Pakistan’s track record of national and sector-specific cyber security remains abysmal. While targeted Distributed Denial-of-Service (DDoS) attacks and amateur website ‘hacks’ continue, as do overt information operations campaigns aiming to exploit internal faultlines on platforms such as Twitter, a more insidious campaign of cyber espionage has surfaced that is unusually indiscreet in its manifestation.
Over the past few months, highly sensitive official correspondence, planning documents, personnel forms and logs from Government of Pakistan departments have been ‘leaked’ online by a select group of Twitter accounts originating in India. This particular coterie, while exhibiting impressive technical competence, indulges in outward behaviour that is typical of cyber mercenaries, and its chosen targets are of very high value. Whether it is a national intelligence agency, the Pakistan Air Force (PAF) base in Bholari, technical procurement plans of the Pakistani tri-services or even proclaimed communication logs of Pakistan’s premier, the messaging is clear: Pakistan’s sensitive government departments remain dangerously susceptible to targeted Indian cyber espionage.
The online personas of these accounts bear striking similarities: general affinity for the ruling Bharatiya Janata Party (BJP) and particular support for Hindutva, a jingoistic level of patriotism, utter loathing for the very existence of Pakistan and complete disdain for a code of conduct in cyberspace that would otherwise be applicable to official ‘cyber warriors’ working under an organised institution. These accounts operate on Twitter but maintain a centralised communication and coordination channel on Telegram. Thus, even if they are suspended routinely, they re-emerge with different usernames and manage to regain a high following. They operate with a ‘herd mentality’ and prefer engaging in group conversations publicly, sometimes even mingling with Indian military veterans.
Accounts like these became prominent around the year 2018 and were traditionally involved in information operations campaigns, with a particular interest in attempting to undermine the credibility of the Pakistan Army. During the standoff with Pakistan in early 2019, these and other accounts amplified disinformation and propaganda that conformed to the official narratives coming out of the Union Government in New Delhi.
This on-off ‘unity of purpose’ adds credence to speculations that such Twitter accounts may be part of a network of cyber mercenaries who may be contracted or ‘outsourced’ by various Indian government organs as and when required. This is further reinforced by the fact that these accounts are neither fully convergent nor divergent on matters that directly concern the Union Government.
Actors based in both Pakistan and India have been accused of conducting cyber operations against each other. As implied earlier, the traditional modus operandi involves discreet network and system intrusions that are usually reported by international cyber threat firms. The emerging contours of cyber espionage from India reveal a shift to a ‘declared posture’; if it is intentional, for the purposes of political signalling and/or deterrence, the associated messaging is subpar and below known standards of strategic communications. If it is the work of a mercenary, the gains lie more in public attention and community influence instead of anything strategic; therein lies the distinction that needs to be carefully ascertained by authorities concerned in Pakistan. In this author’s personal assessment, the most prominent among those ‘leaking’ sensitive government information from Pakistan are strongly suspected of being mercenaries-for-hire working beyond the remit of an institutionalised environment.
Officials responsible for the management of Information and Communications Technology (ICT) assets across the Government of Pakistan remain at high risk of sophisticated cyber intrusions. Primarily, this negligence is due to the absence and/or ineffective implementation of adequate cyber security protocols issued at the national level. The prevailing situation justifies presuming that there is a non-serious attitude toward periodic technical audits of government-owned systems and networks. A complete whole-of-government ICT sanitisation is long overdue and must be carried out through a multi-agency taskforce to identify and mitigate recurring grey areas. The most important among these are computer systems used by the lower end of the bureaucracy, such as clerical staff in various government departments whose compliance with computer safe-use protocols may be questionable. These systems usually contain archived copies of passports, medical documents and other identification particulars of individuals who are considered high-value targets by an adversary. The habit of delegating personal data responsibilities, apart from routine personnel files and documentation etc., to clerks (‘lower staff’) is a bureaucratic norm in former British colonies of the Indian Subcontinent. This issue is likely very far from over, keeping in view the privileged ‘shahi’ (royal) lifestyle preferred by civil servants who usually do not even bother drafting their own communiqués.
Apart from the ‘technical’ backdoors due to plain ignorance, the ‘human’ dimension, i.e. insider threats, also needs to be accounted for. Some of the material shared online by Indian accounts, such as communication logs among specific mobile phone users in Pakistan, can only be obtained through individual processing requests to ‘data traders’ operating online and on the dark web. Navigating the latter may prove challenging, but even a cursory open source intelligence scan of Facebook and Google can lead to individuals/forums that can provide individual Call Data Records (CDRs) for as low as $6 in Pakistan. The elements behind the screen would either be directly employed by various telecom companies or acting as middlemen with links. In this context, the ‘cyber’ security aspect can be covered through rigorous and regular vetting of staff with known direct access to communication logs across the government and also the private sector.
Broadly, the absence of necessary cyber-related policies remains the biggest hurdle to ensuring a legally enforceable and comprehensive cyber security regime in Pakistan. The draft Personal Data Protection Bill as well as the National Cyber Security Policy are a long way from parliamentary approval; rushed passage through executive powers would result in blowback, as experienced earlier.
The passive attitude toward cyber security can also be gauged from the fact that during the recent Islamabad Security Dialogue, there was no particular theme or session focused on this domain. If an inter-governmental forum cannot shortlist cyberspace among priority subjects for discourse, expecting timely policymaking is a dream too good to be true.
By the time the Government of Pakistan and lawmakers get serious, the damage could become too massive to contain.