SAARC’s limited recent activity, Nepal could also pursue cyber cooperation through BIMSTEC (Bay of Bengal Initiative) or bilaterally with neighbors. For example, Nepal could benefit from India’s growing cyber capabilities by conducting joint cyber exercises or training programs under existing India-Nepal agreements. Similarly, China’s Belt and Road Initiative includes a Digital Silk Road component; Nepal could seek Chinese assistance in securing critical infrastructure, albeit balancing concerns over digital sovereignty. The Annapurna Express op-ed suggests Nepal can serve as a bridge for cyber dialogue between South Asia (India/SAARC) and East Asia (China), fostering collaboration that transcends geopolitical rivalries. This is an ambitious vision, but it underlines that Nepal sees value in being an active player in regional cybersecurity initiatives rather than a passive bystander. 

On the global stage, Nepal participates in forums like the United Nations where cyber norms and security are discussed. Nepal could push for international agreements on issues such as not targeting each other’s critical infrastructure – an idea floated as a pledge countries can make. Aligning with global norms, Nepal has supported the principle of an open, secure, stable cyberspace in UN dialogues, though it lacks a very vocal presence. One concrete step Nepal could consider is joining the Budapest Convention on Cybercrime (an international treaty facilitating cooperation on cybercrime investigations). While some neighboring countries have hesitated to join, Nepal’s law enforcement would benefit from the frameworks and training that come with membership, helping tackle cross-border cybercrimes (which are common, as many attacks originate from abroad). Additionally, Nepal can leverage international capacity-building initiatives. The country has already worked with the ITU on cybersecurity strategy, and it can deepen ties with organizations like INTERPOL (for cybercrime intelligence) and the Global Forum on Cyber Expertise (GFCE) for skills development. 

Global threat trends also compel Nepal to upgrade its defenses. The rise of financial cybercrime cartels has directly affected Nepal in incidents like the SWIFT banking hack of 2017, which echoed the tactics used in the infamous Bangladesh Bank heist. The hackers who attempted to steal $4.4 million from NIC Asia Bank may have been part of an international group targeting financial systems worldwide. Similarly, the proliferation of ransomware means Nepali businesses and government agencies are at risk of having their data held hostage, as has happened to hospitals and companies around the globe. Without robust backup and incident response plans, Nepal could struggle to recover from such an attack. The borderless nature of these threats means Nepal’s cybersecurity readiness is now judged by global standards. It’s telling that the Global Cybersecurity Index categories place Nepal in the “maturing” tier but highlight gaps in areas like international cooperation and critical infrastructure protection. In practice, this means Nepal should not only focus inward on its systems, but also outward – engaging in intelligence sharing about threats (e.g. through joining networks like Asia Pacific CERT (APCERT) or information-sharing groups) and learning from best practices of other nations. So far, there have been positive steps: for example, the NTA bylaw encouraging the use of international cyber threat intel platforms, and Nepal Police coordinating with Interpol on certain cybercrime cases. But there is ample room to institutionalize such cooperation. 

In essence, Nepal’s cybersecurity efforts are now being tested against global benchmarks. The country’s ability to handle threats like transnational hacking groups, cross-border data breaches, and state-level cyber warfare is under scrutiny. To improve, Nepal must embrace a multifaceted approach: strengthen domestic defenses while also actively collaborating regionally and globally. Cybersecurity is no longer just a technical issue; it’s a diplomatic and strategic issue as well. By raising cyber issues in forums like the UN and SAARC, pushing for norms against cyber warfare, and forming alliances for capacity building, Nepal can enhance its security and contribute to regional stability. Failing to do so could leave the country isolated against sophisticated adversaries in the increasingly contested cyber domain. 

