Government e-service lacks cybersecurity
There are government agencies responsible for information security. E-Mongolia is an integrated public service system that provides public services to citizens electronically through a single-window using the government information exchange system. Just as citizens use Facebook to communicate with each other, the E-Mongolia Facebook page was a channel for communicating with and delivering information to citizens, not a system that provides public services,” the ministry informed.
Although Facebook is not a part of the actual system, citizens receive news and information from the page and send personal information via Facebook chat. Hence, the authorities in charge shouldn’t justify themselves in this way and should instead ensure the protection of all information received across various channels, including Facebook. Lawyer and researcher specializing in information security and cyber law L.Galbaatar said, “In Mongolia, a so-called professional organization should not have made this kind of a statement after making such a mistake. It is the fault of the Ministry of E-Development and Communications for failing to anticipate and prevent attacks and risks. Therefore, it must be held accountable for it. The ministry must take effective action on this issue and report back on it to the public. Otherwise, citizens will be left puzzled and wondering whether it’s safe to use the E-Mongolia system in the future or whether organizations can deliver services reliably.”
He added, “Public services do not have to be available on Facebook. Other countries no longer use or trust public services offered on such platforms. In Mongolia, on the contrary, information of all government agencies is available on Facebook. As the election approaches, government agencies are increasingly meeting with Facebook representatives. In fact, the Mongolian government has become too dependent on Facebook.”
When asked about this issue, cyber security researcher O.Enkhbat said, “E-transition is necessary. This is a huge step forward. However, if you decide to move toward becoming an e-nation, you need to prepare and improve your foundations for the long term. Protecting citizens’ information is a priority. To become an e-nation, it is necessary to implement technologically-sound cyber security solutions.”
Officials say the hackers did not make changes to citizens’ information, but there is no confirmation on whether their information was copied or duplicated. E-Mongolia has been live for more than two years. To date, about 2 million users have received 7.5 million government services online in duplicate counting. Of these users, 56 percent were Ulaanbaatar residents and 44 percent were provincial residents. Overall, E-Mongolia is a large complex system where Mongolians receive public services and input all of their information. However, the loss of so much valuable information can bring about unimaginable consequences for not only the people but the entire nation.
Information security is a sensitive issue in Mongolia. The first Cybersecurity Law was approved last fall, effective from May 1, 2022. The Cybersecurity Law specifies 17 sectors with critical roles in information technology. In other words, these organizations can impact the economy and society through information systems. It is noteworthy that the law stipulates that these organizations must undergo an independent security audit every two years and improve their operations. At the same time, the law provides for the support of intelligence agencies, the Ministry of E-Development and Communications, and Mongolian Armed Forces in matters related to the military. This law will come into force in just a month. Therefore, in preparation for the implementation of the law, officials have established a national cyber security strategy, procedures, regulations on cyber-attacks and breaches, communication and information technology audits, information security audits, and cyber security risk assessment procedures. Other documents are being developed and approved in cooperation with relevant organizations.
Head of E-Development Policy Implementation and Coordination Department of the Ministry of E-Development and Communications B.Bilegdemberel said, “The E-Mongolia system is an integrated e-service system consistent with the Law on Public Information and Law on Information Transparency and Right to Information. If a government organization decides to deliver services online, it needs to connect to the E-Mongolia system and provide a single window. The National Center for Combating Cyber Attacks should support information security in government information systems. The organization responsible must have risk prevention policies, rules, and procedures to conduct information security inspections and detect vulnerabilities and reduce risks. There is no concept of 100 percent protection against attack. In any situation, there will be risks. However, in the event of an attack and the organization becomes unable to provide normal operations, action must be taken immediately to recover. In this sense, information security risk assessments are mandatory for publicly used systems to identify and mitigate risks.”
Due to the lack of cybersecurity, local government agencies have been repeatedly attacked by hackers. For instance, in March 2020, a Chinese hacker group attached malicious code to a file containing information on COVID-19 and launched an attack on Mongolian government agencies. The hackers used the name of the Ministry of Foreign Relations and the Embassy of Mongolia in China to send the file to government agencies. The file had an RTF (Rich Text Format) extension and contained malicious code called RoyalRoad, which exploits vulnerabilities in Microsoft Office’s software to take screenshots, delete, move and download files from them. In December 2020, the APT hacker group attacked ABLE Software, a unified network of Mongolian government agencies. ABLE Software is used by more than 430 organizations, including the Office of the President of Mongolia, the Ministry of Justice and Internal Affairs, the Ministry of Health, the Ulaanbaatar Mayor’s Office, the General Agency of Specialized Inspection, the General Archives, local law enforcement agencies and provincial administrations.
In addition, on November 11, 2021, Mongol Bank was attacked by hackers. The hackers posted a message on their Telegram saying, “We’ve hacked the central bank of Mongolia’s website and system.” There were also suspicions on social media that Khan Bank’s customer information may have been leaked. The next day, on November 12, it was confirmed that Khan Bank’s information had been indeed leaked. More specifically, the hacker site raidforums.com started selling about 4 million pieces of information of 2.3 million Mongolians for 700 USD. The site’s database contained people’s names, surnames, telephone numbers, e-mail addresses, home addresses, workplaces, and ID numbers. Until the Mongolian press and media reported on it, the police and intelligence officers were unaware of the attack. In fact, the case was soon left forgotten after the law enforcement body said, “The authorities are investigating this.”
The fact that large databases of both government agencies and a bank that store citizens’ information were hacked like this demonstrates Mongolia’s weak cybersecurity. Most importantly, there are no reports available on whether officials were held accountable for the loss of public information and if so, how they were reprimanded. Now that Mongolia is headed toward becoming an e-nation, it must strengthen its cybersecurity. The main cause of these cyber-attacks is linked to the lack of skilled professionals. In fact, government agencies are short of skilled IT professionals, especially due to the well-known fact that talented Mongolian engineers seek jobs abroad where they are compensated enough. It is estimated that 400 to 500 engineers leave for foreign countries every year. In any case, it is about time the government pays attention to cybersecurity, especially now that a new law is coming into force.