Pegasus: A Spy in Hand

Recently, an investigation by 17 well-reputed media organisations, led by the France-based non-profit journalists’ organisation “Forbidden Stories”, disclosed that Pegasus spyware was successfully employed by different governments around the world to hack the smartphones of high-ranking government officials, journalists, and political activists. The list includes the names of Pakistan’s Prime Minister Imran Khan and French President Emmanuel Macron.

As per the makers of Pegasus, the spyware is only sold to governments through Israel’s Ministry of Defense for operations against terrorists and criminals. However, in the absence of any legal binding, authoritarian governments use it against their rivals; for instance, in India, the Bharatiya Janata Party (BJP) government used Pegasus to spy on its arch-rival, the Congress leader Rahul Gandhi. Pakistan has also accused India of spying on Prime Minister Imran Khan’s smartphone using the spyware. The Foreign Office of Pakistan has condemned this act and asked the relevant United Nations (UN) bodies to investigate the Indian-state-sponsored spying attempt against the Pakistani Premier.

The Pegasus spyware first emerged in 2016. At that time, it used the phishing technique of hacking to steal data from mobile devices. Phishing is a hacking method in which social engineering is employed to lure a victim. A message or link is forwarded to the target’s smartphone. By opening a link or a message, the target is diverted to a suspicious website which results in the stealing of data, including messages, photos, and videos.

Since users have become more aware of phishing, Israel’s Niv, Shalev and Omri (NSO) group made the spyware more lethal. The sophisticated version of the spyware uses “zero-click” hacking techniques that do not require any action from the victim to trigger the spyware. In 2019, it was observed that by simply calling the target through WhatsApp, Pegasus could surreptitiously download itself onto smartphones, whether Android or iPhone.

In August 2020, Pakistan Army’s Inter-Services Public Relations (ISPR) stated that espionage efforts by hostile intelligence agencies, hacking mobile phones of high-ranking officials, were thwarted and necessary steps were taken to avoid such incidents. More recently, the spyware has exploited vulnerabilities in Apple’s iMessaging software. It has opened access to over one billion Apple iPhones, while the phone-owners are unaware.

Non-state actors also pose a significant threat in this context. The information revolution has resulted in the diffusion of power. Renowned scholar Joseph Nye, in his seminal work “Soft Power”, has argued that non-state actors have the same access to information as state actors. As a result, they are well poised to project information and influence intended targets. Non-state actors leverage social networking platforms such as Twitter, Facebook, or Instagram to carry out their influence operations.

But the use of cyberspace by non-state actors is often limited to low-scale hacking for monetary gains or information operations by hacktivists. The most prominent use of cyberspace by non-state actors is the Arab Spring or Facebook revolution, which triggered a regime change in some Arab states in 2011 and resulted in instability across the entire region. However, they cannot carry out a sophisticated cyber-attack against a nation state’s critical infrastructure.

In the recent past, military-grade cyber weapons were launched by nation-states against their adversaries. For example, in 2010, Stuxnet was launched by the United States (US), presumably with the assistance of Israel, against the Iranian nuclear installations. It was the first recorded incident in which computer software destroyed a nuclear facility by altering the machine cycles of the plant. Similarly, the Pegasus spyware is a state-sponsored malware which was initially developed by the NSO group of Israel.

In the aftermath of the espionage attempted against the leadership of Pakistan, the cabinet approved the country’s first Cyber Security Policy. It outlines a roadmap to secure critical national infrastructure against cyber threats. This includes protecting internet-based services, creating cyber security awareness, and building law enforcement agencies and ministries, among others.

Keeping in view the emerging cyber landscape, it is now mandatory for Pakistan to gain the requisite capability to counter the impending challenges that come under the purview of hybrid war. The ability to defend against cyber threats and to launch cyber offensives against adversaries is the need of the hour. Pakistan has 64% of its population below the age of 30. The country also has a fast-growing Information Technology (IT) market. Therefore, it is necessary to equip the younger generation with the requisite IT skills to counter challenges such as the Pegasus spyware and to safeguard our critical national infrastructure.

Wg Cdr Jamal Abdul Nasir (R)

Wg Cdr Jamal Abdul Nasir (R) is a graduate of the National Defence University. His areas of interest include defence and strategic studies, and public policy with special linkage to technological advancements.