Recent Cyberattacks and Security Incidents in Nepal 

Nepal’s vulnerabilities have been starkly illustrated by a string of cyberattacks, data breaches, and digital crimes over the past decade. These incidents have targeted government agencies, financial institutions, private companies, and citizens – underlining that no sector is untouched. Below are some notable examples from recent years, which shed light on both the types of threats Nepal faces and the impact they have had: 

• Government Website Breaches (2017): In a dramatic wake-up call, hackers defaced or compromised dozens of government websites on multiple occasions. In July 2017, a group called “Paradox Cyber Ghost” reportedly hacked 58 government websites (including key sites like the Ministry of Defence and Office of the Auditor General) in just three minutes. The attackers claimed they were merely pointing out vulnerabilities rather than causing harm, but the message was clear: government web servers were poorly secured. Only months later, another hacker group breached 19 more government sites, showing the persistence of security gaps. These breaches, though largely causing embarrassment and downtime, signaled an urgent need to harden government cyber defenses. 

• SWIFT Banking Heist (NIC Asia Bank, 2017): Perhaps Nepal’s most infamous cybercrime to date was the NIC Asia Bank SWIFT hack. In October 2017, attackers infiltrated the private bank’s SWIFT payment system during a long holiday, attempting to illicitly transfer about $4.4 million from Kathmandu to bank accounts in several countries. Fortunately, international cooperation helped freeze most of the transfers; about $580,000 remained unrecovered. An investigation revealed that the bank’s internal IT systems had been compromised – likely via stolen credentials or malware – due to poor access controls. This incident exposed serious weaknesses in banking security and prompted the Central Bank to issue stronger cybersecurity directives to all financial institutions. It also underscored that Nepali financial networks are targets of global cybercriminals. The NIC Asia attempt mirrored tactics used by sophisticated hackers in other countries, hinting that organized international groups were behind it. 

• ATM Cash-Out Scam (2019): In August 2019, Nepal was hit by a coordinated ATM fraud orchestrated by foreign criminals. A ring of at least five Chinese nationals managed to clone ATM cards and manipulate bank networks (specifically the Nepal Electronic Payment Systems) to withdraw approximately NPR 34.5 million (around $290,000) from various ATMs across Nepal and even in India. They did this over a short period before being caught. The scam exploited security weaknesses in the inter-bank payment switch and inadequate real-time fraud monitoring. This was one of the first large-scale cyber-financial crimes in Nepal involving international perpetrators physically present in the country. The police, with help from banks, responded by arresting the individuals and plugging the immediate vulnerabilities. Nonetheless, it highlighted how Nepal’s growing digital finance ecosystem could be abused by transnational criminal groups, and it pushed banks to implement better card security (like EMV chips and two-factor authentication for card withdrawals). 

• Major Data Breaches in Private Sector (2020): The year 2020 saw a rash of high-profile data breaches affecting Nepali consumers. In March 2020, Foodmandu, a popular food delivery platform, was hacked by an individual alias “Mr. Mugger”. The personal information of over 50,000 customers was stolen and dumped online. The leaked data included names, addresses, phone numbers, and even precise delivery coordinates – a trove that could fuel identity theft and social engineering. Just weeks later in April 2020, Vianet Communications, one of Nepal’s largest internet service providers, suffered a massive breach. Hackers leaked the records of approximately 170,000 Vianet customers, exposing names, contact info, and addresses. Vianet confirmed the breach and had to patch its systems and work with police on investigations. These back-to-back breaches caused public uproar about data privacy. They demonstrated that even private tech-savvy companies in Nepal had serious lapses in security (in Foodmandu’s case, possibly a database vulnerability; in Vianet’s case, perhaps poor access security on customer databases). The incidents were a catalyst for calls to accelerate passage of a Data Protection law and improve companies’ cybersecurity practices. They also shook consumer trust – people became more wary of how their data was stored by services they use. 

