The extent of malicious hacking on the internet, in pursuit of political or economic advantage, crime or just plain mischief, threatens to escalate the cost of even basic IT infrastructure. In the emerging economies, organised hacking is now beginning to impede economic growth so much that organised counter-measures are now required. Our Pakistan correspondent describes the problem there, and suggests some solutions.
A few days ago, I heard news that Indian hackers had attacked the official website of one of our major universities, the University of Punjab, and threatened that similar actions would follow. I began investigating the details, and was shocked to discover that this was not the beginning of the story.
Hackers from India and Pakistan have, in fact, been engaged in cyber warfare since 1998, leaving no stone unturned in attacking the websites of their opponents. Both countries blame each other for the initial aggression.
The intensity of the war increased last year in particular; after a reported attack by Pakistani hackers on the Central Bureau of Investigation (CBI), India’s top civilian investigation agency, Indian hackers attacked 40 Pakistani websites.
When I approached the relevant office in Islamabad to find out what measures the country was taking to defend itself from cyber warfare, I learned that Pakistan’s government isn’t taking any tangible measures at all to protect state websites from the looming threat of international hackers, particularly those based in India.
I spoke to a senior official in the Electronic Government Directorate (EGD), the agency officially responsible for monitoring the hacking saga in Pakistan. The official, who wished not to be named because he isn’t authorized to talk to the media, told me, “The government has so far secured only 33 websites belonging to government ministries and departments, out of thousands. And there is no system that can’t be hacked. You can break any kind of lock, and the same is the case with hacking websites.”
“The government never demonstrates seriousness in dealing with the hacking problem, which poses a constant threat to all state and privately-run websites,” he added.
He said that if the government wanted complete security it would have to adopt a unified trap system, firewalls, an intromission protection system (IPS), anti-spyware software, and protection against email-based and DDOS attacks.
DDOS - sending millions of requests which ultimately result in the shutdown of websites - is the preferred method of attack, because most proprietors, including companies and organizations, can’t afford a security system to protect adequately against it.
A system which can adequately protect your websites from hacking costs around one million rupees, according to the official I spoke to.
Meanwhile, a vendor from Islamabad, who runs a private firm, said, on condition of anonymity, that there are several firms and institutions, such as Faysal Bank and many cellular phone companies, that have spent more than one million rupees each to safeguard their websites from hacking. If the government of Pakistan were to spend such an amount, the issue would be solved for government websites to a great extent.
When I put these examples to my contact at the EGD, he agreed, but said that the government is not in a position to provide such a huge amount. He lamented that in the recent past the websites of the Ministry of Foreign Affairs and the Supreme Court of Pakistan were hacked as a result.
He said that government policy was that all state websites be hosted by the National Telecommunication Corporation (NTC), but that unfortunately not everyone follows this policy, instead hosting their websites abroad or with alternative local providers.
According to the official, “This hacking isn’t a specific problem between Pakistan and India; it is an international issue, which is going to spread and become more sophisticated. However, it does seem to be particularly intense between hackers in India and Pakistan.”
The government, he said, should invest in the security implementation policy provided by the Information Technology Department of the Government of Pakistan, adopting security systems along the lines of those used by private firms but, “unfortunately, it is a totally neglected area so far, with no investment by the government.”
“Let me tell you, frankly, that the government has no power over the ISPs to implement its policy. It tried, in 2009, when the EGD sent Planning Commission-1 to the Ministry of Information Technology, a document initiating a fair implementation of security across the databases and websites of the federal ministries, but again, this couldn’t be approved because of multiple reasons, including self-interest.”
He added that if the government of Pakistan wants to secure its websites then it should also invest in Pakistan’s emerging Information Technology sector, as millions of the country’s young people are trained in the area.
Internet hacking and the Pakistan-India cyber war
My next port of call was Munawar Iqbal, President of Pakistan Computer Association (PCA). As head of the PCA, Iqbal acts as spokesman for computing professionals, putting forward the issues that they’re concerned about to the Pakistani government. He also runs a thriving computer business in the main hub of Islamabad.
Iqbal told me, “As per my information there are two groups of hackers from both countries: one is called the Indian Cyber Army and the other is known as the Pakistan Cyber Army. Both are in competition to hack each other websites. It is totally illegal, and should be stopped in the greater regional and international interest, as well as that of both countries’ people.”
He said that in 2002, hackers in Pakistan hacked as many as 72 Indian websites, while Indian hackers hit almost 70 Pakistani websites. In 2010, the total of Indian websites hacked had increased to 270.
Indian hackers, meanwhile, hacked the websites of the Ministries of Education and Finance, Oil and Gas Corporation Limited (OGDCL), and even the State Bank of Pakistan.
