Opinion
Repeal of Online Safety Act vital for economic salvation of Sri Lanka
I. Imminent Danger
While the economy of Sri Lanka has achieved some degree of stabilisation after the most dire crisis in history, progress along a growth trajectory remains a clear imperative. Fragility of the current situation has been massively increased by the devastating tariffs imposed by the Trump Administration, making our country’s exports to the United States – especially apparel and rubber products – starkly vulnerable.
Against this backdrop the GSP+ facility, affording preferential access to the vast markets of the European Union, becomes a lifeline for our exports. Exemption from import duty for a wide array of products involves an advantage of immense value.
This is, however,neither a right nor an entitlement, and its availability is by no means assured in perpetuity. Its continued enjoyment is conditional upon compliance with provisions contained in 27 treaties, principally the International Convention on Civil and Political Rights. Aspects of this have been incorporated into the domestic legal system of Sri Lanka, by legislation in the drafting of which,as Minister of Export Development and International Trade, I played a key role in 2007.
GSP+ privileges for Sri Lanka are now coming up for review, with a delegation from Brussels expected to arrive very shortly.
One of Sri Lanka’s abiding commitments is a fundamental modification of the Online Safety Act, No. 9 of 2024, an unforgiving onslaught on media freedom, which was vehemently opposed by political parties across the spectrum, and representatives of the media and civil society. Despite the outrageous contents of the Act, no action whatever has been taken up to now, to amend this legislation. There is no doubt that this situation, if it is allowed to continue, will gravely impede vital interests in respect of our international trade. Certainly, the government’s professed intention of enhancing the value of exports to the European Union to the threshold of 3.6 billion dollars in the short term, will be reduced to a fanciful expectation.It is, therefore, a matter of urgent practical importance to identify the most obnoxious features of the law and to set in motion the legislative procedures necessary to effect their repeal or radical reform.
II. Overbroad Definition of Offences
A defect going to the very root of the legislation is a definition which is strikingly vague and overbroad: “Any person, whether in or outside Sri Lanka, who poses a threat to national security, public health or public order or promotes feelings of ill-will and hostility between different classes of people, by communicating a false statement, commits an offence” (Section 12).
The central criterion itself is an attack on basic democratic values. There has been judicial recognition of the reality that “Erroneous statement is inevitable in free debate” (New York Times vs. Sullivan 376 U.S. 254 at p. 270 – 1 (1964). The solution, in a democratic culture, is not suppression but refutation of falsehood through enhanced engagement and challenge.
The central objection is to the use of subjective language like “ill-will” and “hostility” as elements of the definition of a penal offence carrying condign penalties, including long periods of rigorous imprisonment. Inherent vagueness leads to unpredictability of consequences.
Equally compelling considerations apply to the use of “national security” as a lever for restraint on expression and publication. Public policy, as set out in the Johannesburg Principles on National Security, Freedom of Expression and Access to Information (Preamble to UN Document E/CN 4/1996/39), adopted on 1 October 1995, emphasises the need “to discourage governments from using the pretext of national security to place unjustified restrictions on the exercise of freedom of speech and expression”.
It is the absence of necessary qualification that violates the basic ethos of a democratic society.A “threat” to national security, public health or public order as the basis of restriction on free speech and communication is unacceptable without essential limitation.The internationally accepted test of “clear and present danger”(Schenk vs. U.S. 249 U.S. 247 at p.52 (1919)) is in no way reflected as a qualifying element in the Sri Lankan legislation.
III. Overarching Authority of the Commission
The crux of the pivotal offence is a “false statement”. The truth or falsity of the statement complained of, is a matter to be determined at the untrammelled discretion of the Online Safety Commission, the central authority created by the law. It is composed of 5 members appointed by the President,with the concurrence of the Constitutional Council.
A vital circumstance is that members of the Online Safety Commission, unlike the membership of other independent Commissions established under the Constitution, are not recommended for appointment by the Constitutional Council. The initiative is that of the President, not the Constitutional Council, the function of the latter being confined to “approval” (Section 5 (1)). This is a marked, and in principle unacceptable, departure from the pattern of constitutional provisions governing the appointment of independent Commissions.
