A Knight That Never Was: The Absence Of Strategic Comprehension Leading To Cyber Insecurity For Pakistan

Introduction

This article aims to dissect and analyze why Pakistan faces tremendous insecurity in cyberspace. The primary driver of the problem is a lack of appreciation of the strategic nature of cyberspace and a lack of comprehension of the distinct structure of cyberspace. Additionally, there seems to be a lack of commitment to pursuing effective solutions that can have a transformative and holistic impact on the state of cybersecurity in Pakistan. The article describes how it may be concluded that Pakistan has a weak cybersecurity posture while admitting that determining the true extent of the damage is not possible in current settings. We discuss some of the fundamental components required for an effective national cybersecurity arrangement before finally describing a national initiative that could have steered Pakistan in the right direction by addressing the need for these components.

Over the last decade, and specifically in the previous five years, Pakistan has been steering in a direction that is out of sync with the flow of cyberspace policies and initiatives in the rest of the globe. However, much of the focus of cyber discussion has been on ‘the high and right’ in Pakistan’s academic, military, and policy-making communities. There has often been a display of blatant adaptation of ideas showcasing transitory clever tactics but lacking strategic intent. There has been a failure to register correct policy prescriptions in terms of National level investments and initiatives. Investment has been significantly misaligned with National Cyber Security Policy, and there is incomprehension by the governing and academic bodies on the structural imperatives of cyberspace itself as a distinct environment. A weak cybersecurity posture can lead to strategic damage, while a strong one can be a doorway to achieving strategic outcomes.

Any researcher who approaches this discussion expecting to find any comprehensive systems of thought similar to that of nations participating in the great power competition will have to turn back disappointed. One may be profoundly impressed by the beautiful intellectual subtlety displayed in the official National policy and strategy documents, statements by the concerned bureaucrats or technical architects, and information conveyed in public postings showcasing a progressive cybernation. But documents, statements, and PR activities must be backed by positive action. The current Pakistani mindset in cyberspace is somewhat impatient with detail and consequently destitute of that organizing faculty that gradually works out a system of ideas by interpreting the fundamental principles with reference to the ordinary facts of observation.

The fundamental nature of the cyberspace environment rests on the structural conditions of ‘constant contact’ and ‘interconnectedness’as its core conditions. These conditions drive this environment, making the cyberspace environment distinctive in its characteristics compared to other strategic security environments. This posits that strategy in cyberspace must be unshackled from the premise that it deals only with the realm of coercion, militarized crisis, and war in cyberspace. The practical implications display two sentiments. One – the reverence of the occidental world despite the existing mental differences, and Two – policy and strategy writers need to be fully alive to present any theory in the form of a thoroughly reasoned out system.

The State of Insecurity for Pakistan in Cyberspace

The failure to recognize the strategic imperatives of cyberspace, coupled with a failure to invest in the right cybersecurity initiatives, has led to a precarious cybersecurity posture for the public and private sectors. Cyber resilience is, unfortunately, a concept without any relevance in Pakistan’s cyber landscape. Furthermore, the non-existence of detection capabilities and mechanisms implies that the true extent of the damage cannot be measured, and compromised networks have not been identified. More importantly, the strategic damage being dealt to Pakistan’s national power, which owes itself to the strategic nature of cyberspace, is also incalculable at the moment. And yet, there is some evidence that one may fall back on for analysis to reach insights reflecting a minimum level of compromise of Pakistan’s IT infrastructure and assets, i.e., insights guiding towards concluding ‘there is a high probability that at least this much is compromised.’ The most visible insight is that the Global Cyber Security Index (GCSI) by International Telecom Union (ITU) ranked Pakistan at 79. For comparison, India is ranked 10, and Iran is ranked 54.

This insight leads us to conclude that Pakistan’s cybersecurity posture is extremely fragile overall. Clearly, there are several vulnerabilities in Pakistan’s government digital infrastructure that threat actors can exploit. Recently, the Federal Bureau of Revenue (FBR) Hyper-V infrastructure was hacked, and the crucial PII data was advertised on dark web forums for a $26,000 bid. The FBR website, an essential part of the Bureau for filing tax returns, was down for more than 24 hours. Further investigation revealed that Hyper-V software server virtualization was pirated.

