Listen to this article

Perils of Cyber Insecurity

The world has entered in the era of Fourth Industrial Revolution, that is, the automation of traditional manufacturing and industrial practices with the help of smart technologies. Now that cyberspace has engaged almost every person on planet Earth, the innovations in this field are redefining socioeconomic developments and have also provided the users with ample opportunities to excel in commercial, economic, social and cultural domains. ICTs are being employed to offer a wide range of services; from entertainment, advanced communication, research and education to transportation and shopping. These are being used even to perform critical and sensitive infrastructure functions like banking and controlling of centrifuge machines in nuclear facilities. Resultantly, the enhanced global connectivity, mobility and versatility of digital services have created vulnerabilities and produced a host of new and evolving cybersecurity threats. Cybercrimes, cyber warfare, cyber vandalism, cyber reconnaissance, spying and surveillance, cyber terrorism and cyber hacktivism have emerged as formidable challenges for national governments and their security agencies because unstable and unsafe cyberspace has the potential to pose serious security risks to economic vitality and social development, smooth digital service-delivery and safety and security of nuclear installations. Particularly, the Covid-19 pandemic has caused rapid digitalization of human interactions – e-commerce, online education, remote working and telehealth – that have further increased vulnerabilities of cyberspace to manipulation and exploitation.
Before we dwell on the unprecedented cybersecurity challenges to Pakistan, a brief overview of cybersecurity is warranted here.
Cybersecurity is the preservation of confidentiality, integrity and availability of information in cyberspace (Pakistan National Cyber Security Policy, 2021). In other words, cybersecurity is the art of protecting networks, devices and data from unauthorized access or criminal uses. The deployment of different tools for ensuring cybersecurity is made to protect the critical sectors, e.g. government systems, utility infrastructure, transportation, banking and finance, critical information infrastructure, e.g. energy, telecommunication, and digital assets, e.g. systems, applications, devices, against any malicious attack. Cybersecurity is breached to have access to sensitive information to change and destroy that, using stolen information for extorting money from cyberspace-users, interrupting normal function of business practices and disrupting public service delivery.
Despite the self-evident nature of the gravity of threats associated with cyberspace, cybersecurity has been a neglected field in Pakistan. The country has been ranked seventh in the worst cyber-secured state by Global Strategies Index and Global Security Index 2018 reports. There are multiple reasons for this sorry state of affairs, but poor data governance, absence of data stewardship, poor resources, weak laws and regulations, lackluster enforcement of statutes to ensure compliance to cyber laws are some worth-mentioning Achilles’ heels of Pakistan’s cyber ecosystem.
Data governance is the enactment of effective policies and safeguards for efficient management, control and processing of raw data or information. The absence of any such institutionalized mechanism leads to a situation that cybersecurity experts call data colonization where processing and managing data is performed outside the legal jurisdiction. There are legitimate fears that these extraterrestrial actors may pollute the information domain and citizens or other sensitive state data may be sold to third party(ies) without consent. Therefore, weak data governance and data stewardship are exposing our cyberspace to various threats.
Another soft underbelly is the reliance of Pakistan on external resources – software, hardware, applications, etc. – to manage and protect the information and data. Poor availability of local ICT resources would continue to provide a soft target to cyber-vandalists and hacktivists. Poor quality of resources has further undermined the ability of law-enforcement agencies (LEAs) to effectively identify the potential threats and mitigate the associated consequences. Pakistan’s LEAs have failed to constantly update their set of skills and resources commensurate with the rapidly improving sophistication level of cyber-attacks and manipulations. Since the nature of the threats associated with the cyber domain is multifaceted and cross-section, it does require cross-departmental collaboration to effectively tackle this unprecedented challenge, but Pakistan lacks such centralized and coordinated efforts to address vulnerabilities and risks associated with cyberspace.
These systematic shortcomings, and the resultant cyber insecurity, could expose Pakistan to a multitude of threats. Cyber espionage or surveillance – a form of cyber-attack that is employed to dig sensitive and classified data to gain an advantage over competitive companies or governments – is one such threat. The information stolen in this way is used by state or non-state actors for political, economic and military gains. Such information can also be utilized to malign any particular country or organization, influence the outcome of the election (as Russia allegedly did in the US presidential election of 2016), or can be deployed to wreak havoc on international events. The UK Government’s Code and Cipher School has estimated that 34 nations have well-funded cyber espionage teams. North Korea, China, Vietnam and Israel are some countries that occupy headlines in this regard. For multiple geo-strategic reasons, Pakistan is the prime target of cyber espionage. Edward Snowden, a CIA contractor and whistleblower, revealed in 2013 that Pakistan was among the countries most targeted for surveillance by US National Security Agency. The recently unearthed Pegasus scandal has also underlined the cyber-spying threats to Pakistan.
