Nepal takes strides against cybercrime

Aswin Khanal

August 19, 2023



The Government of Nepal, on August 9, endorsed the National Cyber Security Policy 2023, marking a significant milestone as the country enacted its inaugural legislation aimed at combating cybercrime.

The policy delineates forthcoming strategies, operational guidelines, objectives, and plans pertaining to cyber security, with a primary emphasis on creating a secure digital landscape for users.

Moreover, the policy conducts an appraisal of the current state and historical context of cyber security, concurrently shaping a framework for future advancements in this arena.

The National Cyber Security Policy 2023 also encompasses comprehensive details concerning the prevailing internet landscape within the nation, as well as the vision, mission, objectives, strategies, and operational plans for establishing secure digital environments across government, private, and non-governmental sectors.

Until this point in time, Nepal had been addressing complaints related to cybercrime in accordance with the Electronic Transactions Act, 2063BS (2008).

However, this legislation does not specifically tackle emerging threats and cybercrimes.

In recent years, the country has encountered numerous instances of security breaches on government websites. In late January, hackers managed to disable around 1,500 government websites.

The impact of cybercrime is particularly concerning at the individual level. According to the cyber bureau, it received more than 16,000 complaints within the past four years.

Until a few months ago, the average daily complaints numbered between 60 and 70. However, officials have observed a significant surge in these figures.

The majority of these complaints pertain to incidents like email and social media password breaches, as well as other general issues.

Addressing critical aspects such as cyber security infrastructure, capacity enhancement, and data protection, among others, the policy outlines the necessary foundations for safeguarding digital assets.


The government’s enactment of this policy responds to the escalating instances of digital platform-related violence, which had been on the rise due to the lack of relevant legislation.

To emphasize, Nepal Police records illustrate a significant upswing in cyber-bullying cases since 2014.

Over the past years, instances of data breaches in e-commerce enterprises, internet service providers, the Central Library, ATM system breaches, social media hacks, and cyber-bullying have been reported, highlighting vulnerabilities within Nepal’s cyber security infrastructure.

Additionally, numerous instances have led to government offices facing disruptions due to data breaches.

In the absence of pertinent regulations, cases of cybercrimes have been managed under the Electronic Transaction Act 2008.

In recent years, an expert consortium named the Computer Emergency Response Team (CERT), operating under the purview of the Department of Information Technology, has been actively mitigating cyber security threats such as hacking and phishing.

In fact, the recently formed policy aims to tackle issues concerning the legal framework and procedures within the cyber security sector.

Stakeholders have been advocating for the government to incorporate a structure involving essential responsible agencies and resources for effective policy implementation.

This entails embracing fundamental principles such as an open and secure internet, safeguarding individual privacy, upholding credibility, neutrality, accountability, interoperability, and partnership.

The policy is also set to adopt a multi-stakeholder approach.

To achieve these goals, in March 2023, the government assembled a high-level committee tasked with generating a report to outline the foundations of a Cyber Security Policy.

Furthermore, the policy’s scope covers a range of areas, including the establishment of a robust cyber-security infrastructure, the promotion of capacity development, and the assurance of data integrity.

In addition, the policy’s vision extends to the establishment of a dedicated entity known as the ‘Cyber Security Center,’ designed to enhance the effectiveness of related initiatives.

In the midst of a surge in digital-related crimes attributed to regulatory gaps, Nepal Police records consistently indicate a rising trend in cyber-bullying cases since 2014.

In recent times, instances of data breaches within e-commerce firms, internet service providers, the Central Library, ATM systems, and social media platforms have become increasingly frequent, laying bare vulnerabilities within Nepal’s cyber-security framework.

Moreover, incidents of government offices falling victim to data breaches have been reported.

Up until now, cybercrime offenses have typically been addressed under the provisions of the Electronic Transaction Act 2008, as no specific cybercrime legislation was in place.

In order to counter cyber-security threats such as hacking and phishing, an expert team known as the Computer Emergency Response Team (CERT) has been operational within the Department of Information Technology for a number of years.

The freshly enacted policy aims to bridge gaps in the legal structure and operational processes within the domain of cyber security.

Various stakeholders have called for the government’s commitment to involve key responsible agencies and allocate resources to ensure effective policy implementation.

This effort involves embracing principles such as an open and secure internet, individual privacy, credibility, neutrality, accountability, interoperability, and partnership, and adopting a multi-stakeholder approach.

Despite the relatively small population, Nepal continues to grapple with the issue of cybercrime.

In the fiscal year 2020-2021, there were 3,906 documented instances of cybercrime.

