Cyber Security

Why Cybersecurity is Critical to Our Future

Malware, which is a software designed to disrupt, damage, or gain unauthorized access to digital systems, is on a rising vector of volume and complexity, propelled by increasingly sophisticated criminal networks and state-sponsored “cyber armies.” Cybersecurity comprises the technology, processes, and practices that protect the digital (also called cyber) infrastructure and its ability to deliver critical and desired services. Pakistan is one of the most targeted countries in the world and needs to develop legal, technical and organizational capacity to secure its digital assets.

Symantec, which maintains the most prolific civilian database of incidents, ranks Pakistan among the ten most targeted destinations in the world. Pakistan’s nuclear and other sensitive installations are probably targeted, with publically reported attacks on a variety of telecommunications, banking, government, health, transport, utility, and ridesharing organizations. Snowden files revealed that the NSA was spying on Pakistan’s civilian and military leadership, using a malware called SECONDATE.

Cybersecurity is the Flip Side of Digitization

Digitization is driving growth, creating jobs, increasing human well-being, and force multiplying defence capability around the world and in Pakistan — whether it is Careem providing jobs and safe transport to women or Telenor mAgri increasing incomes of farmers, or Siemens’ controllers modulating electricity generation. Underlying these applications is foundational tech like telecom 3G/4G broadband networks, cloud infrastructure, NADRA NIC identification, and bank switches. Around the world, governments are bounding ahead to provide a platform — akin to an integration of the kind of data and services that NADRA, SECP, SBP, PRAL, and provincial IT boards and land record departments provide today in an isolated or “stove-piped” way. Only a unified architecture offers the possibility of substantial productivity gains through easy-to-use mobile apps for citizens and businesses, for example, that preclude visits to offices and use of paper.

The cost and time savings, along with an increase in accountability, transparency, and citizen engagement are gargantuan ; estimates it will save $50 billion a year while boosting citizen delight, ease of doing business and global competitiveness. UAE, on the other hand, expects to save 50% of government spending, while ratcheting up effectiveness and efficiency, using Artificial Intelligence (AI), Internet of Things (IoT) and Blockchain. McKinsey projects that by 2025 Pakistan can save $7 billion annually in government leakages, add 4 million new jobs, lift 100 million people out of poverty, and add $36 billion annually to GDP by integrating into the digital economy.
Yet all these current and future tech advances are threatened by cyber attacks, wilful or unintentional, that degrade or even destroy digital infrastructure as well as physical and biological assets that may be associated with it such as robots and sensors or wearables and implantables like Apple watches and SmartStents whose R&D is being funded in Pakistan by organizations like Ignite and others.

Of Spectacular Attacks and Rising Trajectories

Pakistan has a storied association with cybersecurity. In February 2008, PTCL “held hostage all the world’s cute cat videos,” when it inadvertently redirected 2/3rd of YouTube traffic to an internal site while trying to constrain access to YouTube from Pakistan. Seeking to protect their medical software from copyright infringement, two brothers from Lahore purportedly mistakenly launched one of the first computer viruses ever that went viral through floppy discs back in 1986, before the advent of the Internet. In this decade, three top-tier global cybersecurity companies were built and launched by Pakistani-Americans: FireEye, Elastica, and SparkCognition.