This difference of approach undeniably impacts public perceptions regarding performance of the Commission’s functions in a spirit of total independence – a result much to be regretted, in view of the awesome sweep of powers conferred on the Commission. These include the prohibition, by mere fiat of the Commission,of statements pertaining to a diversity of matters such as physical security,ethnic and religious harmony,disaffection to the State, personal wellbeing and privacy, and interference with the right of association.
In any event, given the invasion of seminal rights and freedoms as the direct consequence of exercise of the Commission’s powers, it is reasonable to assume the desirability of a process of consultation which would include, among others, internet service providers, internet intermediaries, and representatives of media organisations, as well as the professional, business and academic communities.
Incompatibility of scope and objectives of this Act with the irreducible norms of a functioning democracy is clear from judicial pronouncements of impeccable authority: “The freedom of speech and expression is one which cannot be denied without violating those principles of liberty and justice which lie at the base of all civil and political institutions” (Mark Fernando J. in Amaratunga v. Sirimal, The Jana Ghose Case, S.C. Application No. 468/92).
The reality of this danger is reinforced by implications of the definition of a “false statement”, the anchor of criminal liability in terms of the Act: “A ‘false statement’ means a statement that is known or believed by the maker to be incorrect or untrue and is made especially with the intent to deceive or mislead but does not include a caution, an opinion or imputation made in good faith” (section 52). The manner of formulation suggests that the concluding phrase is in the nature of an exception from criminal liability, the burden of proof in this regard falling on the shoulders of the accused. In practice, this is an intolerably onerous burden.
In sum, the behemoth of the Commission is destructive of the foundations of civil liberty.
IV. Remoteness of Causal Nexus
One of the reasons why the law is indefensibly wide in its operation is the imposition of criminal liability for consequences which are not proximately linked to the conduct of the accused.It is declared to be an offence to communicate “a false statement which gives provocation to any person or incites any person, intending or knowing it to be likely that such provocation or incitement will cause the offence of rioting to be committed” (section 14).
In the envisaged situation, rioting is committed by a third party. Criminal liability on the part of the person communicating through an online account or online location, is grounded solely in assumed knowledge of likely behaviour of the third party. Indeed, criminal liability of the communicator is established, even when the consequence of rioting does not take place at all, the only difference being reduction of sentence (section 14 (f)). Similarly, the communicator of the statement is held criminally responsible for disturbance of a religious assembly, with no clear nexus being insisted upon between the act of the accused and the rioting which takes place (section 15)).
The net of criminal liability is cast far too wide by this approach, the lack of a sufficiently clear causal nexus being the underlying defect.
V. Expanding Frontiers of Criminalisation
A prominent feature of the Online Safety Act is the indiscriminate use of criminal sanctions to attain its objectives. A wide range of offences is created by Part III of the legislation. Many of these are of amorphous scope, lacking in precise definition of constituent elements – for example, “wantonly” giving provocation by a false statement to cause riot (section 14), “voluntarily” causing disturbance to a religious assembly (section 15) and “malicious” communication of a false statement to outrage religious feelings (section 16). The ambit of the offence against “public tranquillity” (section 19) is equally unclear. These are all offences which carry deterrent sentences of imprisonment, in one case for up to 3 years and in the other for a maximum of 7 years, in addition to, or as an alternative to, a substantial fine.
The Commission, on satisfaction that an offence has been committed under the Act, is empowered to “take steps to initiate criminal proceedings in terms of s. 136 of the Code of Criminal Procedure Act, No. 15 of 1979” (section 38(2)). Moreover, every offence established by the Act is characterised as a non-cognisable offence within the meaning of the laws governing criminal procedure (section 43(a)).
Penal consequences of daunting severity are visited upon bodies corporate. Every director or other principal officer is held criminally responsible (section 44(a)). If the offender is a firm, criminal liability is imposed on every partner of the firm (section 44(b)) and, in the case of an unincorporated body, “every individual who is a controlling member and every principal officer responsible for management and control” (section 44(c)) is exposed to criminal sanctions. Lack of knowledge or exercise of due diligence is recognised as an exculpatory circumstance but, in keeping with general evidentiary principles, the burden of proof in this regard is borne by the accused.
VI. Chilling Effect of the Law
The core of the statute resides in the powers vested in the Commission, to apply an extensive range of measures to deal with “prohibited statements” (Part II). These include orders “to stop the communication of such statements” (section 11 (b)), “to disable access to an online location” (section 11 (c)) and to direct removal of prohibited statements (section 11 (e)). A worrying factor is the absence of a proper definition of “prohibited statements”, the purported definition consisting merely of a reference to the provisions which use the phrase (section 52).