Pegasus scandal, which has been unearthed by a consortium of 17 international media organizations, has brought clandestine cyber surveillance to the fore. This software can covertly be installed on mobile phones and it can read text messages, track calls, collect passwords, access cameras and microphones, and harvest information from installed apps. Pegasus spyware, developed by an Israeli cyber firm NSO (Niv, Shalev, and Omri, the names of the company founders), is being used by at least 10 governments including those of India, UAE, KSA. Fifty thousand numbers on android- and iOS-based mobile phones have been revealed to be actual or potential surveillance targets. Worryingly, many heads of state including French President Emmanuel Macron, President European Council Charles Michel, and PM Imran Khan are on the list. Pakistan has demanded the UN to probe into the scandal and hold perpetrators accountable, so has Reporters with Borders (RSF). Though it is yet to be known whether PM Imran Khan’s number was cracked or not, this state-sponsored, widespread surveillance does speak volumes about the gravity of the situation.
Information warfare is also fast emerging as a serious threat to Pakistan’s national security, sectarian harmony and international standing, and it has the potential to undermine the projects of strategic importance. By applying data analytics, the Digital Media Wing of the Ministry of Information and Broadcasting released a report titled Anti-State Trends on August 11, 2021, in which it was revealed that Baloch and Pukhtoon ethno-nationalist organizations were working in unison with hostile foreign governments of India, Afghanistan and Israel to malign Pakistan. As per Dr Moeed Yousaf, Pakistan’s National Security Advisory the underlying objectives of the misuse of Twitter space are to discredit the state of Pakistan and its institutions, fan sub-nationalist sentiments, keep Pakistan on FATF Grey List or downgrade its status to Black List, target directly CPEC and scapegoat Pakistan for unravelling of Kabul administration. The report shows that systematic and targeted campaigns have been launched during two years in which thousands of handlers, including India- and Afghanistan-based accounts, participated to internationalize the anti-state hashtags. The handlers resorted to propaganda, misinformation, half-truths and false news to malign state institutions, particularly Pakistan Army. For instance, the hashtags #StateKilledUsmanKakar, #StateKilledKarimaBaloch, #RapistArmyinBalochistan were launched despite knowing the fact that their underlying assumptions were wrong. Later, it was confirmed that the death of Usman Kakar and Karima Baloch had nothing to do with Pakistani institutions and video circulating on social media regarding the rape of a Baloch child was also fabricated.
In order to fuel separatism and national disintegration, hashtags were launched on national events to fuel sub-nationalism. For example, #BalochistanSolidarityDay kept on trending for the whole day on August 14, 2019. The report has made it clear that apart from Pukhtoon sub-nationalists and Baloch separatists, a greater number of handlers based in India boosted that trend and provided video content also to internationalize the hashtag. Indian National Investigation Agency took a direct part in it and made it trending throughout the day.
Efforts are also afoot to isolate Pakistan by scape-goating it for the failure in Afghanistan. A trend under the hashtag #SanctionPakistan kept on trending on 9th and 10th August 2021 and it succeeded to attract more than 150k tweets. After applying data analytics, it emerged that Afghan and Indian handlers, which include the handlers of the Afghanistan’s Vice President, National Security Advisor, and Defense Minister, massively participated in this trend to force the international community to sanction Pakistan for its alleged support to Afghan Taliban.
Discrediting Pakistan’s international image is another intended objective of the ongoing systematic and malicious online campaign. Noor Mukadam’s ruthless murder in Islamabad, which was a criminal activity that can happen anywhere in the world, was exploited by handlers based in hostile countries to project Pakistan as a country unsafe for women. Indian handlers were found involved in fanning sectarianism in Pakistan. The sectarian material is spread through Facebook and Twitter, and well-delineated efforts are made to further broaden the sectarian fault lines in Pakistan. Briefly speaking, a deliberate, conscious and state-sponsored disinformation campaign is being launched in order to harm Pakistan’s national and economic security and, unfortunately, many followers of mainstream political and ethno-nationalist parties are, intentionally or unintentionally, taking part in this 5th generation or hybrid war against Pakistan. So much so that PTM initiated more than 150 anti-state trends and tweeted more than 3.7 million tweets against Pakistan. India and Afghanistan boosted these trends by adding more than 700,000 tweets to make hashtags international trends. Though the report is inconclusive and many analysts have criticized its content, these info-ops and online malicious campaigns must be the source of serious concerns for policymakers because they may have real-world consequences.