• Distributed Denial-of-Service (DDoS) Attack on Government (2023): In January 2023, Nepal experienced an unprecedented cyber disruption when a massive DDoS attack overwhelmed the Government Integrated Data Center. This cyberattack took down over 400 government websites for about four hours, effectively bringing many public services to a halt. Among the affected systems were critical ones such as the Immigration Department’s online visa system and the Passport Department’s database, directly impacting travelers. At Kathmandu’s international airport, immigration counters ground to a crawl as officials had to switch to manual processing of visas and passport checks, causing hours-long queues and flight delays. The attackers (identity still unknown) basically flooded the government servers with fake traffic (“intentionally generated fake users”) from abroad, exploiting the fact that most .gov.np sites were hosted on a centralized infrastructure with limited defensive capacity. Technicians responded by temporarily geo-blocking foreign traffic to bring systems back online. While it was reported that no data was stolen in this incident, the service denial itself had real consequences for national security and the economy (e.g., delaying flights, inconveniencing thousands of people). It was a wake-up call about the need for redundancy and better DDoS protection, and it raised fears that more severe attacks could both steal data and disrupt critical infrastructure in the future. The government launched investigations and acknowledged that this was the most serious cyber incident Nepal had faced to date. 

• University and Educational Sector Attacks (2024): Cyber threats have also hit Nepal’s education sector. In early 2024, the country’s oldest and largest university, Tribhuvan University, fell victim to a hack just two days after launching new online service portals. A 12th-grade student astonishingly breached the Examination Control Office’s website, forcing the university to suspend its online system for over a week. While apparently not a malicious attack (the student may have been exposing weaknesses), it disrupted services for thousands of students who had to revert to manual processes for transcripts and certifications. The incident highlighted gaps between ambitious digital initiatives and actual cybersecurity readiness in educational institutions. Around the same time, a separate breach saw personal data of 7,800 engineering students leaked and put up for sale on the dark web. The stolen data included sensitive identifiers (addresses, contact info, and even ID document copies), creating risks of identity theft for those students. These episodes underscore that academic institutions are also on attackers’ radar, possibly due to weaker security and valuable datasets of personal information. 

• Central Bank (NRB) Data Leak (2024): A particularly alarming incident was the reported leak of internal data from the Nepal Rastra Bank in late 2024. According to cybersecurity researchers, a cache of NRB documents – including internal communications, regulatory filings, and some financial records – appeared for sale on dark web markets. The NRB initially officially denied being hacked, but independent analysts verified samples of the leaked files as authentic. This breach did not necessarily involve customer account data, but it struck at the heart of Nepal’s financial governance. The idea that the central bank’s confidential information was compromised raised questions about the security of even the most critical financial systems. It also posed potential national security implications, given the central bank’s role in economic stability. The NRB incident is possibly the most significant data breach in Nepal’s financial sector to date, and it underscores that threat actors are interested in high-value targets. It likely spurred the central bank to re-evaluate its security protocols and may have accelerated collaborative efforts with law enforcement and international partners to secure the financial sector. 

• Telecom Data Breaches (2020–2022): Though details are scarce, it has been publicly noted that both major telecom operators – Nepal Telecom (government-owned) and Ncell (private) – suffered data breaches in recent years. These breaches reportedly exposed sensitive customer data like phone records, locations, and even financial information linked to mobile payment services. The fact that such core communications infrastructure had leaks is indicative of poor security practices and oversight. What’s more concerning is that Nepal’s regulatory vacuum meant there were virtually no consequences or mandated remedial actions for these telecom companies. Such incidents compromise citizens’ privacy on a large scale and could be exploited for surveillance or fraud. They add to the chorus calling for stringent data protection laws and security standards in telecom. 

Collectively, these incidents reveal persistent patterns in Nepal’s cybersecurity troubles. Many attacks succeeded due to weak authentication (e.g. reused or default passwords), lack of network segmentation (allowing an intruder broad access once inside), absence of regular security audits, and insufficient monitoring to detect intrusions early. In several cases, the response was reactive: fixes applied only after the damage was done. The recurring issues across these examples include outdated systems, weak passwords (some government sites allegedly had extremely guessable admin credentials), and negligence in applying patches. Importantly, the impact of these incidents has been significant: they have risked national security (government and defense data exposed), caused economic loss (millions stolen or recovery costs incurred), and eroded public trust in digital services. When citizens see news of frequent hacks – whether it’s their bank, ISP, or a government office – they naturally become wary of using online services, which in turn can slow down Nepal’s digital transformation. 

