Events over past six weeks have exposed cyber threats to Pakistan’s digital payments infrastructure. Issued last week, the central bank’s specific guidelines on digital payment security are a belated, but much-needed awakening. A lot more needs to be done. To start with, Pakistani state needs to recognize that organised cyber crimes, especially of the financial kind, pose a direct threat to national security.
In the wake of the recent breach, there is confusion over where the buck stops. The SBP is the banking custodian. But its mandate covers reducing financial risk and ensuring business continuity – not fighting off cyber threats in particular. Globally, central banks like the Federal Reserve and the Bank of England regularly issue guidelines on cyber security and take steps to ensure compliance, but they are not responsible for or expected to reduce cyber thefts in the broader environment.
So who is in charge? It was in 2007 when the Pakistani state decided to fight cyber crimes in an organised manner, through a ‘National Response Centre for Cyber Crimes’ (NR3C). The institution chosen to house NR3C was the Federal Investigation Agency (FIA), which falls under the Ministry of Interior. (Countries such as the US, France and India have housed their cyber-security wings under their Interior/Homeland ministries; the UK, however, opted for a military umbrella in its GCHQ directorate).
But the NR3C may be ill-equipped to fight organised cyber crime, especially of trans-national nature. Its current mandate is really broad – covering cyber crimes (hacking, cyber bullying/stalking, data/identity theft, financial fraud, denial of service attacks, etc.) and providing forensic services (computer/ mobile/video forensics, network forensics and technical training).
And as the name suggests, NR3C is a reactive organisation that mostly “responds” to cyber crimes, often undertaken by individuals and small groups. Even there, a complaint’s journey through “enquiry” to “case” to “prosecution” to “conviction” to “arrest” is terribly slow. A different, “cross-sectional” setup is required to proactively focus on reducing “systemic risk” arising from a spectrum of “organised” cyber crimes.
Until that happens, the banking regulator has, between the lines, made it clear it won’t be made a scapegoat. As differences emerged last month between FIA and SBP over how to reduce banking system’s cyber exposure, the SBP officials reportedly told FIA officials that “the ultimate responsibility for IT security rests with the board of directors and the senior management of the banks/DFIs”.
https://www.dawn.com/news/1445665
For the matter in question, digital payments security, it is the responsibility of the banks to boost their IT capabilities and secure their customers’ deposits and trust. (In the coming days, this column will analyze the likely impact of the SBP’s recent payment security rules on the banking and IT industries). But that alone will not cut it in the absence of an effective cyber-coordination mechanism among the state’s financial, telecoms, judicial and law enforcement authorities.