Rapid digitalisation has unlocked tons of opportunities for everyone, but it has also given rise to a new set of digital threats that can jeopardise both our data and financial resources. Every now and then, a new case of a cyberattack surfaces and makes the news, and while the target is almost always a corporate or government entity, it is the general public that faces the highest risk.
On July 5, 2021, between 800-1,500 businesses around the world fell victim to a ransomware attack centred on US information technology firm Kaseya. Recently, a local bank reported cyberattack on its network however officials from the financial institution assured the customers that data of the users remained safe.
A cyberattack is when a person tries to gain unauthorised access to a computer system. Cybercriminals are known to copy data and either blackmail the affected company to pay compensation for return of the data or sell it on dark web.
There are many kinds of cyber threats with malware and phishing being the most prominent ones. The rising incidence of cyberattacks has widened the horizon of a subfield of IT knows as cybersecurity.
Not so new
Speaking to The Express Tribune, US based IT expert Sami Aadil stated that the concept of cybersecurity dated back to 1970s when the computers were beginning to gather fame around the world. “At that moment, the field of cybersecurity was neglected because not many people knew how to operate a computer,” he said. “It was also expected that cybersecurity would get wiped out owing to safe and secure computer programs.”
However half a century later, its significance has expanded by leaps and bounds and every company is now focusing on this area. Moreover, it has emerged as one of the most prominent sub fields of IT alongside big data, artificial intelligence and machine learning, he said.
He added that Internet systems are always at threat of a breach however not every security lapse is dangerous. “There are moments when people just intercept systems in an unauthorised manner for fun,” he said. “While a joke, it can have severe consequences in some countries.”
Amid the present age of smartphones and smart homes, the need for cybersecurity has enhanced manifold. Talking about himself, he said that his important data was stored on computer systems. “My mortgage papers, my car documents, phone numbers, essential work files, medical records, travel history, payment history and pictures are all stored somewhere digitally,” he said. “Some of this data is on phone while some is on the laptop therefore a simple breach can leak my data and me vulnerable.” He however saw no way around this because he was able to maintain his record well on computer systems.
According to him, the pace of digitalisation will accelerate further in a few years, every aspect of life would have a digital solution therefore the need for cybersecurity will deepen in the time to come. He added that the popularisation of smartphones has given a boost to digital threats because prior to 2008, hardly any company reported a cyberattack. “There is a reason behind this dismal figure and that is the fact that not a lot of data was required to be stored on the Internet at that time,” he said. “Fast forward 12 to 13 years, our phone numbers and locations are used by ride hailing and delivery firms, our faces are stored on social media applications. Even our fingerprints are now stored on the Internet because they have become essential for phone companies to provide security features.”
He cautioned that if a hacker stole fingerprint, he could withdraw money from a person’s bank account by using it. “This is no secret and such transactions happen,” Aadil said. He saw no escape from storage of data on digital systems and the only way to protect it was swift implementation of cybersecurity as well as stringent laws across the globe.
The European model
In 2018, the European Union implemented the General Data Protection Regulation (GDPR), which is often termed the toughest privacy and security law in the world. “The policy imposes obligations on all organisations that collect data of people living in EU,” Aadil said. “This law levies hefty monetary penalties against those who violate the privacy and security standards.”
At times, the penalties can amount to €1 million. According to him, GDPR bounded EU firms to follow seven principals including transparency, data minimisation, storage limitations and others. Detailing further he said that few principles such as data minimisation offered a lot of protection as it compelled companies to only seek and record information which is necessary and nothing else. Under this clause, companies cannot track a user, for instance, if it is not necessary for them to carry out their essential services. For example a food delivery app operating in the EU may justify that it needs a customer’s address and drop-off location, but may not be allowed to track a customer’s position in real time.
Similarly, the storage limitation clause forces companies to delete the data after the task is finished. For example if a user has exited a car of a ride hailing company and paid their bill, the firm has to erase the recent data regarding the pick up and drop off location of the user. “In many cases, companies have refused to give up data when they were approached by government agencies. Such is the quantum of this law,” he said.
Data sold for ads
He added that there is an on-going massive debate over the morality of firms that sell user’s data to advertising agencies. “It is a debateable matter and more clarity on it would emerge with time but from my point of view, the firm cannot keep on providing free services for no cost. It has to earn from somewhere so it earns by selling user data,” he said. “On the other hand, it is completely unethical as well because the companies giving advertisements are not thoroughly scrutinised.”
Citing that a simple Google search could change ads on all social media platforms, he added that there should be a limit to the user’s data sold by companies. He recommended establishing an authority, which can certify legitimate firms to use data from other companies. “This would largely ease and address the concerns of people,” he said. “The horizon of GDPR can be widened further and such clauses can be included.”
Secondly, he was worried that companies were selling data of minors as well which could have an adverse effect on them and make them vulnerable to threats. “It is no secret that minors excessively use social media and smartphones. However, it is unethical to store the data of minors,” he said.
