A special report on cybersecurity norms by Stockholm International Peace Research Institute (SIPRI) concluded that many engineered systems, around the world, which depend on digital-computational parts can be ‘hacked’. The states have been trying to deal with such vulnerabilities for many years and the development of protection is known as information-systems security or information technology (IT) security. Within this discourse, integrity is part of the ‘CIA triad’, which consists of the key IT-security system properties of confidentiality, integrity and availability.
While listening to the briefing on APCERT Cyber Drills in March 2018, organized by Pakistan Information Security Association (PISA), only one thing captured my mind. If some serious cyber incident occurs in Pakistan, God forbid, which of the government department will be responsible to protect the confidentiality, integrity and availability of Pakistan’s IT systems?
APCERT (Asia Pacific Computer Emergency Response Team) was established by leading national Computer Security Incident Response Teams (CSIRTs) from the Asia Pacific countries to enhance collaboration, response and information sharing among CSIRTs in the region. APCERT operational members comprise 30 CSIRTs from 21 countries which include Australia, Bangladesh, Brunei, Bhutan, China, India, New Zealand, Indonesia, Japan, South Korea, Mongolia, Macao, Myanmar, Singapore, Sri Lanka, Thailand, Vietnam, and Laos. APCERT conducts mock cyber exercises every year which not only involves its own members but it also invites few members from OIC-CERT (Organization of the Islamic Cooperation). As Pakistan has no national CERT, PISA has registered its Computer Emergency Response Team on Pakistan’s slot in OIC-CERT’s membership. PISA-CERT is a private entity, headed by former Additional Director in the Federal Government who was the pioneer of National Response Center for Cyber Crime (NR3C) in the country.
Like other years, PISA-CERT also secured right to represent Pakistan in APCERT’s annual cyber drills in 2018. At the end of cyber drills, PISA has arranged a briefing on full day activity of cyber exercises to share the experience with some of the government officials, academia and research institutions, private sector, and most importantly students. To my surprise, the number of attendees did not cross double figure. This is a reflection of seriousness for cybersecurity in Pakistan on behalf of government institutions and private sector.
In the twenty-first century, the interdependent, interconnected and globalized network of computers and devices has completely altered the scope of human interaction. Apart from innovation and enhancing well-being of mankind, there are some major problems caused by the ubiquity of the internet. Cyber-crimes, cyber terrorism, cyber espionage, and cyber warfare are score of the techniques used by state or non-state actors. Defacing websites and data/identity theft for ransomware are common upshots of cyber-attacks but data theft can have national level implications. In early 2018, an Indian journalist, RachnaKhaira, reported that she bought the Aadhar Data from some anonymous agent for only $7.84 on the WhatsApp. The hacking of the Unique Identification Authority of India (UIAI) and its Aadhar system provided the access to the personal data of more than one billion Indian citizens.
On March 22nd, around 8,000 government employees in Atlanta were sent home as the entire system went down after a ransomware cyber-attack. After the network was back after a whole week, citizens of Atlanta were not able to pay their tickets and bills online or use any public portal on city government’s website. The public Wi-Fi of Atlanta airport remained down for weeks. Atlanta Municipal Court was unable to authorize warrants totally. Police officers had to write reports by hand. Atlanta ransomware attack was one of the worst attacks on a major American city in history. It brought the city government to its knees for nearly a week. The hacker group called for a ransom of $51,000 in bitcoins to unlock digitally scrambled files. Atlanta City’s Mayor Keisha Lance Bottoms called it a hostage situation for the city government.
Federal Bureau of Investigation (FBI) estimated that hacker groups claimed around $1 million collectively only in 2016. In May 2017, a North Korean group undertook the most damaging attack in modern history. Hackers went after tens of thousands of victims in more than 70 countries around the world, forcing Britain’s public health system to reject patients, paralyzing computers at Russia’s Interior Ministry, at FedEx in the United States, and at shipping lines and telecommunications companies across Europe.
The risk in the cyber world has grown to the ultimate danger of causing physical damage or human causalities along with damage to the system and data. New York Times recently reported that 2017’s cyber-attacks on the Saudi petrochemical companies were not aimed to destroy data, but were intended to disrupt the company’s operational procedures and trigger an explosion to cause physical damage.
Coming to Pakistan’s context, which has no centralized authority responsible to deal with any major cyber-attack whether initiated by cyber criminals or any hostile states, the situation becomes grim. The e-governance services are becoming more popular in Pakistan for improving the effectiveness and delivery of government services. Some of the e-government components include National Database and Regulation Authority (NARDA) system, Federal Bureau of Revenue (FBR), Excise, Taxation and Narcotics departments, Karachi Metropolitan Corporation, Pakistan Stock Exchange, Civil Aviation Authority (CAA), and Federal Public Service Commission (FPSC) etc. What if any of these mentioned network systems got hacked by the attacker? NADRA could be an attractive target for cyber-attackers to block or sabotage its essential services, hack personal confidential information and use them for their illegal purposes as it maintains a centralized national ID database of Pakistan, which is shared among banks, passport offices, Election Commission of Pakistan (ECP), mobile networks and Federal Investigation Agency. Or imagine the impact of hacking of Pakistan Stock Exchange or smart-city project cameras, or air traffic control.
For confidentiality and maintaining the integrity of data, Pakistan needs to make serious efforts to establish national computer emergency response team, national cyber coordination center and sectorial CERTs. The government needs to come up with ideas to develop successful collaboration between sectoral and national CERTs. Government, universities and private sector can organize white-hat hacker’s marathon to raise a force for a robust cyber defense. Apart from national-level efforts, the country needs to utilize its membership in different regional platforms such as OIC and SCO to bring best practices home in the cyber domain.
Afeera Firdous is Research Assistant at Center for International Strategic Studies Islamabad (CISS). She is also M.Phil scholar at Department of Strategic Studies, National Defense University Islamabad. Previously, she worked with Institute for Strategic Studies, Research, and Analysis (ISSRA). Her area of interest includes cyberspace, counter extremism and counter-terrorism and strategic issues.