The UK-headquartered cyber threat research and security firm Sophos Labs recently published a report dissecting malware-laden replicas of legitimate Android apps, primarily intended to exfiltrate the personal data of users in Pakistan.
Most prominently, one of these applications was a near-perfect replica of the Citizen’s Portal app developed by the Prime Minister’s Development Unit (PMDU) in Pakistan. This choice of target reveals that the malware’s developers are familiar with the growing importance of this app for Pakistani citizens, i.e., they are exploiting a direct interface between the Prime Minister of Pakistan and ordinary citizens.
The Citizen’s Portal app authenticates the users’ accounts using Computerised National Identity Card (CNIC) verification through the National Database Registration Authority (NADRA) database and the associated mobile numbers. It also asks for users’ residential addresses. As far as the personally identifiable information goes, the Citizen’s Portal app asks for the most sensitive details and can be considered a goldmine for the elements looking for high-end commercial gains in the darknet.
Since the Citizen’s Portal itself is layered with security and vulnerability controls, the alternative was to develop a matching replica mimicking the app. Though the replica was unable to secure a place on the Google Play Store, the malicious cyber actors who developed it were able to host it on the official website of the Trading Corporation of Pakistan (TCP), a private limited company operating under the Ministry of Commerce.
An important observation is that TCP’s official website, hosted on the Government of Pakistan’s domain (gov.pk), was developed, and is still maintained, by Karachi-based Interactive Media, a private company.
Screenshot of TCP website captured by the author
This is a concerning predicament since the National Information Technology Board (NITB), an autonomous organisation working under the watch of the Ministry of Information Technology and Telecommunication (MoITT), was mandated to digitise all the federal government departments and take responsibility for their back-end management. While the TCP is not a government organ, per se, it is state-controlled and thus falls under the purview of the NITB.
It is the responsibility of the National Telecommunication & Information Security Board (NTISB) under the Cabinet Division to proactively identify and alert government organs to any cybersecurity vulnerabilities that could disrupt or degrade the functioning of any government department. Some of its stated functions include:
- “Assess the effectiveness of the policies issued by the Government to regulate security aspect of ICT services and identify the weak links to the organisations concerned for taking remedial measures (sic)”.
- “Bring to the notice of controlling authority and authorities concerned (Prime Minister/Defence Committee of the Cabinet) about the occurrence of major violations of ICT Security and failure of any organisation to comply with the major decisions/instructions of NTISB”.
- “Task any Government Department/Organisation, Government Agency to carry out investigations/ ground check of any matter related to improving the security of ICT services in a specific Department/Organisation/Institution (sic)”.
That the official website of the TCP was itself hosting a malicious replica of the Citizen’s Portal app indicates negligence by Interactive Media and the failure of the authorities concerned to issue pertinent advisories through the NTISB. Going by the passive attitude inherent in local bureaucratic organs, there is little expectation that a thorough security audit of all government websites will be directed.
Legally, the larger dilemma is that private companies cannot, as yet, be held to account in Pakistan for any cybersecurity negligence in the absence of the relevant national laws. Lack of interest among lawmakers in passing adequate legislation gives impetus to the carefree environment prevalent today.
Technically, the broader issue is the absence of a National Cyber Security Authority (NCSA), which could operate 24/7 and proactively identify the spectrum of cyber threats. Such a focal authority could have an Incident Response Team (IRT) that establishes discreet liaison channels with threat research firms such as Sophos, FireEye, Symantec, etc. to mitigate flagged threats on a routine basis. Reliance upon the conventional bureaucratic channels to “pass the file on” would continue to incur high costs to ordinary citizens and, ultimately, the government itself.
The proposed NCSA should be an autonomous organisation staffed with a dedicated pool of specialists whose primary objective will be to pre-empt future cyber risks, mitigate flagged threats and liaise within and outside the federal government quarters including private corporations, multinational institutions, and provincial governments.
Thus far, the reaction to cyber-related issues by the MoITT and the Pakistan Telecommunication Authority (PTA) has been exaggerated and counterproductive. There are genuine concerns that the government authorities do not possess the domain expertise required to manage and address issues pertaining to cyberspace adequately. Moreover, the politicisation of cyber governance issues is detrimental in the long run, eroding lawmakers’ confidence to legislate and approve rational measures, whether in the form of laws or by establishing dedicated bodies (such as the NCSA) with vested prosecution powers.
Existing civilian and military departments in Pakistan should not be given responsibility for cybersecurity and governance, owing to conflicts of interest and the danger of misdirected operations. Optimal functioning necessitates establishing a new organisation staffed with dedicated human resources inducted through lateral entry on the basis of proven skills and competence. Technical resources include setting up a state-of-the-art headquarters in Islamabad along with Security Operations Centres (SOCs) in Islamabad, Quetta, Karachi, Lahore, Peshawar, Gilgit and Muzaffarabad. Ideally, the head of the NCSA would serve as the Focal Person to the Prime Minister of Pakistan on cyberspace-related issues.
As an immediate step, the Government of Pakistan should direct the Federal Investigation Agency’s (FIA) National Response Centre for Cyber Crime (NR3C) to carry out a thorough investigation of the fake Citizen’s Portal app, beginning with close scrutiny of Interactive Media’s systems and coordination with counterparts in the countries hosting the malware’s command-and-control servers. The exploitation of a national app and the subsequent deception of unsuspecting citizens is a monumental crime that cannot, and must not, be brushed under the carpet.
Lastly, the Cabinet Division should issue an executive directive binding the NITB to take responsibility for, and control of, all websites belonging to government-owned and government-controlled entities. Control by private contractors must be discontinued on a priority basis.