By: Hammaad Salik
It is in the inherent nature of technology itself that security-related issues will always exist. Since the internet grew from a small MIT project commissioned by DARPA into a global commercial network of interconnected, hyper-dependent devices and systems, security engineers around the world have been working to develop resilient solutions to the ever-growing cyber threats. Most of the technology in use today was created decades ago to advance humanity into the next era, without cybersecurity in mind. That changed as the world realized the plethora of cyber threats lurking in the wild.
Government agencies and departments are frequent targets of cybersecurity attacks. No industry is immune to attack, and the list of Government departments compromised by hackers continues to grow. Our Government departments hold information about National Security and other vital Government functions, some of which could be dangerous in the wrong hands. In the last five years, Pakistan has witnessed the most massive breaches of its critical infrastructures. One example is the Banking industry compromise that includes a list of more than 20 banks with an estimated loss of 2.7 million and above. This data contained extensive personal and potentially compromising information. However, due to the lack of cyber incident response expertise and even essential cyber awareness at Executive levels, these incidents have been sidelined – “the Pakistani way.” But unless we are smart and proactive, we will solve the challenges we face in cyberspace only after multiple crises. After cyber-attacks cause blackouts in Pakistan, we will make the necessary investments to prevent them. After train derailments, ship collisions, or airplane crashes caused by malicious actors operating in cyberspace end up killing people (kinetic attacks, as we security professionals call them), we will build systems that have near-zero tolerance for failure caused by hackers. But for now, we exist in a sorry and delusional state.
According to a report by Kaspersky and GCI (Global Cybersecurity Index) scores, Pakistan is the 7th most digitally insecure country in the world. The threat landscape list includes Military, Government and Strategic Targets, Telecoms, Healthcare, Nuclear research facilities and the individuals working in them, Islamic activists and scholars, the Media, and those working on Nanotechnology and Encryption technologies. Most of the critical infrastructures are vulnerable due to a lack of proper security infrastructure or nonconformity with established industry best practices. The notorious Shadow Brokers revelations were a wake-up call to Pakistan, raising concerns about the privacy, security, and confidentiality of its data. Pakistan’s nuclear program, like Iran’s, has always been a serious concern for its adversaries. Nation-states are continuously developing and testing weapons like Fanny to check the viability of getting malware onto air-gapped machines and systems in Pakistan. Surprisingly enough, the IR-2m and IR-4 centrifuges at the Natanz Nuclear Facility in Iran hold the same design and configuration as Pakistan’s P-2 centrifuges at KRL. In 2010, the world came to know of Stuxnet, malware designed by multiple nation-states, with many zero-days integrated, to disrupt Iran’s Nuclear Enrichment Program. Stuxnet is considered the first of many digital weapons the world will see, and surely a reason for worry for Pakistan’s Intelligence Community if the configuration is the same as Iran’s.
The Digital Transformation of Pakistan, although a great initiative by the Government, lacks the fundamentals – “Infrastructure security.” Cybersecurity is one of those gray areas that has been left only to the most technically inclined to worry their uncombed or bald heads over. Call it skepticism or concern, but our Digital Transformation workforce will have to be mindful of the threat landscape in Pakistan, which in itself has too many moving parts. Pakistan, till now, has failed to establish a National Level CERT, while its neighboring country India had a CERT established in 2004. There is a void that needs to be filled with a National Level Cyber Command. Of course, like any other relevant topic in Pakistan, a controversial debate will follow on the ownership of the National Level Cyber Command: Military, Government, or Intelligence – take your pick. Perhaps the essential point is that Pakistan’s entire digital infrastructure needs to be revamped to be more secure and resilient. The State Bank of Pakistan and NADRA have taken positive steps toward protecting the data. As for all other Government departments, instead of stating the obvious, let us entertain the idea of security auditing them. Having said that, there is an urgent need to establish a set of laws, policies, and a functioning body to cater to the digital security needs of Pakistan. Pakistan has the Prevention of Electronic Crimes Act, which is universally condemned for being flawed and for its use of the wrong language. Policies on Information Espionage, Information Secrecy & Privacy, Secure Banking, Cybercrime, Immediate Incident Response, Breach of Data Notification, and Action against Child Pornography are nowhere to be found. Hopefully, our Government departments will stop ignoring their National responsibilities and focus more on the National interest than on personal interest. Here this quote fits quite well: “Proximity to power deludes some into thinking they wield it!”
The question is why some of our critical resources are still safe from serious external cyber threats. The answer lies in our non-digitalization: systems that are crucial to maintaining and sustaining National Security are still not fully digitized. Of course, I am not of the opinion that we should go against Digital Transformation; it is the need of the time and a good business model that can help Pakistan grow. But let’s be honest and not open the Pandora’s box of the internet of threats till we have the right mix of infrastructure, standards, and policies in place. Our digital taskforce needs to learn from countries like Estonia, which was brought to its knees in 2007 when a three-week cyberwar was waged, or Ukraine, which has now become a testbed for cyber weaponry pilot projects by Russia. Pakistan will face a similar fate if our leaders and executives fail to understand the gravity and depth of security in our current critical infrastructures.
Transformation doesn’t start at the end. That is what Pakistan is focused on. It starts at the beginning, and that is security. Read it. Understand it. Implement it.
The writer is an entrepreneur and member advisory Strategic Warfare Group. He aims to provide accurate and transparent cyber information to the general public. His areas of expertise are Cyber Warfare Operations, SIGINT, and Kinetic Warfare. He can be reached at [email protected].