When the Commission is satisfied that a “prohibited statement” has been made, its coercive powers which come into play, are of a drastic nature. These extend to the authority to issue a notice to the communicator of the statement, ordering the adoption of measures to prevent circulation (section 23 (f)). This renders applicable the draconian provision that the recipient of the notice “shall comply with such notice immediately but not later than 24 hours from such notice” (section 23 (b) and (f)). Failure results in criminal proceedings in a Magistrate’s Court (section 23 (g)).
The Commission has power to name an online location as a “declared online location” if 3 or more prohibited statements have been communicated on that location to end users in Sri Lanka (section 28 (i)). An internet service provider or an internet intermediary, on the making of such a declaration by the Commission, is obliged to cease communication instantly on pain of imprisonment for a term of up to 7 years or a maximum fine of 10 million rupees, the penalty being doubled in the event of a subsequent offence (section 29 (6)).
Especially in light of the broad definition of “inauthentic online account”, “internet service provider”, “internet intermediary” and “internet intermediary service” (section 52), the chilling effect of the law is evident.
It is hardly surprising, then, that prominent internet and technology companies active in Sri Lanka, in their response to the legislation, have sounded a strong note of caution, even indicating the risk of withdrawal from their operations in our country.
The Asian Internet Coalition (AIC) which consists of 13 companies of international stature, commenting on this legislation when it was in Bill form, declared: “Despite our commitment to constructive collaboration, the AIC has not been privy to proposed amendments to the Bill. We unequivocally stand by our position that the Online Safety Bill, in its current form, is unworkable and would undermine potential growth and direct foreign investment into Sri Lanka’s digital economy. We firmly believe that for the Bill to align with global best practices, extensive revisions are imperative” (Emergency Media Statement of 23 January 2024).
This can hardly be disregarded in cavalier fashion.As the government has emphatically acknowledged, digitalization and other technology innovations are central to current plans for economic development and, of equal importance, for ensuring equitable distribution of the benefits of progress. Swift and ready access to market information – be it for farmers, the fishing community, manufacturers of industrial products, providers of services and the small and medium sector in particular – is an indispensable requirement for the success of current strategies. If companies of the calibre of Facebook, Google,X,Apple,Amazon,Cloudflare and Yahoo,contemplate discontinuation of their services because of the oppressive character of the law, economic development, far from being advanced, is certain to be retarded.
VII. The Need for Imperative Change
Parliament debated the Online Safety Bill for 2 full days on 23 and 24 February 2024. Pervasive deficiencies of the law were convincingly identified during this rich and rewarding debate. No one was more forthright than the current Prime Minister, Dr. Harini Amarasuriya, at that time speaking from the ranks of the Opposition, in her unreserved condemnation of the Bill and her strident call for its withdrawal: “The intent of the Government is clear. It is about controlling dissent; it is about taking control of public discourse or public narrative at a crucial time in this country when democracy needs to be protected at all costs. That every instrument is gong to be used to stifle dissent, is very clear” (Hansard of 24 January 2024, Column 224).
The Online Safety Act stands as a monument to illiberalism and as an anchor of State apparatus infringing the substance of civil liberty. Its removal from the statute laws of our country is a dire necessity, no longer to be delayed.
By Professor G. L. Peiris
D. Phil. (Oxford), Ph. D.
(Sri Lanka);
Rhodes Scholar,Quondam Visiting Fellow of the Universities of Oxford, Cambridge and London;
Former Vice-Chancellor and Emeritus Professor of Law of the University of Colombo.
S. J. V. Chelvanayakam: Visionary and Statesman
S. J. V. Chelvanayakam KC Memorial Lecture Delivered at Jaffna Central Collage on Sunday, 26 April, by Professor
G. L. Peiris – D. Phil. (Oxford), Ph. D. (Sri Lanka); Rhodes Scholar, Quondam Visiting Fellow of the Universities of Oxford, Cambridge and London; Former Vice-Chancellor and Emeritus Professor of Law of the University of Colombo.