He said that there seem to be some official hands of the two governments behind the hacking story, adding that it is another face of a war that’s taking place with the unseen support of both governments.
“There are established laws on cyber crimes in Pakistan, and there are also international laws to prevent it, but these are either not followed or not implemented. There should be tough punishment for those who break these laws - it would go a long way to controlling the problem.”
He added that there should also be a public awareness campaign to tell individuals and organizations how to protect and secure themselves from hackers, and that the government should work out a multi-pronged policy to create job opportunities for youths who have Information Technology degrees, allowing Pakistan to use their skills to help discourage the cyber crime menace.
“Our country is producing 15,000 to 16,000 IT graduates each year, but only 25 per cent are employed in the sector, and I’m sure the rest of them are squandered in different ways due to lack of job opportunities. If there were more job opportunities, it would reduce the number of these jobless IT graduates, which would discourage the business of hacking in the long-run,” he added.
He said that the hacking isn’t a Pakistan-India specific problem but an international issue which should be tackled at world level.
“Hacking poses a great threat to world peace because every entity and organization is going computerized or online,” he said.
Iqbal cited the recent, prominent example of Wikileaks, contending that Wikileaks were basically hackers who accessed secret information belonging to the US government.
Concerns From Commerce
In search of a commercial perspective on the problem, I contacted Abid Jan, a trader who owns a computer business in Islamabad’s bustling Blue Area market. He told me, “We ourselves face no particular problem or threat from hackers, but those institutions that have their data online face a great threat.”
He told me that the government should make sure to provide enough online information for businesses to protect themselves from hackers, because most of the time hacking takes place due to lack of information.
“I’m sure there are international laws, but on the ground they aren’t implemented. We also face a real problem from viruses - there should be tangible measures to control their spread as well.”
I also spoke to Arshad Ali, chief executive of a private computer firm, who shared his concerns with me, “Until recently, states used to fight wars just with forces on the ground, but with advances in computing, they’re now being fought through the internet as cyber wars. These days, hackers from almost all countries, including India, are out to fight cyber war against their rivals. Countries want to dismantle and derail each other’s economies through cyber war, in particular. ”
Cyber war and hacking are great threats to international peace and security, he added, citing the example of reports in 2009 that the Pentagon’s $300 billion F-35 project had been attacked, allegedly by Chinese hackers, with several terabytes of information about the aircraft stolen.
A Possible Solution
Ali noted that Pakistan faces significant barriers to reaching a solution. “In Pakistan, government systems aren’t yet automated across the board. Time and energy that could be spent on securing these systems is being wasted keeping records in physical files. Compare that to countries such as China and the U. S., who possess dedicated cyber warfare units. Our government lacks basic automation of its systems, but getting to that point requires considerable investment.”
In the face of the emerging threat, “we neither have proper expertise nor does our IT infrastructure have any advanced systems because of the government’s lukewarm approach to improving Pakistan’s nascent computing field.”
The government, he said, doesn’t take any steps to improve the Information Technology sector, and its condition is pathetic. There is only one unit working on cyber crime, a section of the Federal Investigation Agency (FIA) known as NR3C. On a national level, an Email and Internet Policy was approved in 2005 but it hasn’t been implemented so far.
He said the tragedy is that that cyber-attack tactics are changing almost day-by-day, while Pakistan’s government doesn’t consider coping with the challenge a serious affair.
For example, the Electronic Government Directorate (EGD) has also initiated a project known as the Federal Government IT Security Audit Cell, but it has not yet got approval.
The official suggested that, “if you want to completely protect yourself against hacking, then you will have to follow the ISP policy in letter and spirit.”
He went on to say that, by contrast, most of the big firms and organizations such as private and state-run banks were already investing heavily to protect themselves and secure their websites from hacking.
Arshad Ali added that central government needs to take some practical steps to create awareness among common users, and should explore measures to secure the websites of leading government institutions.
A Common Perspective
My correspondents were almost unanimous in agreeing that there is the utmost need to allocate more funds to the relevant government departments, so that the constant threat of hacking can be tackled to reduce it to a tolerable level. They echoed that the government should make efforts to accommodate unemployed IT professionals in mainstream employment, which should put the menace of hacking in reverse gear.
Some of those I spoke to also suggested that representatives from the governments of Pakistan and India should come together to develop a joint strategy for discouraging cyber warfare between the two countries. The ideal solution would be for both countries to formulate a shared code of conduct and impose strict rules to discourage individuals and organizations form attempting to harm the cyber-world. At this critical juncture, the UN can also play a tangible role, not just in mediating between India and Pakistan, but across the globe.