Bangladesh’s e-security efforts stuck in neutral even after $81 million central bank cyber-heist

13 February 2017. By Jennifer Freedman.

Bangladeshi authorities were quick to promise a crackdown on cybercrime after hackers stole $81 million from the country's central bank last February in one of the biggest-ever cyber-heists.

Yet little has happened in the past year beyond some halfhearted attempts by the government to encourage financial institutions to develop cybersecurity policies and rhetoric assuring the public that tackling the problem would be a top priority. The result is that, as Bangladesh becomes more integrated into the online banking ecosystem, the country is increasingly vulnerable to future cyberattacks.

The main obstacle is a lack of human resources, say cybersecurity companies such as Aspire Tech Services & Solutions, a New York-based information technology company with offices in Bangladesh.

"There are no cybersecurity experts in Bangladesh," said Tito Rahman, Aspire's managing director in Dhaka. "The government is providing training, but it's not properly working."

Bangladesh has some globally accredited cybersecurity researchers, but the absence of a platform leads most of them to shift eventually to software development, said Muqeet Halim, managing director of Big Web Technologies. "The talent is lost, wasted," he told MLex.

Seeing an opportunity to address that talent drain, alongside concerns about cybersecurity, Big Web Technologies developed a platform named Beetles — The Hacker's Approach. The company launched Beetles at the BASIS SoftExpo trade show in Dhaka earlier this month, where one seminar* focused on cybersecurity.

"Beetles was co-founded by some of the researchers from the younger generation who hate to see that such raw talent is being squandered," Halim said. "We look toward providing a space for these young, talented researchers to grow and harness their full potential."

Beetles, created just a few months before the central bank was hacked, was slow to get off the ground because most Bangladeshi companies saw it as an unnecessary expense. But after the brazen theft, "all the papers and people could talk about was the cyber-heist," Halim said.

"That pretty much took care of educating the market, and we started seeing positive responses from people we had approached before," he said. "We started generating clients, mostly local software development companies and e-commerce companies. What we found was pretty much what we expected going in: most of the apps were extremely vulnerable and full compromise was possible."

Nevertheless, the Bangladeshi government has been slow to embrace such platforms. Following the central bank heist, more than 40 companies from the US and Europe presented their cybersecurity products, "but the government still hasn't decided what to do," said Alam Mohammad, cybersecurity director at Aspire. "There is also no clear budget in Bangladesh to combat cybersecurity."

That money will "definitely" come through after the government decides the fiscal year budget in June, Rahman said.

Waiting game

In the meantime, Bangladeshi finance sector businesses are doing little to upgrade their security systems. And not surprisingly, more security breaches have occurred; hackers stole data from three lenders — Dutch Bangla Bank, City Bank and Trust Bank — last May, and it is understood that Bangladeshi police department data were breached six or seven months ago.

"We haven't seen any bank do anything in the last year," Mohammad said. "They are waiting to see what the central bank is doing, but the central bank, even after that incident, isn't taking it seriously. The banks won't take it seriously until the central bank does.

"Everybody talks about cybersecurity and that we have to implement as soon as possible, but it's been months and they really haven't done much," he added. "Sooner or later there will be another incident if they don't set up a cybersecurity operations center."

Rahman echoed that sentiment, saying: "Billions are at risk. Even after a big incident, we don't learn. People just smile."

Bangladesh created a cyber-tribunal in February 2013 that has access to sophisticated technology to trace offenders and track Internet fraud. But a lack of clear directives from higher authorities has tied the hands of the agency, which is limited to carrying out surveillance and acting only when a case is filed.

Last year, 233 cases were lodged — up from 152 in 2014, 33 in 2014 and just three in 2013.

Prime Minister Sheikh Hasina Wajed has promised that under the Digital Security Act 2016, the government will set up a world-class forensic laboratory, a cybersecurity agency, a cyber-incidents response team and a high-level digital security council.

But with no clear-cut policy, Alam said: "No matter what other steps they take, how are you going to implement anything? The government has a policy, but it's not clear. They have been working on it for years."

The solution? "They have to force all the banks and financial companies to build a policy for cybersecurity, and those that don't comply will face penalties," Alam said. "You can't protect by only using firewalls and antivirus."

*Addressing Cybersecurity from Global and Local Perspectives, BASIS SoftExpo, Dhaka, Bangladesh, Feb. 2, 2017