The long road to becoming cyber power

Pakistan has not yet signed new Cybercrime Convention owing to national sovereignty concerns

PHOTO: REUTERS/FILE

ISLAMABAD:

In September 2022 when Harvard’s Belfer Centre released the National Cyber Power Index (NCPI), India and Pakistan were the only nuclear states which were not among top 20 cyber powers.

Indian cyber controls at strategic sites were so weak back in October 2019 that its nuclear plants got infected with a malware designed by the North Korean Lazarus group, which resulted in shutdown of one of the reactors at the Kudankulam Nuclear Power Plant after the theft of intellectual property.

But now fast forward to mid-2023, Indian state-sponsored cyber groups have considerably upped the ante in their cyber warfare strategy.

As recent as in May 2023, an Indian cybersecurity company Innefu Labs released an app on Google Play Store, named nSure Chat, which was falsely projected as a secure messaging platform and links to that app were sent only to high-profile politicians, journalists, scientists, and senior government officials.

This app has now been removed from Google Play Store on numerous reports of data theft. More than 3,000 individuals from Pakistan were invited to download this app but only around 100 chose to download it.

Similarly, in the aftermath of the unfortunate May 9 incident, there was an increased demand for VPN apps for Android to access blocked social media websites. Taking benefit of this opportunity, the same cybersecurity firm released an app on Google Play Store known as iKHfaa VPN under the flag of a fake company called SecurITY Industry.

The link to this app was again sent only to selected Pakistani politicians, government officials and scientists as it was not a general-purpose espionage or ransomware mission. It mines locations (especially unmarked places on Google maps) of Pakistani individuals even if GPS is turned off and reads contact lists as well as messages and chats for confidential info.

However, when it comes to Pakistan, our cyber capabilities leave a lot to be desired. Our public sector institutions such as NIFT are frequently being attacked by adversaries and private data of masses is being published on the dark web, eg LeakBase accessed and leaked consumer data of Paysys Labs, an intermediary that integrates SBP’s Raast services, earlier this year.

Similarly, the Election Commission of Pakistan has issued an advisory for its employees to not open any phishing emails, which might lead to election data being leaked.

Though the Pakistan Telecommunication Authority (PTA) is investing a lot on cyber defence, the major challenge is the involvement of multiple foreign jurisdictions in cyber-attacks and the limitation of law enforcement powers due to territorial boundaries.

This is where the second additional protocol to the Cybercrime Convention can help. Signed by 41 states since opened for signatures in May 2022, this treaty can help governments retrieve traffic data when attacks are launched via proxies in foreign soils and supports the idea of joint investigation teams.

Compared to the older Budapest Convention (2001), there is much more emphasis on data protection and enhanced cooperation regarding sharing of electronic evidence.

The Budapest Convention was signed by 46 states initially but only 25 countries ratified it, resulting in a limited scope of cooperation for member states.

Pakistan has not yet decided to become a party to the new Cybercrime Convention nor the older Budapest Convention, owing to concerns that sharing data with foreign law enforcement agencies infringes on national sovereignty.

The existing Prevention of Electronic Crimes Act, 2016 takes an inadequate view in respect of cybercrimes as it mainly covers defamation and privacy issues on social media, and there is no provision for international cooperation.

In the meanwhile, the National Cyber Security Policy 2021, drafted by the Ministry of IT and Telecom, provides some guidance for securing critical assets and infrastructure.

It calls for the need of a dedicated government wing for implementation of the policy but the blueprint for such an institution needs more clarity when it comes to coordinating among various agencies.

The National Centre for Cyber Security (NCCS) was established by the Planning Commission and HEC back in 2018 but it was mainly focused on research and development with no mandate in policy and regulatory spheres.

Also, taxpayers have yet to see a standard security product spinning out of the cluster of NCCS such as an indigenously designed antivirus or firewall software with regular online updates.

Pakistan had a head start when Alvi brothers of Lahore engineered “Brain virus” to protect their proprietary medical software but unfortunately that advantage is long gone. Becoming a cyber power remains a long and winding road, with multiple policy roadblocks and detours.

The writer is a Cambridge graduate and is working as a strategy consultant

 

Published in The Express Tribune, July 10th, 2023.

Like Business on Facebook, follow @TribuneBiz on Twitter to stay informed and join in the conversation.

Load Next Story