In 2021, the forensic analysis indicated that state actors were using the Pegasus spyware to target individuals, journalists, activists, media groups, and people employed at human rights organizations or NGOs for monitoring and surveillance activities over smartphones. The Pegasus spyware was capable of extracting phone data, including data from the cameras, the microphone, location, call logs, and contacts list. Amnesty International’s Amnesty Security Lab (ASL) revealed that the surveillance spyware, which was supposed to be used against terrorists, had Amazon’s CEO Jeff Bezos, Spains Prime Minister Pedro Sánchez, and Ex-prime minister of Pakistan Imran Khan’s phone numbers, amongst a few on the victims’ list.

In September 2020, Pakistan’s largest electricity supplier, providing electricity services to more than 2.5 million people K-Electric (Karachi Electric), was hit by Netwalker Ransomware (previously known as Mailto, Kazkavkovkiz, Kokoklock, KoKo). Netwalker is usually available as Ransomware-as-a-service (RAAS) on several hacking platforms. The ransomware targeted the billing and helpline services operated by K-Electric. Hackers demanded $3.85 million for data decryption, warning that in case of a delayed ransom payment, the demanded ransom would be increased to $7.7 million, or all hacked data would be released on dark web forums. Interestingly, K-Electric denied this attack and claimed that all data remains intact while labeling the incident an “attempted cyber attack.”

Upon delay or denial of ransom from K-Electric, the hackers released data amounting to 8.5 GB, including financial statements and ledgers. Critical data in the leak included financial documents and Personally Identifiable Information (PII) such as national identification details, bank account details, addresses, contact details, and payment history. This critical customer-centric data may be used to execute future scams, social engineering, phishing attacks, or direct ransom attacks upon customers. The incident hugely impacted the K-Electric operational business as it disrupted financial and billing operations and led to high costs in conducting recoveries.

In November 2021, the National Bank of Pakistan (NBP) was breached and infected via malware, resulting in an outage of banking systems, mainly ATMs. Later, it was established that there was no ransom note on the systems infected, but the attack primarily aimed to disturb systems and create chaos for an extended period. The NBP attack was confirmed by the State Bank of Pakistan (SBP), with unconfirmed reports of nine private sector banks under attack as well. SBP claimed no suspicious activity was found at any bank except for NBP. 

Reportedly, ATMs faced downtime due to boot sequence corruption in the Windows systems the ATMs operated on, which was affected by Malware Injection into the Active Directory (AD) Boot Sequence. This was accomplished via a compromised NBP Privileged Account on the directory. A senior official at NBP claimed that the hackers did not penetrate the main servers but only “a few computers.” The fact is that NBP is a critical and vital national bank, and this downtime and IT systems corruption is evidence of an intrusion into the infrastructure of NBP. The bank claims that there was no data breach or financial loss to the bank as these attacks did not breach the bank’s firewalls, endpoint solutions, and information security protocols.

In another example, the Pakistan Railways ticketing system was hacked on 30th September 2022. A passenger traveling from Kot Adu to Wah noticed a comment in the ticket receipt where a field had been used to offer prostitution services. The text stated, “sex service available in AC class” on the ticket in the ‘Passenger Name’ response field. The passenger reported the issue to the official authorities. Upon initial investigation, the third party who developed the software for Pakistan Railways claimed in an official statement that their software was hacked, and the issue was reported to the FIA. This was not the first time the Pakistan railway was hacked. In January 2021, the Pakistan Railways reservation system was wiped out, and all online platforms, including websites and mobile apps, were unresponsive for more than 74 hours. Users with registered accounts could not log in as the registration data was deleted and unavailable. It was later estimated that Pakistan Railways suffered a loss of PKR 130 million caused by a decline in the number of reservations during the downtime of the web and mobile platforms.

The most worrying breach in Pakistan’s history is none other than the series of audio leaks concerned with the Prime Minister’s Office (PMO). The audio files were released on the dark web and quickly went viral on social media. Hackers who leaked the audio recordings claimed to be “indishell” on the dark web forum. The leaked data included audio recordings of current Prime Minister Shehbaz Sharif and Ex-Prime Minister Imran Khan. The alleged hacker “indishell” posted in a thread, claiming that there are 100 hours of recordings, and some estimate the data to be about 8.5 GBs. The hacker claims these audio recordings include conversations between the Prime Minister of Pakistan and Pakistan’s Chief of Army Staff (COAS), Gen. Qamar Javed Bajwa, and other high-profile recordings. “Indishell” priced the data at 180 Bitcoinsor $3.4 Million, up for grabs to anyone willing to pay the price. The hackers released three audio files via a file-hosting website to legitimize the attack.

