That means we are extremely vulnerable once connected over the Internet. So what could be the solution; a simple solution could be to stay away from the Internet, never be connected, and do not be a part of this new global ICT connectivity. Well, the option is available but the price for this isolation is going to be too high which we may not be able to afford. We need to utilize and get benefit from modern ICT services while securing ourselves and information assets. We must realize the dangers and take necessary safeguards, so the key here is to stay connected with caution and always take necessary safeguards.
The world has indeed become a global village with the expansion of communication and IT services across the globe. Internet is the basic platform that offers a great number of ICT (Information and Communication Technology) services. Political and geographical boundaries do not matter over the Internet and people across the entire world can communicate with each other without any restrictions.
Internet provides a connected platform for a host of services like the World Wide Web, downloads and retrieval, instant messaging, email, chat, discussion forums, blogging, and video conferencing etc. Even sometimes your regular landline phone or mobile phone call may actually be using Internet telephony through VoIP (Voice over Internet Protocol). Nowadays almost everyone has gone online for office work, education, commerce (e-commerce), meetings, conferences, shopping, health services (telemedicine) and many other reasons.
ICT connectivity has turned the entire world into one community where people can communicate freely with each other. Like any other community or society, this community also has good and bad actors. Unlike the physical world, the bad guys do not have to move around to commit some crime but they can reach anywhere in the world in real-time through the modern means of communication over the Internet. Moreover, there are no boundaries or borders in the cyber world so access is not restricted or controlled. These bad guys are not alone, they are well organized and sometimes even sponsored by the governments to be used against other nations or states.
This aspect has made security in the modern world a very complex phenomenon where real security has gone much beyond just physical security. The challenge is to make everyone, starting from a common ICT user to a top decision-maker understand this complicated state of security. Unfortunately, we mostly lack awareness in this regard although we can see some efforts being made in this area. We must move forward with a deliberate plan to make everyone aware of the security issues linked with these modern ICT services.
Use of Social Media
The increasing use of social media and networking applications in Pakistan give rise to possibilities of abuse, misuse, data theft, and identity theft. Social bots (bots controlling social networking accounts) are likely to surface. The use of mobile devices for carrying out regular financial transactions and weak Bring-Your-Own-Device (BYOD) policies at offices will increase cyber-attacks using botnets, exploits, malware, phishing, etc. On the other hand, Edward Snowden, the popular whistle-blower revealed in the year 2013 that the National Security Agency (NSA) from the U.S. is carrying out extensive surveillance of information infrastructure worldwide, and Pakistan is the second most spied over country by the NSA.
The main concern over the Internet is privacy and security. Not only the information that goes over the internet could land in the wrong hands but even the information that you contain on any computer or any other smart device connected over the Internet could be retrieved by others. Any device connected to the Internet can be accessed through hacking covertly. Any information that we exchange over the Internet, may it be voice, video, message, photo, email, file, or any other type of data, can possibly be intercepted by a third party through a man-in-the-middle attack. State and non-state actors are equally involved in such activities.
We must understand that routing of Internet traffic does not follow the ‘physically shortest path’ but the ‘cheapest path’, which as per Internet design, is mostly through the U.S. This provides an opportunity for U.S. intelligence agencies to have an effective monitoring and surveillance mechanism over the Internet. Management of Internet and associated services is mostly managed from U.S. with servers, routers, data and information stored within U.S. territory. These companies are providing full access to U.S. intelligence and surveillance agencies to their core servers where encrypted Internet traffic is also available in clear.
There are reports about installing backdoors in routers and other C&IT equipment exported worldwide by the U.S. and even EU manufacturers. It is rightly said that ‘surveillance is the business model of the Internet which means we are extremely vulnerable once connected over the Internet. This needs a simple solution; to stay away from the Internet, never be connected all the time/for longer periods of time, and do not be a part of this new global ICT connectivity. Well, the option is available but the price for this isolation is going to be too high which we may not be able to afford. We need to utilize and get benefit from modern ICT services while securing ourselves and information assets. We must realize the dangers and take necessary safeguards, so the key here is to stay connected with caution and always take necessary safeguards.
Social Media Models
The business model of social media is based on selling users’ information. Facebook was fined £500,000 in the UK due to data protection and privacy violations, interestingly that much amount was being collected by Facebook in revenue every five and a half minutes in the first quarter of 2018. Facebook is also facing a number of lawsuits in the EU under the General Data Protection Regulation (GDPR). On the other hand, in Pakistan’s case, we are still unable to make foreign social media service providers accountable due to the absence of local laws to protect our citizens on their platforms.
The frequency of cyber-attacks has grown over the recent years, causing breach of integrity, confidentiality, and availability of data, leading to heavy financial losses. As more and more devices get connected, cyber-attacks and associated losses will further go up. Cyber threats are perpetrated from various type of hackers.
