An epic mistake - The NMRA - Government Cloud "accident"

Posted by Ziyan Junaideen | Published: 21 September 2021 | Category: IT

Cyber security is a serious topic with major real-world consequences. The world is plagued with Russian and Chinese hackers exposing databases, encrypting data, and disrupting services. While the rest of the world is worried about external threat factors, we in Sri Lanka are worried about incompetent professionals.

Recently 2000GB of data belonging to the National Medicines Regulatory Authority (NMRA) vanished from the Sri Lanka Government Cloud (LGC).

The LGC was built and maintained by a leading IT technology supplier in Sri Lanka. In a televised interview, its CEO claimed that an engineer's mistake resulted in the deletion of a "folder" containing the data.

This is not just a mistake, it's an "epic fuckup"!

Conspiracy?

Due to the controversies around the importation of medicines, politicians, news outlets, and citizens wondered if this was sabotage to destroy evidence against conspiracies and corruption. While the claims make some sense, let's go with the official story, an "accident".

There is a popular joke in Linux Sys Admin circles, "Don't drink and root".

Engineer Error

The claim was that a "maintenance engineer" accidentally deleted a "folder" containing the files of the NMRA at the Sri Lanka Government Cloud. When I heard that, the first question that popped into my mind was, "Is this intern season?"

I do not understand why a "maintenance engineer" has to SSH into the Linux server and delete files. Deleting the files is the responsibility of the NMRA website or web application. If the "cloud" ran out of storage, they should have expanded it rather than resort to deleting files.

Secondly, what was in the engineer's mind when they logged on to a production server and chose to delete an entire folder without reviewing what was inside? On a Linux server, you can't accidentally press a delete button and lose files. To delete a folder, one needs to run a command in the format rm -rf /path/to/folder. If someone deleted a folder on a Linux server, it was deliberate.

Thirdly, who would give access to a server with repercussions to national security to such a reckless "maintenance engineer"?

Finally, why is there no backup and restore strategy? Backups are so obvious and widely used today, even in consumer-grade devices. A "cloud" developed by a leading company not having a proper backup and restore protocol is unfathomable.

Conclusion

The situation that took place in the LGC concerning the NMRA data is unfortunate. A skilled and disciplined engineer would have never made that "mistake". In my opinion, this mishap could have easily been avoided using OS-level access control with user groups and permissions. This accident is so silly; I dare say it's not a mistake even an intern should make.
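To make the point about user groups and permissions concrete, here is an added example (not part of the original post, and not the LGC's actual setup) that applies the POSIX mode-bit rules to decide which accounts could remove a data folder. The accounts "app" and "maintenance", the data/nmra layout and the file record.db are constructed for illustration; ACLs, capabilities and nested subdirectories are not modelled.

```python
import os, stat, tempfile
from collections import namedtuple

User = namedtuple("User", "name uid gids")  # hypothetical accounts, not real logins
NEED = 0o3  # write + search (x) bits, both required to remove a directory entry

def class_bits(st, user):
    """rwx bits POSIX applies to `user`: owner class, else group class, else other."""
    if user.uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in user.gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_remove_folder(path, user):
    """True if `user` could remove `path` completely (its entry plus top-level contents)."""
    if user.uid == 0:
        return True  # root bypasses mode bits entirely
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    target = os.stat(path)
    if (class_bits(parent, user) & NEED) != NEED:
        return False  # cannot unlink the folder's entry from its parent
    if parent.st_mode & stat.S_ISVTX and user.uid not in (target.st_uid, parent.st_uid):
        return False  # sticky bit: only the owners may remove the entry
    if os.listdir(path) and (class_bits(target, user) & NEED) != NEED:
        return False  # cannot empty the folder, so the final rmdir would fail
    return True

def evaluate(mode):
    """Build a constructed data/nmra layout with `mode` on both dirs; test each account."""
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, "data", "nmra")
        os.makedirs(folder)
        open(os.path.join(folder, "record.db"), "w").close()
        os.chmod(folder, mode)
        os.chmod(os.path.dirname(folder), mode)
        st = os.stat(folder)
        users = [User("app", st.st_uid, {st.st_gid}),                # owns the data
                 User("maintenance", st.st_uid + 1000, {st.st_gid}),  # group member only
                 User("root", 0, {0})]
        return {u.name: can_remove_folder(folder, u) for u in users}

if __name__ == "__main__":
    print("group-writable 0770:", evaluate(0o770))
    print("group read-only 0750:", evaluate(0o750))
```

With 0750 the group member can still list and read the folder but cannot delete it, while root can in both cases, so mode bits only help when maintenance staff do not work as root.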

Before venturing into topics on cyber security, I ask the honorable president to invest in capable professionals and companies for the sake of this country. We can avoid a lot of embarrassment by not making stupid mistakes!

Last but not least I would like to ask the president to make public a full report of all findings related to this unfortunate occurrence. It will help increase awareness and prevent future "mistakes" from happening.

About the Author

Ziyan Junaideen

Ziyan is an expert Ruby on Rails web developer with 8 years of experience specializing in SaaS applications. In his free time he writes blogs, draws on his iPad, and shoots photos.