An interesting aspect of the attack is that ‘indishell’ was a founding member of the Indian Cyber Army (ICA) group. Even though the information was posted via a profile labeled ‘indishell,’ the ICA has not yet made any claims. The ICA would have proudly claimed this attack on social media,  given the attack’s impact and complexity. Our research indicated that this is not the actual ‘indishell’ but an imposter. The last claimed activity from ‘indishell’ can be dated back to 2012 when the Multan district government website was hacked. The Government of Pakistan has involved security agencies in investigating the incident further. Cybersecurity researchers have different perspectives on this cyber attack. Some suggest there are recording and bugging devices installed at the PMO. In contrast, others claim that PMO official mobile phones were hacked and used for environmental recordings after compromising these devices’ command and control (C2). Nevertheless, the data is lost and remains a national security risk.

These cyber incidents, and several others that have been made public, lead to one clear conclusion; the state of cybersecurity in Pakistan is that it is almost non-existent. Every asset is at risk, from critical infrastructure to financial systems to sensitive offices such as the PMO. It should be kept in mind that this is only the visible extent of the damage, while the actual state of cyber insecurity is yet to be determined. The argument here is not that Pakistan may face severe damage through cyber attacks in the future. The argument is that, quite possibly, Pakistan is already a target of extensive, aggressive cyber activity. Additionally, we cannot even hope to ascertain the damage being dealt by cyber espionage operations and cyber counterintelligence operations, as their success depends on staying undetected for extended periods of time.

It should also be noted that all stakeholders in Pakistan are at equal risk, given that the defining characteristics of cyberspace are interconnectedness and constant contact. This is precisely how the Cyber Kill Chain is used to propagate an intrusion through a series of interconnected networks. The attacker breaches a single network and then escalates privileges to establish a beachhead in that network. This allows the attacker to identify what other networks may be connected or accessible from this base network and then proceeds to penetrate those networks. Hence, one compromised network in a series of connected networks poses a cyber risk for all connected networks. Even more worrisome is that we now live in an age where air-gapped networks, those not connected to the outside world or the internet, are also being breached all over the globe. Unless a coordinated strategic effort is mobilized at a national scale that mirrors the interconnected nature of cyberspace and is intended to compete and defend in a fashion similar to the constant nature of competition in cyberspace, Pakistan cannot hope to develop effective cybersecurity.

The Fundamental Components of Effective National Cyber Defense

The following section intends to establish a frame of reference via the example of the United States to communicate the authors’ opinions better. It does not imply that the details shared are exhaustive in listing the fundamental components required of an effective national cyber defense arrangement. Since CERTs are the most visible component of a cyber defense arrangement, we begin this discussion as such. According to several definitions, the role of a CERT is to respond to cybersecurity incidents. The mission of US-CERT, the national Computer Emergency Readiness Team in the United States, is to analyze and reduce cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinate incident response activities. A measure of the effectiveness of US-CERT when protecting U.S. interests in cyberspace is a different debate, but it owes its effectiveness to a holistic system of cyber defense platforms, agencies, and solutions. US-CERT falls under the U.S. agency Cybersecurity and Infrastructure Security Agency (CISA), which in turn falls under the Department of Homeland Security (DHS).

The US-CERT provides several tools and services and facilitates coordination among various agencies and stakeholders. US-CERT operates a website that disseminates threat alerts and possible solutions for all sectors. It maintains a cyber alert system that delivers timely, actionable threat alerts, targeted at potentially vulnerable network owners. It houses the National Cyber Response Coordination Group (NCRCG), which allows a partnership between the CERT, the U.S. Department of Defense (DOD), and the U.S. Department of Justice (DOJ). Through the NCRCG, the CERT can coordinate activities responding to cyber incidents or attacks bearing national significance. The CERT also hosts the Government Forum of Incident Response Teams (GFIRST), composed of more than 50 incident response teams cooperating to secure U.S. cyberspace. The CERT operates the US-CERT Portal, allowing the government and other stakeholders to share sensitive cybersecurity information and data securely. To top it all off, the CERT has also developed the Einstein Program, which is a tool that automatically collects, correlates, analyzes, and shares cybersecurity information for all networking activities in the U.S., with all government agencies and stakeholders.

