Cybersecurity Threats: Policy gaps, challenges and way forward
One of the most recent cyber-attacks took-place in mid of October, 2018 in Pakistan, where some hackers entered into a Pakistanis banking security system and breached the security. Hackers hacked thousands of credit and debit cards customer’s data. Around 19864 cards were compromised from 22 different Pakistani Banks, as per PakCERT (Pakistan Computer Emergency Response Team) Threat Intelligence Report. Reportedly, around $6 million were stolen from 6,000 accounts which were being maintained by Bank of Islami on October 27, 2018 through international ATMs.
This cyber-attack and breach of banking security system shows weaknesses in our preparedness to cyber threats at the corporate organizational level. Pakistan is also struggling to counter cybersecurity attacks largely due to lack of capacity and gaps in the country’s cybersecurity strategies. Though, cybersecurity is a complex issue, thus it requires in-depth analysis from various perspectives to formulate counter strategies.
We should realize that we are living in the era of the 4th industrial revolution of knowledge, information and technology which is fundamentally changing our lives and the way we communicate and deliver public services. In this rapidly changing world, we have to change and revisit our security strategies. Amid ongoing digital transformation and expanding cyberspace, the growing prevalence and severity of cyber-attacks are posing a serious threat to the global economy, governments, multinational corporations, national security and relations between states and regions.
A recent study titled ‘Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World’, commissioned by Microsoft revealed that the potential economic loss across Asia and the Pacific region as a result of cyber-attacks can hit a staggering USD 1.745 trillion, which is more than seven percent of the region’s total GDP. This study is a clarion-call for businesses and governments, especially in South Asia, to take concrete preventive measures in order to thwart future cyber-attacks.
A recent study titled ‘Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World’, commissioned by Microsoft revealed that the potential economic loss across Asia and the Pacific region as a result of cyber-attacks can hit a staggering USD 1.745 trillion, which is more than seven percent of the region’s total GDP
In this technology controlled society, cybersecurity must form an integral part of our security strategies. Unfortunately, cybersecurity is not yet at the core of many national and industrial technology strategies. Corporations need to be aware of their current capability to tackle this emerging challenge. In a digital world where cyber threats are constantly evolving and the attack surface is rapidly expanding, Artificial Intelligence (AI) is becoming an effective tool against cyber-attacks as it can detect and act on cyber threats based on data insights. Among other measures, organizations must incorporate AI in their security strategies to maintain a robust cybersecurity infrastructure.
The International Telecommunication Union (ITU), a specialized agency of the United Nations responsible for issues that concern ICTs, in its recent publication ‘Global Cybersecurity Index 2017′ ranked Pakistan at 67 out of 193 member countries. The ranking measures the commitment of the member states to cybersecurity in order to raise awareness around five pillars of ITU’s Global Cybersecurity Agenda (GCA) which include legal, technical, organizational, capacity building and cooperation. The ranking placed Singapore at first place followed by United States of America (USA) and Malaysia. Whereas, China, India, Bangladesh and Iran placed at 32, 23, 53 and 60 positions, respectively. This ranking also shows that Pakistan is lagging behind in its own region for its commitments towards cybersecurity.
Another ITU’s Cyber-wellness Profile publication, which provides an overview of the countries’ levels of cybersecurity development based on the aforementioned five pillars of the GCA, highlighted potential areas for improvement and driving cybersecurity to the forefront of national plans for the country. As per the profile, Pakistan does not have any officially recognized national or sector-specific cybersecurity policy strategic framework for implementing internationally recognized cybersecurity standards, as well as certification and accreditation of national agencies and public sector professionals in the country. The report shows that Pakistan does not have any officially recognized national benchmarks or referentials for measuring cybersecurity. Also, there is no national governance roadmap and specific recognized agency for cybersecurity in the country.
However, on the legal front, specific legislation and regulation related to cybersecurity have been enacted through the Prevention of Electronic Crime Act (PECA) 2016 which extends to the whole country. Chapter 3, section 26 of PECA Act says that the Federal government may establish or designate a law enforcement agency as an investigation agency for the purpose of investigation of offences under the Act. Though, the Federal government designated FIA (Federal Investigation Agency) Cyber-Wing to investigate offences under the Act, but lack capacity to respond and investigate modern cyber-attacks.
Moreover, on the capacity building front, the country lacks an officially recognized agency certified under internationally recognized standards for manpower development in cybersecurity. However, PakCERT and PISA-CERT (Pakistan Information Security Association) are the only public sector information security companies that provide data/information security services and trainings to help the public, government and private sector build a secure information infrastructure. However, the government should take lead in establishing an agency of international standards coupled with a comprehensive research and development program to cater to the information security needs of the country.
When it comes to international cooperation, Pakistan recently won a four-year term (2018-22) on the administrative council of ITU by securing 155 votes out of 177 to becoming one of the thirteen countries elected to this trans-governmental body from Asia and the Oceania-Pacific region. This is certainly a significant achievement for Pakistan, which would help the country to further improve its cybersecurity profile as per international standards.
In 2012, a Senate Task Force on Cyber Security committee, comprising of around 40 experts, was established to prepare cybersecurity policy, strategy, laws and national CERT (Computer Emergency Response Team). The task force spent around two years and prepared an excellent draft on cybersecurity policy which was presented to the House as private member bill, but yet to be considered. The draft bill was a comprehensive document and with few requisite amendments can be considered now.
To meet the challenges, colleges and universities should produce cyber leaders and cyber managers. Think tanks, such as the Sustainable Development Policy Institute (SDPI) can be consulted for research support and evidence-based policy advice.
There are so many institutions working on cybersecurity, be it civilian, military or the academia, but all of them are working in isolation, thus they require strong coordination to face the issue at hand. There is an urgent need for the country to form a consensus among stakeholders to develop a comprehensive national strategy for cybersecurity. Also, the country needs to have a separate sectoral level strategy to tackle more sector-specific challenges. Academia should focus more on cybersecurity issues and it should be taught as a subject in school and at the college level to raise awareness among the public at large. Also, to ensure individual privacy and security from cyber-attacks, we must act now.
This article was originally published at:
The opinions expressed in this article are the author's own and do not necessarily reflect the viewpoint or stance of SDPI.