Thukten Zangpo

As government agencies increasingly use the internet to streamline service delivery to citizens, reports of cyber incidents have surged, with a total of 129 incidents recorded last year, according to the Royal Audit Authority’s (RAA) “Performance Audit Report on Preparedness for Cybersecurity 2023.” 

This figure represents one of the highest numbers reported in the past five years. In 2021 and 2020, government agencies reported 94 and 113 incidents, respectively, while the highest number of incidents, 219, was reported in 2016.

Furthermore, non-government agencies reported 37 cyber incidents, while the government data centre reported 10 incidents, and internet service provider DrukREN reported one incident last year.

During the period from July 2021 to June 2022, the Bhutan Computer Incident Response Team (BtCIRT) handled a total of 156 cyber incidents, with the majority relating to vulnerabilities, followed by scam incidents and malware.

The impact of cybersecurity issues on the daily lives of Bhutanese citizens is significant as personal devices such as smartphones, Wi-Fi networks, social media platforms, and electronic banking are extensively used. 

With the increasing use of the internet, users are increasingly exposed to fraudulent activities, phishing attempts, scams, data loss, and various cyber threats.

As of December 2021, the number of mobile internet connections in Bhutan reached 762,171, with 5,382 leased line connections and 2,539 broadband connections.

The RAA’s performance audit identified deficiencies in the regulatory framework and enforcement mechanisms for cybersecurity in the country. 

“The cybersecurity initiatives undertaken in the country lack strategic visions and directions, defined principles, and set priorities in managing cybersecurity risks, with the National Cybersecurity Strategy (NCS) still in its draft stage,” the Authority stated. 

Bhutan developed the draft NCS in 2018, intending to implement it from 2021 to 2025.

Additionally, critical information infrastructures (CIIs) such as energy production and transmission, information and communication technology (ICT), and financial services have not been identified or adequately protected. 

These CIIs heavily rely on IT systems and electronic data, leaving them vulnerable to potential cyber threats.

The RAA warned that the delay in identifying CIIs could result in increased exposure to cyber threats and the inability to establish adequate protection mechanisms.

The audit report also highlighted a lack of coordination among various agencies in addressing cybersecurity, limited cybersecurity expertise, insufficient capacity, and inadequate resources allocated to the national agency for cybersecurity, BtCIRT, under the GovTech Agency, among other challenges.

To strengthen cybersecurity, a mere Nu 3.2 million was allocated during the 12th five-year plan until the fiscal year 2020-21.

The Authority expressed concerns about Google Workspace, a cloud-computing tool, particularly regarding data privacy and protection, despite its operational efficiencies. 

Government agencies and state-owned enterprises rely on Google Workspace for processing, storing, and communicating official information. 

As of December 2020, there were 9,500 Google Workspace users in 87 government agencies and state-owned enterprises, along with 187,306 education users comprising teachers, students, and supporting staff as of December 2022.

To address cybersecurity challenges in the country, the RAA recommended that the GovTech Agency review and implement the draft NCS, expedite the identification and protection of CIIs, strengthen the cybersecurity legal framework, and enforce mechanisms for data privacy and protection, among other measures.