(First part of this article appeared inThe Island on 27 April 2026)
V. Subsequent Initiatives
Federalism, integral as it was to the value system which anchored the political life of Chelavanayakam, defies easy definition. Indeed, as the facilitators of the Sri Lanka peace process, when it was pursued at the international level, the Royal Norwegian government considered it central to their function to inculcate in the LTTE an understanding of the nuances of federal systems of government in practice in order to overcome inherent inhibitions. To this end, they arranged extensive travels for the political affairs committee of the LTTE in Nordic countries. Subsequent to his defection with almost the entirety of the cadres in the Eastern Province, arguably the greatest blow sustained by the LTTE in its entire history, Karuna was to declare that it was this exposure which opened his eyes to a world outside the jungles of the Vanni.
Federalism, as a concept, represents a spectrum rather than a split. This is brought out clearly in three sets of constitutional proposals by the Chandrika Kumaratunga administration during the period 1995 to 1997. They oscillated from one end of the spectrum to the other in establishing the line of demarcation between the functions of the central government and the periphery, in a coherent constitutional scheme.
I would like, at this point, to pay tribute to the legacy of a valued friend and colleague, Dr. Neelan Tiruchelvam, who co-authored with me, as Minister for Constitutional Affairs, Ethnic Affairs, and National Integration, with the support of many others, including Dr. Jayampathy Wickramaratna, the proposals of 1995, 1996, and 1997. Neelan, who had been a fellow undergraduate in the University of Sri Lanka, had proceeded to Harvard University while I was the recipient of a Rhodes Scholarship at Oxford. A further coincidence was the entry of both of us together into the Parliament of Sri Lanka in August 1994. He was brutally assassinated because he stood in the way of the LTTE’s claim to exclusivity of representation of the interests and aspirations of the Tamil people. The future might well have been different, had he lived.
The Constitution Proposals of 1995 embodied strong features of federalism, and indeed went well beyond. Regional Councils, forming the gist of the proposals, were vested with executive, legislative and judicial competence in the subjects assigned to them. In all key areas, these powers were to be protected against encroachment by the centre. With regard to finance, Regional Councils were to have powers of taxation, including international borrowings and the power to promote foreign investment, international grants and development assistance. In the crucial area of law and order and policing, provision was to be made for a regional police service headed by a regional police commissioner appointed by the Chief Minister. Land was clearly identified as a devolved subject, and state land within a region was to be vested in the Regional Council, with limited reservations in respect of requirements by the central government. This document represents the strongest movement towards a federal structure in the entire evolutionary process in Sri Lanka.
The Proposals of 1995 were modified by a more detailed draft in 1996, which represented a regressive development. The basic weakness consisted of conferment of awesome powers on the Presidency, fundamentally altering the balance of power between the Centre and the regions, and making the latter vulnerable to capricious exercise of discretion which could strike at the very root of the regions’ authority. The mere ipse dixit of the President was to prevail in a situation where the entire sweep of the regions’ powers, entrenched by constitutional provisions, was sought to be negated by executive action at the Centre, no recourse being available to the region for access to the courts. This was hardly likely to inspire confidence.
A corrective trend then set in, resulting in a further set of Proposals published in 1997. The solution chosen this time was conferment on the regions of a power, to veto proposed constitutional amendments to the content of the chapter on devolution of power to the regions and the two schedules to the draft constitution which dealt with the scope of the regions’ powers and the division of powers between the centre and the regions. A drastic curtailment of Parliament’s powers, this was movement from one extreme to the other. Invitation to arbitrary action was shifted from centre to periphery. It is scarcely surprising that these Proposals were seen to contain within them the seeds of their own destruction.
The most elaborate and thorough response to the widely acknowledged imperative of constitutional reform was contained in the Constitution Bill which, as Minister for Constitutional Affairs, I presented on behalf of President Kumaratunga on 3 August 2000.
While the nomenclature of federalism was not specifically invoked, its essence was captured in the provision that the Republic of Sri Lanka shall consist of “the institutions of the centre and the regions”. The legislative power of the people was to be exercised “by Parliament and by Regional Councils”, while the executive power of the people was to be exercised not only by the President, but also by “the Governors acting on the advice of the respective Chief Ministers and Regional Boards of Ministers”. Governors of regions were to be appointed by the President “in consultation with the Prime Minister and with the concurrence of the Chief Minister of the region”. Exclusivity of legislative power in respect of devolved subjects was explicitly conferred on the regions. No element of equivocation characterised treatment of the controversial subjects of land and police powers. With regard to the former, the applicable provision was that “Every region shall succeed to all state land within the region and be at the disposal of the regional administration of that region for the purposes set out in the regional list”. As for the latter, there was to be “a regional police service for each region, headed by a regional police commissioner who shall be appointed by the regional police commission with the concurrence of the Board of Ministers of the region”. Equally striking on the subject of finance was the amplitude of authority conferred through the Consolidated Fund of the region.
