The recent “hacking” incident involving Sri Lanka’s Ministry of Finance and the Treasury cannot be treated as a narrow technical glitch. It raises deeper questions about how public money is managed, who is accountable, and whether systems are designed to prevent—or enable—failure. When such an event occurs at the core of public finance, it does not remain an isolated IT issue. It becomes a test of institutional credibility. At stake is not only money, but trust—the invisible asset on which an economy rests.

Public communication around the incident has not helped. Instead of reducing doubt, it has widened uncertainty. When explanations are partial, delayed, or inconsistent, they create space for speculation. Markets dislike ambiguity. So do citizens. In the absence of clear facts, narratives compete, confidence weakens, and the perceived risk of the system rises. In this sense, poor communication can amplify the damage far beyond the original event.

This article therefore looks beyond the label of a “cyberattack.” It treats the incident as a system-level failure that sits at the intersection of technology, governance, and accountability. The goal is to identify what likely went wrong, what global experience already tells us, and what policy actions are necessary—not only to find the truth, but to restore confidence and prevent recurrence.

What is a “Hacking” incident? – A simple view

The term “hacker” often suggests a highly skilled outsider breaking into a system. In practice, most breaches are less dramatic and more mundane. They exploit weaknesses that already exist: unpatched software, weak passwords, poor access controls, or careless user behaviour such as phishing. These are not rare events. They are predictable outcomes of weak system hygiene.

Fully important is the role of internal access. Many serious incidents involve “insider access”—legitimate credentials used improperly, or privileges that are too broad and poorly monitored. Such access is harder to detect because it appears normal. It often bypasses external defences entirely.

For this reason, the key question is not simply “Who entered the system?” but “How was entry allowed?” That question shifts attention from the attacker to the system. It forces us to examine design, controls, and oversight. In other words, it moves the discussion from a technical story to a governance story.

Deeper questions raised by this incident

When a transaction of USD 2.5 million is involved, the issue cannot be reduced to a single breach. Financial systems—especially those handling public funds—are built with layers of control: approvals, audit trails, and separation of duties. These controls are meant to prevent exactly this kind of outcome. If a large transfer can occur despite them, then either the controls failed, were bypassed, or were never properly enforced.

This leads to a more important question: How was such an event permitted within the system? Was it a one-off technical error? A pattern of weak controls? Or a breakdown in oversight? Each possibility points to a different kind of failure, but all point to the same conclusion—this is not a simple incident.

Trust is the operating system of any economy. Once trust is weakened, the effects spread quickly. Citizens begin to question institutions. Investors reassess risk. Lenders demand higher returns. What starts as a technical incident can evolve into a credibility problem. And credibility, once lost, is difficult and costly to rebuild.

Concerns are compounded when responses are delayed or incomplete. If critical system access was known but not acted upon, or if disclosure to responsible authorities was postponed, the issue becomes one of governance. Timely reporting is not a formality; it is a control mechanism. When it fails, the system loses its ability to correct itself.

Key Arguments

1. Erosion of Institutional Trust

Trust in public financial institutions underpins economic stability. When information is unclear or inconsistent, confidence declines. This affects expectations, investment decisions, and the willingness to engage with the system. Over time, weak trust translates into weaker economic performance.

Information Asymmetry and Narrative Control

When full information is not shared, a gap emerges between what authorities know and what the public understands. This asymmetry allows simplified labels—such as “hacker”—to dominate the narrative. Complex issues become reduced to convenient explanations. The cost is delayed truth and prolonged uncertainty.

3. System Reality

Large-value transactions typically require multiple approvals, verifications, and recorded trails. If such a system allows a questionable transfer, it signals a deeper problem. Either controls are ineffective, monitoring is inadequate, or responsibilities are not clearly enforced. In any case, it points to a system weakness, not an isolated glitch.

4. Governance Over Technology

Most major cyber incidents succeed not because technology is absent, but because governance is weak. Accountability is unclear. Oversight is fragmented. Operational discipline is inconsistent. Without these, even advanced systems fail. The central lesson is simple: technology cannot compensate for poor governance.

International lessons

Global experience reinforces these points. Repeated incidents across different countries show a consistent pattern: the root cause is rarely technology alone.

The Bangladesh Bank heist demonstrated how weak internal controls can enable large unauthorised transfers through international payment systems. Monitoring and verification failures were as important as any technical breach.

The Banco de Chile incident highlighted the importance of real-time monitoring and rapid response. Delayed detection allowed attackers to move funds before controls could react.

mex ransomware attack showed that preparedness matters as much as prevention. Without clear response plans and leadership accountability, organisations struggle to contain damage once an incident occurs.

