Need for a National Cyber Security Strategy in PakistanNovember 18, 2015
Everything You Need to Know about Mobilink-Warid Merger! :November 27, 2015
While the government of Pakistan focuses on fighting terrorism and extremism under the National Action Plan (NAP), another threat seems to be looming on the horizon, i.e. cyber warfare. “The advent of information age has profoundly impacted the thinking of states as well as sub-state groups in regard to warfare and security. While the state remains the principal political entity on the world stage, the diffusion of technologies and relevant knowledge has transcended borders and boundaries at a rapid speed.”
Modern day life depends on online services as one shops online, works online, plays online and hypothetically lives online. As our lives increasingly depend on digital services, the need to protect our information from being maliciously disrupted or misused is really important. The internet has become an uncontrollable creature. Mobile devices such as phones and tablets are more insecure as compared to personal computers and laptops.
The first spam email took place in 1978 when it was sent out over the Arpanet (Advanced Research Projects Agency Network). The first virus was installed on an Apple computer in 1982. The UK police arrested 16-year-old student, nicknamed “Data Stream”, in 1994. FBI’s e-mail system was hacked in February 2005. Travelling documents of NATO forces were hacked in Afghanistan. Denial of Service (DoS) attacks by “Mafia Boy” on eBay, Yahoo! and other popular sites took place in 2000. Swedish bank Nordea was hit with possibly the biggest internet fraud in history as around £600,000 (1 million US$) was stolen in three months from 250 customer accounts by obtaining the account information through an anti-spam software sent by emails.
Any activity is called cyber-crime where computers or networks are a tool, a target, or a place of criminal activity. Any use of a computer as an instrument to further illegal ends, such as committing fraud, stealing identities, and violating privacy is a crime. It also includes traditional crimes in which computers or networks are used to enable an illicit activity. As the computer has become central to commerce, entertainment, and government, cyber-crime has grown in importance. The main objectives of modern cyber crime include destructive purposes, intelligence collection, and economic espionage. There are following main types of cyber-crime:
E-Mail Bombing: Email bombing refers to sending a large amount of e-mails resulting in interruption in the victims’ e-mail account or mail servers.
Data Diddling: This kind of an attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed.
Salami Attacks: These attacks are used for the commission of financial crimes. A bank employee inserts a programme into bank’s servers, which deducts a small amount from the account of every customer.
Denial of Service: This involves flooding computer resources with more requests than it can handle. This causes the resources to crash thereby denying authorized users the service offered by the resources.
Cyber Crime in Pakistan
Cyber-crime rises rapidly in Pakistan. There are about 30 million internet users with 15 million mobile subscribers in Pakistan. According to Cyber Crime Unit (CCU), a branch of Federal Investigation Agency, only 62 cases were reported to the unit in 2007, 287 cases in 2008, ratio dropped in 2009 but in 2010, more than 312 cases were registered. But unreported incidents of cyber-crime are huge in numbers.
Laws in Pakistan
Laws regulating cyber-crimes in Pakistan have never been impressive. People of Pakistan hardly have any idea about the existence of such laws. There had been an “Electronic Transactions Ordinance 2002”, which mostly dealt with banking. But the first ever pertinent law, i.e. “Pakistan’s Cyber Crime Bill 2007”, which focuses on electronic crimes, i.e. cyber terrorism, criminal access, electronic system fraud, electronic forgery, misuse of encryption etc has been there. But if one sees its implementation, the statistics are poor.
The current government is planning to introduce first ever comprehensive law, i.e. “Prevention of Electronic Crimes Bill 2015”, which is struggling for oxygen as it was tabled in National Assembly (NA) of Pakistan but could not be approved due to criticism on its content. As per critics, there are many ambiguities in definitions of certain sections/clauses. It focuses more on moral aspects of internet use than cyber-crime itself. The Section 31of the proposed bill says that the govt could block access to any website “in the interest of the glory of Islam or the integrity, security or defence of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality….” Now the question arises who is to decide what undermines the integrity of Pakistan, or its relations with other states? Who exactly are the “friendly foreign states”, and where would countries with which Pakistan has fluctuating ties such as the United States (US) be placed?
