Global Editions

Securing Cyberspace for Pakistan

Mapping Pakistan’s cyberspace vulnerabilities.

By Ahmad Raza

In Brief

  • The Information Age is so vulnerable that no country can claim to have achieved 100 percent cybersecurity. However the countries are still striving—to achieve maximum protection.
  • India has an officially recognized National Cyber Security Policy (NCSP) and a national governance roadmap for cybersecurity. Shouldn’t we go for the same?

Bangladesh’s central bank governor, Atiur Rahman, tenders his resignation on March 15, following one of the biggest cyber heists in the history of the world. Over $81 million are stolen from the bank’s account at the Federal Reserve Bank of New York in February this year.

Media reports state unknown hackers breached the computer systems of Bangladesh bank and transferred the money from its account at the New York Fed to Sri Lanka and Philippines. Preliminary investigation indicates cybercriminals had tried to withdraw around $1 billion but the other transactions were thwarted after a typo in instructions that raised a red flag.

Investigators claim hackers stalked the bank’s computer network for almost two weeks before they launched the attack. They deployed malware on servers housed at the central bank to make payments seem genuine.

Bangladesh’s bank cyberattack has proved that neither developed nor developing or least developed countries are completely prepared to tackle the ever increasing vulnerabilities of the Information Age.

How vulnerable is the Information Age?
Symantec Corporation, the company that maintains one of the world’s most comprehensive vulnerability databases currently consisting of more than 66,400 recorded vulnerabilities, underlines in its ‘Internet Security Threat Report – ISRT20’ that over one-third of the websites scanned by the corporation, in 2014, have vulnerabilities and 20 percent of them have critical loopholes. The corporation, through its Global Intelligence Network made up of 57.6 million attack sensors spread across over 157 countries, detected 6,549 new vulnerabilities in the year 2014.

The report highlights almost no company—large or small—is secure vis-à-vis Internet security threats. “Five out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40 percent increase over the previous year.” Similarly an uptick was noted in attacks at small and medium-sized businesses, with 26 percent and 30 percent, respectively.

It indicates 60 percent of all targeted attacks struck small and medium-sized organizations. “These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This, puts not only the businesses, but also their business partners, at higher risk.”

The corporation finds non-targeted attacks still make up the majority of malware, which increased by 26 percent in 2014. According to the report more than 317 million new pieces of malware were created last year.

The Symantec report also states malware authors have various tricks to avoid detection; one is to spot security researchers by testing for virtual machines before executing their code. In 2014, up to 28 percent of all malware was “virtual machine aware.”

“This should serve as a wake-up call to security researchers who are dependent on virtual sandboxing to observe and detect malware. It also makes clear that virtual environments do not provide any level of protection,” the report notes.

Digital extortion is another alarming phenomenon. The corporation observes 45 times increase in incidents of digital devices or content hostage in 2014. The report states: “While most people associate “extortion” with Hollywood films and mafia bosses, cybercriminals have used ransomware to turn extortion into a profitable enterprise, attacking big and small targets alike.”

It also noted that ransomware attacks grew 113 percent in 2014, driven by more than a 4,000 percent increase in crypto-ransomware attacks. The report also indicates cybercriminals are leveraging social networks and apps to do their dirty work. Though, email remains a significant attack vector for cybercriminals in previous years, but there is a clear movement towards social media platforms. In 2014, Symantec observed that 70 percent of social media scams were manually shared.

Read more: The Debate on Cybercrimes Law

001

002

003

According to the report, mobile was also ripe for attack, as many people ‘only associate cyber threats with their PCs and neglect even basic security precautions on their smartphones.’ Symantec found that 17 percent of all Android apps were actually malware in disguise. “Additionally, grayware apps, which are not malicious by design but do annoying and inadvertently harmful things like track user behavior, accounted for 36 percent of all mobile apps.”

Symantec continued to see attacks against Point of Sales systems, ATMs, and home routers in 2014. These are all network-connected devices with an embedded operating system, though they’re not often considered part of the Internet of Things (IoT). Whether officially part of the IoT or not, attacks on these devices further demonstrate that it’s no longer only our PCs at risk. And the potential for cyberattacks against cars and medical equipment should be a concern to all of us.

As per the report risks to many of the Internet of Things (IoT) devices are exacerbated by the use of smartphones as a point of control. It discovered that 52 percent of health apps—many of which connect to wearable devices—did not have so much as a privacy policy in place, and 20 percent sent personal information, logins, and passwords over the wire in clear text.

Read more: Cybersecurity: Work in Progress

Global cybersecurity landscape
According to the International Telecommunication Union (ITU), the United Nations’ specialized agency for information and communication technologies (ICTs), the United States is the most committed country in the world in terms of cybersecurity readiness. The ITU in its recent publication ‘Global Cybersecurity Index and Cyberwellness Profiles’ ranked the United States at first place followed by Canada. Australia and Malaysia shared third rank on global index.

