Here is an update of Nepal’s cyber landscape and how its people and private enterprises have autonomously built some cyber vigilance

Readers interested in understanding the cyber landscape of Nepal, which is still adhering to outdated cybersecurity laws and policies of 2006/2007 will be happy to know that the situation is not as grim as surmised.

According to republic’s telecommunications authority, 90.56% of its population have internet connectivity as of mid-May 2022, with a user base of 27.37m, starting from a low base of only 35,000 residents in 2000.

However, according to Suman Thapaliya, Head of IT, Texas College of Management and IT, the issue of a digital divide is visible in the country at both the individual and institutional levels. Technology adoption there is lower than in other industrialized countries, and their government does not trust email and computer transactions. 

Despite this, Nepal remains enthusiastic about the role that information and communications technology will play in overall economic progress and poverty alleviation. According to the Global Cybersecurity index 2020 released by the International Telecom Union (ITU), the country has been demonstrating a greater commitment to cybersecurity. Said Thapaliya: “People in Nepal are becoming more conscious of cybersecurity as time passes. The main reason for this is not due to study, but to cybercrime cases that have occurred. People are now more focused on cybersecurity rather than physical security, they are not sharing all of their personal information on social media, they are aware of what is spamming messages or not, and they only use HTTPS or SSL certified websites.”

Autonomous cybersecurity vigilance
Despite outdated cyber governance laws, minor regulatory initiatives such as the Cyber Security Bylaw 2020 by the Nepal Telecommunications Authority have introduced some measure of cyber vigilance and sharing of threat intelligence.

Additionally, their Ministry of Communication and Information Technology had also prepared a new policy draft in 2021 to address cyber security issues. “Almost every industry employs security measures to protect its working and learning environments. In the current climate, even the government is considering making cybersecurity measures mandatory for the establishment of any new enterprise. Industries such as banking, telecoms, ISPs and military defense spend the most money on security,” Thapaliya noted.

Private sector initiatives have also added to the level of autonomous cybersecurity vigilance in the country. Digital payments apps such as Fonepay have prompted the financial sector to implement digital transaction policies. The last few years have also seen the rapid emergence of banking applications and other utility payment apps such as esewa, Khalti, and others.  

On the flip side, the lack of updated cybersecurity laws; the use of old and obsolete software; and a general lack of IT skills have resulted in increasingly common incidents ranging from cyberattacks, cyber bullying and phishing since 2014. Data breaches have been reported in official institutions such as at the Ministry of Agriculture, the Central Library, as well as multiple incidents of ATM hacking and social media cyberbullying. 

“In many situations, victims don’t disclose the incidents, and even when they do, the authorities have trouble responding to them because they lack the necessary expertise and technology,” Thapaliya explained.

However, there is a brighter side of this grim picture. A number of new organizations have been set up to offer cybersecurity services. Similarly, bug bounties are playing a crucial role in modernizing the country’s cybersecurity posture.