Cyberspace Management in Pakistan
The Key to Moving into a Digital Era
On November 06, the head of the Federal Investigation Agency’s (FIA) cybercrime wing, Capt (retd) Mohammad Shoaib, revealed that data from “almost all” Pakistani banks was stolen in a recent security breach. This attack on banks has made it quite clear that there is a need for improvement in the security system of our banks. It is especially important because Pakistan is moving towards an era of e-commerce and information and communication technology (ICT). An extensive use of cyberspace creates opportunities as well as challenges and vulnerabilities for countries that possess cyber capabilities.
The importance of protecting data in today’s digital age should not be underestimated. It needs to be protected at all costs because it is of vital importance to a country like Pakistan where e-commerce has made great strides in recent years. All countries use all possible means to siphon off information populating the computer networks of their adversaries in order to gain a competitive edge over them. The proliferation of social media has made it easier to harvest information provided willingly by unwary users.
Data security in Pakistan has, unfortunately, not been at the top of our national agenda despite the fact that the loss of data can be extremely damaging to the nation as well as to commercial concerns.
Why this neglect?
Although security ranks high on Pakistan’s national agenda in the increasingly complex threat milieu where cyberspace has become the fifth dimension of warfare, cybersecurity usually gets relegated to the bottom rung and sometimes it is literally ignored. There are a number of reasons behind this neglect. First and foremost, those at the helm of affairs fail to grasp the importance of cybersecurity management.
Pakistan does not have an official national policy on cybersecurity. From time to time cybersecurity makes an appearance in the national discourse but there is never a sustained discussion on the subject. While speaking at a conference “Cyber Secure Pakistan – A Policy Framework,” former National Security Advisor (NSA) Lt. Gen. (retired) Nasser Khan Janjua highlighted that the country urgently needs an e-governance council to formulate cyber policy on globally accepted parameters. So, the policy, or the lack of it, is conspicuously visible mainly in terms of statements by policy makers at policy forums.
The most visible activity on the Pakistani cyber landscape has been the legislation on cybercrime entitled “Prevention of Electronic Crimes Act (PECA)” which was passed by both houses of the parliament in 2016. Several amendments raised by digital rights activists in the interest of the digital consumers were incorporated in PECA. The very vocal activist lobby had waged a relentless campaign to oppose those parts of the bill they thought infringed upon the rights of the citizens. The animated discussion over the PECA actually diverted the attention of all concerned from the real issue at hand i.e. cybersecurity.
The subject of security figures high on any country’s national agenda. No government can afford to shirk this responsibility. Security covers a wide spectrum of issues, such as a country’s territorial integrity, political sovereignty, economic autarky, self-sufficiency in food and energy, environmental protection and, in the modern era, cybersecurity. Although informed circles in Pakistan are aware that cybersecurity is a matter of national security, this subject has yet to find a niche for itself in the pantheon of national security.
The ability of the government to provide security to its citizens depends upon its national power potential, which is directly proportional to its political power, diplomatic influence, economic capacity and military might. In discharging its duty to ensure national security, the government is assisted by the parliament. It passes laws that simultaneously safeguard the interests of the state and protect it from external aggression and internal turmoil while also ensuring the civil rights and liberties of its citizens. To ensure that the writ of the state extends all over its sovereign territories, it uses all instruments, e.g. armed forces, law-enforcement agencies, judiciary, to implement its national security mandate.
All security issues need to be seen through the prism of a comprehensive security policy. Such policy should be supported by four essential pillars:
- Only a strong leadership with the backing of the authorities concerned can provide strategic vision and across-the-board coordination on security matters.
- A policy framework needs a clear-cut and precise mission statement.
- To execute the vision and mission there is a need for adequate material and human resources.
- The managers of any enterprise needing security must be equipped to operate under clear and unambiguous sets of rules and regulations that they can enforce firmly.
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment.
Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The entire gamut of cybersecurity means protecting, detecting and responding to attacks directed against computers and servers storing private and official records; personal computers and cell phones; entertainment gadgets like digital cable, MP3s; intelligent systems controlling the means of travel like car engines and aeroplane navigation systems; online electronic shopping stores and credit cards, etc.
Cyber-attacks can result in long downtimes that can disrupt the decision-making loop, momentarily or for the long term. There are minor irritations like the defacement of official and private websites. Major disruptions can be caused by the crashing of servers or the loss of huge amounts of data. Cyber-attacks can cause not only psychological trauma but also physical damage, financial losses and acute loss of faith in a system. They can cause panic among the people, collapse of a system and paralysis at the highest echelons of decision-making.
Threat of Non-state Actors
Cyberspace is not the sole preserve of state actors; it is open territory for non-state actors, criminals, freelancers and the kid in the basement to operate with impunity. This makes it all the more difficult to forensically retrace the trail of a cyber-attack and attribute it to a particular person or entity. Many times the actual source of attack is an insider within the organization with the urge to settle a score or satisfy an ideological leaning.
It is difficult to mount a cyber-counterattack because of problems related to attribution, absence of set rules of engagement and the proportionality of the response. International norms and rules on the subject are hazy but countries and organizations have crafted laws to prosecute those interfering with their digital systems.
Most countries of the world have a designated organization or organizations to deal with national cybersecurity needs. Adequate sums of money are allocated for cybersecurity and clear-cut policy guidelines exist for cyberspace management. A great deal of resources is invested to secure the national critical infrastructure.
Three US agencies are responsible for cybersecurity, i.e. the Department of Homeland Security (DHS), the National Security Agency (NSA) and Cyber Command or Cybercom. The DHS, more or less, resembles the Ministry of Interior in Pakistan and was created after the 9/11 attacks. Its mandate includes the protection of national critical infrastructure (Security). In the United States, most national infrastructure like the electricity grid, water works, railways and airlines is controlled through Supervisory Control and Data Acquisition (SCADA). SCADA systems remotely monitor, control and operate equipment with coded signals over communication channels and are extremely vulnerable to cyber-attacks. A designated Cyber Emergency Response Team (CERT) under the DHS provides a united response to cyber emergencies (CERT). The NSA and Cybercom carry out cyber surveillance and offensive cyber operations respectively.
The NSA won international notoriety after the Snowden leaks. US Army Cybercom and 2nd Army “directs and conducts integrated electronic warfare, information and cyberspace operations,” to “ensure freedom of action in and through cyberspace and the information environment, and to deny the same” to its adversaries.
In Australia, the lead agency in cybersecurity is the Australian Cybersecurity Centre (ACSC). “This Centre brings cybersecurity capabilities from across the Australian Government together into a single location. It is the hub for private and public sector collaboration and information sharing to combat cybersecurity threats.” CERT Australia looks after national computer emergencies in Australia.
In the United Kingdom, computer emergencies are handled by Cert-UK (CERT). The Office of Cybersecurity & Information Assurance (OCSIA) in the UK supports the ministers and the NSC “in determining priorities in relation to securing cyberspace.” The unit provides strategic direction and coordinates the cybersecurity program for the government, enhancing cybersecurity and information assurance in the UK.
The OCSIA works with other lead government departments and agencies such as the Home Office, Ministry of Defence (MOD), Government Communications Headquarters (GCHQ), the Communications-Electronics Security Department (CESG), the Centre for the Protection of National Infrastructure (CPNI), the Foreign & Commonwealth Office (FCO) and the Department for Culture, Media & Sport.
