Cyber defence policy needs rethink | #cybersecurity | #cyberattack


Thirty six years ago, Alvi brothers of Lahore received hundreds of phone calls when the infamous Brain Virus infected thousands of computers in the UK, Europe and the US with a message “Beware of Brain Virus. Contact us for Vaccination.”

Although the virus was activated only when their medical software was illegally copied, it is still regarded as one of the world’s first ransomware.

In 1986, this sounded like a techno-thriller movie. Fast forward to 2022, it is now routine and attacks on core state machinery are a new form of war.

With data breach costs increasing from $3.86 million in 2020 to $4.24 million in 2021, the cyber threat is as real as it gets.

As recently as August 2021, a threat actor vehemently challenged the credibility of Federal Board of Revenue (FBR) by offering to sell access to FBR’s machines for $26,000 after bringing down its network.

Private firms like Israel’s NSO Group sell software that intercept WhatsApp communications and collect data of targets besides tracking their location.

NSO has been openly selling its spyware products to fascist governments since 2011 and it was only in late November 2021 that the US has placed the company on blacklist.

Another Israeli project (Stuxnet) created a computer worm that destroyed Iranian centrifuge systems in 2010. The worm kept on spreading on a network till it reached the PLC (Programmable Logic Controller) for centrifuge control.

Reverse engineering by Kaspersky Inc showed that though Stuxnet was a relatively simple malware, yet it had the potential to become a strategic military weapon which could be triggered in case of war.

In fact, Russia has repeatedly capitalised on this new weapon of choice and has launched many cyber-attacks, codenamed NotPetya, against Ukraine, causing damages of billions of dollars since 2017.

For Pakistan, the Prevention of Electronic Crimes Act, 2016 takes a limited view of such cybercrimes as it mainly covers defamation and privacy issues on social media, besides aiming to moderate public opinion about the government and other state institutions on internet.

When it comes to cyber warfare as a state-sponsored geostrategic weapon, there is nothing in the law nor in the policy to combat it.

The National Cyber Security Policy 2021, drafted by the Ministry of IT and Telecom, recommends that an implementation framework needs to be developed by a dedicated wing of the federal government.

With an active defence approach at national, sectoral and enterprise levels, the critical national information infrastructure should be protected.

A cyber governance policy committee has been formed but it seems like the ministry is not ready to own the process completely and another autonomous body, which does not exist yet, will handle the execution.

The problem with the regulation of cyberspace is that if a malicious user abroad attacks and steals data from a server based in Islamabad, the authorities in Pakistan won’t be able to prosecute the individual.

All trans-border attacks define a grey area as there are no cyber boundaries between countries.

So cross-border cyber-attacks are in tension with international legal norms, and FIA’s attempt to collect foreign evidence will raise complex jurisdictional questions.

To address these cybercrime issues, the Budapest Convention on Cybercrime is the first international multilateral treaty that encourages harmonising national laws of states who have ratified it.

Co-drafted by the Council of Europe with USA, Canada and Japan, it was signed by 46 member states initially but only 25 countries ratified it later, by amending their national cyber laws.

If Pakistan chooses to ratify this treaty, it will coordinate cybercrime investigations involving the EU and the US, which will enable us to prosecute individuals engaged in illegal cyber activities from member states.

Attacks from enemy-held cyberspace could also be traced through the networks of states who are signatories of the Budapest Convention.

However, Pakistan has not yet decided to be a party to it, fearing that data sharing with foreign law enforcement agencies infringes on national sovereignty.

Moreover, the whole framework is legally binding and signing the treaty is by no means a mere formality as it must be passed as an act of parliament.

The inclusive parts of the Budapest framework related to racism, freedom of speech and xenophobia implies that it will be an uphill task to get it adopted by both houses.

The writer is a Cambridge graduate and is working as a strategy consultant



Published in The Express Tribune, March 7th, 2022.

Like Business on Facebook, follow @TribuneBiz on Twitter to stay informed and join in the conversation.

Original Source link

Leave a Reply

Your email address will not be published.

seventy eight − sixty eight =