Securing Nepal’s digital future

A case for a comprehensive cybersecurity law covering key aspects like institutional mechanisms, critical infrastructure protection, cybercrime, user rights and international cooperation.

Bivek Chaudhary


As Nepal embarks on a journey of digital transformation, we stand at a pivotal moment that will define our cyber future. With increasing internet penetration, digitization of governance, and technology adoption across businesses and society, Nepal’s attack surface for cyber threats has expanded exponentially. Yet our national cybersecurity strategy and legal frameworks remain archaic and vulnerable, unable to keep pace with the sophistication of attacks by state-sponsored groups, organized hacker collectives and individual cybercriminals.

Recent incidents like the Nabil Bank data breach, hacking of Nepal Telecom servers, multiple ransomware attacks on hospitals and frequent defacements of government websites are warning signs we can no longer afford to ignore. It is estimated that cybercrime and cyber-attacks cost the Nepali economy over Rs 15 billion annually as per industry reports. Beyond immediate financial losses, such threats undermine public trust in digital services, violate privacy and data rights, and can cripple critical infrastructure putting lives at risk.

In “The Art of Cyber Law & Cyber Crimes,” a comprehensive guide to understanding and addressing the complex landscape of cybersecurity and digital crime, we are privileged to feature insights from Dr Newal Chaudhary, a distinguished advocate at the Supreme Court of Nepal and a dedicated Assistant Professor of Law at Nepal Law Campus, Faculty of Law. Dr Chaudhary, with his extensive experience and expertise in the field of cyber law, has made significant contributions toward drafting a comprehensive cyber law for Nepal, shedding light on this enigmatic and often perilous corner of the internet. As a digitally developing nation, Nepal requires a comprehensive cybersecurity law aligned with global best practices but tailored to our unique needs and capabilities. This article makes the case for such a law while proposing a policy framework covering key aspects like institutional mechanisms, critical infrastructure protection, cybercrime, user rights and international cooperation.

Global landscape

Cyberspace is recognized as the fifth domain of warfare and conflict, in addition to land, air, sea and space. Offensive cyber capabilities are now part of military strategies for nations big and small. Cyber weapons like Flame, Stuxnet and WannaCry have shown how sophisticated attacks can disable nuclear plants, affect election outcomes and cause mayhem by exploiting vulnerabilities in common software. At the same time, cybercrime has become a $6 trillion industry affecting businesses and individuals worldwide.

Against this backdrop, securing national cyberspace has become crucial for every country’s defense, economy and national security. By 2021, over 150 countries had implemented cybersecurity strategies and enacted cyber laws covering issues like cybercrime, data protection, security standards and institutional oversight. Robust legal frameworks combined with technological defenses and public vigilance have become essential to manage cyber risk.

Case of Nepal

However, Nepal has lagged behind in developing its cybersecurity defenses. The existing Electronic Transaction Act, drafted in 2006, does not address contemporary internet-era threats. With 2G-level speed and limited surveillance capability, our law enforcement agencies struggle to detect and investigate digital crimes. We lack trained cybersecurity professionals across both the government and the private sector. Critical infrastructure sectors like energy, banking and telecom lack mandated cybersecurity standards or incident reporting mechanisms. With the creation of new institutions like NCIIPC and NCCC, India has demonstrated far greater leadership in securing its cyber future.

According to experts, there are huge gaps in Nepal. They include outdated laws that do not cover new types of cybercrime; lack of institutional coordination between the government, CERT Nepal and the private sector; no mandated frameworks for audits, controls and drills around critical infrastructure; absence of data protection legislation and privacy safeguards; overreliance on imported technical solutions rather than local capacity building; and low awareness among citizens, businesses and agencies about cyber hygiene and defense.

With our growing integration into the global digital economy, Nepal simply cannot afford to neglect cybersecurity any longer. Our vulnerabilities are actively being probed by adversaries looking to penetrate critical systems. A single successful attack on our financial networks or power grid could have devastating cascading effects across Nepali society. We need a comprehensive law encompassing global best practices but tailored for Nepal’s ground realities and resource constraints.

What should our cybersecurity law be like?

Based on examples from other national cyber laws and recommendations of experts, Nepal’s legislation must cover the following crucial aspects. First, we need an institutional framework. A nodal National Cybersecurity Authority (NCA) should be set up under the PMO as the key policymaking, oversight and incident response body. In addition, sector-specific CERTs, cybercrime cells, and cybersecurity workforce initiatives are needed.

