Eight years from first drafting the important policy, the country is struggling to keep pace with cyberattack sophistication.

The Himalayan kingdom of Bhutan does not naturally feature high on any cyber-threat list as a targeted zone, owing to its people’s peaceful existence and relaxed outlook towards life.

This, however, does not mean that Bhutanese do not face any data breaches, or that their network vulnerabilities are not exploited by cybercriminals every now and then. For such a small and serene country, the Bhutan Computer Incident Response Team (BtCIRT) had resolved 275 cyber threats from its government departments and organizations between 2016 and 2018 (latest available data).

The most common cybercrimes plaguing Bhutan in the recent times are email phishing and malicious links on social media platforms; vishing; web defacement; and system vulnerabilities.

High tech usage, low awareness

The nation’s Department of Information Technology & Telecom (DITT) has readily admitted through several reports that the people’s cybersecurity awareness is negligible. While there are laws to safeguard country’s data and information systems, the common refrain is that this “is still not comprehensive or sophisticated enough.”

Due to the ever-evolving nature of IT products and services, many people are unaware of the associated risks and threats, and therefore, are unable to always follow safe cyber habits. One reason for this could be the increasing number of 3G and 4G network subscribers in the country.

The official statistics of the ICT Ministry puts the number at around 700,000, nearly as high as Bhutan’s population. Apparently, the people have taken to cardless transactions lately. Ever since the COVID-19 pandemic, the health and education sectors have followed in the footsteps of other government departments in ensuring e-delivery of services. All these aspects add up to Bhutan’s cybersecurity scenario as of today.

According to a report by the International Telecommunication Union’s news portal, MyITU.int: “Despite the great engagement of the Kingdom of Bhutan in ICT development, many government and private sector leaders are from non-technical backgrounds. In a country where digital transformation is a work-in-progress, awareness of the importance of cybersecurity remains a big challenge.”

Cybercriminals have been taking advantage of the current situation and spreading scams through social networking sites and malicious links through emails promising money, free rewards, job offers and free Internet access, a senior ICT officer with BtCIRT, Sonam Choki, was quoted saying recently.

Rapid digitization demands swift action

All said and done, the Kingdom of Bhutan has been undergoing considerable digital transformation over the last 20 years. The country’s public sector and private players have been offering a lot of digital services, with digital literacy constantly on the rise.

According to Bishwajit Sutradhar, Vice President, Synersoft Technologies, which has extensive experience working with government: “Bhutan is well connected to the outside world and has close ties with neighboring countries like India, Myanmar, Singapore and Thailand. Therefore, the nationals are gradually improving their cybersecurity awareness, with government agencies, banks, hospitality and food processing units implementing some measures.”

Since 2012, Bhutan had realized the need for stringent policies to protect its data and digital assets, and had begun drafting its first National Cybersecurity Strategy (NCS) then. The BtCIRT was the taskforce entrusted with enhancing cybersecurity in Bhutan. According to Sutradhar, the body has facilitated cybersecurity information coordination and established computer security incident handling capabilities within the country.

By 2018, the NCS finally started taking some shape and the first version was ready in October 2020. According to those in the know, the NCS is in an advanced stage pending the government’s final approval for implementation.

Educate to tackle threats

After BtCIRT started tracking down numerous instances of social media phishing, it became concerned about online user behavior and felt the need for more online safety education, Choki said.

The national agency regularly uploads educational videos on cybersecurity, phishing emails, social media phishing, Internet hackers and password security on its Facebook page, apart from telecasting them through the Bhutan Broadcasting Service (BBS). These platforms also disseminate information on the latest threats and other vulnerabilities.

The BtCIRT also collaborates with system developers in government sectors to conduct training and workshops for ICT officials to equip them with skills necessary to combat cyber threats.

Even as the NCS remains a work in progress, Bhutan is enhancing its cybersecurity posture to tackle all kinds of cyber threats, and pushing out digital initiatives to reach every last citizen, in preparation for a secure digital future.