Cybersecurity in critical information infrastructure of Bangladesh

As Bangladesh's digital landscape evolves, it grapples with an escalating degree of cybersecurity threat, raising concerns about the integrity of the country's digital infrastructure. Bangladesh's cybersecurity landscape is a dynamic tapestry, marked by both significant advancements and persistent vulnerabilities. Despite initiatives prioritizing collaboration and implying Government focus into the issue, such as the National Cyber Security Act, the nation grapples with interminable challenges.

For instance, the rise of ransomware attacks targeting government agencies and businesses underscores the pressing need for enhanced cybersecurity measures. Furthermore, the proliferation of social engineering tactics, as seen in phishing scams and identity theft cases, underscores the multifaceted nature of cyber threats in Bangladesh.

One poignant example is the notorious cyber heist targeting the Bangladesh Bank in 2016. Hackers attempted to siphon off nearly $1 billion from the bank's reserve account held at the Federal Reserve Bank of New York, succeeding in absconding with $81 million.  This among several other breaches not only highlights the immediate ramifications of concerned establishments but also raises questions on the broader implications of inadequate cybersecurity measures for safeguarding critical infrastructure.

Critical Information Infrastructure (CII) constitutes the backbone of Bangladesh's technological framework, encompassing sectors vital for national security, economy, and public welfare. This includes telecommunications, energy, transportation, banking, and healthcare systems. In the context of Bangladesh, where digital transformation is rapidly reshaping socio-economic paradigms, the security of CII assumes paramount importance. Any breach or disruption within these crucial systems not only poses immediate risks to public safety and economic stability but also threatens the nation's developmental aspirations. Thus, safeguarding CII is imperative to ensure sustainable growth and resilience in the face of evolving cyber threats.

Elements of Critical Information Infrastructure (CII) in Bangladesh are intricately intertwined with citizen life, so much so that we fail to notice any aspect of these systems until they are actively hampered. For instance, the telecommunications sector, represented by entities like the Bangladesh Telecommunication Regulatory Commission (BTRC), facilitates crucial communication channels for emergency response coordination, law enforcement activities, and dissemination of public safety information during crises. Moreover, the energy sector, embodied by the Bangladesh Power Development Board (BPDB), ensures the uninterrupted supply of electricity, powering essential services such as hospitals, transportation systems, and financial institutions. Additionally, the banking sector, exemplified by the Bangladesh Bank, plays a pivotal role in facilitating secure financial transactions, vital for sustaining economic activities and public confidence. The role of CII is indispensable in sustaining essential services and fortifying Bangladesh's national security framework, which is why safeguarding this infrastructure against emerging threats like evolving cyber adversities is of paramount importance.

Bangladesh faces a myriad of cybersecurity challenges stemming from its rapid digitization and evolving threat landscape. One prominent issue is the prevalence of malware and phishing attacks targeting government agencies, businesses, and individual users, leading to data breaches and financial losses. Furthermore, the inadequate degree of cybersecurity infrastructure and skilled workforce exacerbate vulnerabilities, hindering effective threat detection and response mechanisms.

Despite these challenges, Bangladesh has made essential strides in bolstering cybersecurity measures to safeguard its critical infrastructure. The government has enacted relevant, needed policies such as Bangladesh's Digital Commerce Operation Guideline 2021, which sets out regulations and standards for secure digital transactions and e-commerce operations. Furthermore, the Bangladesh Cyber Security Act (2023) provides a comprehensive legal framework for addressing cyber threats, ensuring accountability, and protecting digital assets. In alignment with global cybersecurity initiatives, Bangladesh has developed the Bangladesh Cybersecurity Strategy for 2021-2025, outlining strategic objectives and action plans to enhance cyber resilience and mitigate cyber risks. Moreover, Bangladesh's collaboration with international partners extends to aligning its policies with the European Union's Digital Services Act (DSA), fostering interoperability and harmonization of cybersecurity standards. These concerted efforts underscore Bangladesh's commitment to strengthening its cyber resilience and fostering a secure digital ecosystem for its citizens and businesses.

Running parallel to policy-level initiatives, citizen-focused cybersecurity initiatives and awareness campaigns play a crucial role in fostering a cyber-secure society. For example, the Cyber Security Awareness Programme organised by the Bangladesh Computer Council educates citizens about common cyber threats and best practices for safeguarding personal information and digital assets. Similarly, the "Cyber Safe Bangladesh" campaign led by non-governmental organisations raises awareness among students, teachers, and parents about online safety and responsible digital citizenship. Additionally, initiatives like the Cyber-Maitree 2023 programme foster collaboration between government agencies, industry stakeholders, and the public to enhance cybersecurity awareness, skills, and resilience at the grassroots level. These initiatives empower individuals to navigate the digital landscape safely, contributing to the overall cybersecurity posture of Bangladesh.