Toward the end of the George W. Bush administration, American and Israeli intelligence launched a futuristic cyber attack, categorized as an Advanced Persistent Threat (APT) on the Iranian nuclear reactor at Natanz. Stuxnet, considered the Oceans 11 of cyber attacks – after the Hollywood movie about a highly sophisticated gambling casino heist, managed to cripple the nuclear reactor even though it was air gapped i.e., not connected to the internet. A tactic called candy drop was used, where infected USB drives are offered to workers at sensitive installations with the hope that at least one of them will insert the USB into internally networked computers. Stuxnet USB drives were infected with a worm, or network virus, which infected computers worldwide, including in Pakistan, but was configured specifically to only impact the Siemens Programmable Logic Controllers (PLC) models connected to the specific number of centrifuges and frequency converters known to be deployed at Natanz, as reported by International Atomic Energy Association’s (IAEA) routine monitoring visits. The centrifuges were made to spin excessively until they broke down, without the Iranian nuclear scientists even suspecting what was happening.
Estonia was perhaps the earliest adopter of digital governance and commercial services. Back in 2007, its citizens could vote, file taxes, access emergency services, verify identity, and conduct banking online. Then, around the same time as the Stuxnet attack, the tiny European nation suffered a cyber attack emanating from Russia, with whom it was embroiled in a political spat. Russian hackers were able to commandeer over a million computers in seventy-five countries to launch what is called a Distributed Denial of Service (DDOS) attack, which paralysed Estonia’s digital infrastructure. Such was the enormity of the disruption, that Estonia, a member of NATO, considered the cyber attack an act of war, and invoked Article 5 of the NATO charter to demand reprisal against Russia. Other NATO members decided that Article 5 did not apply in this instance as there was no loss of life or damage to property, and an outbreak of war was averted. In the future though, a cyber attack may well do so if critical defence or civilian infrastructure like power generation and transmission, water supply, telecommunications, banking, nuclear reactors, nuclear and missile weapons systems, or military C4I systems are disrupted and damaged.


Several universities in Pakistan are now offering degrees in cybersecurity or information security, though overall course quality needs improvement, much like other disciplines. Examples include NUST, COMSATS, NUCES, Bahria, and Riphah, with NUST offering Ph.D. as well and having awarded four. Many other universities offer courses in cybersecurity. Several foreign Ph.D.s were trained under the Ministry of Science and Technology and HEC programs, with returning scholars working in academia and the military.


In 2016, over $100 million were removed through fraudulent online instructions from the Central Bank of Bangladesh on the heels of a similar unsolved heist of $250,000 from Sonali Bank in 2013. This time though, the attack was traced to hackers in Sri Lanka and Philippines using FireEye, a product developed by a Pakistani, Ashar Aziz, which was employed by American investigators invited by the Bangladesh Government.
Such attacks and other more mundane ones comprising malware like virus, trojans, zero day attacks, phishing, spoofing, spyware and ransomware, which propagate through clicking on apps, e-mails or URLs, by installing external storage devices, through merely being connected to the Internet, or even by existing in hardware, firmware and operating systems of commercial computing and communication devices, cause hundreds of billions of dollars of loss annually around the world and compromise confidential information.

Many Pakistani websites and other data are hosted overseas, where system and network administrators, who may hail from other South Asian countries, can provide confidential corporate data to competitors in those countries. Compromised details of textile and leather shipments, with customer names, prices and dates, in the hands of competitors is a powerful weapon of corporate espionage, which hurts Pakistani exports. Spoofing, where e-mails are sent from the target’s e-mail address, and are not discernible from genuine e-mails, are also a threat. Unsuspecting recipients can click on a fake URL contained in the spoofed e-mail, a threat termed phishing, which can open them up to all sorts of data theft. Such data can then be used to extort from recipients or targets through ransomware. Hacking of mobile phones remotely or of Windows machines using pirated operating systems results in similar outcomes and is happening across the country.
The volume and, what is more menacing, types of cyber attacks are increasing; the World Economic Forum estimates that by 2020, $3 trillion will be lost annually to cybercrime. Symantec, which maintains the most prolific civilian database of incidents, ranks Pakistan among the ten most targeted destinations in the world. Pakistani nuclear and other sensitive installations are probably targeted, with publically reported attacks on a variety of telecommunications, banking, government, health, transport, utility, and ridesharing organizations. Snowden files revealed that the NSA was spying on Pakistan’s civilian and military leadership, using a malware called SECONDATE. Then there is the Dark Web, which is not indexed by search engines and does not return in any search results, but is accessible through anonymous browsers like Tor, where a parallel marketplace of illicit goods and services exist, often transacted through cryptocurrencies. The horrific Zainab snuff incident may well have Dark Web connections. Stolen corporate and Government data is also sold on the Dark Web.

