“The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It’s no longer possible to write a large white paper about the risk to a particular system. You would be rewriting the white paper constantly…” This is how Adam Vincent, the CTO at Layer 7 Technologies (a security services provider to federal US agencies), describes the current cyber security problem going into 2016.
When it comes to Pakistan, the question mark over cybersecurity is more glaring than ever before. “People don’t even know how to differentiate between cybercrime and cybersecurity here,” says Nighat Dad, founder of Pakistan’s Digital Rights Foundation (DRF). “Cybersecurity is a fast topic, which involves cross-border cyberattacks and is multi-dimensioned depending on a particular state’s policies.”
- The growing number of internet users and simultaneous lack of digital literacy in Pakistan pose a serious threat which, according to experts, should be dealt with through massive awareness and inclusion of digital education in the curriculum.
- With technological advancements taking place every day, cybersecurity has become a global concern and challenge no matter where we are on the map. Pakistan needs to get ready.
- The proposed cybercrime bill is under heated debate as rights groups highlight concerns over provisions that clash with fundamental rights.
“Senator Mushahid Hussain proposed law related to cybersecurity, but nothing happened. You need a proper policy to deal with cross-border cyberattacks,” Dad says.
Recently the Government Communications Headquarters (GCHQ), a UK government security agency, tried to hack into Pakistan’s internet exchange gateway. “According to Snowden revelations, Pakistan was the second most targeted country in terms of surveillance,” she added.
As cybersecurity becomes a global concern, many countries are shoring up their defenses. This includes Middle Eastern states, who are taking cybersecurity measures like setting up IT departments and creating awareness of significant infrastructure challenges. The UAE government developed the Dubai Centre for e-Security to come up with secure ways to exchange information.
What about Pakistan?
“The concerns over safety and security potentially impede the objective of accelerated development and affect the confidence of people in using applications and services offered to traverse the cyberspace.” This was stated by Pakistan’s IT Minister Anusha Rehman in her policy statement while addressing a high level meeting of the UN General Assembly in December.
“Cyber-criminal activity which represents a dark side of internet needs to be dealt collectively through collaborative efforts. In this context, there is also a need to build capacity among nations to effectively address emerging issues,” she further said.
Gul Bukhari, a human rights and digital rights activist affiliated with Bytes4all, says that during her research on online violence against women, she discovered ‘the ease’ with which cybercrimes are committed against natural persons. (In jurisprudence, a natural person is a human being, as opposed to a legal person, which may be a private – i.e., business entity or non-governmental organization – or public – i.e., government – organization. In many cases, fundamental human rights are implicitly granted only to natural persons.) According to her, the impunity with which perpetrators continue to get away with it is one of our biggest challenges.
She adds: “At the national level, we have yet to begin seeing cybercrimes against people as something serious. This is reflected in the attitude of the law enforcement agencies like the police and the Federal Investigation Agency—FIA—which is specifically tasked with tackling cybercrime. Many times FIA has cited its inability to trace offenders.”
Bukhari says at times, a lack of mutual legal assistance treaties (MLATs) is cited as an excuse to not stop a continuing crime. “An example of a continuing crime would be a blog on a UK server providing private information on someone like their address, photos, Identification, photos of their families and accusing them of being a blasphemer and calling for their rape and murder. In addition, they cite their inability to get to the criminal.”
“Hence, the impunity attached to cybercrime is one of the major challenges we face today,” she says, adding that as a result, harassment and violence against women online, for example, is on the rise.
And time and again, we see that online harassment and violence has led to what people refer to as ‘real’ crime, be it physical, mental, economic, social or emotional.
In August last year, police in the Pakistani city of Peshawar arrested two boys who allegedly harassed and blackmailed some female students through a Facebook account. Reportedly, both suspects confessed to their crimes during interrogation but denied the same in a court of law.
High court advocate Aleena Alavi says the first challenge for Pakistan is that we do not have a law which addresses cybersecurity specifically. “The only law which is in the field right now is the Electronic Transaction Ordinance 2002 for cybercrimes etc., which is outdated and does not fulfill the purpose. To draft a legislation on the subject you need to understand the complexities that arise in cybersecurity,” she says.
Alavi says different countries have their own mandate to deal with such issues. “In most countries Ministry of Defence is involved as the armed forces are generally involved in developing the offensive and defensive cyber capabilities. The offensive and defensive cyber capabilities that we have right now are not reported but our armed forces are working on it. According to my understanding, there is no coordination between the Ministries right now to address the issue and thus the Ministry of Information Technology (MoIT) shows no knowledge of such capabilities,” she further says.
Farieha Aziz, director at Bolo Bhi, says many countries have computer emergency response teams (CERTs) that deal with cyber safety. “They not only put in place measures to protect installations etc., but are also equipped to deal with an attack and response in case of any eventuality. That’s one of the approaches,” she adds.
According to a recent study by the Internet Corporation for Assigned Names and Numbers (ICANN), Pakistan was rated low in terms of its cyber preparedness.