Robust hostility of the LTTE to implementation of these proposals as the core of a constitutional settlement had its gruesome manifestation in the brutal killing of Dr. Neelan Tiruchelvam. The chilling effect on the major Tamil formation in Parliament, the Tamil National Alliance, of which Dr. Tiruchelvam had been an active member, was overbearing.
Compounding the problems was the attitude of the main opposition party, the United National Party, which was disinclined to cooperate after their narrow defeat in the presidential election of December 1999. It was the nation’s misfortune that the culture of adversarial politics trumped a national initiative, compelling the government to withdraw the Bill during the debate in Parliament.
VI. Elevation to an International Profile
It was against the backdrop of failure of the constitutional process that direct negotiations were embarked upon between the Government of Sri Lanka and the LTTE, with Norwegian facilitation in September 2002. The insuperable obstacle, it soon became evident, was the ethos of the LTTE. Dominant in their mindset was the unshakable conviction of military invincibility. In light of this, Prabhakaran saw no necessity to make any significant concession and believed fervently that the state of Tamil Eelam was well within reach.
Anton Balasingham, who represented Prabhakaran in six rounds of direct discussions across the world, was the only member of the LTTE delegation with a grasp of underlying issues. As my relationship with him grew less formal, I decided to put to him a candid question outside the conference floor. I told him that I saw events moving relentlessly, much in the manner of a Greek tragedy, from the LTTE’s point of view, towards the climax. There was nevertheless a narrow window of opportunity, and I asked him why they were intractably resolved to make no use of it.
His response remains indelibly etched in my mind. He told me that he had nothing to reproach himself with: he had done his best to present the reality of the situation to his leader, but the latter, intransigent in his convictions, resisted reason to the point where Balasingham was convinced that further attempts at persuasion involved peril to his own life. Erik Solheim, who had a conversation with him a few days before his death in London, told me that Balasingham died, dispirited and disillusioned.
The theory that the LTTE, at a decisive phase of the peace negotiations, deliberately jettisoned the option of external self-determination, is total delusion. This was a myth around what came to be known as the “Oslo Declaration” during the third session of talks in the Norwegian capital. At the end of this session, the official communique by the facilitators declared: “The parties agreed to explore a solution founded on the principles of internal self-determination in areas of historical habitation of the Tamil-speaking peoples, based on a federal structure within a united Sri Lanka”.
The LTTE’s understanding of “internal self-determination”, however, was set out with clarity in the following statement: “We are prepared to consider favourably a political framework that offers substantial regional autonomy and self-government in our homeland on the basis of our right to internal self-determination”. But the sword of Damocles was ever present.
The caveat was added, with unrelenting emphasis, that “If this internal element of self-determination is blocked and denied, and the demand for regional self-rule is rejected, we have no alternative other than to secede and form an independent state”.
The LTTE, then, left wide open the option of external self-determination.
They purported to derive authority for their position from the United Nations Declaration in 1970 on Principles of International Law concerning Friendly Relations and Cooperation among States and from the judgment of the Supreme Court of Canada in 1998 in the Quebec Secession case.
The LTTE’s rigid stance was expressed with precision in their proposal for the establishment of an Interim Self-Governing Authority and the conferment of all-encompassing jurisdiction upon it: “The ISGA shall have plenary power for the governance of the North-East, including powers in relation to resettlement, rehabilitation, reconstruction and development, including improvement and upgrading of existing services and facilities, raising revenue, including imposition of taxes, revenue, levies and duties, law and order, and over land”. It was added for good measure that “These powers shall include all powers and functions in relation to regional administration exercised by the government of Sri Lanka in and for the North-East”. This was, in all but name, the blueprint of a separate state.
This went well beyond the solution which Mr. Chelvanayakam, in his mature judgment, deemed feasible in the political and economic context of our country.
VII. A Final Opportunity
Neelan
Events, then, seemed to be moving rapidly towards an impasse incapable of resolution through dialogue. One final opportunity, albeit in uniquely distressing circumstances, appeared to present a lifeline.
