Need for a National Cyber Security Strategy in Pakistan

CYBER ALERT SERVICE By NATIONAL RESPONSE CENTRE FOR CYBER CRIME
November 18, 2015
Cyber Warfare and Pakistan – Cyber Security Report
November 18, 2015

Need for a National Cyber Security Strategy in Pakistan

Several countries around the world, including less-developed ones, understand the significance of Cyberspace; it is often dubbed as the “fifth” war-fighting domain after Land, Sea, Air, and Space.

Owing to rapid advances in information and communications technologies, nation states are integrating their critical infrastructure with organizational processes in a bid to make them more efficient. With the passage of time, more and more countries are “digitizing” their national assets; these include the electronic filing of records in various government ministries, autonomous regulatory bodies.

In Pakistan, the state is digitizing sensitive data of its citizens primarily through the NAtional Database Registration Authority (NADRA) and Pakistan Telecommunication Authority (PTA). Though these efforts are commendable and bring us closer to the level on which our international contemporaries have long been, the risks associated with these initiatives are innumerable. Most importantly, Information Security is a prime concern when it comes to sensitive data related to ordinary citizens and state machinery. Not too long ago, it was reported by The Intercept through Edward Snowden’s leaked documents that the US National Security Agency (NSA) has access to millions of Call Data Records (CDRs) from major Pakistani telecom companies (Project SKYNET and DEMONSPIT). Furthermore, according to a report which came much before this revelation, the US Central Intelligence Agency (CIA) was reported archiving biometric data of Pakistani citizens in its Terrorist Identities Datamart Environment (TIDE), which it operates jointly with the Department of Homeland Security (DHS). TIDE is essentially a product used by the US National Counter Terrorism Centre (NCTC). The CIA and DHS regularly filter out data from Pakistan and other countries to classify suspected individuals’ information as ‘Known Suspected Terrorists’ (KSTs) under a project named ‘HYDRA’.

Based on Snowden’s revelations, the CIA and NSA regularly acquire such sensitive data from Pakistan “through clandestine means”. What exactly does this mean? The possibility of senior officials in NADRA, PTA and other important bodies supplying data to the US in exchange for hefty benefits cannot be ruled out. Indeed, such a massive intelligence extraction technique is impossible without some level of Human Intelligence (HUMINT) involvement. Electronic interception and cyber espionage are the primary means, of course. Do we not read reports every now and then of some government website being hacked? What about the Turkish hacker who claimed to have sensitive data of Pakistani citizens which he purportedly stole from back-end online servers used by PTA?

The most ambiguous part of investigating cyber intrusions is the anonymity or “amorphous” nature of the intruder. Who carried out the attack or exploitation, where they are from, are they non-state actors or state-sponsored? Ascertaining such crucial facts is quite a tedious task. In today’s age, there are a variety of known and unknown cyber criminals and terrorists. There is a big difference between the two: criminals engage in data theft or other illegal attacks as ransom for financial benefit or, in most cases, publicity. They may also stalk individuals for their own personal grudges. On the other hand, as far as cyber terrorism is concerned, it is a strategic threat which poses grave national-level consequences for a state. A famous example is the notorious Stuxnet attack on Iran’s Supervisory Control And Data Acquisition (SCADA) systems, reportedly developed by the US and Israel. It badly retarded Iran’s ambitions for nuclear enrichment.

Perhaps the most narrated example in cyber security is that of the 2007 cyber attacks on Estonia. These attacks targeted websites of Estonian organizations, including its parliament, banks, ministries, newspapers and broadcasters. Since Estonia was enthusiastic in integrating its entire critical national infrastructure with the Internet, it received heavy blows. What followed were a series of case studies on how cyber attacks can effectively cripple an entire nation’s infrastructure and completely damage it. Today, this very country hosts the headquarters of NATO’s Cooperative Cyber Defence Centre Of Excellence (NATO CCD-COE), a sub-organization tasked with research and analysis among NATO member states into cyber threats and which also proposes effective mechanisms for cyber defence.

Our neighbor India published its National Cyber Security Policy in July 2013, ultimately joining the ranks of countries whose governments give serious consideration to cyberspace and the threats associated with it. It is quite embarrassing to note that little known countries like Ghana and Latvia also have such strategies. Even the tiny Gulf state of Qatar, with a meagre population of 2 million or so people, has a national cyber security strategy. Why has Pakistan lagged behind for so long?

On 14 April 2014, a document was introduced in the Senate of Pakistan called “National Cyber Security Council Act 2014”. Some of the notable points listed in this act are as follows: Section 3, sub-section (3) mentions that the proposed council would meet at least once in each quarter of a year. Section 4, sub-section (1) mentions that members from the Federal Government and nominated private research bodies, associations will have representatives as part of the council. Most importantly, sub-sections (b) and (c) of Section 5 clearly indicate that this council will develop a national and international cyber security strategy for the state, respectively.

Keeping aside an International Cyber Security Strategy, zero progress has been made as far as a national-level case is concerned. It is also worth mentioning here that no meetings on the issue of national cyber security have taken place so far. Why are the government and private stakeholders silent on this issue? Is cyber security not a state priority? How much more vulnerabilities will Pakistan’s national information and communication assets have to face so that decision makers in the top echelons of power give due consideration to it?

As far as the controversial Prevention of Electronic Crimes Bill is concerned, that is another debate and one which has received more than its due share of limelight. What the state needs to focus on now is the development of a national and, in the long run, an international cyber security strategy. If Pakistan is to secure its foothold in cyberspace and present state policy before the world further advances ahead, the time is now. We simply cannot afford further delays.

Comments are closed.