Is none of our data safe with the government?

We are deeply concerned by the regularity with which cyberattacks seem to be crippling many organisations in the country. Just over the past few months, we have witnessed a handful of serious incidents wherein sensitive data of citizens and organisations (both private and government-run) have been compromised. In the latest iteration, websites of at least 25 institutions were allegedly hacked by a group of Indian cyberattackers on August 15. What is more concerning is that the Directorate General of Health Services (DGHS) and the Investment Corporation of Bangladesh (ICB) were among the 25 victims. The exposed data ranges from information about thousands of investors and investment applicants, to the addresses and bank account numbers of people investing in government mutual funds. It is unacceptable that the cybersecurity for such sensitive data should be this lax.

One thing that exemplifies the authorities' lack of priority when it comes to ensuring cybersecurity is the focus of the Digital Security Act, 2018 (DSA), which has been repackaged and proposed as the Cyber Security Act (CSA), 2023. For a law with that name, we would have liked to see it actually stamping down on the increasing threats to the data security of countless public and private organisations. Instead, as before, the focus of the proposed law remains on punishing dissent and gagging freedom of the press.

Meanwhile, cybersecurity threats to sensitive data keep increasing every day. Between June 20 and August 1 alone, our e-Government Computer Incident Response Team (BGD e-Gov CIRT) recorded at least five such attacks (or alleged attacks) on multiple government organisations. Of particular concern among these was hackers claiming to have compromised the security of the state-owned investment company, ICB, and gaining access to the data of over 100,000 investors and investment applicants. No one can forget the 2016 breach into the central bank, when hackers used the SWIFT system to steal $101 million of Bangladesh Bank's funds from the Federal Reserve Bank of New York. It is alarming that this incident seems to have taught our authorities very little.

We hope that the incidents of the past couple of months will nudge the authorities to focus where focus is due: thoughtful investments in strengthening cybersecurity across the board. The BGD e-Gov CIRT itself has urged all organisations within Bangladesh to take precautionary measures to safeguard their infrastructures, providing specific recommendations such as implementing 24/7 network and user activity monitoring, deploying firewalls to filter out malicious requests, and maintaining regular backups of website content and databases. We urge the relevant authorities to pay heed to these recommendations and protect citizens from ever-evolving cyberthreats.