This was the tsunami which struck Sri Lanka on Boxing Day, 26 December 2004. Since much of the destruction, especially on the east coast, was in areas controlled by the LTTE, there was the urgent need for a collaborative mechanism between the government and the LTTE to deliver relief and undertake immediate reconstruction. Consequently, a painstaking attempt was made to formulate a pragmatic framework for collaboration, its parameters strictly confined to the matter in hand and devoid of political controversy to the maximum extent possible. President Kumaratunga attached great importance to the resulting P-TOMS mechanism, which, in her judgment, held out the last chance for a successful peace negotiation.
However, the Supreme Court, in an Interim Order, struck down vital portions of the Agreement dealing with control of resources for urgently required construction and rehabilitation work. The ensuing message was unfortunate, in that serious doubt was cast on the capability of structures of the Sri Lankan state to evolve an appropriate mechanism, even in the face of as excruciating a disaster as the tsunami which claimed more than 35,000 lives.
VIII. Conclusion
Despite this unprepossessing trajectory of events, I would make bold to suggest that a sanguine outlook is not entirely unrealistic. The basis of my confidence in this regard is my experience, over the span of 26 years, as a teacher, Dean of the Faculty of Law, and Vice-Chancellor of the University of Colombo. It is my firm conviction that the youth of our country are not prey to narrow communal attitudes and prejudices.
Relations among the different ethnic communities in the environment of the country’s universities are typified by camaraderie rather than mutual acrimony or suspicion. Language, certainly, is a barrier. In my own undergraduate days in Peradeniya and Colombo, we made friendships on the basis of shared interests and values and were able to communicate comfortably in the English language. Stratification and compartmentalization are the implacable enemy of the forging of a national consciousness, especially in sentient minds.
When as Minister of Education and Higher Education, I was invited to preside over the annual prize-giving at the oldest girls’ schools in Sri Lanka and even South Asia, situated in Uduvil, I drew attention to the need for greater interaction with peers in the South through activities such as sports, debating, drama, and cultural pursuits. Reciprocally, I spoke to the leadership of schools in the South, urging them to reach out with enhanced vigour to the North to forge bonds which could potentially last a lifetime.
These are the values which informed the bedrock of the life and career of S. J. V. Chelvanayakam. The tempests of politics, in substance if not in style, were just as intense then as they are now, but the unwavering strength of what he held sacred, never succumbing to expediency, formed the wellsprings of the fortitude which sustained him through these tempests. He made his tryst with destiny in a fulfilling and inspiring career of dedicated service, which stands out today as a beacon of light, all the more redeeming amid the cynicism and apathy so sadly evident around us. It is my privilege this evening to honour a Colossus whose influence survives long after him.
The recent “hacking” incident involving Sri Lanka’s Ministry of Finance and the Treasury cannot be treated as a narrow technical glitch. It raises deeper questions about how public money is managed, who is accountable, and whether systems are designed to prevent—or enable—failure. When such an event occurs at the core of public finance, it does not remain an isolated IT issue. It becomes a test of institutional credibility. At stake is not only money, but trust—the invisible asset on which an economy rests.
Public communication around the incident has not helped. Instead of reducing doubt, it has widened uncertainty. When explanations are partial, delayed, or inconsistent, they create space for speculation. Markets dislike ambiguity. So do citizens. In the absence of clear facts, narratives compete, confidence weakens, and the perceived risk of the system rises. In this sense, poor communication can amplify the damage far beyond the original event.
This article therefore looks beyond the label of a “cyberattack.” It treats the incident as a system-level failure that sits at the intersection of technology, governance, and accountability. The goal is to identify what likely went wrong, what global experience already tells us, and what policy actions are necessary—not only to find the truth, but to restore confidence and prevent recurrence.
What is a “Hacking” incident? – A simple view
The term “hacker” often suggests a highly skilled outsider breaking into a system. In practice, most breaches are less dramatic and more mundane. They exploit weaknesses that already exist: unpatched software, weak passwords, poor access controls, or careless user behaviour such as phishing. These are not rare events. They are predictable outcomes of weak system hygiene.
Fully important is the role of internal access. Many serious incidents involve “insider access”—legitimate credentials used improperly, or privileges that are too broad and poorly monitored. Such access is harder to detect because it appears normal. It often bypasses external defences entirely.