On a positive note, each incident has also been a learning experience prompting authorities and companies to improve defenses. For example, after the 2017 bank hack, banks instituted stricter SWIFT protocols and closer monitoring of transactions. After the 2020 breaches, many companies began hiring security consultants to perform penetration testing. The 2023 government DDoS debacle spurred discussions about having multiple backup servers and possibly a second data center site for redundancy. Thus, while painful, these cyber incidents have galvanized momentum for reform. They make clear that Nepal must address its cybersecurity weaknesses – not in theory, but in practice – to avoid even more damaging attacks in the future. As one local commentary put it, these attacks should serve as a wake-up call that investing in cybersecurity is no longer optional but essential for Nepal’s national security, economic stability, and citizens’ privacy. 

Cybersecurity and National Development in Nepal 

Cybersecurity in Nepal is not an isolated tech issue – it is deeply intertwined with the nation’s broader development goals, the protection of critical infrastructure, the growth of digital finance, and public trust in government services. As Nepal pushes forward with digital transformation, a secure cyberspace has become a prerequisite for sustainable development in multiple domains. 

Digital Government and Public Services: Nepal’s government has embarked on ambitious e-governance initiatives, aiming to digitize everything from citizen registries to service delivery (e.g. online license applications, digital land records). The success of these initiatives hinges on security. When government systems are compromised or unreliable, it undermines public confidence in e-governance. For example, the 2023 shutdown of 400+ government sites due to a cyberattack not only halted services but also shook faith in the government’s ability to safeguard data. Citizens expect that their personal information submitted to government portals (for passports, taxes, social security, etc.) will be kept confidential and safe. If high-profile breaches or leaks occur, people may revert to demanding paper-based processes, slowing down the adoption of efficient digital systems. Moreover, cybersecurity is crucial for national identity projects such as national ID cards or biometric passports. These systems concentrate sensitive data and thus are high-value targets; securing them is fundamental to protecting citizens’ identities and rights. In short, robust cybersecurity underpins public trust, which in turn is necessary for Nepal to fully realize its digital governance and smart nation plans. A lack of security could derail these plans by causing public pushback or actual harm if data is misused. 

Critical Infrastructure Protection: Modern economies depend on interconnected critical infrastructures – power grids, telecommunications networks, transportation systems, banking systems, healthcare networks, and more. Nepal is no different. Protecting these critical infrastructures from cyber threats is now recognized as part of national security. For instance, Nepal’s National Security Policy 2018 explicitly lists the misuse of technology and cyber threats among challenges to national security. We have seen how an attack on the government data center impacted airport operations; one can imagine other worst-case scenarios, such as a cyberattack on the electricity grid causing blackouts, or interference with telecom networks cutting off communications. As Nepal invests in infrastructure development (often with foreign partnerships), it must incorporate cybersecurity by design. This includes securing the SCADA systems in hydropower plants (Nepal’s electricity is heavily hydro-based), ensuring telecom switches are updated and monitored, and that transport infrastructure (like the digital systems in aviation or proposed smart traffic management) have failsafes against hacking. There is also a link between natural disasters and cybersecurity – Nepal is prone to earthquakes, and critical systems must not only be disaster-resilient but also cyber-resilient, so that in times of crisis the networks remain operational and trusted. The government’s upcoming policies define critical information infrastructure and will impose security requirements on them, which is a welcome move. However, as noted, clarity and proper implementation of those policies will be key to actually protecting these vital systems. 