In the Critical Information Infrastructure of the power sector in Bangladesh, where the consistent, reliable and secure operation of energy grids is essential for sustaining economic activities and public services, cybersecurity is of immense importance. As the backbone of Bangladesh's industrial and commercial sectors, the power sector relies heavily on interconnected digital systems for the generation, transmission, and distribution of electricity, making it a prime target for cyber threats. Identified vulnerabilities within Bangladesh's CII, particularly in the power sector, include outdated legacy systems, inadequate cybersecurity protocols, and a shortage of skilled cybersecurity professionals, leaving critical infrastructure susceptible to exploitation by malicious actors. Cybersecurity threats in the power sector CII have been observed globally, underscoring the magnitude of potential disruptions and economic repercussions. Notable incidents, such as the 2015 cyber attack on Ukraine's power grid, where hackers remotely disrupted electricity distribution to hundreds of thousands of homes, serve as poignant reminders of the devastating impact cyber threats can have on critical infrastructure. Such incidents highlight the imperative of fortifying cybersecurity measures within the power sector's CII to mitigate risks and ensure the uninterrupted supply of electricity, crucial for sustaining economic activities and public services.

Past cybersecurity incidents in Bangladesh's CII, notably within the power sector, serve as stark reminders of the vulnerabilities inherent in digital infrastructure. One such case study involves the cyber attack on the Bangladesh Power Development Board (BPDB) in 2015, where hackers breached the board's systems, disrupting electricity distribution across several regions and causing widespread power outages. Another notable incident occurred in 2017 when the ransomware attack known as "WannaCry" infected computers at the Bangladesh Energy Regulatory Commission (BERC), compromising sensitive data and disrupting regulatory operations. These incidents underscore the urgent need for robust cybersecurity measures and investments in the power sector to safeguard critical infrastructure and mitigate potential disruptions to essential services.

The underreported CII events in Bangladesh, such as the "DESCO prepaid meter hack," unveil vulnerabilities within critical infrastructure, particularly the power sector. With over 18,000 prepaid electricity meters compromised in Sylhet, the incident not only threatens revenue streams for utility providers but also raises concerns about the reliability of the power grid. The ability for consumers to access electricity despite negative balances showcases the potential for widespread disruptions and financial losses, highlighting the urgent need for robust cybersecurity measures to safeguard critical infrastructure.

Responses to underreported CII incidents in Bangladesh have been marked by a lack of transparency and accountability. For instance, the negotiation reports following the ransomware attack on Biman Bangladesh Airlines' email servers underscore the challenges in effectively managing cyber threats. Despite warnings and vulnerabilities identified by government agencies, the airline's failure to implement adequate cybersecurity measures leaves critical infrastructure sectors vulnerable to exploitation by threat actors. This opacity not only undermines public trust but also hampers efforts to address systemic vulnerabilities and prevent future cyber incidents.

Indifference to failures arising out of  underreported Critical Information Infrastructure (CII) in Bangladesh's cybersecurity landscape poses significant risks to national security and public safety. The prevalence of underreported incidents exacerbates vulnerabilities within critical infrastructure sectors, hindering efforts to build resilience against increasing cyber threats. Without transparent reporting mechanisms and accountability measures, critical infrastructure operators may remain unaware of systemic vulnerabilities, leaving their systems susceptible to exploitation. Moreover, the neglect of underreported CII failures exacerbates challenges in threat intelligence sharing and incident response coordination, further hindering efforts to prioritize investments in cybersecurity capabilities and infrastructure modernization. Addressing these challenges requires a multi-stakeholder approach involving government agencies, regulatory bodies, critical infrastructure operators, and cybersecurity experts to foster a culture of transparency, accountability, and collaboration.

CII events in Bangladesh underscore the importance of collective commitment to enhancing cybersecurity measures. The aforementioned incidents highlight the vulnerabilities that exist and the potential for widespread disruptions if not addressed adequately. Moving forward, responsible approaches to CII cybersecurity are imperative, demanding proactive measures to mitigate risks and safeguard national interests. It is essential for stakeholders in Bangladesh to prioritize CII cybersecurity measures, fostering a culture of collaboration and accountability to ensure the resilience and security of critical infrastructure in the face of evolving cyber threats.

(This article is being published as part of an effort to bring further awareness regarding cybersecurity and policy gaps relating to cybersecurity in Bangladesh to the general public, stakeholders, and policymakers and is supported by DAI Global LLC and USAID under the Digital Connectivity and Cybersecurity Partnership (DCCP) Programme.)

Syed Shadman Wahid is Senior Associate at Inspira Advisory & Consulting Limited