Dr Rajiv Subba was the COO of InfoDevelopers Pvt Ltd till recently. A former Deputy Inspector General of Nepal Police, Dr Subba also led the Communication Directorate of the Nepal Police for many years. Madan Lamsal of New Business Age talked to Dr Subba to know where Nepal stands in the world in terms of information communication technology (ICT). Excerpts:
Where does Nepal stand in the world in terms of information technology?
Nepal's position in the world in terms of information technology is still relatively low, especially when compared to developed countries that have invested heavily in the sector. However, Nepal does have some strengths in software development, which relies heavily on creativity. Nepal's historical heritage and monuments can provide a rich source of inspiration for creative software development. For example, Araniko, a Nepali artist and architect, expanded Nepali art and architecture to China, demonstrating Nepal's historical contributions to creativity and innovation. Despite these strengths, there is still much room for growth and investment in Nepal's information technology sector
You portrayed a rather rosy picture about our information technology sector. Can you please elaborate more on this?
I am not saying that Nepal is ahead in the development of information technology, I only made a comparison. India is much ahead of us in the field of information technology. We cannot compete with it for sure. But when we study some applications development in India, I can say that we can compete with them. This is because the knowledge and workforce required to build such applications are of the same nature in the world.
It is true that some Nepali companies are working on digital transformation using local resources. The core banking system can be taken as an example of this. Not only the commercial banks, development banks, finance and microfinance companies are running the core banking software developed in Nepal. There are some who still use the core banking system developed in foreign countries.
Similarly, while the Nepali government does use some software and applications developed domestically, there are also some applications developed by foreign companies in use. That said, it is important to recognise that Nepal's information technology sector has potential, and there is scope for growth and development. While Nepal may not be at the forefront of information technology globally, it does have strengths and opportunities in this field, which can contribute to the country's economy and development in the long run, much like tourism or any other sector.
Recently, the Minister for Communication and Information Technology said the government doesn’t have access to data centres where the government data is stored. Is this the situation that we are in?
I don't think the minister actually said that. The issue may have been discussed in the context of cyber security, and the minister's intention could have been to highlight Nepal's need for stronger cyber security measures.
According to a World Bank report from 2017, Nepal's ICT exports were worth over Rs 6.5 billion, indicating the growing investment in this sector. The digital landscape of Nepal has undergone significant changes in the past five to ten years, with advancements in fintech and e-payments, among other areas.
While investment in the sector is increasing, the necessary security infrastructure to support it is lacking. There is a shortage of skilled manpower and preparation needed for cyber security. The minister's statement may be an attempt to draw attention to these concerns.
When it comes to the banking sector, data is more or less secure. However, Nepal's data privacy standards are not up to par, and there is a lack of mechanisms to ensure data safety. It is crucial for the government and private sector to work together to strengthen cyber security measures and improve data privacy.
What kind of mechanism do we need to keep our data safe?
To keep our data safe, we need to invest in various mechanisms such as cybersecurity technology, antivirus software, data privacy laws, and other related areas. Currently, Nepal is weak in the cyber security index when compared to other countries.
We frequently hear about hackers getting access to government websites. Is this because of the lack of cyber security infrastructure that you mentioned, or because of the ignorance of the government officials?
Both are contributing factors. Firstly, our investment in cyber security is low, and our knowledge about it is also lacking. Secondly, some government officials understand cyber security as only computer security. Most government organisations have only one permanent employee who looks after information technology (IT), and the rest are on contract. This makes it impossible to expect proper cyber security from them.
In my opinion, computer security is only a small component of the current digital environment. As we become more reliant on digital technology, we must have good digital infrastructure, standard operating procedures, and a framework for business continuous process to cyber security. We need skilled manpower who understand the importance of cyber security, and organisations and companies must also understand its importance.
For example, nowadays, companies collect names of three generations of their clients and publish them, which is not the correct thing from a security standpoint. We need to pay attention to such things and take necessary steps to ensure the safety of our data.
Where do we stand in the world in terms of cyber security?
