Despite cyber security being an utmost security concern for Pakistan, the current situation seems to be unveiling the vulnerability and unpreparedness of the state in this regard. The recent anonymous cyber intrusion questions national cyber security mechanisms. Who is to be held responsible? What should be more of a concern: the mishandling of sensitive information or the context of information? Is cyber security a matter of national security? All answers remain foggy. At the same time, no one, from the state to the stakeholders, is ready to take the blame for the lack of cyber literacy and relevant defence systems.
In the latest report by Comparitech, the rate of mobiles infected with malware in Pakistan is stated to be 9.96 %. While the perpetrator and malware vary as per their motivation, the two remain unknown in the context of recent cyber intrusion where multiple audios of government officials got leaked. The major hacking of officials’ mobile phones can be traced back to 2019, when “Pegasus”, Israel-originated spyware, targeted Pakistan’s defence and intelligence personnel, including many others. After the incident, it was reported by Dr Arslan Khalid, the focal person of then Prime Minister Imran Khan, that an alternative app would be developed for the secure transfer of governmental data, which is likely to be capitalised on. Later on, it was claimed by the Minister of Information Technology and Telecommunication, Syed Amin-ul-Haque, that by June 2021, a WhatsApp-like app named” Smart Office” would be launched for the transfer of sensitive official data. However, a recent attack of similar nature indicates that, like every other cyber-related effort, this one also remained futile. Even if it does materialise somehow, reckless management of such private communication channels would still leave a pathway for intruders.
Although the National Cyber Security Policy (NCSP) of Pakistan incorporates “Protection of Government’s Information Systems and Infrastructure”, it is yet to be implemented. Nonetheless, the sporadic leakage of WhatsApp voice notes of government figures reveals the security of the Prime Minister’s Office. It not only raises concerns over governmental sector security but also over the security of the wider public. The one who can get access to such high-profile telephonic conversations can harm others in a similar manner without leaving behind much trace. Under such circumstances, human security and, ultimately, national security come into question.
Although the National Cyber Security Policy (NCSP) of Pakistan incorporates “Protection of Government’s Information Systems and Infrastructure”, it is yet to be implemented.
Such a cyber attack can be considered an attempt at the sovereignty of a nation-state. Gaps in Pakistan’s cyber defences provide a gateway to sophisticated perpetrators from all over the world who may intrude and get access to a vast amount of crucial data without much obstruction. This can then impede national security since the core of cyber security, and national security is adjoined. The leakage of critical information is one of the many aspects which contributes to the undermining of security. Therefore, Critical Information Protection (CIP) should be a vital concern for the state to preserve its sovereignty and integrity. Unfortunately, the reflection of weak cyber-defence style has alerted potential intruders. The time has come for the state to take necessary steps towards the protection of sensitive information. But reality seems different; every victim appears to be more concerned about their reputation than considering the security challenges at hand.
The debate of whom to be held responsible has started a blame game in the country. Diverging discourses show no one in the state is willing to take responsibility for the attack. Many, including ex-information minister Fawad Chaudhry and ISPR senior military officials, have criticised the Intelligence Bureau (IB). The latter’s adage is that there is no role of military and spy agencies in bugging. Meanwhile, an IT specialist, Shehzad Ahmed, represented a need for investigation and considered it a flaw in governmental strategy to thwart or counter cyberattacks. On the other hand, political stakeholders are invested in cleaning up their reputations. For instance, the former finance minister countered allegations by saying that it is unfair to call him a “traitor”, and Information Minister claimed that there is nothing “illegal” in the leaked files. Nonetheless, concerned authorities deny taking responsibility.
Besides the unconcerned stance of the stakeholders, room for human error is also present when it comes to the cyber domain. It is wrong to address emotive issues over minimally secured apps, like, in this case, WhatsApp, which has already been hacked. Moreover, using an outdated version of the software also enhances unauthorised accessibility. Due to no national-level programs to address cyber insecurity awareness among the constituents, cyber insecurity is not considered great of a threat in the state of Pakistan.
Although the present audios reveal no major national secrets, it can be expected that a real hazardous incident is not so far away with such persisting cyber security conduct. Motivations behind cyberattacks are diverse; however, the actions of the perpetrator can lead to a suitable conclusion. In this case, the intrusion might be triggered by the deteriorating political scenario of the state. Whether it is an insider threat or not, and whatever motivation is involved behind the recent attack, the perpetrator did not fail to reflect upon the cyber defence style of the state and the response we get from our powerholders.
One fact which needs to be highlighted is that no technology is exempt from flaws. One way or another, it brings perpetrators to our electronic doorsteps. However, the intent and capability of the state to deal with such cyber threats create a difference. As per the under-discussion incident, the question here is not about tracing the intrusion or identifying if its an endogenous or exogenous threat. But rather what a state must do to curtail cyber intrusion and further execute national-level efforts aimed at reducing devastating fallouts. The crisis mitigation procedures remain subjective to the states.
In Pakistan, the counter-cyberattack mechanism has never been a top priority concern, regardless of the state’s increasing efforts towards digitalisation. The people of the state are wondering if they should worry about the flawed cyber defences of the state or be astonished by the political elites who prioritise self-interest over national interest and are “sold like sheep and goats”. Hence, it can be inferred from the current series of cyber attacks and related developments that the urgency to strengthen cyber security within the context of national security is not completely realised by state officials. Instead of involving the responsible stakeholders and relevant institutions in strengthening cyber defence, the officials seem to be occupied with restoring their reputation. This begs an important question for all of us – How many more cyber attacks will it take until the officials realise that beyond damages to their political standing, the recent breaches of cyber security are a serious matter of national security as well?