In India the special secretary in charge of Cybersecurity in the Prime Minister’s Office (PMO) is the cybersecurity chief. Dr. Gulshan Rai became the first person to occupy this position in 2015. India has a number of cybersecurity cooperation forums with other countries of the world, e.g. CERT-In has three pacts for cybersecurity cooperation with counterparts in Malaysia, Singapore and Japan. India has a regular cybersecurity dialogue with the US that was resumed in 2015. A joint declaration released after a cyber-dialogue announced that, to increase global cybersecurity and promote the digital economy, the United States and India have committed to robust cooperation on cyber issues. India is also expanding relations with Israel in the area of cyber cooperation. In January 2018, the Israeli Prime Minister Benjamin Netanyahu made a six-day visit to India. During this high-profile visit, cybersecurity and big data were identified as the new areas of cooperation. In February 2018, the second round of “India-Russia Consultation on Security regarding use of Information and Communication Technologies (ICT)” was held in New Delhi.
Cybersecurity in Pakistan
Pakistan is one of the most cyber-spied-upon countries in the world. It is not India alone that wages a strong cyber offensive against Pakistan; many other countries are also using cyber means to siphon off critical data. The United States is among the countries that actively and regularly spy upon Pakistan. Before Chinese President Xi Jinping’s landmark visit to Pakistan, the computers of the China Desk at the Pakistan Foreign Office were hacked. Although the FO spokesperson was quick to deny that such an attack had taken place, it was enough to erode the confidence of the public in the safety and security of our official data. Actually, more troubling are Edward Snowden’s allegations that the UK alone has acquired vast amounts of communications data from inside Pakistan by secretly hacking into routers manufactured by the US-based company Cisco. It is unfortunate that the issue of cyber-spying has not been raised with either the US or the British governments, notwithstanding the fact that London and Washington remain the favourite ports of call for our politicians.
There are clearly identifiable hurdles in establishing a meaningful cybersecurity architecture in Pakistan, e.g. there is no central authority to coordinate on cybersecurity matters and advise the prime minister on emerging cyber threats. There is a palpable lack of awareness within the policymaking circles. Apart from the cybercrime bill, there is no clear-cut policy on the subject of cybersecurity. The cybersecurity stakeholders are not clearly defined and their turfs not properly marked out. There is no PK-CERT and no funds allocated for cybersecurity purposes. The Federal Investigation Agency (FIA) has a National Cyber Response Centre for Cyber Crime (NR3C) but its mandate is limited and it lacks the wherewithal to act as first responder in case of a computer emergency.
Pakistan has a huge and talented pool of human resources. Some of the best IT graduates are being produced in universities like NUST and FAST-NU. The only thing that we lack is direction and policy, and that is not possible without good cyber managers and planners. The following steps are advised for effectively managing cyberspace in Pakistan:
- There is an urgent need for a well-defined national cybersecurity architecture. The powers of coordinating all issues related to cybersecurity may be vested in the office of a cyber-security coordinator working directly under the prime minister. He may be provided secretarial services by the NSC. The NSC could be one forum, where all cybersecurity measures may be discussed.
- A cyber-taskforce (CTF) under the NSC is another important step. The mandate of the CTF should include issuing policy guidelines on cybersecurity.
- A national CERT should be established and asked to practice cyber emergency response on a regular basis.
- Cyber funds should be allocated in the national budget and their proper utilization ensured by the national cybersecurity coordinator.
- Cybersecurity cooperation with other countries, particularly SAARC member states, would have been ideal but unfortunately this association has become moribund due to Indian intransigence. The Pakistani Foreign Office may consider raising the issue of regional cooperation in cybersecurity at the forum of the Shanghai Cooperation Organization (SCO).
- A cybersecurity debate in the parliament may help set up a long-term plan. It would be a good idea for political parties to have cybersecurity issues included in their election manifestos.
- Pakistani universities should group together for the promotion of cybersecurity awareness under the umbrella of the Higher Education Commission (HEC).
For confidentiality and maintaining the integrity of data, Pakistan needs to make serious efforts to establish a national computer emergency response team, a national cyber coordination center and sectoral CERTs. The government needs to come up with ideas to develop successful collaboration between sectoral and national CERTs. Government, universities and the private sector can organize a white-hat hackers’ marathon to raise a force for a robust cyber defense. Apart from national-level efforts, the country needs to utilize its membership in different regional platforms such as the OIC and SCO to bring best practices home in the cyber domain.