Their searches are used to recommend ads on diverse platforms. This in particular can have a severe impact on the society. “There are laws in place where even parents can’t access their children’s data but data of minors is freely available to be used by companies for ads,” he expressed concern. “This demands a debate and so far, this issue is not highlighted.”
There is a need to add this factor to cybersecurity as well, he argued. He stressed that there should be limits on whose data would be used by companies for advertisements. He was of the view that similar to minors, the data of senior citizens should also be spared by the advertisement companies. Surprisingly, senior citizens’ data is more widely used that one can imagine because retail and delivery firms know that they would prefer home delivery of items.
Finally, there is also a need to check the legitimacy of companies that buy data from social media platforms for the purpose of ads, Aadil stressed. “There are many platforms which are running ads of shady investment schemes and people are losing their money due to it,” he said. “In such an incident, the company that sold the user’s data to the shady firm for ad purpose should be held accountable.”
Accelerating cybersecurity
Aadil added that world was transforming at a rapid pace and since Covid-19 accelerated digitalisation, there was a need to boost the cybersecurity segment as well. To achieve this, he was of the view that there was a need to make efforts on the grassroots level because the primary problem was lack of cybersecurity professionals.
On one hand firms are unable to find a cybersecurity expert according to their requirement while on the other hand, there are firms that are not doing enough on this front despite holding a massive amount of user data, he said. “Lets take this step by step. Because this field recently came into the limelight, there is a dearth of professionals,” he said. “Up until two decades ago, even universities did not focus on this area.” He added that its significance increased 10 to 12 years back and only then did academia begin focusing on this. “So partly it is fault of academia and partly the industries,” he said.
He detailed that the industry failed to focus on it as well. “Even when the present tech giants were in their emerging stages, they failed to focus in this area. This action further saturated this segment because while companies hired extensively for data handing, research and development, they failed to invest in the vital area of data security.”
He added that the precious time to focus on this area hasn’t passed yet and the first thing that countries, industries and academia can do to encourage data security is investment. No progress on data security front can be achieved without substantial investment.
Giving further details, he said that global cybersecurity infrastructure is weak at this point in time, international countries need to join hands to work in this vital area similar to the global minimum tax.
“Secondly, academia has to enhance its role and in this regard, universities can announce scholarships exclusive to cybersecurity disciplines so that two to four years later, a massive amount of experts would be available in the market,” he said.
“Finally, the industry will have to act as well and it needs to expand its cybersecurity departments and add more people to it because it will be beneficial in the longer run. While cybersecurity departments might seem overcrowded if the industries expand them, it will benefit whole digital ecosystem of the world in future because cybersecurity is here to stay and grow,” he added.
How Pakistan is faring
Pakistan has also reported its fair share of cyberattacks, however the country has remained secure from any massive incident similar to what was witnessed in the US in July.
SI Global CEO Noman Said pointed out that cybersecurity infrastructure in Pakistan was still in its infancy stage. “Protocols are there in some places while they are missing from others,” he said. “We are in the learning phase where we implement new solutions to check whether they would yield the desired results or not.”
He added that the global information security market is worth $104 billion and Pakistan’s IT segment registered a growth of 47% in the past year which was lower compared to international and regional countries.
While the country is lagging behind, it has the opportunity to excel in this area given the huge proportion of youth. He held the opinion that aggregation was the central aspect of cybersecurity and this segment is widening with each passing day. In absence of focus on information security, third parties can unlawfully misuse networks the networks, he said.
Talking about 5G, he said that the emerging technology had different set of protocols and its implications have to be kept in mind while moving towards it. “With every advancement in digital infrastructure, we need to keep cyber threats in mind because any progress in IT raises the risk of digital breaches,” he highlighted. “Many firms use artificial intelligence to controlling cyber security and that is a good option as well.”
Talking about threats, he said malware posed mammoth threats to digital infrastructure and ransomware, which is a form of malware, targets critical business aspects and steals data.
According to him, policymakers needed to keep in mind that cybersecurity has to be treated on an individual level rather than on an aggregate level. Every cyber threat has its classification and a different strategy is needed to rectify it therefore targeted initiatives need to be taken. The world is rapidly moving towards digitalisation hence whenever a new systems is put in place, cybersecurity has to be focused.
Citing figures, he said that 25% of all cyberattacks in history took place in 2020 and targeted multinationals, health and financial sectors. He emphasised that health and public education sectors were largely targeted in each attack. “Pakistan’s cybersecurity in these two sectors is weak and that is why we have a cash economy,” he said. “Our economic indicators encourage online banking but due to occasional lapses, we do not expect transactions to increase by leaps and bounds. Therefore data security departments need to be sustainable.”
