As societies become increasingly reliant on digital systems, safeguarding information infrastructure is paramount for economic stability, public safety, and national security. LIRNEasia has been closely analysing Sri Lanka’s evolving cybersecurity policy landscape and was recently invited to participate in a closed-door dialogue between diplomats and policymakers to evaluate the country’s cybersecurity policy. This blog post distils the key high-level takeaways from that discussion. It reviews Sri Lanka’s current cybersecurity landscape, highlights relevant international good practices, and proposes four policy considerations for strengthening the country’s cybersecurity framework.
The Rising Threat Landscape in Sri Lanka
In 2024, over 65% of Sri Lankans used social media, and nearly a third used digital payments. Concurrently, the government’s ambitious digital transformation aims to accelerate economic growth by expanding digital public infrastructure and increasing the volume of sensitive data exchanged online. Given that digital systems are embedded across critical national infrastructure—energy, transport, healthcare, and telecommunications—cyber incidents now pose potential population-scale consequences.
Globally and regionally, the number of cybersecurity incidents is rising. The Asia–Pacific region accounts for over a third of global cyber incidents, and the average cost of a data breach exceeds USD 4 million. Sri Lanka is not immune. The country has seen notable incidents in the past, including a 2025 incident at Cargills Bank that led to the public release of over 1.9 terabytes of customer data, and a 2023 ransomware attack that disrupted government offices on the gov.lk domain, including the Cabinet Office. The Sri Lanka Computer Emergency Response Team and Coordination Centre (SLCERT|CC) reported a sharp rise in incidents, from 596 in 2019 to 4,347 in 2024, primarily driven by scams, phishing, data breaches, and ransomware.
The Four Pillars of a Robust Cybersecurity Framework
A strong cybersecurity framework is built on four interconnected pillars: mitigation, detection, response, and prevention of recurrence.
- Mitigation
Mitigation involves proactive measures to reduce the likelihood and impact of cyber incidents. Many leading countries mandate formal security certification for systems and products. Singapore, for example, operates a national labelling scheme for Internet of Things (IoT) devices and certifies IT products. Public awareness campaigns promoting basic cyber hygiene are crucial, as is a skilled cybersecurity workforce that ensures institutions have competent professionals. Thailand recently initiated a national cybersecurity academy in partnership with the International Information System Security Certification Consortium (ISC2) to build long-term capacity.
- Detection
Detection focuses on the early identification of malicious activity or system compromise. Effective information sharing is central, as vulnerabilities in one organisation can cascade across interconnected digital ecosystems. Countries like the UK and the Republic of Korea operate national threat intelligence platforms connecting industry with the public sector. Regular stress testing and vulnerability assessments, such as Singapore’s public bug bounty programmes that engage ethical hackers, provide useful models. Resource-constrained countries such as Sri Lanka can leverage international partnerships, along the lines of Thailand’s collaboration with Google Cloud Cyber Defence, to strengthen detection capacity.
- Response
Response aims to minimise damage, preserve evidence, and restore normal operations following an incident. This requires trained personnel, operational readiness, and clear interagency coordination. Smaller organisations often rely on government support. Estonia offers a notable model with its Cyber Defence Unit, a volunteer civilian reserve under the Defence League that can be mobilised to support state capacity during major incidents.
- Preventing Recurrence
Preventing recurrence involves activities such as post-incident investigations, root cause analysis, and accountability mechanisms. Thailand has established a specialised cybercrime division within its criminal courts for faster investigations and prosecutions. Following Singapore’s 2018 SingHealth breach, authorities imposed significant financial penalties and integrated post-incident lessons into updated legislation. The UK has also proposed a controversial ban on ransomware payments to critical infrastructure, aiming to reduce the financial incentives for attacks.
Policy Considerations for Sri Lanka
Sri Lanka signed the Budapest Convention on Cybercrime and the UN Convention against Cybercrime in 2025. Domestically, it has enacted the Computer Crimes Act, the Personal Data Protection Act, and the Online Safety Act. However, despite drafting six bills since 2019, Sri Lanka has yet to pass a comprehensive Cybersecurity Act. This legislation is needed to establish an overarching institutional framework with clearly defined mandates and create a central governing authority. International experience emphasises the need to clearly distinguish between civilian and military cybersecurity roles while maintaining strong coordination.
Drawing on international experience and Sri Lanka’s current context, we identify four areas that merit focused attention in Sri Lanka’s cybersecurity agenda:
1. Establish an Overarching Cybersecurity Governing Body:
Sri Lanka needs a stronger coordination mechanism with clear lines of authority. An empowered governing body could lead the national strategy, issue standards and guidance, and provide essential legal and policy oversight.
2. Create a National Cybersecurity Agency:
A dedicated agency, which reports to the governing body, could coordinate mitigation, detection, response, and recovery across both the public and private sectors. Existing entities, such as SLCERT|CC and the National Cyber Security Operations Centre (NCSOC), could serve as its operational arms, especially for monitoring critical information infrastructure.
3. Enable Competitive Remuneration for Cybersecurity Professionals in the Public Sector:
Sri Lanka faces a persistent skills shortage. To attract and retain capable professionals, public agencies must offer competitive remuneration comparable to the private sector and overseas opportunities. This could be achieved through mechanisms such as block grants, performance-linked incentives, and contract renewals.
4. Develop a Civilian Cyber Reserve:
Following Estonia’s model, Sri Lanka could establish a civilian cyber reserve under the Ministry of Defence’s Cyber Command. This would allow the state to rapidly draw on vetted private-sector expertise during major incidents to support national response efforts.
LIRNEasia’s presentation is available below for reference.