For this reason, the key question is not simply “Who entered the system?” but “How was entry allowed?” That question shifts attention from the attacker to the system. It forces us to examine design, controls, and oversight. In other words, it moves the discussion from a technical story to a governance story.
Deeper questions raised by this incident
When a transaction of USD 2.5 million is involved, the issue cannot be reduced to a single breach. Financial systems—especially those handling public funds—are built with layers of control: approvals, audit trails, and separation of duties. These controls are meant to prevent exactly this kind of outcome. If a large transfer can occur despite them, then either the controls failed, were bypassed, or were never properly enforced.
This leads to a more important question: How was such an event permitted within the system? Was it a one-off technical error? A pattern of weak controls? Or a breakdown in oversight? Each possibility points to a different kind of failure, but all point to the same conclusion—this is not a simple incident.
Trust is the operating system of any economy. Once trust is weakened, the effects spread quickly. Citizens begin to question institutions. Investors reassess risk. Lenders demand higher returns. What starts as a technical incident can evolve into a credibility problem. And credibility, once lost, is difficult and costly to rebuild.
Concerns are compounded when responses are delayed or incomplete. If critical system access was known but not acted upon, or if disclosure to responsible authorities was postponed, the issue becomes one of governance. Timely reporting is not a formality; it is a control mechanism. When it fails, the system loses its ability to correct itself.
Key Arguments
1. Erosion of Institutional Trust
Trust in public financial institutions underpins economic stability. When information is unclear or inconsistent, confidence declines. This affects expectations, investment decisions, and the willingness to engage with the system. Over time, weak trust translates into weaker economic performance.
Information Asymmetry and Narrative Control
When full information is not shared, a gap emerges between what authorities know and what the public understands. This asymmetry allows simplified labels—such as “hacker”—to dominate the narrative. Complex issues become reduced to convenient explanations. The cost is delayed truth and prolonged uncertainty.
3. System Reality
Large-value transactions typically require multiple approvals, verifications, and recorded trails. If such a system allows a questionable transfer, it signals a deeper problem. Either controls are ineffective, monitoring is inadequate, or responsibilities are not clearly enforced. In any case, it points to a system weakness, not an isolated glitch.
4. Governance Over Technology
Most major cyber incidents succeed not because technology is absent, but because governance is weak. Accountability is unclear. Oversight is fragmented. Operational discipline is inconsistent. Without these, even advanced systems fail. The central lesson is simple: technology cannot compensate for poor governance.
International lessons
Global experience reinforces these points. Repeated incidents across different countries show a consistent pattern: the root cause is rarely technology alone.
The Bangladesh Bank heist demonstrated how weak internal controls can enable large unauthorised transfers through international payment systems. Monitoring and verification failures were as important as any technical breach.
The Banco de Chile incident highlighted the importance of real-time monitoring and rapid response. Delayed detection allowed attackers to move funds before controls could react.
mex ransomware attack showed that preparedness matters as much as prevention. Without clear response plans and leadership accountability, organisations struggle to contain damage once an incident occurs.
These cases are not isolated. They are lessons. They show that effective protection requires a combination of sound technology and strong governance. The critical question, therefore, is not whether such incidents happen elsewhere—they do—but whether those lessons have been learned and applied.
Real consequences
The visible loss in a case like this is financial. The real cost is broader.
First, public trust declines. When institutions appear uncertain or opaque, confidence erodes. This weakens the effectiveness of policy and administration.
Second, foreign investment becomes more cautious. Investors prioritise stability and transparency. Perceived risk rises when systems appear unreliable.
Third, borrowing costs increase. International markets price risk. Lower credibility leads to higher premiums, making financing more expensive.
h, financial stability can be affected. Doubts about institutions can influence liquidity, flows, and overall system confidence.
Over time, these effects accumulate. Growth slows. Development is constrained. The long-term cost exceeds the immediate loss.
Policy Response
A narrow technical fix will not suffice. The response must be comprehensive.
An independent investigation is essential. It must be credible, free from interference, and supported by both local and international expertise. The objective is to establish facts, not narratives.
A full forensic analysis is required. System logs, access records, and transaction trails must be examined in detail. The aim is to understand both the breach and the conditions that enabled it.
Transparent communication is critical. Regular updates and a final public report help rebuild trust. Silence or delay does the opposite.