The US-CERT’s parent agency CISA also provides tools and services such as the Cyber Security Assessment Tool (CSET). CISA is responsible for advising the U.S. government on cyber threats and incidents. It maintains its expertise in cybersecurity through a combination of research and development, threat intelligence, government policies, and information it obtains through the US-CERT. Apart from US-CERT and CISA, U.S. DOD has also established the U.S. Cyber Command (USCYBERCOM), one of the eleven unified combatant commands in the U.S. USCYBERCOM now operates as a command independent of the Pentagon. The U.S. Department of Commerce has established the National Institute of Standards and Technology (NIST), which provides a voluntary cybersecurity framework known as the NIST Cybersecurity Framework. The framework allows businesses and organizations of all sizes to reduce their cyber risk and increase cyber resilience.

Then comes the valuable contributions of the U.S. private sector, with firms such as Lockheed Martin and MITRE ATT&CK leading the way in threat intelligence, risk assessment, and analysis tools. Or firms such as Acalvio Technologies that develop active cyber defense tools such as deception platforms or shadow networks. This has only been possible by the U.S. government’s policies to promote such partnerships and activities. Finally, the U.S. government has established the National Initiative for Cybersecurity Education (NICE) program. The National Security Agency (NSA) manages the program in collaboration with the National Science Foundation (NSF), CISA, FBI, NIST, DOD, and USCYBERCOM. NICE has led to the establishment of academic and government partnerships in the form of the National Centers of Academic Excellence in Cybersecurity (NCAE), with three different paths individuals can choose from; Cyber Defense (CAE-CD), Cyber Operations (CAE-CO), and cybersecurity research (CAE-R). CAE status has been granted to several academic institutes to accelerate human resource capacity building in the U.S.

The point of explaining the above is that several fundamental components must be present if a nation-state even hopes to ensure adequate cybersecurity. These components, which may also be viewed as national initiatives, are the following: 1) A primary agency or ministry that is mandated with the responsibility of public and private sector’s cybersecurity needs, setting minimum and mandatory cybersecurity standards and industry best practices, providing risk assessment tools, conducting cyber audits to ensure compliance with minimum standards and industry best practices, and developing inclusive cybersecurity policies. 2) National CERTs possessing effective detection and response capabilities, inter-agency or inter-department coordination and information sharing mechanisms, and a targeted threat alert dissemination system. 3) Partnerships between the public sector and academia to build human resource capacity aligned with national requirements. 4) Tools for training human resources in cyber defense operations and a system of certifications considered legitimate by the public and private sectors. 5) Partnerships between the public and private sectors to develop cybersecurity solutions. 6) Incorporating security by design practices for new components added to the national IT infrastructure such as Authority to Operate certificates (ATO)s. 7) The honest intent to empower public sector networks to manage their cybersecurity independently, develop cyber resilience, and support or impose costs as applicable. 8) A National Cyber Command to direct the overall orientation of cyberspace operations and to engage in global cyberspace strategic competition.

A Knight That Never Was

To avoid any miscommunication, we wish to begin this section by stating that, in our opinion, Pakistan is indeed in dire need of an effective national CERT. Nevertheless, we argue that Pakistan needs several other solutions in support of and in coordination with a national CERT to achieve security in cyberspace. The overall strategy should be one focused on empowering public sector networks so that Pakistan’s cyberspace can develop cyber resilience, and developing human resource cyber capacity. Within that focus, a CERT should be an integral component.

Working as Consultants for National Cybersecurity with the Prime Minister’s Task Force for Knowledge Economy, we developed the project plan (PC-1) for a national cybersecurity initiative over approximately 2 years, from conception to official approval. The PC-1 was approved in a Departmental Development Working Party (DDWP) meeting (which is regularly hosted by the Planning Commission of Pakistan and is one of the primary methods for evaluating national projects) in March 2021, with a budget of PKR 1944 Million and a project lifecycle of five years. The project was but a component in the larger national arrangement we envisioned, with planning underway to develop further national components. However, it was to be a challenging undertaking in itself.

The project’s overarching objective was to lay down a foundation of cyber resilience in Pakistan. This objective would have been achieved by bringing together four cross-functional teams whose outputs would have generated feedback loops creating an interconnected system of several services and solutions. At the core, the project was to develop a National CERT accompanied by an Artificially Intelligent (AI) Cyber Threat Intelligence Platform that could continuously generate prioritized, actionable reports by comparing and analyzing the global threat landscape with Pakistan’s local vulnerability landscape. The CERT would also have housed a national first responder team to be engaged in cyber incidents of national significance.