Digital Finance and Economic Growth: Nepal’s financial sector is rapidly digitizing, with a surge in online banking, digital wallets, and QR payments in recent years. The number of mobile banking transactions more than doubled from 2020 to 2024, and e-wallet usage similarly soared. This digital finance boom is driving financial inclusion and convenience – a pillar of economic development. Yet, it also enlarges the attack surface for cyber threats. The F1Soft/eSewa breach in 2024, where hackers stole NPR 34.2 million from a leading digital payment provider, was a red flag for fintech security. Such an incident not only causes direct financial loss but can erode trust in digital payments at a critical adoption stage. If people fear that their mobile wallet or online banking app can be hacked, they may revert to cash transactions, hampering the push towards a less-cash economy. Cybersecurity is thus essential to maintaining confidence in digital financial services. The central bank recognizes this – it has emphasized that as digital transactions increase, so do the threats, hence investing in cybersecurity infrastructure is vital for economic stability. Moreover, Nepal’s economy relies on remittances and international banking connections; a major cyber incident could disrupt remittance flows or make correspondent banks wary of doing business with Nepali banks (if they’re seen as insecure). For sustainable economic growth and integration into the global digital economy, Nepal’s financial systems must meet international security standards. This intersects with development: secure digital finance can empower entrepreneurs, boost e-commerce, and streamline government payments, all contributing to development – but insecurity in this domain could set those efforts back. 

Public Trust and Social Stability: In the digital age, cybersecurity and public trust are closely linked. Misinformation, cyberbullying, and privacy breaches all have social implications. For example, if citizens’ personal data (like health or financial records) are leaked, it not only harms individuals but also breeds distrust in the institutions that were custodians of that data. In Nepal, the lack of a data protection regime has led to instances where personal data was handled carelessly, especially during COVID-19 data collection. People had no control or assurance over how their sensitive information was used, which normalized a disregard for privacy rights. This can fuel public resentment or apathy towards digital initiatives. On the other hand, a strong cybersecurity posture, including privacy protections, can enhance trust and civic participation in digital platforms (such as e-voting or digital public consultations in the future). Public trust is also critical in times of crisis: for instance, during disaster response, citizens need to trust that the information systems (emergency alerts, etc.) are accurate and not compromised. Additionally, social stability can be threatened by cyber incidents – consider a scenario where a hostile actor leaks or fabricates government data to incite panic or communal tensions. Nepal’s social media space has already seen incidents of hacking of political figures’ accounts and spread of inflammatory content. Cybersecurity measures, combined with digital literacy, are needed to mitigate these risks and maintain societal harmony. The Cambridge Analytica scandal even had a tangential link to Nepal’s 2017 elections (with allegations of voter profiling), highlighting that data security lapses can affect democratic processes. All these facets show that cybersecurity underpins good governance and public trust, which are themselves foundations of development. 

In summary, ensuring cybersecurity is now a cross-cutting requirement for Nepal’s development agenda. It supports the reliability of e-government services, shields critical infrastructure that the economy and public safety depend on, enables the continued growth of digital financial inclusion, and safeguards citizens’ trust in the digital ecosystem. Conversely, if cybersecurity is neglected, the resulting incidents can derail development projects, cause economic setbacks, and diminish public confidence. Thus, investments in cybersecurity yield dividends across multiple sectors – making Nepal’s digital revolution safer and more sustainable. 

Strategies and Recommendations for a Cyber Resilient Nepal 

Building on the analysis of Nepal’s current state, it’s clear that a multi-pronged strategy is needed to enhance cybersecurity resilience. The following actionable recommendations and strategies could significantly strengthen Nepal’s cybersecurity posture in the coming years: 

• Bolster the Legal and Regulatory Framework: Fast-track the enactment of the Information Technology and Cyber Security Bill 2024, ensuring it addresses current gaps. This new law will replace the outdated 2006 cyber law and introduce much-needed provisions on incident reporting, critical infrastructure protection, and regulation of cybersecurity service providers. Once passed, focus on robust enforcement: designate or establish competent authorities to oversee compliance (for example, empower the proposed National Cyber Security Center to audit and enforce standards). Simultaneously, draft and pass a dedicated Data Protection Act that aligns with international privacy principles. As noted by experts, Nepal must enact comprehensive data protection rules (consent requirements, data minimization, breach penalties, etc.) to protect citizens and hold organizations accountable. Such laws will not only protect rights but also build trust in digital services. Additionally, update sectoral regulations (banking, telecom, healthcare) to include explicit cybersecurity and data privacy standards, so that critical sectors have clear obligations. In short, create a strong legal deterrent against cybercrime and negligence, supported by clear guidelines. 