The global threat trajectory is fuelled, firstly; by easy availability of cheap softwares like SkyGrabber (cost: $30) which can intercept video feeds from drones costing millions of dollars, and satellites costing billions of dollars, secondly; by AI, which can render attacks undetectable, and thirdly; by the mobilization of offensive cyber attack “armies” by countries like USA, with its Department of Homeland Security’s National Cyber Security Division, China, with its Information Security Base, and others.

Lifting the Fog

With attacks like Stuxnet, which ushered in a new era of sophisticated copycats, and Estonia DDOS, some analysts liken the situation today to the one that existed at the eve of World War II, when governments and armies didn’t know the impact of tech in the field of war and inadvertently triggered it. Technological advances can make attacks exponentially more destructive, akin to a 1000 mph tank, while being much harder to detect than, say, a missile silo or fighter jet manufacturing facility. General Michael Hayden, former Director of the CIA, laments: “Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon… [we have] been unable to decide on a course of action because we lacked a clear picture of the long-term legal and policy implications of any decision we might make.”
Part of the reason for this lack of clarity is the complexity of concepts involved, which specialists, researchers and academics find hard to translate into simple language that non-technical policymakers can understand. At Ignite, which seeks to commercialise research and innovate, we grapple with this problem on a daily basis and have made some headway in coaching researchers to speak the language of business. A similar simplification is required here, else policymakers will not grasp the threat until it manifests, which may be too late. FireEye’s story is instructive. When Ashar Aziz left his CTO job at Sun to grapple with the challenge of AI based cyber attacks that could not be detected as their signature kept changing, he had an epiphany: How about testing incoming traffic on a virtual replica of a network — much like a cat tasted the King’s food to detect the presence of any poison in the old days? His gamble paid off when he came up with a stellar product, the problem was that no one wanted to buy it and the company almost folded. Then a series of spectacular attacks on corporate networks in U.S. caused executives to scramble for cover. Overnight the demand for his wares soared. Today FireEye is a multi-billion dollar public company in U.S. with a global customer base. It is has become first responder on major attacks.

Global Cyber Risk Level and Spending

Estonia also paid heed after it got burnt. To its credit, it did not back down from its ambitious X-Road e-Estonia program — the brainchild of its Prime Minister, a former programmer. Conversely, it became the first government in the world to adopt blockchain, which it used to segregate its databases, appreciably improving their resilience to future attacks, while expanding digitization. The resolve of Estonia should be a lesson to risk-averse bureaucrats and policymakers everywhere, who often cringe at the notion of eGovernment due to the threat of attacks that they cannot fathom. The way forward is to prioritize cybersecurity by putting it high on the national agenda as many other countries have done.
How does one mitigate the risk? The first step is to profile the current situation in the country in terms of what has been done in Pakistan till now and where are the gaps.

With respect to preparedness, Pakistan, stood 67th on the respected Global Cybersecurity Index (GCI) of the International Telecommunications Union (ITU) in 2017. That should ring alarm bells because, while low rankings in ease of doing business, competitiveness, human development, transparency, and innovation are also concerning, inadequate cybersecurity means critical telecom, electricity, and banking networks can be compromised, and digital financial inclusion and eGovernment initiatives stifled. Cybersecurity preparedness can be divided into three strategic thrust areas: legal, organizational and capacity building. Legal refers to legal frameworks and institutions, policies and rules underlying and helping formulate cybersecurity initiatives. Organizational refers to policymaking and technical institutions and frameworks responsible for formulating and implementing cybersecurity strategy. Capacity building is a catch-all term with a wide application toward cybersecurity initiatives like research, education, industry, international collaboration and the rest of the ecosystem. In some elements, headway has been made, while others are both nascent and important, demanding higher prioritization.

