Pakistan Information Security Association (PISA) recently held a Cyber Security Conference at Islamabad. This paper analyzes key aspects of the discourse, captures important observations and recommends action points for securing Pakistan's cyberspace.
Cyber-espionage and cyber-terrorism are stark realities. Department of Home Land Security [DHS} reported 100,000 cyber-attacks in 2011, a five-fold increase over 2010. The hackers charts boast of such supposedly impenetrable and prestigious targets locations as the White House, Pentagon, NASA, State Department, Homeland Security, Nato, CIA and Google, Sony, Citibank, Twitter, and the New York Stock Exchange. This forced President Obama to name Jeff Moss, aka "dark tangent" a well-known hacker, on the Homeland Security's Advisory Council to do battle with organised cyber criminals responsible for internet viruses and worms.
Cyber attacks on websites and information systems target industrial control systems and critical infrastructures that are the central nervous system of nuclear power plants, electrical power grids, air traffic control, transportation systems, banking system, stock exchanges and other vital communication networks. Cyber-warfare is now considered the primary tradecraft to infiltrate, damage and destroy economic and defence capabilities of any nation.
Cybercrime is estimated to be a $388 billion industry [bigger than narcotics and human trafficking combined] by rigging ATMs and stealing personal information from credit cards, social security numbers, health records of more than a million victims each year. In a survey, even Fortune 1000 companies were found to have effective cybersecurity only 80% of the time, which exposed them to about a millions cyber-hits. In Pakistan, nearly half of 22 million internet users have some type of infected malware in their computer systems.
Cybersecurity is the protection of critical information, command and communication infrastructures, its processes and contents, from an electronic attack by deterring existing and potential cyber-threats and implementing effective safeguards to protect cyberspace. As technology is rapidly evolving and converging , mobile and internet technology devices are being integrated into critical information structures, further complicating security, creating new vulnerabilities and risks, albeit with more opportunity for innovative technology.
What is critical infrastructure? Simply put, any infrastructure that can put the security of the country at risk and endanger the lives of the people if that communication network is breached. Cybersecurity is not just about protecting computers or information systems and communication networks. It's more about securing national defence and economic assets. Cybersecurity is a multi-dimensional field with multi-stakeholders, cross-cutting defence and government institutions, banking, finance, commerce and industry, the media, academic institutions, down to the student or any ordinary person who clicks on the internet to join a game in a chat-room without knowing that the innocent-looking avatar he or she is playing with on the other end could potentially be a dangerous cyber-criminal.
Cross-border cybercrime has a global dimension. International co-operation is absolutely imperative because cybercriminals often have no loyalty to any country, do not need passports or visas, and can easily cross territorial borders to commit crimes. Unfortunately, however, our law enforcement is lagging way behind the state-of-art technology to counter more sophisticated cybercriminals. Most cybercriminals operate on a cloud located anywhere on the globe and do not comply with State Bank's unrealistic rule that for a cybercrime to have been committed the server must be physically located in Pakistan! While hackers are well-organised and tech-savvy, the law-enforcers, policy makers, regulators, industry executives, cyber-experts and consumers are, unfortunately, not united to fight them.
While opening the conference, President, Pakistan Information Security Association (PISA) Ammar Jaffri, said that policing cyberspace is not the government's job alone. Not only the security agencies, strategic installations, but all other sectors including health, education, industry and commerce, and above all, the government needs cybersecurity for good governance and economic growth.
He said that security threats are now a reality. We need to educate our government functionaries, business leaders, academicians, consumers other key players to come together on a single platform to develop critical infrastructures and to provide awareness and training to key stakeholders. Because of fast changing technology, it is not possible to achieve 100% cybersecurity at all times.