These cases are not isolated. They are lessons. They show that effective protection requires a combination of sound technology and strong governance. The critical question, therefore, is not whether such incidents happen elsewhere—they do—but whether those lessons have been learned and applied.

Real consequences

The visible loss in a case like this is financial. The real cost is broader.

First, public trust declines. When institutions appear uncertain or opaque, confidence erodes. This weakens the effectiveness of policy and administration.

Second, foreign investment becomes more cautious. Investors prioritise stability and transparency. Perceived risk rises when systems appear unreliable.

Third, borrowing costs increase. International markets price risk. Lower credibility leads to higher premiums, making financing more expensive.

h, financial stability can be affected. Doubts about institutions can influence liquidity, flows, and overall system confidence.

Over time, these effects accumulate. Growth slows. Development is constrained. The long-term cost exceeds the immediate loss.

Policy Response

A narrow technical fix will not suffice. The response must be comprehensive.

An independent investigation is essential. It must be credible, free from interference, and supported by both local and international expertise. The objective is to establish facts, not narratives.

A full forensic analysis is required. System logs, access records, and transaction trails must be examined in detail. The aim is to understand both the breach and the conditions that enabled it.

Transparent communication is critical. Regular updates and a final public report help rebuild trust. Silence or delay does the opposite.

Accountability must be clear. Where negligence, misconduct, or failure is identified, appropriate legal action must follow. Responsibility should not be diffused.

System reforms are necessary. Stronger controls—such as dual authorisation, multi-factor authentication, and real-time monitoring—should be standard, not optional.

Cyber security capability must be strengthened. Continuous monitoring, training, and regular risk assessments are essential.

Finally, legal and institutional frameworks need reinforcement. Transparency laws, digital governance standards, and protection for whistleblowers can improve long-term resilience.

Can government remain silent?

Silence is not neutral. It increases uncertainty.

When information is withheld or delayed, speculation fills the gap. Markets react. Confidence weakens. Trust erodes. In public finance, this is costly.

The response must be timely and clear. Facts should be disclosed. Responsibility should be assigned. Weaknesses should be corrected. The process must be seen as fair and independent.

If these steps are not taken, the issue will not remain contained. What appears to be a USD 2.5 million problem can evolve into a wider crisis of confidence. And once confidence is damaged, the cost of repair is far greater than the cost of prevention.

Strong systems depend on capable leadership and sound institutions. Positions of responsibility must be matched by competence and experience. Where gaps exist, they must be addressed.

In the end, the question is simple: will this incident be treated as a minor event to be managed, or as a warning to be acted upon? The answer will determine not only accountability for the past, but the credibility of the system going forward.

By Prof. Ranjith Bandara

The President has taken the bold decision to get rid of the office bearers of Sri Lanka Cricket (SLC) and appoint an interim committee till such time suitable persons are elected to run the SLC. All Sri Lankan cricket lovers will applaud and endorse President Anura Kumara Dissanayake’s action as the SLC was one of the most corrupt sports organizations in Sri Lanka for a long time.

The office bearers had organized it in such a manner that no other persons could get elected to this den of thieves. They increased the number of clubs as members to collect their votes. Large amounts of funds were doled out to the clubs to which the office bearers belonged.

All cricket lovers would remember how when a previous Minister holding the Cabinet portfolio pertaining to sports tried to get rid of the corrupt officials which the then Parliament endorsed unanimously and how they manipulated to remain in power and get the President at that time to get rid of the Minister instead of the corrupt officials of the SLC.

They were able to get round the ICC too to get what they wanted. The Minister who was appointed in place of the ousted Minister fell into the pockets of the SLC officials and they continued happily thereafter. The Minister was happy and the corrupt officials were happy!

It is not only the elected officials who have to be removed. There are executive employees and other permanent employees who have to be relieved of their duties as otherwise they could get round the incoming officials, and the activities of the bandwagon could go on.

We would appreciate if the President and the Minister in charge would go the whole hog and relieve the SLC of all corrupt personnel so that Sri Lanka’s cricket could get back to its halcyon days again.

HM NISSANKA WARAKAULLE

Malimawa government and Yahapalanaya are dissimilar in many respects, the most important being whilst Yahapalanaya had to manage with a balancing act in the parliament, Malimawa has the luxury of a massive parliamentary majority. However, they share one thing in common; the main plank for the election of both presidents Dissanayake and Sirisena was their solemn pledge for the eradication of corruption. It looks as if both have failed miserably, on that count!