Building Legal Foundations and Making Tradeoffs
The government introduced cybercrime legislation in 2016, which imposed criminal penalties on infractions like spamming, libel, stalking and unauthorized access. The Prevention of Electronic Crimes Act (PECA) did not pass through without controversy, which is not surprising because cybersecurity legislation in general has to balance three often competing needs: On one hand state security, legitimat e interests of businesses and other organizations, and well-being of citizens have to be protected; while on the other hand, the civil liberties guaranteed by the constitution, such as freedom of speech and right to privacy, have to be safeguarded. And finally, everything comes with an economic cost, which is often a constraining factor. For example, when traffic is stopped for a motorcade security protocol, it will exact both an economic cost and cause inconvenience to commuters. An allegation hurled as an exercise of freedom of expression may attract anti-libel penalties, which was the concern of rights activists.

Nevertheless, the passing of the PECA has not yet attracted the kind of human rights violations that were feared, though it has provided a vehicle to address online harassment, particularly of women. If anything, there are calls to expand and diversify the staff of the FIA’s National Response Center for Cyber Crimes (NR3C) and district prosecutors, who deal with such crimes. In FY 2017-18, NR3C conducted 2,295 inquiries, registered 255 cases and made 209 arrests in 2018.
The Ministry of IT has been working on a Data Protection Act, which hopefully will be passed soon. It is required to safeguard the data rights of citizens, organizations, and the government in a broader and more nuanced manner than the few data-related clauses in PECA, such as rights to access and grant access to your data, to be “forgotten,” to be able to port your data to other users, and timely notification of any breaches. Such an act would also establish compliance verification requirements and penalties.

The most important action required, though, is the articulation of a cybersecurity strategy, which will define the following strategic elements to the level of detail where they can be implemented: research focus, development of industrial and technical resources, public-private partnerships, international collaborations and multilateral agreements, establishment of more CERT (computer emergency response team), compliance and standards bodies, public awareness, and, most importantly, the contours of an apex cybersecurity body. Even some Gulf, African, and South Asian countries, like Qatar, Ghana and India, have come up with cybersecurity policies, though their success in implementation, and in attaining outcomes like cyber resilience and reduction in cybercrime is questionable. Nevertheless, like any challenge involving complexity, significant expenditure of resources, and deep, broad, and long-term impact, a strategic approach has to be taken, and Pakistan will hopefully execute the strategy much better.

Command, Control and Clear Organisational Roles

CERT keeps an eye on threats, disseminates information, and responds to incidents. It may also provide training, audits, forensics, compliance and other services. Around the world, CERT are hosted by universities, government ministries and in the private sector. Multiple CERT are needed at the national level by government and critical sectors. Pakistan has a couple of low profile CERT outside the defence sector, PakCert and NTISB in addition to some forensics and device security testing labs. PTA has formed a directorate to conduct surveillance of social media to detect and remove immoral and blasphemous material. Pakistan also needs Level 4 and Level 5 data centers, which are highly resilient and trustworthy, and affordable to customers so that important and confidential data can reside inside the country and be less vulnerable to espionage and stealth.
In 2014 there was an abortive attempt in the Senate of Pakistan to introduce a National Cyber Council Act, which sought to establish a large, high level, public-private sector body, that would meet quarterly to oversee an ambitious agenda including the developing of a cybersecurity strategy, setting up CERT, awareness creation, and other strategic elements, but with a part-time CEO, skeleton staff, and “modest” budget. A much more rigorous, focused, well-funded and well-staffed effort is required in the shape of a high level apex organization for cybersecurity, which would formulate strategy and oversee or coordinate its implementation with bodies around the country, monitor metrics, and enter into agreements and collaborations with international bodies to avoid mutually destructive incident precipitation and to learn from each other.

Perhaps because of its long pre-WW2 history of SIGINT (signals intellegance), in the U.S., there is a bit of hodgepodge of mandate, which some blame for the recent unchecked Russian cyber interference in the U.S. presidential election: “The Department of Homeland Security is responsible for national protection, including prevention, mitigation and recovery from cyberattacks. The FBI, under the umbrella of the Department of Justice, has lead responsibility for investigation and enforcement. The Department of Defense, including U.S. Cyber Command, is in charge of national defense. What is needed is a sixteenth branch of the Executiv e — a Department of Cybersecurity — that would assemble the country’s best talent and resources to operate under a single umbrella and a single coherent policy.”