Former FIA Additional Director General Ammar Jafri believes Pakistan needs to engage with the global community through meaningful international legal instruments to counter the cybersecurity threats. “All the stakeholders should collaborate and try to devise a robust mechanism to answer emerging cyberworld challenges.”
Jafri says cybercriminals have their own encrypted and secure networks. “We need a CERT to resolve cybercrime incidents,” he says, adding, “Threats to satellite communications are increasing. Hacking a satellite is not too different from hacking a computer. Future wars will not be physical; they would be fought by destroying infrastructure.”
According to the FIA statistics, the National Response Center for Cyber Crime (NR3Cs) received 2,100 complaints last year while 434 of these were pending from the previous year. As many as 371 of the 2,100 were converted into enquiries, 1,604 were disposed of while 559 are still pending.
In the year 2014, NR3Cs registered 460 enquiries out of a total of 758 complaints. As many as 46 of these were converted into cases, 441 were disposed of, closed, transferred or merged while 271 are still pending. In 2014 the NR3Cs had 44 proclaimed offenders. Two more were added to the list last year.
FIA officials say they can’t take action against many of the complaints, because the proposed cybercrime bill is yet to be approved. According to them this is affecting FIA’s conviction rate as well.
Debate on the proposed cybercrime law
Last year’s proposed Prevention of Electronic Crimes Bill 2015, drafted by the MoIT, was the first attempt at a cybercrime bill since the Musharraf regime introduced the Pakistan Electronic Crime Ordinance (PECO). While forwarding a bill to counter cybercrimes was appreciated as the need of the hour, many of its sections attracted criticism.
Nighat Dad says some of the provisions in the bill violate fundamental rights including freedom of speech and freedom of expression. “The proposed bill’s Section 34 violates Article 19 of the Constitution. It gives massive power to authorities for banning content deemed as being against national interest, against the glory of Islam, or affecting relations with a ‘friendly country’.” Dad says all these terms are ambiguous. “They are clearly legalizing censorship by leaving these terms open to a wide range of interpretations. This is arbitrary online censorship.”
She also criticizes Section 29 of the proposed bill. “The section deals with the retention of traffic data by Internet Service Providers (ISPs). Practically this is impossible to do, because it needs a lot of resources, which we do not have. Furthermore, it violates the right to privacy. Without any proper mechanism how are they going to retain data for one year?” she demands.
Dad also says the provisions being criticized in the proposed cybercrime bill in Pakistan had been present in other countries as well. “But they struck them down, once it was established that they violate basic human rights,” she adds further.
Farieha Aziz says the proposed cybercrime bill is a mixed plate. “It contains telecom offences, speech crimes which already exist in law, but because they are executed through the use of electronic means or in cyberspace, they have been termed ‘cybercrimes.’
“Then, there are things in it that don’t even constitute a crime – or shouldn’t at least. Spamming for instance. In other countries, there are whole pieces of legislation on spamming, and it is dealt with through regulation, not forced into a cybercrime bill as an offence. Then, Section 34, which empowers Pakistan Telecommunication Authority (PTA) to regulate and censor content online, doesn’t deal with a crime per se. It oddly sits in the middle of a piece of criminal law, empowering an executive authority,” Farieha observes.
Gul Bukhari says the bill is designed to consolidate the state’s power, giving it legal cover to censor, block access to information, and surveil at will. “It extends arbitrary powers of censorship to an instrument of the executive (the PTA), without recourse to a court of law; it extends the power to block or filter any content a junior officer at the executive body deems blasphemous, against the glory of Islam, or the integrity, security or defence of Pakistan, against friendly relations with foreign states, against public order, decency or morality, or considered contemptuous of a court of law,” Gul says, adding, “It criminalizes (with up to 14 years in prison as punishment) interference with any government owned technology infrastructure, program or software in such vague and opaque language, that it can clearly be invoked to prosecute someone who has simply circumvented government censorship by using a VPN, or used encryption to circumvent surveillance.”
She says the bill is an invitation to abuse by government authorities. “For example, law enforcement is not required to establish a probable cause to a magistrate for obtaining a warrant to enter and search a premises, or to confiscate hardware, and all information contained therein. Nor is there any provision within the bill for penalties on law enforcement agencies’ misuse or abuse of data, whether confiscated intentionally or unintentionally. Contrast this with the fact that the bill contains not a single clause against incitement to violence, nor against grooming of children.”
Aleena Alavi agrees, saying, “The biggest issue according to me is how they have tried to intermingle cybersecurity, cybercrime and cyber-terrorism in one bill. They have included the definition of critical infrastructures but seem to be unfamiliar with the complexities that surround the notion of attribution of such cyberattacks which can cause a major issue in identifying a perpetrator and whether the attack was by an individual itself or an attack against the State. In cybersecurity, the threshold of cyberattacks is also of critical importance and this has not been addressed in the bill. The definition of cyber-terrorism is also problematic.”
