On March 9 the ICT Division organised a day-long conference at the Bangladesh Computer Council auditorium at the ICT Tower in Agargaon to celebrate the first anniversary of the BGD e-GOV CIRT (Bangladesh Government Cyber Incident Response Team). Titled ‘International Cyber Security Conference’, the event was arranged in collaboration with the leading global cyber security agencies, including Norway Registers Development Companies (NRD Companies), which won the contract from the Bangladesh government to assist in establishing the BGD e-GOV CIRT.
Rimantas Žylius, the Managing Director at NRD, gave a keynote speech at the conference. Widely recognised as a “Business Environment Reform and policy mastermind”, Žylius is no mere technocrat. In 2011, at the age of 37, he was appointed minister of economy of the Republic of Lithuania. During his one-year tenure (2011 – 2012) as the minister, Žylius was in charge of reducing red tape, improving the business environment, reforming public procurement, and increasing the efficiency of state-owned enterprises (SOEs). Under his leadership, public procurement in Lithuania became more transparent, more efficient, and better controlled by the state.
On the day of the conference, Rimantas Žylius spoke with Fintech in an exclusive interview, in which he discussed cyber security, NRD’s work for the Bangladesh government, Fintech and other issues in detail.
FINTECH: NRD have worked in government projects in Bhutan, Estonia, Lithuania, Tanzania and other countries. Now you are working here in Bangladesh. Could you start by telling us a little bit about NRD and the projects?
RZ: Overall, NRD is a group of companies, which work in a field I would describe as public and financial sector transformation. One of our areas of work is management consulting, where we help companies and institutions to redefine what they are doing; redefine the processes, maybe draft legislation, prepare for organisational change, and implement organisational changes. For example, moving from paper-based business register to electronic business register. It is much more complex than it sounds. Because it requires deeper thinking of the legal environment. It also requires to change people completely and how they use the registry. We help in this thinking process and the implementation.
These changes are implemented through software. We provide software development services as a part of this consultancy and redefinition. After providing the software system we take care of or provide clients with the reliable critical systems, i.e. servers, storage, engineering of the centres. In addition to that, when you go digital, security is absolutely essential. If you fail to be secure, you fail your project. You don’t fail a part of it, you fail all of it. So, making all of this happen, putting the system on a reliable infrastructure, and making it secure is really what we do.
FINTECH: We have all the technologies needed to go paper free. Why hasn’t it occurred yet?
RZ: There are more than enough reasons for that. First of all, paper is an extremely good medium. It’s very reliable, it’s very accessible and so on. People have to have very small training to do paper work. Digital requires of us much more input, change of mindset and attitude. And I would say it is extremely important to realise that so far we are in the very early stages of digitization. It means that designs of our systems are very complex. I mean just go to websites. Most of the time they are clumsy, they are not interesting, you can’t understand what you should do. I believe that as societies, technologists, and as vendors we have a long way to go still, until we make it right to the people. And one of our companies in our group, which works in financial technologies, is extremely focused on design. They believe in design driven technologies, where customers can go to websites, to a banking website for example, to use complex products without any training or explanation. Because everything is visible and rightly designed.
FINTECH: Could you tell us about the project with CIRT here in Bangladesh? How is it coming along?
RZ: We won the project nearly 18 months ago. This is the project of establishing the computer incident response centre team and developing their capacity. So, we started by defining processes, providing technologies and so on in order to help equip this team. So, it’s already one year since we are working with this team, in what I would call, a mixed environment. We are not training the team. It’s on-the-job training, we are working with them together. So, basically our best specialists are coming here to Dhaka. Some of the people from the team are visiting our offices in Norway and Lithuania for study visits and so on. But basically we are working together and growing competence. So, our people are leaving their responsibilities to the local team. What is important is that we are not rushing it. It’s a very well designed and long project. The purpose is to give these new habits, new capabilities enough time to mature, so that they are sustainable. It’s not like I’m telling you what to do and then you are left alone trying to make sense of what you were told. The scenario testing, constant availability of specialists, helping to leverage our networks for this team, is what this project is about. We are extremely happy about how it is going. This is what we always promote as a model.