In the UK, which also has a long history of SIGINT, a unification of organizations with overlapping mandates, that acreted over the years, has already been undertaken: “The National Cybersecurity Centre (NCSC) is the UK’s authority on cybersecurity. The NCSC brings together and replaces CESG, the information security arm of GCHQ, the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI).” Cybersecurity Malaysia is the apex federal government body in that country mandated to operate CERT, “conduct outreach and capacity building, strategic study and engagement, and industry and research development.” Malaysia is ranked third-best in the world in the ITU Global Cybersecurity Index (GCI). As militaries usually possess deep technical expertise, serving and retired officers usually play important roles in cybersecurity agencies serving the government. The U.S. National Security Agency (NSA), for example, is headed by a serving four star general, who also heads the U.S. Cyber Command of the Department of Defense, though other government cybersecurity agencies in U.S. and UK are headed by civilians.

Spreading the Word and Inculcating Good Habits

According to PTA there are now over 150 million cellular subscribers and over 60 million broadband Internet subscribers in the country, with penetration continuing to rise, particularly among youth. Alongside, 38% Pakistanis bully others online, compared with a global rate of 24%, according to Microsoft. “This means that awareness campaigns about cyberbullying and protection need to be conducted through social, electronic and paper media, with visits to schools and colleges,” says Idrees Awan, Cybersecurity Evangelist at Ignite, who has put together a roadmap, and also contributed to the research for this article., an online digital skills training portal (and example of eGovernment platform) designed and funded by Ignite, which is becoming increasingly popular across the country, offers cyberbullying and protection orientation as part of its regular training. NR3C has provided over 10,000 courses on the subject. The Cloud Security Alliance and Pakistan Information Security Association (PISA) are industry associations that evangelize cybersecurity and provide services, as does Cybersecurity Pakistan.
Smaller companies, which constitute 90% of all enterprises in Pakistan, are easy targets because they often lack resources and expertise to defend themselves. SMEDA published “Cybersecurity for Your Business” in 2017 as a guideline for small businesses. Schools, clinics and smaller charities could benefit from the same guidelines.

Advanced Persistent Threats (APT) whose zenith is Stuxnet have become more widespread both as cyberwar perpetrated on state institutions and as cybercrime where corporations are targeted. APTs are difficult to detect through traditional cybersecurity measures like firewalls and antivirus, leaving organizations particularly vulnerable to data breaches. Many are initiated by employees, usually unwillfully. Employees need training about this threat. Organizations also need AI based solutions, which cater to new threat vectors. Finally, honeypots – deployed parallel to deceive attackers – record their activities, and counter them. FireEye is an example of a virtual honeypot. State Bank of Pakistan has issued an “Enterprise Technology Governance and Risk Management Framework for Financial Institutions.”
Several universities in Pakistan are now offering degrees in cybersecurity or information security, though overall course quality needs improvement, much like other disciplines. Examples include NUST, COMSATS, NUCES, Bahria, and Riphah, with NUST offering Ph.D. as well and having awarded four. Many other universities offer courses in cybersecurity. Several foreign Ph.D.s were trained under the Ministry of Science and Technology and HEC programs, with returning scholars working in academia and the military.

Local companies like Trillium, Security Wall, Ciklum, [email protected], Five Rivers Technologies, Cyphlon, CGRC, Tranchulas, the aforementioned PakCert, and experts like Shahmeer Amir and Rafay Baloch are important parts of the ecosystem, providing a host of services from training to compliance, corporate cybersecurity strategy formulation to system integration.