It did not take very long for Yahapalanaya’s first act of corruption; the bond scam. COPE, headed by the veteran politician D E W Gunasekara, picked on this but to prevent the presentation of the report, Sirisena dissolved the parliament which was done at the request of the Prime Minister Ranil, to whom Sirisena was obliged for the unexpected bonanza of becoming president. This enabled the second bond scam to take place, also masterminded by Ranil’s friend Mahendran, imported from Singapore!

Malimawa convinced the voters that they are the only group that could get rid of the 76-year curse of corruption and made a multitude of promises, most of which are already broken! What is inexcusable is that, in a short space of time, they seem to have become as corrupt as any previous government and they seem to excel their predecessors in doling out excuses. Of course, they have a band of devoted social media influencers who are very adept at throwing mud at their opponents which they hope would help to cover up their sins. How long this strategy is going to work is anybody’s guess!

Some of these issues were addressed in an article, “Squeaky clean image of JVP in tatters” by Shamindra Ferdinando (The Island, 22 April). I hasten to add that, though some of his supporters are still trying to paint an honest image of AKD, he should be held responsible for many of these misdeeds and irresponsible acts.

One of the first acts of the newly elected president AKD was to appoint two retired police officers, who openly worked for the NPP through the Retired Police Collective, to top posts; Ravi Seneviratne as Secretary to the Ministry of Public Security and Shani Abeysekara as the Director of CID. Both of them held top jobs in the CID when the Easter Sunday attack took place and were blamed, by some, that they too failed to prevent this horrendous act of terrorism. In addition, there was a case against Seneviratne for causing accidents whilst under the influence and Abeysekara was exposed as a ’fixer’ by the infamous Ranjan Ramanayaka tapes. No one would have objected had they been appointed after their names were cleared but AKD’s rash decision to appoint them, disregarding all norms, clearly showed what his long-term strategy was. Was this not political corruption?

Now these two tainted officers are heading the search for the mastermind of the Easter Sunday attacks! Are they being used to divert attention away from Ibrahim’s family that was supposed to have funded the project? After all, Mohamed Ibrahim, the father, was on the national list of the JVP, and the two sons were the leading suicide bombers. It is a matter of great surprise that the Catholic church led by Cardinal Ranjith is not demanding the removal of these two officers from the investigation, who obviously have a conflict of interest. It becomes even more surprising when the demand is made for the Deputy Minister of Defence Aruna Jayasekara to resign, for the same reason; as well stated in the editorial, “Of masterminds” (The Island, 21 April).

The first act of the new parliament was to elect ‘Dr’ Ranwala as the speaker and pretty soon his doctorate was challenged. He stepped down to look for the certificate, which he is still looking for! Though some of the ministers too have admitted that Ranwala may not have a PhD, AKD seems silent. When Ranwala was involved in an RTA, police had run out of breathalyser tubes and blood was taken after a safe period had elapsed. Why has AKD no guts to sack him?

Episode of the release of 323 containers, without the mandatory inspections, seems to be receding to the past and the long-awaited report may be gathering dust in the president’s office! It is very likely due to political intervention and we probably will never know who benefitted.

A minister, who claimed that he is living on his wife’s salary and on the generosity of the party faithfuls, seems to have been able to build a three-storey house in a suburb of Colombo. He claims that when he made that statement, his father was alive but has since died and he has inherited everything as he is the only son! What a shame that Marxists do not believe in sharing the family wealth with sisters? Though the opposite may be true, his explanation that he was able to build a house in Colombo by selling the land in Anuradhapura rings hollow!

The worst of all was the coal scam which would have long lasting consequences on our economy. I do not have to go into details as much has been written about this but wish to point out AKD’s role. In spite of ex-minister Kumara Jayakody being indicted by CIABOC, AKD continued to give unstinted support till it became pretty obvious that he had to go. In fact, he is being charged with an offence which was committed whilst he was serving the Ceylon Fertilizer Company which was under the purview of, guess who? AKD when he was the Minister of Agriculture.

Devastating report from the Auditor General,before Jayakody’s resignation, would not have happened if AKD had his way. He attempted a number of times to get one of his henchmen appointed to this coveted post, overlooking those experienced officers in the department. AKD’s political machinations were thwarted thanks to the integrity of some members of the Constitution Council. If not for them, AKD’s nominee would have been in post and, perhaps, his friend Jayakody would still be the minister.

Malimawa seems to have beaten Yahapalanaya rather than being the second!

By Dr Upul Wijayawardhana