The government should see whether it is in line with the implementation of the National Action Plan to counter terrorism? Because, soon after 9/11, to fight terrorism effectively at home, the US Congress passed the “Patriot Act”, which curtailed certain rights given by the US Constitution under the bill of rights (first ten amendments). Pakistan government should also introduce such laws that could not only address cyber-crimes but cyber terrorism. Because, in modern terrorist environment, terrorists/non-state actors make full use of internet for fund raising, propaganda, threats and recruitment, etc. The new law must be crystal clear in its definitions so that it could not be used for or against through different interpretations of the sections/clauses.
Cyber Security and Cyber Warfare
Cyber security as a concept represents a radical departure from the previous view of IT-related security. In the past, security was often viewed as a separate discipline or as an afterthought. Cyber Security acknowledges that Information Technology (IT) security must be symbiotic from now on.
Cyber warfare is by nature asymmetric, when conducted by traditional nation-state opponents. It is non-kinetic only in the most direct sense, if one views cyber operations separate from conventional operations. As soon as one considers conventional operations that rely on IT capability can become both Kinetic and non-Kinetic in nature.
Cyber attacks can be real-time events or time-delayed events. These can originate from anywhere or be triggered from anywhere and originate from within. They occur in multi-dimension cyber space as well as in conventional warfare frames of reference. Cyber security is not something that will go away. As long as our infrastructure remains networked and interdependent cyber security will remain critical.
Cyber warfare is internet-based conflict involving politically motivated attacks on information and information systems. Cyber warfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems – among many other possibilities. It is getting complicated as there is no longer any realistic expectation of a single solution or even a single family of solutions that can provide a comprehensive approach to the problem space. It is personal as cyber security issues now impact every individual who uses a computer. It is no longer science fiction – millions of people worldwide are the victims of cyber-crimes. It is a business as almost every business today is dependent on information and vulnerable to one or more types of cyber-attacks. It is war; in fact it is already becoming the next Cold war. Cyber operations are also becoming increasingly integrated into active conflicts. Even the US President Obama remarked on May 29, 2009 at 60-Day Cyber Space Policy Review, “Our interconnected world presents us, at once, with great promise but also great peril.”
Pakistan Cyber Warfare and Cyber Security
The Internet security company McAfee stated in its 2007 annual report that approximately 120 countries have been developing ways to use the internet as a weapon and target financial markets, government computer systems and utilities. The US is being called the number one “watching country” and snooping is a common feature in the US. It is an open secret that Edward Snowden – an American computer specialist and former Central Intelligence Agency (CIA) employee and National Security Agency (NSA) contractor – disclosed up to 200,000 classified documents to the press.
Indian hackers often hacked and penetrated the government websites of Pakistan and left derogatory messages. In “Operation Hangover” against Pakistan, cyber analysts in Norway claimed that hackers based in India have been targeting government and military agencies in Pakistan since 2010 and extracting information of national security interest to India.
“Black Dragon Indian Hackers Online Squad” defaced official websites of Pakistan People’s Party (PPP), apparently annoyed by PPP Chairman Bilawal Bhutto-Zardari’s remarks about Kashmir, Pakistan Railways, National University of Modern languages (NUML), Quaid-e-Azam Public College, Gujranwala, Pakistan Electric Power Company (Private) Limited, and National Manpower Bureau.
Cyber Warfare and Other States
The Internet security company McAfee stated in its 2007 annual report that approximately 120 countries have been developing ways to use the internet as a weapon and target financial markets, government computer systems and utilities. Major powers increasingly rely on digital networks for critical services. The US turns to a cyber-arms race, quite similar to the nuclear arms race, is building up stockpiles of software and malware to attack computer systems of rival states. China, Iran, North Korea, and Russia have demonstrated an ability to conduct robust cyber activity.