Similarly, New Zealand and Norway share fourth rank while India shares fifth position with Brazil, Estonia, Germany, Japan, Korea and the United Kingdom. ITU on its global cybersecurity index ranks China among countries at 14th place, Sri Lanka at 15th, Bangladesh and Iran at 19th, Afghanistan at 20th and Pakistan at 23rd place along with smaller countries, like Syria, Senegal, Slovenia, Samoa, Malawi, Kazakhstan, Bosnia, etc.

The regional analysis of the Global Cybersecurity Index (GCI) shows in Asia Pacific region Australia and Malaysia are leading at first place, followed by New Zealand at second and India at third place. It shows China at sixth rank, Sri Lanka at seventh, Bangladesh and Iran at 11th, Afghanistan at 12th and Pakistan at 13th place along with Samoa.

The report points out that everywhere in the world nations seem to have done more work on legal aspects of cybersecurity, but lack capacity to counter cyberattacks.

Australia has taken various legal initiatives for better cybersecurity according to the report. It has acceded to the Council of Europe Convention on Cybercrime in 2013. It has introduced Cybercrime Legislation Amendment Act 2012, Australian Cybercrime Online Reporting Network and the Cybercrime Strategic Framework, Spam Act 2003. The Australian Competition and Consumer Commission (ACCC) provides advice about scams and how to report them.

Australian Federal Police (AFP) High Tech Crime Operations (HTCO) is responsible for investigating high tech crime in Australia. Australian Securities and Investment Commission (ASIC) investigate scams relating to financial services such as phishing.

It points out that Malaysia has exceled in technical side of the cybersecurity. Malaysia Computer Emergency Response Team (MyCERT) was formed back in 1997 and it has developed relations with 55 other CERTs around the globe. It has also introduced various legislations to ensure better security of digital assets.

On the other hand, India has achieved leading positions through capacity building. The country is running several research and development (R&D) projects and awareness programs. Cybersecurity training facilities have been set up to provide training to law enforcement agencies and facilitating cybercrime investigations. Special training centers have been established for cybercrime training. Computer forensic labs have been set up. It shows that India has conducted 94 cybersecurity related training programs in which 3,392 people have been trained. It appears Korea is better at organizational arrangements and Japan in cooperation.

Cyberwellness profile: Pakistan versus India
In cyberwellness profile of Pakistan the report indicates, the country lacks criminal legislation. Electronic Transaction Ordinance is the only regulation available to tackle cybersecurity related issues. While on technical side the country does not have any officially approved national or sector specific cybersecurity framework for implementing internationally recognized cybersecurity standards. There is no cybersecurity framework for the certification and accreditation of national agencies and public sector professionals in Pakistan.

Furthermore, on the policy side the country does not have an officially recognized national or sector-specific cybersecurity strategy. As per the profile there is no national governance roadmap and responsible agency for cybersecurity in Pakistan. The country does not have any officially recognized national benchmarks or reference standards for measuring cybersecurity.

On capacity building, there is no officially recognized national or sector-specific R&D program or project for cybersecurity standards, best practices and guidelines. Though the country has recognized PakCERT as official cybersecurity response team but its role is limited to creating public service cybersecurity awareness. There is no system to quantify the exact number of public sector professionals certified under internationally recognized certification programs in cybersecurity. The country does not have any certified government and public sector agencies certified under internationally recognized standards in cybersecurity.

The report points out that the country has no framework for interstate cooperation or system to share cybersecurity assets across borders or with other nation states. It lacks intra-agency cooperation or sector-specific program for sharing cybersecurity assets within the public sector.

It indicates PISA R3C is the newly formed collaborative project where multi-sector teams can join together to leverage each other’s skills set and resources to better address the needs of its partners. The core objective of the project is to bring experts, academia, the public sector and law enforcement closer.

Pakistan is a member of the ITU-IMPACT initiative and has access to relevant cybersecurity services. It participates in Asia Pacific Security Incident Response Coordination Working Group APSIRC-WG.

Based on ITU study findings, Pakistan has some child online protection legislation, like Section 293 of the Criminal Code. It has also acceded, with no declarations or reservations to articles 16, 17(e) and 34(c), to the Convention on the Rights of the Child. In addition, Pakistan has acceded, with no declarations or reservations to articles 2 and 3, to the Optional Protocol to ‘The Convention on the Rights of the Child,’ on the Sale of Children, Child Prostitution and Child Pornography. But it lacks institutional support to implement these legislations because there is no agency responsible for online child protection and has no proper mechanism of reporting such incidents in place.

On the other hand, India has various criminal legislations and regulations, including The Indian Penal Code and Information Technology Act, to specifically deal with cybercrimes in the country. It has officially recognized national CERT also known as CERT-IN. The country has a comprehensive cybersecurity policy compliance arrangement. The government mandated implementation of security policy within government agencies in accordance with the Information Security Management System (ISMS) Standard ISO 27001. Computer Security Guidelines have been issued for compliance within government and are being circulated to all departments and ministries. Cybersecurity drills are being conducted to assess preparedness for critical organizations. The Five Year Plan on Information Security also has guidelines on standards.