• Empower Institutions and Improve Governance: Establish the National Cyber Security Center (NCSC) as a functional coordinating body with a clear mandate, skilled staffing, and political backing. The NCSC should serve as the nerve center for Nepal’s cybersecurity – monitoring threats, issuing alerts, coordinating incident responses, and advising all sectors on security. It must be staffed by qualified cybersecurity professionals (merit-based hiring is crucial to avoid it becoming a dumping ground for political appointees). The NCSC can also maintain a registry of certified cybersecurity auditors and professionals, as envisioned in the draft bill. Strengthen the existing Cyber Bureau of the police by allocating more resources and training – this unit should evolve into a world-class cyber crime investigation agency, equipped with digital forensics labs and legal powers to act swiftly. Encouragingly, the government is urged to boost capacity in the Nepal Police Cyber Bureau and even the Army’s cyber units; this could involve creating a dedicated cyber force or task force that pools talent from multiple agencies. Enhancing inter-agency coordination is also key: form a high-level Cybersecurity Coordination Committee that brings together MoCIT, NTA, NRB, security agencies, and industry representatives. This committee would facilitate information-sharing and joint actions (for example, running national cyber drills). Essentially, Nepal needs strong institutions with defined roles – a central agency to coordinate and sectoral bodies to implement – to overcome the current fragmentation. 

• Invest in Secure Infrastructure and Technology: Prioritize upgrading Nepal’s IT infrastructure to make it inherently more secure and resilient. This starts with the Government Integrated Data Center – invest in expanding its capacity, adding DDoS protection services, and creating redundant backups (possibly a secondary data center in a different location) to avoid single points of failure. Critical government systems should undergo regular penetration testing and security audits mandated by policy. Similarly, critical infrastructure operators (power, telecom, banking) should be required to implement state-of-the-art security controls: network segmentation, intrusion detection systems, and continuous monitoring for anomalies. Funding must be allocated to replace legacy software/hardware in government with more secure, supported technologies. Adopt secure cloud solutions where appropriate – for instance, government websites could be hosted on cloud infrastructures with built-in security and redundancy (though mindful of data localization requirements). The government can also set up a national cyber threat intelligence platform (leveraging the NTA’s bylaw initiative) where indicators of compromise and threat information are shared in real-time among government, ISP, and financial sector networks. Another aspect is developing incident response infrastructure: establish a reliable cyber hotline and incident reporting portal where any organization can report cyber incidents to the authorities and get immediate guidance. Moreover, ensure essential services have manual fallbacks (as seen when immigration officers had to revert to pen and paper) and disaster recovery plans in case of cyber disruptions. Investing in robust infrastructure is costly, but the cost of not doing so – as demonstrated by outages and breaches – is far higher in the long run. 

• Human Capacity Building and Skill Development: Address the talent gap by fostering a pipeline of cybersecurity professionals. This requires interventions at multiple levels of education and training. Integrate cybersecurity curriculum into university programs – not just computer science degrees, but also in management and social sciences to build a broad understanding. As recommended by Nepali experts, universities should update syllabi to international standards and even make basic cybersecurity courses mandatory for all students. At secondary school level, introduce modules on digital literacy and safety so that youth learn safe online habits early. For current professionals, incentivize obtaining certifications (like CISSP, CEH, etc.) through scholarship or employer recognition programs. The government and private sector can collaborate to establish a Cybersecurity Academy or Center of Excellence that offers specialized hands-on training, simulation labs (cyber ranges), and research opportunities. This could tie into the bill’s mention of a Center of Excellence for emerging technologies including cybersecurity. Additionally, encourage the growth of local cybersecurity firms and startups (Nepal already has companies like Cryptogen, Eminence Ways, LogPoint, as noted) by providing incubation support or tax incentives; a thriving infosec industry will create jobs and services. In the public sector, make cybersecurity training a continuous requirement: as suggested, require every government staff to undergo security awareness training biannually. Also, create career pathways in government for cybersecurity specialists so that talent is attracted and retained (for example, a dedicated cybersecurity cadre or at least competitive pay scales for such roles). Finally, stem brain-drain by engaging the Nepali tech diaspora – invite experts working abroad to contribute via short-term consultancies or remote mentorship of local teams. Building human capital is a slow process, but these steps will gradually fill the expertise gap. 