CEO Nayatel, Wahaj-us-Siraj quoted a verse from the Holy Quran which clearly mentions fingerprints identification on Judgement Day. Kaukab Zuberi, CEO Forensics People and Founding Chairman International Association of Forensic Experts, focused on the new phenomenon of cyber-warfare, called the 5th Domain after land, sea, air, and space. In the US, $500 million are being spent on creating a specialised department to counter cyber-sabotage to protect national assets. Continuing the same theme, Dr Saad Zafar, Dean, Faculty of Computing RIU, warned that a dysfunctional infrastructure means systems-failure of airports, seaports, dams, tunnels, satellites, oil refineries, chemical plants, power grid lines, and telecommunication networks. Zubair Khan CEO Tranchulas, and author of Hacking Portal, strongly emphasised that top management must be on board to stop cyber-exploitation such as biometrics hacking, RFID hacking, VOIP sniffing, and GSM interception, rigging ATMs, even manipulating insulin pumps, among other crimes.
Badar Khushnood of Google Pakistan talked about how the fast changing information technology was impacting the consumers. Information technology is now an integral part of the business process. Increasingly, banks, financial institutions and telecom companies are making good use of IT for on-line banking, mobile banking, and other trendy ways of financial transactions. Adnan Shahid, Chief Idea Officer, Ideogeny, speaking about Technology Entrepreneurship in Information Security, said that innovative information technology had spawned ebusiness models like Dell customised laptops, eBay, Amazon.dot.com, Twitter and Facebook.
Amir Jamil, Chief Info-Security Officer, Interactive Group, highlighted risks associated with using cyberspace. His simple but useful message: "Think before you click. Nothing comes free on the internet". He warned about the dangers of 'digital guillotine', especially when, travellers risk exposure at airports or hotels. He underlined the importance of consumer education. Ateeq-ur-Rehman, Cyber Security Consultant-CCUREIT, quoting Sophos Security Report, said every half-second a unique malware file was being created, 150,000 Malware samples were created every day and 30,000 website were infected daily, a jump of 100% over 2011.
Amin Shareef, Head of Information Security, FFC talked about conducting regular compliance audit. He said humans are the weakest link in the security chain, with a insider involved in 80% of the cases. Muhammad Ali Khawaja, Information Security Officer ZTBL, underlining the need for cyber laws from an industrial and societal perspective, said that there's no Data Protection and Privacy Act in Pakistan. Barrister Zahid Jamil said absence of cyber-laws also provides us with a big opportunity to draft proper legislation to curb cybercrime. Nazir Vaid, Leader of PISA Sindh, said that just as traffic rules and regulations are vital for safety of human lives on the road, cyber-laws are as important to protect the users who surf the net and could be hit by any cyber criminal on the prowl.
Recommendations and action points for Pakistan's cybersecurity:
1. To protect our national strategic economic and security assets including telecommunication networks, power grids and transmission lines, the Government of Pakistan must seriously take cognisance and ownership of Cyber-Defence as the fourth pillar of national security and constitute an autonomous high-powered body that can be named the Cybercrime Control Organisation Pakistan (CYBERCOP.) CYBERCOP, as the name suggests, will be responsible basically for policing the cyberspace, but more importantly, CYBERCOP will be entrusted with tasks and responsibilities of formulating a national cybersecurity policy and strategy and developing the critical infrastructure within the strategic policy framework. CYBERCOP can be constituted through an act of parliament which can then also set up a Cyberspace Oversight Committee (COC) to monitor CYBERCOP's performance and appropriate budgets for its operational activities on a long-term basis.
2. For implementation of the strategy CYPERCOP will set up a Cybersecurity Task Force and establish its performance benchmarks and timelines .The first task of the Task Force will be to conduct a mandatory BASELINE CYBERSECURITY AUDIT through top cybersecurity experts to identify gaps and analyse needs with regard to persistent cyber threats to our communication infrastructures, Before getting down to the nuts and bolts, or bytes, for designing the critical infrastructure, the Task Force will bring all stakeholders on a single platform to formulate a national cybercrime policy and strategy, using a multi-pronged approach to develop an integrated cyber-communication architecture based on universal cybersecurity standards.
