Phub Dem 

Since the advent of the coronavirus pandemic, many government agencies have started e-delivery services, adding to Bhutan’s cybersecurity scenario. Despite the increased engagement in Information and Communications Technology (ICT) development, studies indicate that many government leaders are from non-technical backgrounds, hampering cybersecurity awareness.

Recognising the importance of awareness of cybersecurity threats and challenges at the leadership level, the Department of Information Technology and Telecom (DITT) conducted a cybersecurity leadership programme targeting senior leadership and officials that started on January 6.

With more agencies engaging in digital transformation activities, Bhutan Computer Incident Response Team (BtCIRT) team head Dechen Chhoden said it is important for agencies to identify essential IT and information assets through risk management processes and adopt controls to ensure security of the systems and information.

Although most of the participants are non-technical and lack background knowledge about cybersecurity, the department expects the participants to understand their role better and be better prepared to manage cyber risks in their organisations.

She said that the engagement of senior management is critical in the governance, risk, and compliance aspects of cybersecurity, adding that they must be aware of the cybersecurity threat landscape and be mindful of the risks of cyberattacks and emerging local and global trends.

The training was designed to introduce the senior officials to the various aspects of cybersecurity, its trends and risks, implications of cyberattacks and data breaches, and security management in a public agency.

Is Bhutan sufficiently prepared to respond to and manage a large-scale cyberattack?

Considering the newer trends of cyberattacks across the globe and the complexity of such attacks, Dechen Chhoden said that Bhutan is not prepared to respond to and manage a large-scale cyberattack. “Cybersecurity is not only about technology, it includes people and processes, and this is by far the biggest concern.”

She added that Bhutan needs to create cyber hygiene awareness among all individuals within the country, increase cybersecurity human resources, develop and enforce policies, and have a system to respond to different cyber incidents.

DITT is coming up with a Security Operation Centre (SOC) project to equip the country with skilled cybersecurity operators and incident responders. It will also identify and designate critical information infrastructure (CII). Critical infrastructure is considered the most crucial infrastructure, which, if attacked, will hamper the country’s economy, disrupt daily operations, and in the worst case scenario, may result in the loss of lives.

BtCIRT, as the central coordinating agency, encourages organisations and even citizens to report any cybersecurity incident so that incidents can be responded to and contained as soon as possible, avoiding the risk of them spreading to other devices in the country.

Dechen Chhoden said that the team has been working with the organisations for government systems to ensure the systems are free of vulnerabilities that could be exploited before reaching the government data centre. “BtCIRT has been promoting cybersecurity awareness programs as a part of the digital literacy programme, providing relevant security-related training to ICT professionals.”

BtCIRT has handled 870 incidents since 2016. The most common cyber threat is system vulnerabilities, that is, defects in a system that expose it to attack. The risks include systems that are not updated or patched, weak passwords, and software infected with viruses. Scams and phishing are also common threats. Phishing, she said, involves calling, texting, emailing, or using social media to trick you into clicking malicious links, downloading malware, or sharing sensitive information.

Dechen Chhoden said that the threat has evolved from scammers targeting email users and through messages in social media platforms to calling users saying they have won a lottery, making them send the lottery amount, and making people give personal information.

According to a press release from DITT, the degree of financial loss and reputational damage from a significant cyberattack could be severe and cause loss of faith in the digital government, an even bigger risk for the country.

The programme consists of five 2-hour sessions spread over several weeks and is attended by 30 senior officials. The programme is supported by the Temasek Foundation and organised and implemented by the Nanyang Polytechnic International, Singapore.

In addition to equipping the leaders with knowledge about the global trends on cybersecurity threats and challenges, the programme includes introducing the Singapore Cybersecurity Strategy and sharing their experiences and insights, issues, and best practices.