In December 2018, when the Digital Security Agency was formed under the Digital Security Act, it was hoped that the cybersecurity of important government sites with critical citizen data such as the Election Commission's national identity database and the Office of the Registrar of Birth and Death  would be robust.

Five years on, the government sites remain vulnerable to cyberattacks and data breaches, and the agency, which has since been renamed to the National Cyber Security Agency, cannot be blamed at all for the incidents and the compromised cybersecurity of the sites.

Documents pieced together by The Daily Star show the Digital Security Agency was not provided with the equipment or the manpower to perform this critical role, in what can be viewed as sheer apathy of the government in protecting citizens' data.

After the establishment of the agency in December 2018 -- three months after the Digital Security Act was passed in the parliament -- more than a year had elapsed before the organisational structure could be finalised.

In May 2020, the ICT division submitted a proposal for 1,021 positions to the public administration division.

However, the public administration division bargained to bring down the headcount to 235 in January 2021. That number was brought down further to 120 by the finance division.

The finance division put in another condition: not all positions could be filled up at once. In the first year, 50 positions would be filled up, in the second year, there would be 40. In the third year, the rest of the recruitment would be done.

After that, the finance division took almost six months to finalise the pay grades and positions of the employees. This is how the entire 2021 had passed.

In April 2022, the cabinet division recommended creating the positions, and two months later, the ICT division issued the order.

The ICT division sent the draft recruitment rule to the public administration and after some other procedures, the cabinet division approved the agency's recruitment rule in June this year.

The agency also had trouble finding personnel to run it.

During these five years, the agency saw a handful of director-generals, all of whom came from the ICT division and were on additional duty.

In January, Abu Sayed Md Kamruzzaman was appointed on a full-time basis.

At present, the agency employs about a dozen individuals and none of them are permanent staff members; they are all assigned to the agency from elsewhere or from projects under the ICT division.

What is more alarming is that most of them do not have any expertise in cybersecurity.

"I don't want to blame anybody for this," Kamruzzaman told The Daily Star.

The delay in appointing manpower to the agency was mainly due to misconstruction as many government agencies do not understand the importance of cybersecurity, he said.

"Many officials have no idea about the importance of the citizen's personal data security. We need a very large team to perform the overall task."

And to attract the right talent, the remuneration for the agency needs to be higher than the other government jobs as the demand for programmers and cybersecurity experts is very high, he added.

The agency has also become a revolving door of directors: it saw six directors leave this year.

According to the act, the agency must be constituted with two directors. In reality, it never had any full-time director.

After repeated letters from the ICT division, the public administration division had two directors for the agency, but the instruction was cancelled before they could join.

Just one director is currently serving the agency on a part-time basis: Saiful Alam Khan, who is the project director of the Bangladesh government's e-Government Computer Incident Response Team (BGD e-GOV CIRT).

"No one wants to come here as no one finds it a rewarding place to work," said an official of the ICT division requesting anonymity to speak candidly on the issue.

Even officials from the ICT division are reluctant to work at the agency as an additional charge, he said.

According to the law, the agency should have a national computer emergency response team and digital forensic labs to prevent cyberattacks or take necessary steps if any attack happens. But the agency has none of these.

There are such teams under Bangladesh Computer Council's projects, but their activities are limited to mostly listing incidences of cyberattacks as they also lack manpower.

"It is the failure of the ICT division that the agency remains non-functional -- ICT division failed to the agency properly," said Mustafa Jabbar, who served as the telecom minister from May 19, 2019 to November 29, 2023.

Zunaid Ahmed Palak, the state minister for the ICT division, could not be reached for comment despite repeated attempts.

Contacted, Md Shamsul Arefin, secretary at the ICT division, said: "It takes time to prepare the structure and create positions for an agency that is formed under a law. However, the ICT division always made efforts for this and now we are trying to get human resources as early as possible."

However, experts criticised the government's indifference towards the agency.

"It is the classic example of the government's inability to conceive the significance of this agency in the rapidly growing digital context at personal, professional and national spheres," said Abu Saeed Khan, a senior policy fellow at LIRNEasia.

The current state of the agency underscores that either the concerned policymakers have failed to realise the importance of cybersecurity or they showed negligence towards the issue, said Sumon Ahmed Sabir, a technology expert.

The task of the agency, with some wings, is to form policy, conduct audits and take measures so that the government sites, financial institutions and so on can ensure their cyber security, he added.

And it appears that there would be further delays in making the agency functional because of the name-change of the law under which it was formed.

"We were at the last phase of appointing the human resource. But we now have to start over again as the status of the agency was not clear in the previous law, which is specified in the new one," Kamruzzaman said.