Within just the initial three months of the ongoing fiscal year (2021/2022), there have been 1,547 reported cases of cybercrime.

Nepal ranks 101st out of 160 nations on the National Cyber Security Index and holds the 94th position on the Global Cyber Security Index.

Moreover, Nepal’s placement on the ICT Development Index is at 140th.

Cyber Attack

It is essential to understand what a cyber attack is. When an external entity gains unauthorized entry into a system or network, it qualifies as a cyber attack; this includes scenarios such as data breaches that result in data loss or manipulation.

Furthermore, this category includes instances where organizations endure financial setbacks, experience erosion of customer confidence, and undergo damage to their reputation.

Global Landscape

The global landscape of cyber security has witnessed an escalation in threats in recent years. Amid the pandemic, cyber criminals capitalized on the vulnerabilities of misaligned networks that arose as businesses transitioned to remote work setups.


Notably, in 2020, instances of malware attacks surged by a staggering 358% in comparison to 2019.

This trend continued to unfold, with cyber attacks experiencing a global increase of 125% throughout 2021, and a persistent surge in cyber attacks threatening both businesses and individuals in 2022.

The invasion of Ukraine by Russia significantly impacted the realm of cyber threats.

Since the commencement of the conflict, there has been an eightfold rise in phishing attacks emanating from Russia targeting email addresses belonging to European and US-based businesses.

Additionally, nearly 3.6 million Russian internet users encountered breaches during the first quarter of 2022, reflecting an 11% increase in comparison to the previous quarter.

To fortify Ukraine’s critical infrastructure against Russian cyber incursions, the UK introduced the ‘Ukraine Cyber Program’ in 2022.

This program, launched in response to heightened Russian cyber activities following the invasion of Ukraine, entails an initial funding package of £6.35 million.

The program encompasses incident response mechanisms to safeguard Ukrainian government entities from attacks, offers Distributed Denial of Service (DDoS) protection to ensure access to crucial information for Ukrainian citizens, and implements firewalls to counteract attacks.

Given the intensifying global threat landscape, an increasing number of organizations are prioritizing cyber security.

Global Statistics on Cyber Crime:

  • In 2022, the United Kingdom recorded the highest number of cyber-crime victims per million internet users, reaching 4783, which marked a 40% increase over figures from 2020.
  • The United States followed closely with the next highest number of victims per million internet users in 2022, with 1494, signifying a 13% decrease compared to 2020.
  • One out of every two internet users in North America experienced breached accounts in 2021.
  • The United Kingdom and the United States exhibited significantly higher numbers of cyber-crime victims per million internet users when contrasted with other countries. In 2021, the USA had 759% more victims than the second-highest country, Canada.
  • The Netherlands witnessed the most substantial rise in victims, with a 50% increase compared to 2020.
  • Greece observed the most significant decrease in victims, experiencing a decline of 75% from 2020.
  • During 2021, an average of 97 data breach victims occurred every hour globally.
  • Throughout 2021, the average financial loss due to data breaches was $787,671 per hour.
  • The country leading the National Cyber Security Index (NCSI) as of January 2023 is Greece.
  • Between May 2020 and 2021, cyber-crime in the Asia-Pacific region surged by 168%. Japan witnessed a 40% increase in cyber-attacks in May 2021 compared to previous months of the same year.
  • From Q2 to Q3 of 2022, the countries experiencing the most significant increases in data breaches were:
      ◦ China (4852%, resulting in 14,157,775 breached accounts)
      ◦ Japan (1423%, resulting in 1,246,373 breached accounts)
      ◦ South Korea (1007%, resulting in 1,669,124 breached accounts)
  • The countries displaying the most substantial decreases in data breaches between Q2 and Q3 2022 were:
      ◦ Sri Lanka (-99%, resulting in 1,440,432 fewer breached accounts)
      ◦ Myanmar (-82%, resulting in 17,887 fewer breached accounts)
      ◦ Iraq (-78%, resulting in 16,113 fewer breached accounts)

  • In Q3 2022, there was a 70% increase in breached accounts compared to Q2, with 108.9 million accounts breached between July and September 2022. This translates to 14 accounts being compromised every second.
  • A case study conducted in 2022 across the United States, Canada, the United Kingdom, Australia, and New Zealand revealed that 76% of participants indicated that their organizations had experienced a minimum of one cyber attack within that year.
  • In 2021, Asian organizations faced the highest percentage of attacks worldwide, with the distribution of attacks against organizations by continent as follows:
      ◦ Asia (26%)
      ◦ Europe (24%)
      ◦ North America (23%)
      ◦ Middle East and Africa (14%)
      ◦ Latin America (13%)

(Source: aag-it.com)

Cybercrime Trends in Asian countries

Cybercrime in Nepal

Despite its smaller population, cybercrime remains a concern in Nepal. For the fiscal year 2020-2021, there were 3,906 recorded cases of cybercrime.