North Korean cyber actors are suspected of having conducted destructive operations that compromised South Korea’s national identification system – damage that may cost more than US$1 billion and over a decade to repair. The US suspects Iran’s involvement in a 2012 cyber-attack against two energy firms, one in Saudi Arabia and another in Qatar, that destroyed data and crippled thirty thousand computers.
The US financial firms subsequently suffered tens of millions of dollars in losses resulting from Iranian denial-of-service attacks launched in retaliation for economic sanctions. In 2014, Iran became the first country to carry out a destructive cyber-attack on US soil when it damaged the network of Las Vegas Sands after its chairman advocated a nuclear strike against the country.
- Pakistan’s digital infrastructure is vulnerable. About cyber espionage, one knows who, how, where, and why it matters? But there is paucity of knowledge about “what to do”? Pakistan does have cyber-crime law but unfortunately it is not being implemented effectively. There is also a lack of awareness about the law.
- There is need of holding workshops and seminars to create awareness among the masses.
- There must be severe actions against criminals.
- Anti-virus and anti-spam soft wares should be installed.
- Vulnerability assessment of famous Apps for smart phone may be done.
- “National cyber security awareness day” be organised to make people aware of this.
- With hyperactive social media in Pakistan, it is critical to study the potential and limitations of the internet.
- It is crucial academics to try and better understand the landscape of internet in Pakistan.
- Cyber-attacks and defence should eventually be part of Pakistan’s military strategy.
- Cyber defences, elevation of the role of the private sector, and support research need improvement.
- “Bureau of Internet and Cyberspace Affairs” should be established in the Ministry of Information Technology.
- Emergency mechanisms for dealing with internet attacks be developed.
- Formation of a Cyber Working Group (CWG) between Pakistan and India should be discussed with India to make it part of the “Composite Dialogue” to have regular discussions on the subject to avert the possibility of resorting to cyber warfare.
 Seminar, “Security in Cyber Space: Implications and Challenges,” Center for International Strategic Studies (CISS), Islamabad Marriot Hotel, September 30, 2014.
 Fahad Abbasi, “Cyber-crime and Security in Pakistan,” Slide Share, March 19, 2014, http://www.slideshare.net/fahdabbasi7/cyber-crime-and-security-in-pakistan (accessed June 2, 2015).
 Arslan Meher, “Cyber-crime,” Slide Share, January 28, 2012, http://www.slideshare.net/arslanmeher/cyber-crime-11308281 (accessed June 1, 2015).
 Imtiaz Gul, “Cyber-crime, Security and Rights,” Express Tribune, April 25, 2015, http://tribune.com.pk/story/875273/cybercrime-security-and-rights/ (accessed June 4, 2015).
 Irfan Haider, “NA Committee Approves ‘Controversial’ Cyber-crime Bill,” Dawn, April 16, 2015, http://www.dawn.com/news/1176299 (accessed June 7, 2015).
 Stephen Lahanas, “Introduction to Cyber Security,” Slide Share, August 25, 2010, http://www.slideshare.net/slahanas/introduction-to-cyber-security (accessed June 2, 2015).
 Saleem Shahab, “Cyber World is Not in Safe Hands,” Logic is Variable, April 4, 2012, http://logicisvariable.blogspot.com/2010/05/cyber-world-is-not-in-safe-hands_11.html (accessed June 5, 2015).
 Benjamin Brake, “Strategic Risks of Ambiguity in Cyberspace,” Council on Foreign Relations (CFR), May 2015, http://www.cfr.org/cybersecurity/strategic-risks-ambiguity-cyberspace/p36541 (accessed June 4, 2015).
Disclaimer: Views expressed are of the writer and are not necessarily reflective of Tier3 policy.