Hon. Eranga Weeraratne - Deputy Minister
Hon. Eranga Weeraratne outlined Sri Lanka CERT data showing a rise in reported cybersecurity incidents, including financial scams, phishing, ransomware, data breaches and other attacks, while noting that the absence of a mandatory reporting law means the figures may not reflect the full scale of incidents. He highlighted major public-sector incidents, including the 2023 ICTA ransomware attack, the 2025 Department of Pensions cyberattack and an ongoing Ministry of Finance/ERD-related investigation involving suspected email compromise. He said current safeguards include the Government Information and Cybersecurity Policy, CERT advisory and response services, national monitoring, threat intelligence, vulnerability assessments, backup requirements and other technical guidelines, while the proposed Cybersecurity Law remains under drafting.
Verbatim record (translated)
Machine-translated from Sinhala / Tamil / English
¶ 01 compromises, 11 server compromises, two malicious software-related incidents and 45 were DDoS and cloud-related incidents. Additionally, there were approximately 56 other incidents.
¶ 02 2024
¶ 03 Sri Lanka CERT recorded a significant increase, with a total of 4,347 cybersecurity-related incidents reported, which comprised 2,241 financial scams, 926 non-financial scams, 79 phishing attacks, 22 ransomware incidents, 11 website compromises, four database compromises, six malware infections, four malicious software-related incidents and 42 data breaches. Furthermore, there were approximately 800 other incidents.
¶ 04 2025
¶ 05 Sri Lanka CERT recorded a total of 12,650 social media-related and cybersecurity-related incidents. Of those, the technically classified cybersecurity-related incidents recorded under CERT amounted to 3,284. The difference reflects the distinction between broad public complaints and technically classified cybersecurity incidents. The cybersecurity-related incidents included 1,817 financial scams, 523 non-financial scams, five ransomware incidents, 10 data breaches, seven website compromises, four malicious software-related incidents, two DDoS attacks and nine malware infections. Also, there were 551 other incidents.
¶ 06 At present, there is no mandatory legal requirement to report cybersecurity incidents to Sri Lanka CERT, since the proposed Cybersecurity Law is still in the drafting stage. Therefore, cybersecurity incidents reported to Sri Lanka CERT may not fully reflect the total number of cyberattacks, attempted breaches, ransomware incidents, phishing attacks, hacking attempts and digital fraud incidents occurring within the country.
¶ 07 Cyber intrusions are unauthorized activities carried out by attackers to access, disrupt, damage or steal information from computer systems or networks. Over the past three years, several government institutions and public digital systems had faced cyber intrusions, attempted breaches, ransomware-related incidents, website compromises, phishing, email compromises and other cyber-related incidents. Three of the most significant public incidents include,
¶ 08 i. The August 2023 ICTA ransomware attack: The LGC was compromised, encrypting the gov.lk email network. This resulted in the permanent loss of emails for approximately 5,000 government email addresses (including those of the Cabinet of Ministers) between 17th May and 26th August, 2023 due to the lack of offline backup systems.
¶ 09 ii. The cyberattack on the Department of Pensions was reported in 2025 and is considered one of the notable cybersecurity incidents affecting a government institution in recent history.
¶ 10 iii. The 2025/2026 Ministry of Finance, Planning and Economic Development/ERD-related incident presently under investigation appears to involve suspected e-mail compromise or e-mail impersonation/Business Email Compromise techniques that resulted in diversion of payment instructions. Final attribution, technical root cause and accountability should be stated subject to the findings of the official investigation, forensic review and the law enforcement process.
¶ 11 Presently, operational safeguards include the Cabinet-approved Information and Cybersecurity Policy for Government organizations, Sri Lanka CERT’s incident response and advisory services, NCSOC-based national monitoring, threat intelligence, SIEM/EDR-related capabilities, vulnerability assessment services, website security guidelines, technical web application security guidelines and incident reporting mechanisms.
¶ 12 Sri Lanka CERT’s technical guidelines outlined and approved by the Cabinet of Ministers for the Information and Cybersecurity Policy for Government Organizations also require Government web systems to be regularly patched, monitored, subjected to annual vulnerability assessments and supported by backup and restoration arrangements. This includes regular scheduled backups, offsite storage, annual restoration testing, incident registers, evidence preservation and, depending on criticality, alternative processing facilities at geographically separate locations.
¶ 13 In accordance with the Cabinet decision on the Information and Cybersecurity Policy, all government organizations defined as “Public Authorities” under the Right to Information Act, No. 12 of 2016 are required to implement the Policy, while heads of organizations are required to allocate the necessary financial and operational resources for its implementation.
¶ 14 As part of strengthening national cyber defence capabilities, the National Cyber Security Operations Centre (NCSOC) has been established to provide centralized cyber threat monitoring, threat detection, incident response coordination and security event analysis at the national level. The Cabinet has further directed 37 critical government institutions to obtain services from the NCSOC to improve the cyber resilience of critical government infrastructure. With the support of funding from the Asian Development Bank, the number of institutions connected to the NCSOC is expected to be increased further.
¶ 15 Furthermore, in January 2026, Sri Lanka CERT procured advanced cybersecurity monitoring and threat intelligence solutions to strengthen national cyber threat detection capabilities. Those solutions support deep and dark web monitoring, attack surface monitoring, vulnerability identification and cyber threat intelligence analysis, covering approximately 150 government organizations.
¶ 16 According to Sri Lanka’s Government Digital Blueprint and national digital transformation initiatives, there is a clear requirement to modernize and strengthen the country’s digital infrastructure across all government institutions. The continued use of outdated legacy systems has increased exposure to cybersecurity threats such as financial fraud, identity theft and so on. Many of these legacy systems no longer receive vendor security updates or patches, which significantly increases their vulnerability to modern cyberattacks.