Why Paul Romer Won the Nobel Prize

Research and innovation can produce solutions to local problems that no foreign products can address to the same degree. In fact Paul Romer won a Nobel Prize this year for his research on the power of ideas to advance even backward societies that are willing to change and become unfettered from old ways of thinking, defeatist attitudes, and stifling rules. Local innovation creates higher value addition, generates employments, creates an export opportunity if globally competitive, and is more trustworthy from a security perspective. Other times of course, the complexity and scale of products is such that they have to be obtained from global suppliers, as is the norm in our country today. Determining which products fall into which category is part of research strategy. Every link in the digital security value chain should be monitored, and the opportunities for local and global product development identified.
Public private partnership (PPP) is foundational to productization and commercialization. A couple of decades ago, the U.S. Department of Defense spent $60 billion trying to develop a secure database inhouse before it abandoned the project and reverted to Oracle. Innovative startups and new companies drive transformation around the world. Kaspersky, Symantec, Microsoft, and Oracle were all startups in the early stages, and new startups with new products are emerging every day around the world. Over 80% of the components of the first smartphone were outcomes of decades of government, defence, and academic research, but it took a Steve Jobs to pull all that together, create a device of such elegance that almost anyone anywhere in the world could use it, and then produce, market, legally secure and finance it so the iPhone could be placed in the hands of customers around the world. The business challenge can be tougher than the technical challenge. In fact, Mariana Mazucatto argues that all radical innovation is funded by the government because its development cycles are too long for private sector appetite. The computer chip and the Internet are other examples; PakVitae, which has filed international patents for a dirt cheap nanotech water filter, and has attracted international funding that will enable it to provide clean drinking water to 10 million Pakistanis by 2020, is a local example. 100 million Pakistanis do not have access to clean drinking water, causing malnutrition and stunting. PakVitae was incubated at an Ignite funded incubator, NIC Lahore – one of five across the country. The problem with local funding for security and defence innovation in economies that are not at the technology frontier is that the taps are turned on only when there is a ban placed by suppliers, which is harmful in the long run.

As cybersecurity becomes key to operations, larger companies are acquiring cybersecurity startups: “Airbnb acquired the digital identity proofing startup Trooly. In June 2017, Honeywell acquired NextNine, a provider of security management solutions and technologies for industrial cybersecurity, while Microsoft acquired Hexadite, an Israeli startup that uses AI to identify and protect against attacks. Uber, Docker, Dropbox, Twitter, GoDaddy, and others have founded the Vendor Security Alliance (VSA), a coalition determined to establish cybersecurity standards that businesses can use to assess how secure third-party providers really are.”


Public-private partnership (PPP) is foundational to productization and commercialization. A couple of decades ago, the U.S. Department of Defense spent $60 billion trying to develop a secure database inhouse before it abandoned the project and reverted to Oracle. Innovative startups and new companies drive transformation around the world.


Ignite has funded 15 information security projects, whose primary purpose was developing technical expertise and furthering research. Recent projects, awarded to startups, are expected to have a shot at commercialization: xFlow Research, which uses deep packet inspection to enhance network security, N-Spire, which uses AI based cognitive analytics for network monitoring, and a 5G Software Defined Radio (SDR). The recently established National Center for Cybersecurity, with its hub at Air University, networks and funds existing computer science departments in select universities, will pursue research directions like forensics for computer, mobile and social media, secure blockchain, implications of quantum technology, honeypot advanced threat protection, and secure IoT.
Future cybersecurity research directions should include lightweight cryptography for embedded systems, cryptographic aspects of next generation identity management e.g., biometrics, computing on encrypted data, and privacy and anonymity. A homegrown CPU, though a challenging undertaking, would cover one of the links in the platform layer of the digital security value chain.

As Pakistan’s trajectory of digitization continues with initiatives like Government as a Platform, digital financial inclusion, and fourth industrial wave tech like IoT, AI, and blockchain, cybersecurity must keep pace. CPEC also has a strong digital component with respect to digital corridors, tech parks, and smart cars. There is no other way to help lift the bottom half of the population out of poverty, enter the realm of upper middle income countries, and ensure well-being and security of citizens. Given the challenge, a strategic approach is required, which begins with the formulation of a cybersecurity strategy and an empowered, high level apex cybersecurity body.

The writer is the CEO of Ignite.
E-mail: [email protected]

Read 1642 times