In terms of the information technology index, Nepal is at the very bottom. There are various parameters for cyber security or digital data security. As I mentioned earlier, our weakness is the lack of investment in this sector. Although investment in digital is increasing in Nepal every year, it appears that we have not paid enough attention to security. For instance, we may spend Rs 300,000 on a motorcycle but only buy a helmet costing Rs 2,000. A similar trend is evident in the field of information technology. It is high time we set parameters for cyber security by drafting necessary laws. In conclusion, we are lagging behind other countries in the cyber security index.
What do you think we should do to beef up cyber security?
First of all, we should not limit cyber security to computer security. The country's data is its property, and cyber attacks aim to gain access to data. Sony Corporation was also attacked for data. Cyber attacks in various countries, including the US, were all aimed at stealing data. Such incidents have happened in Nepal as well. Not only the citizen's name, their citizenship number, phone number, email address, but also what position the person is working in which organisation is connected with security. The Prime Minister of India recently said that cyber security is national security. Therefore, cyber security should be considered as national security. To strengthen it, the government, private sector, and other agencies should work together, and necessary laws should be drafted and passed. Currently, the cyber security law has been stuck in parliament for a long time, and a separate law drafted by the Nepal Telecommunication Authority (NTA) has been forwarded to the ministry. These crucial laws have to be passed at the earliest.
Companies or organisations that collect public data should take responsibility for its protection. The investment in cyber security has to be increased by 10-20% annually. Data with banks is secure because they audit their information system regularly under the instructions of Nepal Rastra Bank. Other organisations should also be prompted to do the same, and it should be made mandatory by enacting new laws. Necessary manpower should be arranged, and training should be given to beef up cyber security. Cybersecurity should also be included in the curriculum of undergraduate and master's levels. There are 3.5 million job opportunities available in cyber security alone in the world, and Nepal has a lot of opportunities as well. A team of, say 50-60 engineers, can take care of cyber security issues of around 300 companies round the clock. This way, we can retain Nepali youth in the country and improve our cyber security.
Moreover, raising public awareness about cyber security and lobbying political parties for early passage of cyber laws is necessary. The formation of a commission for regulation and supervision of cyber security issues should not be delayed. The Singapore model can be appropriate for us, where the Prime Minister is directly involved in cyber security matters. If cyber security is not only connected with computer security but also national security issues, its effectiveness will increase.
Talking about data security, there was a big controversy when the government awarded the national ID card contract to a foreign company. How appropriate was it to award the contract to a foreign company?
Even I am of the view that such a sensitive issue like national ID card shouldn’t be awarded to a foreign company. Nepali companies should be given the opportunity if they are capable of the job. How will Nepali companies increase their capacity if they are not given opportunities? I strongly believe Nepali companies are capable of providing cyber security services. Had savings and cooperatives not shown their faith in Nepali companies some two decades ago, Nepali IT companies would not have been able to come to this stage. InfoDevelopers is currently employing nearly 350 people because it got the opportunity to show its capabilities. The government should prioritise Nepali youths and companies working in the field of digital transformation. The presence of Nepali companies has expanded to South Asia. For example, Pumori software developed by Mercantile is being used in Bhutan and Myanmar. But the government is not showing any attention to this.
You said Nepali companies are capable. But there was a time when there were complaints that Pumori has several flaws, wasn’t it?
It is natural for software to have flaws. It shouldn't be taken otherwise. These help to make software even better. We have recently taken over Pumori, and very soon, we will bring its updated version. It may still have flaws, but it doesn't mean that the software cannot be used just because of the flaws. We should fix those flaws and move ahead.
How safe is the data of government agencies like customs, revenue investigation, financial institutions and security agencies?
It's difficult to guarantee that the data of government agencies like customs, revenue investigation, financial institutions, and security agencies is 100% safe because there are various risks involved. Although we are aware of reported incidents, many unreported incidents could have happened. For example, about a year ago, there was a major attack on Nepali servers. Besides this, no other serious incident has been reported. However, to improve data security, we must first understand which sectors hackers are targeting and their motives.
Our public offices are using different types of software. How is the level of tech literacy in the government workforce?
In the IT sector, IT literacy is not an issue, but for other sectors, it can be a big problem. I am not saying that public office staff who have invested in software and IT services are not IT literate, but their knowledge may not be up to the mark. We need to understand that hackers are always one step ahead, and we don't have a good idea of how they work because ethical hacking isn't practised much here. Additionally, nobody is conducting any tests on whether our systems are 100% secure. We will only be able to determine this after conducting a thorough safety audit.
