In March, various government servers at the National Information Technology Centre (NITC) experienced issues one after another. Initially reported as a simple technical problem, the NITC later reported that it lost data from various government agencies.
Stating that digital data loss was due to technical reasons, the NITC has not been able to find out how many details they lost and how.
The NITC’s list of responsibilities is long. It has been tasked with the responsibility of storing, managing and processing government data along with ensuring its safety. It also needs to provide shared computing resources, consult the government on various IT-related issues, register government domains and manage government networks.
At the same time, the NITC–which helps the government in training officials, collocation of services, virtualisation, cloud services, web hosting and software development–has termed the latest incident as a machinery problem.
Pradip Paudel, the NTNC executive director, says that there was a problem in some parts of the Principal Component Analysis (PCA) of a server, leading to digital data loss, and efforts are being made to recover the data with global support.
But the employees of the centre say they do not know how many government bodies have been affected by the digital data lass loss incident. They say they will only know when the concerned government bodies will inform them about their data being lost.
Helpless government
An official says it has been confirmed that many local level data including that of the Public Service Commission, Department of Health Service and Gorkhapatra have been lost. However, it is not clear which details of which agencies were deleted.
Paudel claims that the data of about 10-15 agencies were lost. However, he cannot reveal the exact number.
It is not certain whether the lost information will be recovered. The centre claims it has been trying to recover lost data with help from a foreign expert for over a month.
The NITC says efforts are being made to recover the data with the help of Oracle International, but sources say it is almost impossible to solve the problem.
“Experts have said that this kind of digital data loss is something that has not happened in the world,” says one of the technicians at the centre. “We will try for one more week to recover data, but things do not look likely.”
This has started to affect the performance of various government agencies. According to the Public Service Commission, data about more than 85,000 examinees preparing for the various examinations are missing. This has resulted in the commission postponing the exams by three weeks; it has asked applicants to fill out the form again.
Toya Narayan Subedi, the spokesperson of the commission, says that the data of those who filled out the online form for the exams between November 2022 and March 2023 have been lost.
The commission is facing issues as it does not even have data on people who have paid the examination fees and has asked those who applied to submit their vouchers when submitting the form.
“Because all the details were lost, it took time for us to identify the examinees,” says Subedi. ”The details of applicants who paid are at the Office of the Comptroller General and we are using that to identify who has paid and who hasn’t.”
Another employee of the commission says that the exams, scheduled to begin on May 27, will have to be postponed for at least a month or two as it needs to carry out various preparations.
“Although the efforts are ongoing, the commission has not received information about when the data will be recovered from the NITC. The commission is working on an alternative plan to conduct the examinations of pre-published advertisements,” read a statement issued by the commission.
According to the Public Service Commission, since 2012, all the details have been kept in the NITC data centre at Singhadarbar. Now with the digital data loss, the commission does not know what to do and is looking at alternative options.
Whose fault?
Narayan Neupane, an information technology expert working in the field of data storage and management, says both NITC and the commission are at fault for the recent case of digital data loss.
“The NITC should have kept a backup,” he says. “Even the technicians of the commissions should have made a clear policy regarding the need to back up its data.”
The latest incident is proof of how weak the technical capacity of the NITC is and how that has compromised the data security in the country.
Officials of the Ministry of Communication and Information Technology say that if the data centre took the issue of government servers going down on January 28 seriously, this particular issue of digital data loss could have been dealt with differently. However, they believe since the data centre is operated in a sloppy manner, it faces regular problems.
Systems handled by the NITC face regular issues. The servers go down frequently as does the internet while the websites are either down or operate very slowly.
The recent case of the government’s digital data loss is clear that the centre is losing its credibility.
Experts say a suitable mechanism for multilateral analysis and resolution of data security has not been created at the centre. Because of this, the report of the Office of the Auditor General in 2022 pointed out that the risk of cyber threats such as piracy, hacking, viruses, phishing, and malware was increasing.
Paudel of the NITC says not all data are backed up.
“Digital data loss is not only our concern; it is also the responsibility of those whose data have been lost,” says Paudel. “All we do is provide servers and resources. It is not just up to us to protect these data.”
He says that another server has been given to the agencies including the Public Service Commission, and adds these agencies should also be responsible for protecting their own data.
The storage network established in 2011 is now called Government Integrated Data Centre (GIDC). There is also a Disaster Recovery Centre which has been operating since May 14, 2019, in Hetauda, Makawanpur, so that all data is not destroyed if there is a problem. But Paudel says even the Disaster Recovery Centre does not back up all data.
“If they write to us asking us to back up their data, we do so; otherwise we don’t,” says Paudel.
Mismanagement galore
The NITC does not keep records of the equipment at offices and agencies it is providing its services. It does not even analyse how much the capacity of the server is and how much the capacity should be in that server according to the customer pressure.
It does not even regularly update the software and hardware it has purchased, which is also a major concern responsible for digital data loss, say officials.
The information technology audit conducted by the Office of the Auditor General has pointed out the state of negligence at the centre.
According to the report, the centre does not have the details of the number agency it provided colocation services to.
Internal system audits and regular technical audits of the data centre have not been done regularly either. The quality testing and levelling of organisations such as data centres, which store very important and confidential information of all government agencies and provide essential services, have not even been done. The centre has not made arrangements for multilateral and multi-level data security to meet international security standards either.
Information technology expert Manohar Bhattarai says that the centre is operating without a reliable data security and access policy.
“There are international standards, practices and accreditations for data centre operations. If there are risks when following all of it, imagine what can happen if you don’t follow it?” he questions.
It is recognised that server security should be guaranteed by conducting national or internationally recognised tests such as an ISO 27001 certificate. For that, the centre has not shown interest in conducting regular internal and external tests.
Cyber and physical security risks at the data centre have not been detected by the NITC due to a lack of technical testing by external agencies.
Data protection has not been done according to international standards in infrastructure quality, environment, security, access or disaster management.
Most of the human resources employed at the data centre are temporary. Many do not have specific qualifications, skills, and expertise. Sources say the centre does not have staff that are knowledgeable about networking, database, cooling, power and other infrastructure.
Most of the work is put on computer engineers and whenever there are problems, it is forced to seek services from external parties.
Bhattarai sees the government slipping in terms of IT infrastructure management and security despite regular digital data loss.
“Data security can only be achieved if there is a combination of appropriate laws, organisational structure, technology and its management,” he says.
“In the changing times, the protection of the country’s borders should not be the only concern when it comes to national security,” he says. “Since there is so much dependence on technology, including the financial sector, the security of the data held by the government is also an equally important issue.”
This story was translated from the original Nepali version and edited for clarity and length.