3. Cybersecurity Task Force will also put up recommendations for drafting appropriate cyberspace legislation for the approval of the President and the Parliament. Task force will also review and redefine the functions of the existing regulatory bodies (Pemra, PTA, SBP, etc.) regarding content and connectivity issues as well as for financial crimes, and reorganise the cyberspace regulatory set-up to ensure efficiency and transparency. In grey areas where control functions overlap or appear to be in conflict, CYPERCOP will constitute a Dispute Resolution Committee for arbitration among key stakeholders.
4. To prevent 'over-regulation' giving regulatory bodies excessive power of 'kill switch' [shutting down networks] it is important to strike a healthy balance between civil liberties, consumer rights and regulatory requirements. Cyber Security Taskforce will take all major stakeholders on board from civil society, NGOs, lawyers with knowledge of best practices and international experience in cyber-laws, IT and cybersecurity experts, teachers, and industry leaders from public and private sectors and policymakers.
5. CYBERCOP must have sufficient long-term funding for research, training and cyber-education programs. To enable CYBERCOP to develop in-house capabilities and technical capacities in the fight against the best brains in cybercrime, specialised courses recognised by HEC, and training programs in state-of-the-art cybercrime prevention and detection technologies will be provided to develop human resource potential and workforce that will trigger creation of a million plus job opportunities for talented youth not only in the Cybersecurity Industry but also across multiple industrial and commercial enterprises. CYBERCOP will also offer incentives to top cyber experts working abroad to loan their professional services to Pakistan.
6. Public-private partnerships should be encouraged and private initiatives for research and development through innovative idea incubation such as digital identity authentication technologies that strengthen our nation's cybersecurity, must be recognised on merit for national awards, research grants, sponsorships and soft loans for start-up and venture capital.
7. Consumer education and awareness campaigns, especially school education programmes should be launched in collaboration with the electronic, print, and social media. A dedicated CYBERCOP Website will provide the citizens information, education and proper guidance on consumer protection from cyber-attacks and cyber-bullying or harassment, and the procedure consumers can follow to lodge complaints. CYBERCOP will facilitate the consumers in redressing their genuine grievances.
8. Access to affordable and speedy justice is the linchpin of consumer protection in any working democracy. Separate ICT benches must be constituted in the superior courts to dispense of cybercrime related cases speedily at low cost. Unfortunately, the term "Social Engineering' is now euphemistically used for defrauding people on the internet. CYBERCOP will also take serious note of unethical internet advertising like 200% return on investment on gold. "Replicas" of branded phones such as Nokia, Android, Black Berry, IPods and iPads [actually fake] are shamelessly advertised and sold by internet marketing companies. Google is a search engine claiming it's not responsible for advertising content, but does Google not have a corporate social responsibility to protect its customers by checking false advertising claims, at least, if not to promote ethical values? Google owes society that much to protect customers from becoming easy bait for cybercriminals posing as internet marketers.
9. Branding Pakistan to change negative perceptions by projecting pro-business cyber and intellectual property laws and by signing the Cybercrime Convention, can positively attract billion-dollar investment in information technology and related fields, creating job opportunities for millions of talented but jobless youth. World's big business houses want Pakistan to upgrade cybersecurity laws to international standards and link up with the global markets. From the international investors perspective, companies like Oracle, Cisco, IBM, Google, Intel and BlackBerry have already entered the Pakistan market, but they are constrained to expand their business activities because of lack of effective cyber-laws, consumer protection and intellectual property laws. On the economic front, we are losing substantial investment by not tapping into the huge potential of ecommerce. Foreign investment is choked due to lack of proper cyber-laws and efficient compliance mechanism. Not passing cyber-laws and not signing the Cybercrime Treaty raises a red flag to potential investors like PayPal to stay away from Pakistan. Out of 193 countries, PayPal is registered in 190 countries, but Pakistan is among the three countries that PayPal does not serve. Even Nigeria, Zambia and Togo have the PayPal facility. Similarly, Visa and MasterCard are not registered in Pakistan permanently due to inadequate cyber-laws. Once Cybercrime and Intellectual Property laws are implemented, ecommerce will explode in Pakistan, creating thousands of small e-businesses and generating millions of jobs for well over 100 million youth.
(The writer is a management and marketing strategy specialist)