FINTECH: You must have heard about the Wikileaks release just a day before about secret CIA codes that are supposedly used to infiltrate devices. What are your thoughts on this?
RZ: Yes, I am aware of the news. The sad part of it is that in most of the cases you don’t need these cyber weapons to break into the system. Today in the presentation what the CIRT team was showing is probably the most convenient way to break into a system (referring to a session during the conference where two members of the CIRT team showed how weak and predictable passwords make system breaches extremely easy for hackers). I am afraid in most of the cases we are at the less advanced stages. I mean we are not so protected and Bangladesh in most of the cases, most of the institutions lack enough sophistication even to care what Wikileaks gave us insight into. And we have to admit that in the biggest countries there will always be a lot of talent available to do the necessary work. But most of the harm coming, especially for the financial institutions, is not coming from state actors, but from hackers who do it for business, just to receive ransom or to gain relatively small profit (from the intrusion).
However, I would not care so much about what Wikileaks tells us. In this kind of situation, I would say that we shouldn’t care about microbiology, we should care about washing our hands before eating. So, this is a procedure we are still in. That was the essence of my talk today and what I think is very brilliantly put in the draft declaration (referring to a declaration put forward by the ICT Division on March 9 during the conference) that you have seen; (which is) we still lack this understanding for every institution that cyber security is not a technical issue. It is a management issue. It is not something that technical people have to take care of, but something that everyone across the board has to be aware of. Because this is an operational risk.
And what is perhaps specifically important for your magazine is that the financial industry probably has the most to lose in this environment. And so far what we see, the situation is not brilliant. I mean the financial sector in Bangladesh has a long way to go. It has to internalize what risk they are facing and make sure that it deals with them.
FINTECH: Could you talk about the fintech disruptions in the industry and how this is going to impact or change cyber security?
RZ: When we talk about these disruptions we are really talking about something we don’t know yet. For example, mobile money was not even a big issue worth noticing in Western Europe or in the United States, because in those regions a huge number of people are banked, they have credit cards and so on. So, no real issue was solved by mobile banking. But it came in the form of disruption in the emerging economies. Now we see its impacts going through Western Europe as well. Even in the mature markets the impacts are large. This has made transactions more accessible and cheap. Overall it made the financial sector much more useable. I think the impacts have been most astonishing. And in a way this is also where threats are coming from.
Banks, and the financial sector overall, are definitely one of the first that has become extremely technological and highly complex. And complex systems are always vulnerable. There has to be serious thinking put into how to make them resilient. And this resilience is not only technological. Rumours about institutions, for example, are a problem. So, a rumour that an institution is bankrupt can make them bankrupt; I mean even absolutely healthy institutions. It’s not only about making my credit card secure and making my system secure. But financial institutions, which depend so much on the trust of people, and it is now put in the context of social media, where news now spreads in seconds, you know, Twitter, Facebook, all of this makes the environment for the financial sector extremely volatile.
So, overall the area of operational security now becomes inseparable from cyber security. As I said, it’s not only about banks making sure that nobody breaks into the system, but it is also about if we will be able to react early enough to rumours in the social media about our credibility or about our vulnerability and so on. Will we notice this information soon enough and will we have a plan to act accordingly? These are the core questions. There are a lot of challenges and security is now a huge part of it.
FINTECH: You served as the Minister of Economy of Lithuania. As a European political leader what was your reaction to Brexit?
RZ: I was very sad. I mean for Lithuania the UK had always been a strong ally on a lot of fronts. In my term as a minister I always pushed for more flexibility in Europe, for making it less bureaucratic, removing regulations and so on. And we had very strong support from the UK. For me, losing the UK leaves Europe without an extremely valuable partner. So, it was very sad from that aspect.
On the other hand, I think it is important to understand what happened. I think that we are entering in such a democracy era where popular politics is a must. People must approve your policies. And the gap in the thinking process between the elites and the general public cannot be too large. I mean, the elites cannot just say that ‘this must be done’. They must think about how you persuade and how you communicate. So, for me Brexit signifies an already visible change in how we do politics in the democratic world.
FINTECH: Thanks very much for talking to us.
RZ: You are welcome.