Read more: Change is the only Constant

It indicates that India does not have any officially approved national or sector specific cybersecurity frameworks for the certification and accreditation of national agencies and public sector professionals. However, it has in place the Information Security Management System (ISMS) Standard ISO 27001.

On the policy side, the neighboring country, India, has an officially recognized National Cybersecurity Policy (NCSP). It also has a national governance roadmap for cybersecurity through the Five Year Plan on Information Security. The Department of Electronics and Information Technology and Ministry of Communications and Information Technology are the officially recognized agencies responsible for implementing a national cybersecurity strategy, policy and roadmap.

Cybersecurity training facilities have been set up to provide training for law enforcement agencies and facilitate cybercrime investigation. CERT-IN in collaboration with CII, NASSCOM and Microsoft has also created PortalSecureYourPc.in to educate consumers on cybersecurity issues. Training centers have been set up at CBI, Ghaziabad and Kerala Police to facilitate advanced training in cybercrime investigation. Ninety-four training programs have been conducted by CERT-IN on specialized Cybersecurity topics in which 3,392 people have been trained. However, there are no statistics showing how many professionals in India are certified under internationally recognized certification but Controller of Certifying Authority (CCA) has licensed seven Certifying Authorities (CA).

SAARC

In order to facilitate sharing of cybersecurity assets across borders or with other nation states, India has signed specific cybersecurity cooperation agreements with US, Japan and South Korea. India participated in cybersecurity drills of US (Cyber Storm III). CERT-IN experts helped in establishment of CERT-Mauritius. However, there is no officially recognized national program that supports the sharing of cybersecurity assets within the public sector.

India is also a member of the ITU-IMPACT initiative and has access to its relevant cybersecurity services. India is also a member of the UN Committee of Group of Experts as well as in the Council of Security Cooperation in Asia Pacific (CSCAP) for enhancing cooperation in the area of cybersecurity.

The country has a specific legislation on child online protection under Sections 67, 67A and 67B of the Information Technology (Amendment) Act and Section 20 of the Protection of Children from Sexual Offences Bill. However like Pakistan, India also does not have an officially recognized agency that offers institutional support to child protection online. However, in India there is a security incident report mechanism available on CERT-IN website.

Cyberwellness: Pakistan vs India

Cyberwellness

Read more: Banking on Luck

The way forward
Syed Hassan Mussana, a cybersecurity analyst at Ebryx, a network security firm, believes that Pakistan needs to have a multipronged strategy to counter cybersecurity related threats. According to him both public and private sectors have great disparity in their information security requirements and strategies to deal with threats and attacks.

Law enforcing and security related institutions have very stringent cybersecurity arrangements. Most of these organizations have isolated networks guarded with state of the art technologies. In some cases, these organizations have developed their own set of indigenous tools to ensure maximum information security.

While on the other hand, public sector organizations, except some regulatory bodies and authorities, in the country are not giving due importance to information security. Generally, in most government organizations data is exposed to cyber threats due to lack of awareness and unavailability of information security strategies.

Similar is the situation in the private sector. Only financial institutions, telecommunications and IT companies are concerned about information security. Rest of the manufacturing and services’ sectors remain unconcerned, Mussana adds.

Individuals are another area of concern that has almost zero awareness about information and cybersecurity. Though individuals do not have critical data but their identities in social cloud are at great risk.

Mussana points out that the Prevention and Control of Cyber Crimes Ordinance (PECO), lapsed in 2009, is the only piece of cyber legislation available in Pakistan. The much talked about Prevention of Electronic Crimes Bill 2015 is still pending before the Senate as general public and IT sector have raised concerns about penalties proposed under the new law.

It will not be wrong if we say cyber legislation in Pakistan is at preliminary stage, though our neighboring India adopted such legislation in 2000. In Pakistan, cyber or information-security is relatively a new subject though the country has started to think about it. Hardly a few educational institutes, like National University of Science and Technology (NUST) and Military College of Signals, are doing some research work on information security and have developed their own Cyber Emergency Response Teams (CERTs). In cities like Lahore, there is not a single university that offers a degree in information security, though all institutes teach one Network Security subject.

While explaining the multipronged strategy to counter such threats Mussana says all stakeholders including academia, industry and government have to jointly evolve a cybersecurity strategy or policy. Universities cannot alone produce information security professionals because there is virtually no demand in the Pakistani market. He says 95 percent of IT graduates join software development while the rest work in networks, security and hardware.

But if the country has some national cybersecurity policy and system of certification in place, the country’s information security could be handled in a better way like some high-end IT and software firms have already devised their own cybersecurity strategies and set of policies to safeguard their networks.

Ahmed Raza has an abiding interest in Technology. He writes under a different pen name for leading dailies.

اسے اردو میں پڑھیں

Authors

Related posts

  • maverick

    Still a long long way to go. coming behind Afghanistan is hugely embarrassing.

  • Alizay Rehman

    good infographics

Top