Joining league of cyber powers: a long, winding road
In June 2024, the US government announced additional export restrictions on Russia and Belarus concerning EAR99 software and IT services provided by American companies. EAR99 is the default category in the Export Administration Regulations (EAR) regime and includes commercially available software. This move was somewhat surprising as the EAR already restricts exports of software with dual-use potential (EAR 5A002 and 5D002) to many countries.
In 2020, the US Department of Commerce’s Bureau of Industry and Security (BIS) added several cyber surveillance and hacking tools to the Commerce Control List (CCL), followed by similar actions under the European Union’s Dual-Use Regulation. In the last year alone, five new categories of cyber surveillance tools have been added to the control lists of the Wassenaar Arrangement, which includes 43 participating states and the European Union.
Pakistan has yet to secure a place among the top-30 cyber powers, according to Harvard’s Belfer Center’s Cyber Power Index. Achieving this status will become increasingly difficult as export controls and cyber proliferation measures tighten. For example, Fortra’s Cobalt Strike software, used for adversary simulations and operations, is now subject to US export control regulations. The company screens every export order against US government prohibited party lists.
For Pakistani buyers, acquiring this software involves a tedious vetting process, as purchases are limited to responsible buyers. The proposed use-case is likely to be rejected. If not, it will require an end-user certificate with constant monitoring to ensure compliance with the original use-case agreed upon at the time of import.
Similarly, acquiring the latest versions of software under EAR, including data carving tools, cyberwarfare simulation programmes, rootkits, vulnerability assessment, and penetration testing tools, is becoming increasingly difficult. Despite these hurdles, the market for cyber weapons is projected to grow at an annual rate of 10%, from $11.6 billion in 2024 to $17 billion in 2028.
This growth trend is evident from numerous billion-dollar mergers and acquisitions in the cybersecurity industry this year. For instance, CyberArk acquired Venafi in a $1.54 billion deal in May, and Akamai Technologies announced plans to purchase Noname Security for about $450 million. Additionally, Cohesity is acquiring Veritas’ data protection business, with hundreds of similar cybersecurity M&A deals in the pipeline.
However, in Pakistan’s public and private sectors, there is minimal progress, particularly on the offensive side.
In key policy documents of Pakistan, references to cyber primarily focus on defence against cyber-attacks, with no mention of acquiring cyber weapons. Cyber weapons come in many forms, and offensive cyber operations are relatively misunderstood from a traditional military perspective.
These operations can range from identifying vulnerabilities in conventional ballistic weapon systems to exfiltrating classified information from isolated networks. They use a variety of technologies for side-channel attacks, such as software-defined radios, ChipWhisperers, and software-defined networks (SDNs).
Offensive cyber operations can directly target installations by deleting critical data, altering data to render systems unreliable, denying communications, and taking control of critical infrastructure systems.
For example, if a state-sponsored cybercriminal gains access to the National Transmission and Despatch Company’s (NTDC) website and manipulates its management panel to report incorrect frequencies, it could force grid operators to make unnecessary corrections, resulting in a countrywide power outage.
The US government launched a project codenamed TEMPEST as early as World War II, involving espionage on information systems through leaking emanations, including unintentional radio and power signals, EMF signatures, and sounds. With the project now overseen by the NSA, the US has perfected numerous techniques to spy on computer devices, including smartphones, laptops, and smart TVs, regardless of their internet connection. These technologies fall within the category of cyber weapons and COMINT (communications intelligence).
Even during peacetime, countries maintain a ‘Software Bill of Materials (SBOM)’ for various systems installed in foreign adversary states, an activity that requires OSINT and tracking public procurement systems. Later, it becomes relatively simple to buy zero-day exploits (unpublished vulnerabilities) for targeted software components to compromise them. Companies like Zerodium (formerly Vupen) sell these exploits to government agencies for use in their cyber weapons.
In a nutshell, cybersecurity is not about antiviruses and firewalls, and cyber warfare is not about common hacking anymore. It has evolved into a complete ecosystem, similar to nuclear and missile technologies, and is increasingly under the purview of US export control regimes. Under such circumstances, becoming a cyber power remains a long, winding road unless there is substantial technology transfer from the US or China.
THE WRITER IS A CAMBRIDGE GRADUATE AND IS WORKING AS A STRATEGY CONSULTANT