The project was to initiate a national effort towards human resource capacity building, in line with current and future requirements of Pakistan, through the development of a Learning Management System (LMS) paired with a certification process. Furthermore, several training solutions were to be developed; virtual training environments, organizational role-based training modules, table-top exercise modules, and wargaming modules. To ensure effective policy development and governance, a team was to develop in-depth policy, risk assessment tools, and minimum national standards and conduct enforcement activities in the public sector through cyber audits, cyber licensing, and issuance of Authority To Operate (ATO) certificates. Another objective was to create national awareness, which would have been achieved through an annual national-level cyber competition for defense conditioning and information dissemination mechanisms for the general public.

Finally, the project would have aspired to form international partnerships as well as inter-agency partnerships, establish a system of sectoral Information Sharing and Analysis Centers (ISACs), establish a Vulnerability Disclosure Platform (Bug-Bounty Program), engage in strategic cyber research, and become the principle interagency mechanism to coordinate and facilitate national cybersecurity matters. Given the fragile nature of the economy of Pakistan, the project plan also included a sustainability model, which would have led to financial self-sustainability after the five-year project lifecycle was complete. Hence, the initiative was in line with several of the fundamental components required for an effective national cyber defense arrangement and was tailored to meet Pakistan’s specific challenges. Unfortunately, this initiative never saw the light of day and the execution failed to reflect the true intent of the project. This is how things stand despite the project finding a spot in the Public Sector Development Program 2021-22, and bearing continuation in 2022-23.

Due to a lack of visibility, we cannot confirm the following, but it seems that the Government of Pakistan is interested only in establishing a National CERT. If that is the case, we can foresee several problems and challenges for a standalone CERT to grapple with. 1) Pakistan lacks the human resource capacity to establish and then effectively staff a CERT. The training mechanisms required to generate the required HR capacity do not yet exist. 2) Even if the CERT is made functional, the HR capacity does not exist for public sector network owners to heed the alerts issued by the CERT; who will listen in? In cases where a public sector network operator acknowledges the alerts, how will they discern if the alert is relevant to their network or not? If somehow they realize that a specific alert is relevant for their network’s security, will they have the capacity, the budget, and the mandate to make the required changes? Will they understand what changes are to be made to ensure the security of their network concerning the particular threat identified?

3) The CERT may not be able to detect ongoing cyber attacks as no such mechanism exists. Even if detection is made possible, the CERT may very well be overwhelmed by the sheer number of individual offensive cyber activities. How will the CERT prioritize the resolution of cyberattacks when faced with many threats instantaneously? 4) In case a cyber attack is successful, who will be held responsible, the CERT or the network operator? Since the 18th amendment in the constitution of Pakistan, how will a federal government entity force provincial government-operated networks to take defensive actions?

These challenges and problems are only those readily identifiable at the surface. On an operational level, a standalone CERT will face much more severe complexities. A standalone CERT may only aspire to become a glorified technical awareness mechanism with no real impact on Pakistan’s cyber resilience outlook. Furthermore, it would be unfair to rely on such a CERT to perform effectively active cyber defense duties under the current circumstances. Unless and until the Government of Pakistan initiates a process of empowering public sector networks to perform cybersecurity activities, providing support to them via a CERT, encouraging HR capacity building, and enforcing policy and minimum standards, the state of cyber insecurity for Pakistan will persist.

*About the authors:

• Dr. Hammaad Salik is a consultant to the Prime Minister’s Task Force on Knowledge Economy (Pakistan) and a Strategic Warfare Group (SWG) member advisory. The author aims to provide accurate and transparent cyber information to the general public. Expertise includes Cyber Warfare Operations, Kinetic Cyber Warfare, AI, and Cyber Conflict Management. The author can be reached at [email protected].
• Rao Ibrahim Zahid is a Prime Minister’s Task Force on Knowledge Economy (Pakistan) consultant and a member advisory Strategic Warfare Group (SWG). The author tends to research to provide awareness for a developing Pakistan. Expertise includes International Relations, Cyber Warfare, and Cyber Conflict Management, Cyber Threat Intelligence, AI, and Air Defense analysis. The author can be reached at [email protected].
• Babar Khan Akhunzada is a cyber wizard and entrepreneur, Founder of SecurityWall, a cyber security firm focused on Digital Risk Protection and Hybrid Auditing approach serving top-international firms and government organizations. Babar is acknowledged by tech giants within Silicon Valley for security contributions. The author is a well-known speaker who gives his thoughts and analyses on Application Security, Cyber Warfare, OSINT, Cyber Policy, Forensics and Red Teaming. He was listed among 25 Under 25 Young Achievers and featured in international media. The author can be reached at [email protected]