The Department of Information Technology and Telecom (DITT) under Ministry of Information and Communication (MOIC) in collaboration with the International Telecommunications Union (ITU), conducted a Cyber Incident Simulation exercise on 27 November.
The simulation exercise was designed exclusively for heads of government, policy makers and other high ranking figures to increase awareness on cyber security and preparedness to make critical decisions in response to cyber attacks.
According to Professor Marco Gercke from Cybercrime Research Institute, who is also a consultant to ITU, the likelihood of Bhutanbeing under the threat of cyber attack is not so big, as it is a peaceful and unique country. However, he saidthere are certain risks.
“Extortion, ransom ware, sound engineering, and release of internal emails of political parties, attack against elections, phishing and fake news, among others, are some cyber attack the country is vulnerable to,” said Professor Gercke.
A DITT official said there have been several cases of cyber attacks in Bhutan resulting in major damages, in terms of money, data loss or service disruptions.He said there are morecases that are not reported or even detected.
The official said, “One of the main reasons for cyber incidents in our country is due to the extensive use of pirated or cracked software, which are free versions of otherwise commercial software and contain malicious codes that can potentially compromise the system.”
MOIC Minister, Lyonpo Karma Donnen Wangdi, said, “While the reliance of our society on the digital infrastructure is growing, cyberspace remain inherently vulnerable. The rate of compromise is increasing and the methods used by malicious actors are rapidly evolving.”
According to the MoIC Minister, the Bhutan Computer Incident Response Team (BtCIRT) under DITT was established in 2016 to enhance cyber security in Bhutan. BtCIRT has handled and resolved around 250 computer incidents, of which 83 percent were vulnerabilities found in systems followed by 10 percent of systems that were infected by malicious codes. The remaining 6 percent resolved incidents were phishing emails and sites, compromised system and intrusion attempts.
Lyonpo said, “It is, therefore, imperative that security risks associated with the proliferation of ICT enabled infrastructure and the internet are not only combated with technological solutions, but is appropriately balanced with comprehensive national cyber security strategies and resilience. To deal with all these challenges, we must elevate cyber security as an issue of national importance.”
According to DITT, maturity of cyber security in Bhutan is low. Although there are laws to safeguard data and information systems users, however it is not comprehensive or sophisticated enough.
DITT said, “Due to the ever evolving nature of IT products and services, many users are left unaware of the associated risks and threats, and therefore, are unable to always follow safe cyber habits. We need to carry out regular extensive advocacy, continue to invest in the development cyber security capacity and infrastructure and strengthen our laws.”