Recent cyber-attacks on Nepal’s sensitive government systems have exposed glaring vulnerabilities, highlighting weak defences amid internal conflicts over contract renewals and variations.
Last week, a malware attack on the biometric-based passport system halted services completely from Wednesday to Monday. The system, managed by the French company IDEMIA, remains disrupted, with passport services yet to resume in district administration offices and foreign missions.
While it is uncertain when the issue will be resolved, the Department of Passports has not confirmed whether the attack compromised sensitive data.
Government systems under frequent cyber threats
This attack is not an isolated incident. The online equivalency certificate system under the Curriculum Development Centre has been down for a week, with the website operational but the system inactive. Similarly, the websites of several ministries in Sudurpashchim Province, including those for land management, agriculture, cooperatives, industry, and law, remain non-functional, disrupting related systems.
Many local government websites have also been targeted, rendering linked online services inaccessible. Past incidents, such as the attack on the Teachers’ National Database in July and repeated breaches of government servers, have resulted in significant data losses.
Even the sensitive National ID Management Information System, which stores biometric and personal data, is prone to frequent cyber attacks, with the Department of National ID lacking the main source code for the system. This reliance on contractors for system maintenance has persisted for six years.
Contractor dependency weakens security
The passport and registration systems exemplify a larger problem: many government systems are under the control of contractors. Vendors often withhold source codes, manipulate system operations to influence decisions, and even disable systems deliberately during disputes.
The Department of Information Technology (DoIT), responsible for overseeing government IT systems, lacks an integrated database of active software and systems. There is no requirement for prior approval for system development or mandatory reporting of operational systems, leaving many unregulated.
Many government offices lack skilled personnel, resulting in over-reliance on vendors for system operation, updates, and troubleshooting. This dependency often prevents government agencies from obtaining source codes and maintaining control over their systems.
Security audits and preventative measures lacking
The absence of regular security audits has left government systems highly vulnerable. The DoIT provides IT system security testing services but managed to test only 90 systems from 64 agencies in the last fiscal year due to limited resources.
“While we aim to test more systems, we face resource constraints, including limited licenses for necessary tools,” said DoIT Director General Ramesh Sharma Paudel. He emphasized the need for extensive cybersecurity audits for sensitive systems.
Cybersecurity experts like Naresh Lamgade stress the importance of stringent laws and mandatory security audits. “Countries worldwide are enacting strong cyber security laws, but Nepal is still lagging. Without robust audits, government data and services remain at risk,” Lamgade noted.
Structural issues and delayed reforms
The recently established National Cyber Security Centre has yet to become fully operational due to a lack of infrastructure, equipment, and resources. Despite its potential, the centre remains underutilised, leaving government systems exposed to ongoing cyber threats.
To address these vulnerabilities, Paudel called for resource allocation and a focused approach to secure cyber infrastructure. “We need comprehensive policies and frameworks to ensure government systems are secure, reliable, and user-friendly,” he said.
Cybersecurity awareness among government agencies remains low, with minimal priority given to third-party security testing and post-development audits. Many vendors also provide superficial reports from automated scanners, undermining efforts to enhance system security.
Until significant reforms are implemented, Nepal’s critical systems remain at risk, with cyber attackers exploiting weaknesses and the government struggling to mount an effective defence.