¶ 17 In line with the Government Digital Blueprint, the Government has emphasized the need to develop secure, scalable and interoperable digital infrastructure that supports efficient public service delivery while ensuring strong cybersecurity controls. Accordingly, institutions are expected to migrate from legacy platforms to modern, secure systems and adopt standardized cybersecurity frameworks to reduce risk and improve resilience across the public sector digital ecosystems.
¶ 18 Annual cybersecurity audits, vulnerability assessments and risk evaluations are required for critical systems and government web applications under the Cabinet-approved policy framework and Sri Lanka CERT technical guidelines. In particular, government web applications are required to undergo vulnerability assessments at least annually and after major functional changes. A consolidated compliance status of all institutions is being compiled through Sri Lanka CERT, the relevant line ministries and the National Audit Office. Where institutions have not completed the required assessments, they will be prioritized for NCSOC onboarding, vulnerability assessment and compliance monitoring.
¶ 19 Accountability operates at multiple levels. The head of institution is responsible for ensuring implementation of the Cabinet-approved cybersecurity policy. The Chief Innovation Officer, Director IT, Information Security Officer or an equivalent designated officer is responsible for operational implementation, incident reporting, access control, backup, patching and compliance actions. Sri Lanka CERT provides technical guidance, incident response support and other national coordination. Where any negligence, fraud, unauthorized access, data protection violation or financial misconduct is suspected, the matter must be referred to the relevant disciplinary, audit, law enforcement, financial crime and data protection authorities.
¶ 20 As per the Cabinet-approved Information and Cybersecurity Policy for Government Organizations, all government institutions are advised to promptly report cybersecurity incidents to SLCERT to facilitate coordinated incident response. However, there is currently no mandatory legal obligation requiring organizations to report cybersecurity incidents to SLCERT.
¶ 21 That is why we are now in the process of drafting the Cybersecurity Law to establish a Cybersecurity Regulatory Authority to mandate the implementation and reporting of all cybersecurity-related incidents.
¶ 22 In addition, incidents involving financial cybercrimes, fraud and related criminal activities are generally reported to the Computer Crimes Investigation Division or if it is related to the financial sector, it should primarily be reported to FINCSIRT operating under the Central Bank. Therefore, information relating to financial losses and operational impacts may be distributed across multiple agencies and reporting mechanisms.
¶ 23 That is why we are introducing this overarching regulatory law to establish the Cybersecurity Regulatory Authority so that all the incidents would be reported to a single entity.
¶ 24 The Government of Sri Lanka is expected to implement several urgent coordinated measures to strengthen national resilience against future cyber warfare, cyber threats and organized cybercrime. Those measures include the following, which I will briefly refer to:
¶ 25 i. Mandatory NCSOC onboarding for critical institutions starting with finance, identity, immigration, inland revenue, customs, health, police, transport, social protection and payment-related systems.
¶ 26 ii. Enhancement of threat hunting and malware analysis capabilities.
¶ 27 iii. Priority implementation of the Information and Cybersecurity Policy.
¶ 28 iv. Strengthening cybersecurity awareness and capacity-building.
¶ 29 v. Audit and compliance monitoring.
¶ 30 vi. Allocation of dedicated cybersecurity resources.
¶ 31 vii. Strengthening the legal and regulatory framework.
¶ 32 viii. The National Cybersecurity Strategy (2025-2029).
¶ 33 ix. Signing the United Nations Convention against Cybercrime (2025).
¶ 34 The Government of Sri Lanka had signed the United Nations Convention against Cybercrime in October 2025 in Hanoi, reinforcing its commitment to strengthening global cooperation on cybercrime matters. Steps are now being initiated to conduct a comprehensive gap analysis to support the ratification process.
¶ 35 x. Improve other technical measures such as,
a. Mandatory Multi-Factor Authentication (MFA) for all government email and privileged accounts, especially finance/payment workflows.
b. Payment verification protocol for foreign and high-value payments, including out-of-band confirmation, maker-checker approval, beneficiary change control and bank callback verification.
c. Backup hardening, including immutable/offline backups and annual restoration drills.
d. Legacy system risk register with priority replacement or compensating controls.
e. Compulsory annual vulnerability assessment/penetration testing for public-facing and critical systems.
f. Incident reporting SLA, for example critical incidents to be reported to CERT/NCSOC within a fixed number of hours.
g. Cybersecurity clauses in all ICT procurements, including secure coding, logging, audit trails, MFA, vulnerability disclosure, patching SLA, backup, DR and PDPA compliance.
h. Legal strengthening, including cybersecurity legislation and clearer institutional mandate for CERT/NCSOC.
i. Public awareness-building, because the 2025 spike in complaints shows scams and social media-based fraud are now a mass public risk.
¶ 36 Sir, I would like to table the detailed answer to question No. 8. Placed in the Library.
¶ 37 These combined measures are expected to significantly strengthen Sri Lanka’s national cyber resilience, enhance the protection of critical information infrastructure and reduce the risks posed by cyber warfare, cyber espionage, ransomware and organized cybercrime.
¶ 38 Thank you.
Provenance
- Source
- Hansard, Friday, 22 May 2026 · No. 23666 · English daily/uncorrected Hansard
Cite as: Hon. Eranga Weeraratne - Deputy Minister. 10th Parliament, Parliament of Sri Lanka. Hansard, 22 May 2026. No. 23666. Politick, https://staging.politick.io/lk/speeches/16943