• Raise Public Awareness and Strengthen Cyber Hygiene: Launch a sustained national cybersecurity awareness campaign targeting citizens, businesses, and government employees. This could take inspiration from global efforts like Cybersecurity Awareness Month, but tailored to Nepal’s context and languages. Use mass media (TV, radio, social media) to disseminate simple tips on using strong passwords, avoiding phishing scams, updating devices, and protecting personal information. Community-based workshops can help extend reach – for example, partnering with local ICT clubs or municipalities to run digital safety sessions in schools and community centers. The goal is to transform cybersecurity from a niche topic into common knowledge, much like public health campaigns. Encourage a culture where people report cyber incidents (like fraud attempts) without fear. The private sector should also contribute – ISPs might send out periodic security newsletters to customers, banks can educate users on safe e-banking practices, etc. Additionally, leverage the influence of tech-savvy youth and “cyber ambassadors” – for instance, Nepal could create a volunteer corps of trained students who help teach digital safety in their communities. Another important aspect is addressing cybercrime victims’ support: ensure there are accessible channels for the public to seek help if they fall victim to online scams or harassment (expanding on the Cyber Bureau’s hotline services). By improving overall cyber hygiene in society, Nepal can reduce the success rate of common attacks and make the digital environment safer for everyone. 

• Enhance Public-Private Partnerships and Industry Standards: The government should work closely with the private sector – which owns and operates much of Nepal’s critical digital infrastructure – to uplift security standards. Establish formal information-sharing partnerships where private companies (banks, ISPs, utility providers, etc.) regularly share anonymized threat data with the government and each other. This can be facilitated through the NCSC or a sectoral ISAC (Information Sharing and Analysis Center). Encourage industries to develop their own cybersecurity best practice frameworks in line with global standards like ISO 27001 or the NIST framework. For example, banks in Nepal could collaborate via the Bankers’ Association to implement a uniform baseline security standard beyond the NRB’s minimum requirements. The telecom sector, under NTA’s guidance, might do the same for telecom network security. The government can incentivize compliance by linking it to licensing – e.g. only licensing cloud providers or data centers that meet strict security certifications. Public-Private Collaboration is also invaluable for incident response: conduct joint cyber drills that simulate attacks on, say, the banking system or power grid, involving both companies and government responders so they can practice coordination. Moreover, Nepal can explore innovative PPPs like contracting domestic IT firms or international partners to monitor critical networks (managed security services) if in-house capacity is lacking. Given limited resources, pooling expertise from the private sector (including ethical hackers and cybersecurity researchers) is a smart way to improve overall defenses. Many local tech firms and freelancers, as mentioned, are already doing cybersecurity work internationally – harness their knowledge through advisory roles or project-based engagements to solve national security problems. 