Merely within the initial quarter of the fiscal year (2021-2022), a total of 1,547 documented cases of cybercrime have emerged.

Globally, Nepal ranks 101st out of 160 countries in the National Cyber Security Index and 94th on the Global Cyber Security Index. Additionally, Nepal holds the 140th position on the ICT Development Index.

Cybercrime in Pakistan

The issue of cybercrime has escalated significantly in Pakistan over recent years.

The predominant type of reported cybercrime is financial fraud.

During the year 2020, among a cumulative count of 84,764 complaints, 20,218 individuals from Pakistan disclosed being subjected to online offenses linked to financial fraud.

This surpasses instances of hacking (7966), cyber harassment (6023), and cyber defamation (6004).

An increasing number of Pakistanis have encountered cybercrime through social media platforms.

Between 2018 and 2021, financial fraud via social media surged by 83%. Among the 102,356 complaints received in 2021, 23% of reported cybercrimes were linked to Facebook.

Cybercrime in India

Like many other nations, India is grappling with an increasing prevalence of cybercrime.

The reported count of cyber-related crimes reached 208,456 in 2018. In the initial two months of 2022 alone, there were 212,485 reported instances of cybercrime, surpassing the entirety of 2018.

The numbers rose more sharply during the pandemic, with reported cases jumping from 394,499 in 2019 to 1,158,208 in 2020 and 1,402,809 in 2021. Between Q1 and Q2 of 2022, cybercrime across India increased by 15.3%.

Furthermore, there has been a growing incidence of Indian websites falling victim to hacking.

In 2018, approximately 17,560 sites were compromised, and an additional 26,121 sites were hacked in 2020.

In 2021, 78% of Indian organizations encountered ransomware attacks, with 80% of those attacks resulting in data encryption.

This compares to the average attack rate of 66%, with an average encryption rate of 65%.

Cybercrime in Malaysia

In Malaysia, 79% of organizations experienced ransomware attacks in 2021, with 64% of these attacks resulting in data encryption.

Cybercriminals have also increasingly targeted internet users in Malaysia. Over 20,000 cybercrimes were reported in 2021, resulting in a loss of RM560 million ($123 million) for victims.

Between 2017 and 2021, the total amount lost to cybercrime in Malaysia was estimated at RM2.23 billion ($490 million).

From January to July 2022, there were 11,367 reported cases of cybercrime, indicating a 61% increase from 2016 to 2022.

(Source: aag-it.com)

What Constitutes a Cyber Attack?

A cyber attack refers to an unauthorized and offensive intrusion into a system or network by a third party.

The intention is to compromise, steal, or manipulate confidential data from computer networks, information systems, or personal devices.

The individual responsible for executing such a cyber attack is commonly known as a hacker.

What Examples Illustrate Cyber Attacks?

Several instances exemplify cyber attacks, including attacks on celebrity profiles on platforms like Twitter, emails carrying malware-infected attachments, emails containing links to malicious websites, and even seemingly legitimate communications that carry harmful packets.

What Occurs During a Cyber Attack?

Cyber attacks encompass actions that incapacitate, sabotage, disrupt, or commandeer computer systems to modify, manipulate, obstruct, erase, or appropriate data within these systems.

These attacks can be carried out by individuals or groups through the internet, employing various strategies, and often result in financial losses or data theft.

How Can Cyber Attacks Be Prevented?

Efficient methods to prevent cyber attacks involve regular password changes, utilization of complex passwords that are resistant to hacking, timely updates of operating systems and applications, deployment of network security tools including firewalls, cautious handling of emails from unknown sources, consistent data backup practices, and the adoption of multi-factor authentication.

What Are the Primary Categories of Cyber Attacks?

The principal categories of cyber attacks encompass Phishing Attacks, Malware Attacks, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks.

Additional categories comprise Man-in-the-Middle (MitM) Attacks, SQL Injection, Cross-Site Scripting (XSS), and Whale-Phishing Attacks.

How Do Cyber Attacks Occur?

Cyber attacks manifest through diverse methods. For instance, hackers might employ phishing tactics to deceive users into interacting with malicious links or providing login credentials on counterfeit websites.

Alternatively, hackers could exploit vulnerabilities in software to infiltrate other devices and pilfer sensitive information.

(The writer just completed his Grade 12)