Different Types of Hackers
Low-cost access to the Internet and increased utilization of smart-phones in Pakistan enhanced the reach of common users to e-banking, e-commerce, and other online services. The present COVID-19 situation has further increased Internet usage in Pakistan like in other countries manifolds where people are working from home, online meetings are becoming a regular feature and even students are attending online classes. This situation has exposed everyone to cyber threats. Pakistan Telecommunication Authority (PTA) statistics from July 2020 indicate that Pakistan has around 83 million broadband internet subscribers (above 39% internet penetration rate), 81 million 3G/4G subscribers, and 167 million cellular subscribers with almost 79% teledensity. It may be noted that the literacy rate of Pakistan is around 65%. Most of the users lack basic cybersecurity education and awareness about the online threats they could face.
SOCMINT (social media intelligence) is now used for gathering real-time information on social media users. Anyone, friend or foe, a state or non-state actor, can use SOCMINT tools to collect information including our personal and private information. The collected information is analyzed to generate users’ profiles and future predictions. Edward Snowden tweeted in March 2018 that Facebook is a surveillance company that sells users’ personal data. He is of the opinion that surveillance companies have been actually renamed as social media who are collecting user information and doing surveillance in the garb of social networking. We are well aware of global intelligence alliances like, ‘Five Eyes’, ‘Nine Eyes’, and ‘14 Eyes’ and their global surveillance-related activities.
The wide usage of social media and networking applications in Pakistan has increased the possibilities of abuse, misuse, data theft, and identity theft. Social bots (bots controlling social networking accounts) are likely to surface. The use of mobile devices for carrying out regular financial transactions and weak Bring-Your-Own-Device (BYOD) policies at offices has increased cyber-attacks using botnets, exploits, malware, phishing, etc. On the other hand, Edward Snowden, the popular whistle-blower revealed in the year 2013 that the National Security Agency (NSA) from the U.S. is carrying out extensive surveillance of information infrastructure worldwide, and Pakistan is the second most spied over country by the NSA.
The business model of social media is based on selling users’ information. Facebook was fined £500,000 in the UK due to data protection and privacy violations, interestingly that much amount was being collected by Facebook in revenue every five and a half minutes in the first quarter of 2018. Facebook is also facing a number of lawsuits in the EU under the General Data Protection Regulation (GDPR). On the other hand, in Pakistan’s case, we are still unable to make foreign social media service providers accountable due to the absence of local laws to protect our citizens on their platforms.
SOCMINT (social media intelligence) is now used for gathering real-time information on social media users. Anyone, friend or foe, a state or non-state actor, can use SOCMINT tools to collect information including our personal and private information.
The collected information is analyzed to generate users’ profiles and future predictions. Edward Snowden tweeted in March 2018 that Facebook is a surveillance company that sells users’ personal data. He is of the opinion that surveillance companies have been actually renamed as social media who are collecting user information and doing surveillance in the garb of social networking. We are well aware of global intelligence alliances like, ‘Five Eyes’, ‘Nine Eyes’, and ‘14 Eyes’ and their global surveillance-related activities.
With the emergence of 5G and growing trend of Cloud Computing and Internet of Things (IoT) is giving rise to a wave of attacks as well. Cloud computing involves a shared pool of computing resources for data storage etc., and IoT offers connecting everyday devices, e.g., TV, washing machine, fridge, oven, lights etc. with the Internet which ultimately widens the attack surface as well. We have recently witnessed a ransomware attack at K-Electric, managing power distribution (critical infrastructure) of our biggest city. New technologies like Artificial Intelligence (AI) powered attacks could occur in near future.
Global ICT connectivity has brought new dimensions to hybrid warfare. The situation for Pakistan is already very challenging as our enemies are already utilizing their full potential and all available means to exploit our fault lines. Hybrid war may not be a declared war; the enemy is not visible but still, we are in a state of war. Internet and social media are being used to attack our minds, ideology, and national integrity. Social media is effectively utilized to launch propaganda campaigns etc. We have seen the role of social media during the ‘Arab Spring’, U.S. elections, and ethnic conflicts.
The good or bad thing about hybrid war is that soldiers and the civil populations are equally affected but at the same time equally effective too. Thus cybersecurity must be given the topmost priority but unfortunately, the prevailing indicators are not very encouraging as Pakistan still has no National Cyber Security Strategy, regulatory framework, or dedicated government organization responsible for securing the national cyberspace.