Then there is the question of cybersecurity amidst state efforts to counter terrorism at all levels, especially since the implementation of the National Action Plan (NAP) in January 2015. Farieha Aziz says cybersecurity doesn’t tackle terrorism as most of us would understand it.
“Cybersecurity is a component of tackling cyberwarfare and attacks, not necessarily terrorism in the conventional sense in which we understand it. The kind of terrorism we are faced with online has to do with propaganda and propagation of material that serves as bait to recruit people,” she says.
“And the second part of it is the ability of terror outfits to interact with potential recruits. The approach taken so far – to try and block material – isn’t one that has worked very well because it is next to impossible to identify and remove what is out there. What’s largely missing is a counter-narrative of the same scale. It’s the convincing power of these outfits that needs to be diminished. And that has to be done with an equal amount of effort – if not more – to dissuade people by trying to convince them otherwise. Just telling them no, or trying to keep them from certain material – which will be available to them one way or another – isn’t enough.”
Aziz says cyber safety and security, and crime need to be treated separately. “Safety has to do with measures a citizen or state can and must take to protect themselves from external threats. For a citizen this can be as basic as employing the right kinds of practices to managing settings and using certain software. At the state level, it has to do with taking more sophisticated measures not only to prevent attacks but respond if attacks are made.”
“Crime is the commission of an offence, traditionally, against a citizen, but can also be committed against a state. The purpose of a law would be to enable an aggrieved party to seek legal recourse and prosecute the person(s) responsible. The law can never serve the purpose of a deterrent, unlike the popular narrative surrounding the proposed cybercrimes law: ‘Had the law been in place this would not have happened.’ There are many laws that exist. Crime still takes place. A law simply allows a criminal to be prosecuted for a crime,” argues Aziz.
Gul Bukhari says while terrorists use cyberspaces to further their ends, cybersecurity will remain important in the fight against terror. “But let’s be very clear, that no matter what, we cannot allow civil liberties enshrined in our constitution to be compromised in the name of fighting terror. We cannot allow mass surveillance, mass or arbitrary censorship, or arbitrary blockage of content by the state,” she says.
“Secondly, and specifically in context of what is happening in Pakistan today, we are seeing political dissent and liberal thought becoming the target of government’s cyberattacks of blocking and filtering. On the other hand, jihadi websites and social media accounts proliferate unfettered. So one has to take this whole spiel of cybersecurity vis-à-vis terrorism with a truckload of salt, and examine with a fine-tooth comb the measures proposed to tackle terrorism through ‘cyber security measures.’ Often Big Brother governments will just infringe on rights of citizens while criminals and terrorists roam free on digital highways,” she asserts.
Bukhari also stresses the importance of digital security. “In a country where internet penetration and social media usage runs into tens of millions now, and only a handful of organizations that train people they consider at the highest risk in digital security, I consider this almost an emergency level issue,” she says.
“Close to 20 million men, women and children are online in Pakistan, without a clue of the risks attached to insecure communications or to their digital footprints. The tools and trainings available to be cyber-secure are no rocket science, fairly comprehensive and very helpful in cutting down chances of becoming a victim of cybercrime. But they are neither widely available, nor widely known about,” she continues.
“Personally, I would like to see them become part of the ICT courses children take in schools. Our children are being enabled and encouraged to use computers and the World Wide Web. They must, then, be made aware of the booby traps that come with the use of technology, and taught how to protect themselves against them.”
What about Pakistan’s strategic installations? Farieha Aziz says over the past year, there has been a spate of attacks against government websites. “The Health Ministry’s website was defaced recently. Sometimes it’s just a prank. But sometimes the damage is worse – such as the loss or theft of data etc.,” she says.
“So this has to do with how secure these websites are kept, for example, by those managing these platforms and their ability to respond to the situation in the event something happens. Servers and other installations, where sensitive data is stored require different kinds of measures. A lot of it has to do with technical ability and keeping up to date.”
Nighat Dad says the only way to enhance cyber-readiness in Pakistan is by increasing digital education. “There is no digital literacy in Pakistan. People don’t know why they need to be careful. They can’t connect online threat to physical space. They think if someone is trying to attack them online, it is not a threat. That’s also how the authorities feel as well,” she says.
“Journalists, for example, are not convinced that they need to take care of their security. They say ‘I’m not doing anything wrong, why would I hide my information?’ Similarly, while media houses take care of the physical security, they won’t encourage their employees to pursue cybersecurity. It’s the same for civil society as well.”
Dad says it’s the same all over the world. “People from Germany, US, Britain, you name it – they just don’t realize why they need to be careful. It’s simply because of lack of education. Digital security is not integrated in our education system,” she says.
“We need massive awareness campaigns even for those people who don’t use internet. Parents have no idea what their children are doing online. Everyone needs to know what’s going on around them, in the digital world. That’s the only way they’d be able to protect themselves and those around them.”
Kunwar Khuldune Shahid is a journalist. He writes for leading news dailies.