• International Cooperation and Agreements: Proactively seek international collaboration to boost Nepal’s cybersecurity. This can happen on multiple fronts. First, improve law enforcement cooperation by signing onto international conventions or MoUs that enable information exchange on cybercrime (for example, revisit joining the Budapest Convention to ease evidence sharing with other countries for cybercrime investigations). Second, establish bilateral partnerships for capacity building – Nepal could request cybersecurity training programs from countries like India (which already provides some training under ITEC), China, the USA, Estonia (renowned for cyber capabilities) or Japan. These trainings can cover advanced topics like malware analysis, digital forensics, and secure network design. Third, engage actively in regional forums: advocate reviving a SAARC cybersecurity task force or a regional CERT interoperability framework. If SAARC is slow, use BIMSTEC or SCO (where Nepal is observer) as alternative platforms to collaborate on cybersecurity drills or policy harmonization. Additionally, join global networks such as the FIRST (Forum of Incident Response and Security Teams) by ensuring Nepal’s CERT/NCSC meets criteria – this would allow Nepal to receive early warnings about global threats and best practices from the international CERT community. At diplomatic levels, include cybersecurity agenda items in dialogues with other countries. For example, when discussing development aid or cooperation with allies, Nepal can prioritize projects like “cybersecure smart city development” or “critical infrastructure cyber protection” to attract funding and technical help. International financial institutions (World Bank, ADB) are increasingly funding cybersecurity as part of development — Nepal should capitalize on that by including cybersecurity components in all ICT-related development projects. Finally, Nepal should voice support for international norms against cyber warfare (such as not attacking critical infrastructure in peacetime) – by aligning with such norms, Nepal reinforces a rules-based cyber order that ultimately benefits smaller nations. In sum, look beyond borders for both help and solidarity, because cybersecurity is a shared global challenge. 

• Develop Robust Incident Response and Crisis Management Plans: Given that no defense is foolproof, Nepal must improve its ability to respond to and recover from cyber incidents. This means formulating and regularly updating incident response plans at organizational and national levels. The NCSC (once operational) should create a National Cyber Incident Response Plan that defines how various stakeholders coordinate during significant incidents (who takes lead, how information flows, etc.). Conduct annual cybersecurity emergency drills that simulate scenarios like a major power grid attack or a large data breach, involving technical teams, management, law enforcement, and communications officers. These drills will help identify gaps in preparedness and improve inter-agency communication under pressure. Organizations, from banks to government ministries, should also have internal playbooks for handling incidents – including steps like isolating affected systems, notifying authorities and users, and public communication to manage fallout. Additionally, improve digital forensics capabilities so that after an incident, Nepal can effectively investigate and learn lessons. This might involve establishing a dedicated digital forensics lab and training police and experts in evidence preservation. Part of crisis management is also strategic communication: the government should be transparent and timely in informing the public about breaches (to prevent misinformation and maintain trust), while also countering any malicious narratives (for example, if a state-sponsored attack tries to leak false information, the government must be ready to rebut and control panic). Planning for the “when, not if” of cyber incidents will ensure Nepal can contain damage swiftly and continue essential services even under cyber siege. 

By implementing these strategies – from legal reforms and institutional empowerment to infrastructure upgrades, capacity building, and international cooperation – Nepal can significantly enhance its cybersecurity resilience. These steps are interrelated and should progress in parallel. Policy reforms create the environment for better security; capacity and infrastructure investments provide the tools and people to enforce security; awareness and partnerships multiply the effectiveness by aligning all stakeholders. As Nepal embraces digital innovation for development, these measures will help ensure that innovation is not undone by insecurity. The goal is a Nepal where digital progress and security go hand in hand, reinforcing each other. 

In conclusion, Nepal stands at a critical juncture in its digital journey. The country has made commendable strides in recognizing cybersecurity’s importance – drafting new laws, formulating policies, and beginning to build institutions. It has also faced real adversities in the form of cyberattacks that exposed its weaknesses. The experiences and lessons from those incidents, coupled with best practices from around the world, provide a roadmap for improvement. By strengthening its cybersecurity infrastructure now, Nepal can safeguard its nascent digital economy and protect its citizens in cyberspace. Cybersecurity must become a national priority, embraced not just by IT professionals but by government leaders, business executives, and ordinary users alike. The investments made in cybersecurity – whether money, time, or training – will yield long-term benefits by enabling Nepal’s digital transformation to unfold on a foundation of trust and resilience. In an interconnected world of escalating cyber threats, Nepal’s choice is clear: act decisively today to prevent and mitigate the cyber risks of tomorrow. The safety, prosperity, and trust of the digital Nepal depend on it. 

Learn more….