Cyberwarfare is not only limited to clandestine surveillance and reconnaissance efforts, but can also cause physical destruction and disruption. The Iran-Israel shadow war in the Middle East is a relevant example. In 2010, Israel and the US intelligence agencies carried out a cyberattack on Iran’s Natanz nuclear facility. The attack caused the running of centrifuge machines at ultra-high speed and, ultimately, resulted in widespread disruption and delayed Iran’s nuclear program for many years. In 2020, Israel orchestrated a cyber attack again at the Natanz reactor that caused a large-scale blackout because it disrupted the power supply for the reactor. Iran had also blamed Israel for assassination of its top nuclear scientist, Mohsen Fakhrizadeh, by satellite-based, remote-controlled machine gun.
Pakistan, which has rapidly expanding nuclear stockpiles and nuclear installations, can be the prime target for Indian hackers. Though India has not carried out a large-scale attack, small-scale denial-of-services attacks have been a frequent occurrence in recent years. In 2020, Pakistani intelligence agencies tracked a major security breach and DG ISPR instructed the military officials not to share sensitive information on social media platforms like WhatsApp or Facebook. Rattlesnake, a denial-of-service malware, targeted the Pak Navy website in 2019 and attempted to upload misleading documents masquerading as the official statements of Pak Navy regarding India and China. At the time of writing this article, Pakistan’s federal tax collecting institution, FBR, is reeling under the denial-of-service attacks and Pakistan’s largest data center is at the risk of cyber manipulation. These examples make it amply manifest that cyber threats are real and can cause serious harm to Pakistan’s critical informational infrastructure.
It is, indeed, heartening that the incumbent PTI government is well aware of the threats and is fully agile to combat these. The approval of Pakistan’s first Cyber National Security Policy is a welcome step in this regard. The salient features of this policy have been discussed below.
The National Cyber Security Policy (NSCP) has recognized cyber-attacks on Pakistan’s communication infrastructure and critical information infrastructure as an act of aggression against national security and it has mandated state authorities to take retaliatory response. NSCP has underlined the need for a secure, robust and continually improving digital ecosystem and adherence to the pillars of accountability, confidentiality, integrity and availability of digital assets. It has termed cyber security critical for socioeconomic development and national security. The policy has aimed at improvement of security of national information system and infrastructure, creation of national security standards and protocols for smooth application of cyber laws across the country; protection of online privacy of citizens; establishment of the mechanism of testing, forensic and accreditation, creation of cybersecurity awareness through mass communication and education programs; and development of human resources in cybersecurity through capacity-building, skill-development and training programs; steady investment in R&D to support indigenization of cybersecurity solutions; and most importantly, improvement in regulatory and legislative regimes as per the recommendations of IT exports.
In order to implement NSCP in a coordinated and holistic manner, the cyber policy has mandated to establish Cyber Governance Policy Committee. CGPC would be a multi-departmental and inter-ministerial institution that will be responsible for national-level coordination, undertaking policy initiatives related to cyber governance and security, and maintaining strategic oversight over national cybersecurity issues. Pakistan’s first-ever National Cyber Security Policy envisions protecting internet-based services, informational and communication infrastructure, critical digital assets, strategic information systems and infrastructure, and effective response mechanism to thwart cyberattacks and mitigating their impacts.
It is certainly heartening that the government has started realizing the potential threats emanating from cyber insecurity, but we have to go a long way to fully secure our information systems and infrastructure. In this regard, the establishment of a fully committed and full-fledged agency on the pattern of the US’ Cyber Infrastructure Security Agency or Israel’s National Cyber Security Agency should be given serious consideration. In recent years, China has strengthened its cybersecurity considerably and proved a serious threat to the US critical infrastructure. Pakistan can ask China to add a separate Working Group on Cyber Security under CPEC and both states can exchange their expertise and technologies. Given the expanding bilateral strategic partnership between the US and India that also includes satellite-based reconnaissance capabilities, Pakistan must explore these options seriously and shield its resources and assets against any future penetration. In this regard, the newly-found rapprochement between Pakistan and Russia can also be tapped. A strong cybersecurity framework is the need of the hour and a business-as-usual approach could cause irreparable damage to our national interests. The sooner we realize the gravity of the situation, the better it will be for the physical, economic and human security of our country.
The writer is a graduate of the University of Agriculture, Faisalabad. He writes on national and international affairs.