Accountability must be clear. Where negligence, misconduct, or failure is identified, appropriate legal action must follow. Responsibility should not be diffused.
System reforms are necessary. Stronger controls—such as dual authorisation, multi-factor authentication, and real-time monitoring—should be standard, not optional.
Cyber security capability must be strengthened. Continuous monitoring, training, and regular risk assessments are essential.
Finally, legal and institutional frameworks need reinforcement. Transparency laws, digital governance standards, and protection for whistleblowers can improve long-term resilience.
Can government remain silent?
Silence is not neutral. It increases uncertainty.
When information is withheld or delayed, speculation fills the gap. Markets react. Confidence weakens. Trust erodes. In public finance, this is costly.
The response must be timely and clear. Facts should be disclosed. Responsibility should be assigned. Weaknesses should be corrected. The process must be seen as fair and independent.
If these steps are not taken, the issue will not remain contained. What appears to be a USD 2.5 million problem can evolve into a wider crisis of confidence. And once confidence is damaged, the cost of repair is far greater than the cost of prevention.
Strong systems depend on capable leadership and sound institutions. Positions of responsibility must be matched by competence and experience. Where gaps exist, they must be addressed.
In the end, the question is simple: will this incident be treated as a minor event to be managed, or as a warning to be acted upon? The answer will determine not only accountability for the past, but the credibility of the system going forward.
By Prof. Ranjith Bandara
The President has taken the bold decision to get rid of the office bearers of Sri Lanka Cricket (SLC) and appoint an interim committee till such time suitable persons are elected to run the SLC. All Sri Lankan cricket lovers will applaud and endorse President Anura Kumara Dissanayake’s action as the SLC was one of the most corrupt sports organizations in Sri Lanka for a long time.
The office bearers had organized it in such a manner that no other persons could get elected to this den of thieves. They increased the number of clubs as members to collect their votes. Large amounts of funds were doled out to the clubs to which the office bearers belonged.
All cricket lovers would remember how when a previous Minister holding the Cabinet portfolio pertaining to sports tried to get rid of the corrupt officials which the then Parliament endorsed unanimously and how they manipulated to remain in power and get the President at that time to get rid of the Minister instead of the corrupt officials of the SLC.
They were able to get round the ICC too to get what they wanted. The Minister who was appointed in place of the ousted Minister fell into the pockets of the SLC officials and they continued happily thereafter. The Minister was happy and the corrupt officials were happy!
It is not only the elected officials who have to be removed. There are executive employees and other permanent employees who have to be relieved of their duties as otherwise they could get round the incoming officials, and the activities of the bandwagon could go on.
We would appreciate if the President and the Minister in charge would go the whole hog and relieve the SLC of all corrupt personnel so that Sri Lanka’s cricket could get back to its halcyon days again.
HM NISSANKA WARAKAULLE
Plane crashes near South Sudan’s Juba, killing all 14 on board
Gunmen kidnap 23 children from Nigerian orphanage
US press gala shooting suspect charged with attempting to kill Trump
Showers above 75 mm are likely at some places in the Western, Sabaragamuwa, Central, North-western, North-central and Southern provinces and in Mannar district
Hazlewood and Bhuvneshwar lead rout of Delhi Capitals
Govt. assures UN of readiness to introduce ‘vetting process’ for troops on overseas missions
‘Dates have the highest sugar content to fight Coronavirus’
Sunday Island 27 December – Headlines
#SundayIsland 17th December – Headlines
Sunday Island – 28th March
Sunday Island Headlines – 21 March
Sunday Island – 21st February – Headlines
-
News6 days agoLanka faces crisis of conscience over fate of animals: Call for compassion, law reform, and ethical responsibility
-
News5 days agoWhistleblowers ask Treasury Chief to resign over theft of USD 2.5 mn
-
News5 days agoNo cyber hack: Fintech expert exposes shocking legacy flaws that led to $2.5 million theft
-
News2 days agoBIA drug bust: 25 monks including three masterminds arrested
-
Business3 days agoNestlé Lanka Announces Change in Leadership
-
News2 days agoBanks alert customers to phishing attacks
-
News3 days agoHackers steal $3.2 Mn from Finance Ministry
-
News6 days agoUSD 2 mn bribe: CID ordered to arrest Shasheendra R, warrant issued against ex-SriLankan CEO’s wife