We need to protect and provide a safe environment to our citizens on the Internet, may it be domestic or global threats. Female users are more vulnerable to the use of modern ICT services, especially over social media. Around 80% of the cyber complaints reported to the National Response Centre for Cyber Crime (NR3C) in the last year were related to cyberstalking of female Facebook/Twitter users. This is often followed by cyber-harassment or cyber-bullying, where private pictures or conversations are leaked, and the victim is blackmailed. Spam and phishing emails carrying malicious attachment or malware downloaded through web links help the attacker to comprise the victim’s computer, laptop or smartphone, and affiliated accounts.
As per the report published by International Telecommunication Union (ITU) in 2018, Pakistan was ranked 94th out of 155 in Global Cybersecurity Index (GCI), which is significantly lower in the region, India (47), Iran (60), Bangladesh (78) and Sri Lanka (84). GCI is a composite index combining 25 indicators into one benchmark measure to monitor and compare the level of ITU Member States’ cybersecurity commitment with regard to the five pillars identified by the experts.
We can improve the state of affairs by focusing on these pillars and indicators. We have to focus on policies, regulations, laws, institutions (organizational, legal, and technical), education, training, research and cooperation (national/regional/global), etc. as indicated in the figure. National cybersecurity policy is a need of the present time which must come up without any delay. Our essentially required cybersecurity strategy will be derived from this policy.
Cybersecurity education not only at the higher education level but also needs to be included in the part of basic education as young children to are using the Internet where they are much exposed to cybercriminals. Enforcement of cybercrime legislation like “Prevention of Electronic Crime Act 2016” needs more attention. As this act deals with part of the issue, we need to make and implement comprehensive legislation dealing with the complete cyber domain.
Any country lacking effective cybersecurity measures offers an attractive target for cyber-perpetrators. Cybersecurity should be treated as the shared responsibility of everyone within cyberspace. An effective incident monitoring, reporting, recognition, preparedness, response, and recovery mechanism to handle cyber incidents is essentially required in our country.
This necessitates national and sector-specific CERTs (Computer Emergency Response Teams) at different levels. A cybersecurity hotline may be established where netizens can report cyber incidents. Content filtering mechanism for internet traffic and SMS shall be deployed at Internet Exchanges, protecting the privacy rights of the citizens. The activities of cybercafes shall also be strictly monitored/checked and only registered Virtual Private Networks (VPNs) shall be allowed.
This is the time that we must realize the seriousness of the issue and take effective measures to provide safe cyberspace to our citizens. To prevent foreign surveillance and malicious eavesdropping and to confine domestic information within the national cyberspace, security assessment of all IT products, search engines, social networking platforms, and over-the-top (OTT) communication applications, etc. is recommended.
Foreign applications with vulnerabilities and backdoors, compromising the privacy and security of our citizens shall be replaced with indigenously developed secure and reliable alternatives at priority. Demanding ‘data localization’ from foreign companies providing different services (especially social media) over the Internet to store data in local servers is justified, however, we need to develop associated regulations along with meeting the technical requirements and requisite security controls. We also need to provide a secure cyber environment to our citizens and need to aim for cyber sovereignty to define cyberspace boundaries with national borders.
An indigenously developed and controlled national firewall over the Internet may be established, and an indigenous software-based firewall may be deployed on all devices connected to the Internet. There is a need to improve cybersecurity awareness and cyber-consciousness among the public, law enforcement agencies (LEAs), and the judiciary. As ICT and cybersecurity is a specialized technical issue there could be special courts dealing with cases in these domains, like the banking courts. Cybersecurity training may be arranged to enhance the capabilities of IT professionals. National cybersecurity degree programs need to be enhanced to meet the shortage of cyber experts in the country.
Cybersecurity education/training is required to be integrated in the curriculum from basic primary till higher education. We need to develop the culture of R&D in Pakistan which should be able to provide basic skills like critical thinking and creativity also must facilitate the development and commercialization of secure indigenous ICT products (hardware and software) in order to attain national self-sufficiency in cybersecurity to our students starting from their early education, where we normally lack. Hardware development may be difficult at this stage and will take some time, however software development needs little infrastructure and technology.
Looking at the global cyber threats which could exploit our vulnerabilities are arising from using foreign hardware and software, use of foreign social media and OTT communication applications, Internet routers and servers in foreign countries, our data including personal information of our citizens stored at foreign locations, unchecked cyber activities, weak legislation and its implementation, weak organizational infrastructures, capacity issues and above all lack of awareness and our non-serious attitude/approach at all levels towards cybersecurity.
Overall cyber-safety has become the top-most concern of national security worldwide that we must also realise. We need cohesion at national level to tackle the issue of cybersecurity. Our civil society representatives, government/law enforcement agencies, service providers, technocrats, human and digital rights activists, media, policymakers, etc. need to sit together in an environment of trust, mutual respect and open minds to develop a national policy and strategy with full consensus that could effectively tackle this critical issue of extreme importance.