The official highlighted that security of key installations needed to be reviewed in a serious manner. “The future is all about data and if we use high end phones, we are giving away fingerprints, facial recognition scans and it is being sold,” he said.
Alpha Beta Core Managing Director Farhan Bashir Khan stated that Pakistan was facing the same cybersecurity challenges that the world was facing. However, he expressed concern that Pakistan was not entrenched in it like the world was and cybersecurity in the country existed at individual level rather than collective one.
“There are many different aspects and cybersecurity is at infrastructure level, cloud level, application level as well as network security level,” he said. “There are many layers and Pakistan has network security and infrastructure issues and it is tackling them.”
On the other hand, cloud integration has not made its mark in the country yet and the application level is in its early stages therefore the country does not have substantial cyber threat but with rising broadband penetration, it can emerge as a challenge. He added that in emerging phases, data breaches are normal however payment systems are most vulnerable at this point in time because financial interest is involved. “Financial transaction and data need to be secured because these are the most common areas where breaches can take place,” he said.
Geopolitical issues
Arif Habib Commodities Managing Director and CEO Ahsan Mehanti said that data security issues were unprecedented and the enhanced role of Pakistan in regional geopolitics had brought the country to the attention of cybercriminals. “The changing dynamics of the world have placed many countries under threat of cyberattacks and Pakistan is one of them,” he said.
However, he claimed that Pakistan was performing way better than expected and countering all attacks effectively. Earlier, there used to be occasional issues of data leaks in financial and capital market but SECP has strengthened all of them. The regulator’s role is of significant importance and it is being reflected from the strengths of the new systems that were placed to combat data breaches in old technologies. “I believe that all systems need to update from time to time and hefty penalties should be imposed in case of data breaches,” he said.
What can be done
Highlighting measures to enhance cybersecurity, Said added that the country could not depend solely on the government because cyber security had a huge horizon and a there was a need to make efforts at micro, macro, regional and provincial level as well to implement the policies.
He lamented that most policies were lacking implementation in Pakistan.
“If we take first step correctly, we will survive all future attacks and have a good experience with our digital ecosystem,” he said. “Creation of rules and implementation are two different things.”
For foolproof implementation, there is a need to keep an eye on all departments where data transfer is high. He further underlined the need to collaborate with neighbouring countries to strengthen regional cybersecurity.
Talking about the financial revolution in Pakistan over the past few years, he added that such a scenario seemed impossible a few years ago but all major entities of Pakistan worked side by side to advance Pakistan to the current level of digital finance. “Technology is growing rapidly. If we are unable to protect it, companies will leave Pakistan,” he said. “The case would be similar to entrance of foreign investment in a nation that could not promise security of the investment and the company chose to leave.”
The official called to inspect all digital transactions and keep an eye out for irregular activity as the first important step towards ensuring cybersecurity in the country. Secondly, review and renewal of infrastructure in direly required and in this regard, specialists should be hired all firms. He further emphasised upon investment in human resource According to him, Pakistan possessed ample potential to excel if all these conditions were met.
“Fortunately, the country has faced and escaped a lot of crises and in this case, we do not need a revolutionary idea rather, we need things that are already there and we need planning,” he said. “The country needs to utilise young talent to implement the processes.”
He added that to meet Pakistan’s demand for cybersecurity the supply is already there. He underscored the need to regulate cybersecurity with the help of a tech policy and appreciated that relevant ministries had begun working on it. He cautioned that failure to act right now could hinder foreign investment. Moreso, he warned that Pakistan’s adversaries could also use the opportunity to steal data from the country.
Khan was of the view that a lot of space for improvement existed in Pakistan’s cybersecurity framework. “Fast paced digitalisation is taking place but at the same time, cybersecurity is lagging behind,” he said. “Security features are not integrated the way they should be and since our reliance is on the mainstream Internet, there can be problems.”
Supporting Said’s view he said government was a part of the ecosystem but other players also had to act. On an infrastructure level there is no cybersecurity ecosystem in Pakistan and due to this, all the digital services provided by the government are vulnerable to data breaches.
He called upon the government to make a policy and facilitate private sector to aid the cybersecurity of the country. Banking sector comes as a part of the private sector and federal level regulators can work alongside banks to aid cybersecurity.
According to him, a lot of work was going on but still Pakistan was functioning way below its true potential in terms of information security. In addition, overprotective measures are restricting certain features of applications, he said. “When the application is being developed and the developer already has limitations in mind, the final product will function below its capacity,” he cautioned.
Cloud services are also under threat all over the world and technology sector has a huge role to play to steer digitalisation in Pakistan. Government can introduce a policy framework and companies falling under SBP, SECP and other regulators can be asked to ensure all protocols of data security, he said.
“The world is moving towards Internet 3.0 and decentralised networks and in the near future, even communication network will be decentralised freeing customers from relying on a single one,” he pointed out. “With such a projection, Pakistan needs to adopt breakthrough tech,” he said.