As most of our staffers lack tech literacy, how will they know which software can keep their data safe or which will be more effective?
Not everyone may have the expertise to select appropriate software for their office. However, technical teams are being set up in government offices to assist with these decisions. The procurement of software is based on the suggestion of the technical team. It will take time for this process to be fully implemented. Additionally, many people are unaware that there should be a business continuity plan in place. For example, if a server goes down, another server should automatically take over. However, we don’t have this system in place. We need to provide training to our workforce in these areas. Even dedicated IT staffers should have knowledge about cybersecurity, including risk analysis, to strengthen our system. Unfortunately, cybersecurity is not currently a priority in our public offices, and this is why their data may not be safe. It is crucial to prioritise cybersecurity to protect our data.
Incidents of online frauds and scams are on the rise. How can we protect ourselves from such frauds?
A: It is indeed the responsibility of the state to protect its citizens from online frauds and scams. The government has established a specialised Cyber Cell within the Nepal Police to investigate such cases. However, these crimes are constantly evolving with new methodologies, making it difficult to control them. To avoid falling victim to such crimes, we should all exercise caution and avoid sharing personal data such as our date of birth, address, and mobile numbers on social media. We should also be careful not to engage in social engineering tactics by chatting continuously on the same topic. Before clicking on links forwarded on social media, we should verify their credibility. It is also crucial to educate ourselves and future generations about cybersecurity to prevent such incidents from occurring.
As digital banking services proliferate, banking frauds are also on the rise. How can we mitigate them?
If we look at the data, incidents of banking frauds are comparatively lower. Although cases of cyber banking crimes are very few, there have been instances of such incidents using OTP of others. To mitigate them, we need to focus on strengthening our authentication processes. Double authentication is a good way to protect our accounts. Banks and financial institutions should also make their verification process more rigorous. Additionally, app developers should continuously work on developing new security mechanisms to enhance their features. It is important to remember that these incidents are happening because of human weaknesses and not because of shortcomings in technology.
Where do we stand in terms of software development? What should we do in the future?
Nepali companies are involved in different domains of information communication technology. They have a strong presence in the banking sector. Likewise, most of the vendors of government agencies are Nepali companies. Fintech is also an area where Nepali companies are ahead. Additionally, Nepali companies are providing services using digital applications in supermarkets, tourism enterprises, and education. While foreign companies were dominant players in these areas until a decade ago, Nepali companies are now exploring new avenues in the field of ICT. The agriculture sector holds a lot of potential, and tech companies should consider working in this area.
You mentioned that Nepali companies can benefit a lot by exploring foreign markets for their software. How can they benefit?
There are two ways Nepali companies can benefit. First, they can get contracts from international buyers and develop software in Nepal. Second, they can develop software in Nepal, as some companies are already doing, and explore the international market for such products. I believe we need more companies of the second type because it will make foreign companies more familiar with Nepali brands. Nepali products will have branding value.
Unless the government and private sector prepare accordingly and increase investment, we will lag behind other countries. We shouldn’t just introduce Nepal as the land of Everest, Gurkhas, and Khukuri, at a time when software companies like Wipro and InfoSys have become the identity of India. We should introduce Nepal in the same way.
How can the government create a conducive environment for the ICT sector?
The workforce of the ICT sector pays an average of 30% tax. The government can study tax systems in other countries and make necessary decisions. While the government denies tax incentives to ICT companies, business process outsourcing (BPO) companies enjoy tax incentives. BPO employees are also receiving tax benefits.
Companies that aim to expand into the international market need to increase investment, not just in capital but also in technology. We should try to understand the reasons why Nepali companies shift to India after a few years of operation in Nepal. Some may argue that India is a big market, but having a large population does not necessarily matter for a software company. Even countries with low populations, like Costa Rica, have made significant progress in software development. We need a vision. If the government prioritises the software industry and brings incentives and programs for the next five years, this sector can attract significant investment.
We also need the government's commitment to bring necessary laws to support these industries. Few years ago, the government launched IT parks with much fanfare. But its current status is unknown. While the government seems to understand the necessity of the ICT sector, its presence cannot be felt in creating a conducive environment for the private sector.