Second, we need critical infrastructure protection. Mandatory standards, regular audits, and incident reporting mechanisms must be defined for assets like power systems, transportation, banks etc. considered as ‘critical information infrastructure’. Then comes personal data protection. With growing instances of data theft, strong safeguards are required around individual privacy, consent and data localization. Provisions for data protection authorities, privacy impact assessments and grievance redressal should be incorporated. Likewise, cybercrime and law enforcement are other critical factors. New types of offenses like identity theft, phishing, ransomware etc. need to be added to Nepal’s criminal code. Investigators and judges will require training on digital forensics and cyber laws to aid prosecution.

The focus should also be on information sharing. Processes for threat intelligence sharing between government and industry, vulnerability disclosures, and coordinated vulnerability hunting across critical networks will boost collective defense.

Equally important, the National Cybersecurity Authority (NCA) should enable global partnerships for capacity building, information exchange and evidence collection to combat cross-border cybercrime. Collaborations with think tanks, academia and civil society should be tapped for recommendations. Finally, the focus should also be on awareness and capacity building. Public education programs should promote cyber hygiene and vigilance across professional and community groups. Educational institutes must be incentivized to develop the cybersecurity workforce.

Legislative recommendations

Drawing upon the key principles above, the following provisions are recommended as part of Nepal’s cybersecurity legislation. First, the Ministry of IT shall draft a National Cybersecurity Policy in consultation with the private sector and civil society. This will guide Nepal’s cyber posture based on current and emerging threats. Second, a 5-year National Cybersecurity Strategy shall subsequently be developed by the National Cybersecurity Authority to implement the policy priorities.

Under the institutional mechanisms, we need to establish the National Cybersecurity Authority (NCA) under the PMO to monitor threats, coordinate stakeholders and drive implementation of cybersecurity policies and programs. We also need to set up sector-specific Computer Emergency Response Teams or expand the mandate of existing Nepal CERT for focused oversight of critical infrastructure sectors. Besides, we need to create a Cybercrime Investigation Unit within Nepal Police staffed by officers trained in cyber forensics, cryptography and digital evidence collection.

For protection of critical infrastructure, the National Cybersecurity Authority (NCA) shall categorize and maintain a register of assets like power plants, banks, telecom networks and government databases, among others, as Designated Critical Information Infrastructure based on their criticality for Nepali society and the economy. Owners/operators of such designated infrastructure must comply with cybersecurity control requirements as mandated by the NCA, including audits, maintenance procedures, emergency planning and mandatory incident reporting.

For personal data protection, organizations processing personal data of Nepali citizens must implement privacy policies clearly laying out the purpose of use, retention periods and deletion protocols. Trans-border data flows, especially of sensitive information like financial data and health records, shall be allowed only with explicit consent and after a transfer risk assessment. Individuals have the right to revoke consent and demand erasure of personal data if it is no longer required for the specified purpose.

To address cybercrime, the Electronic Transaction Act and Criminal Code should be amended to add new cyber offenses like identity theft, phishing, cyber stalking, cyber terrorism etc. and define appropriate penalties per damage caused. We also need to make provisions for expedited preservation, acquisition and analysis of electronic evidence related to cybercrimes and online harassment.

In the same way, any data breach involving personal user data must be reported to the sectoral CERT within 24 hours of detection. Other cyber incidents must be reported within reasonable timelines. An annual report shall be tabled in the Parliament summarizing cyber threats, incidents, and enforcement and policy measures undertaken during the year.

All government entities must annually budget at least five percent of their IT expenditure for cybersecurity improvements like audits, upgrades and capacity building. Critical infrastructure entities must undertake technology refreshes of core control and security systems at least every 2-3 years, or align with sectoral guidelines defined by the NCA.

Forward looking approach

Nepal faces a pivotal moment in securing its digital future. As our reliance on computing and connectivity grows across every sphere of life, we need a forward-looking legal framework backed by institutional capacity to manage cyber risks. This article proposes key elements of such a comprehensive national cybersecurity law. Of course, enacting the law will require broader consensus building through public consultations, parliamentary debates and expert recommendations. Once implemented, the effectiveness of the law will depend on transparency, oversight and constant evolution. With deliberate effort, this law can be a stepping stone in creating a safe and resilient cyberspace that will be foundational for Nepal’s development. But cybersecurity is ultimately about much more than just technology or legal compliance. It is about fostering a culture of collective vigilance, where the government, private sector and citizens work together to secure Nepal’s digital future.

Bivek Chaudhary is pursuing a BA LLB degree at Nepal Law Campus, Kathmandu.