Malware for Cyber Warfare

In July 2023, the federal cabinet approved the final draft of the Personal Data Protection Bill 2023, aimed at providing a data protection mechanism to prevent cyber-security threats. According to Cybersecurity Ventures, cybercrime costs the world $8 trillion annually. Pakistan, cognisant of emerging cyber perils, is also taking stringent measures as malware attacks possess the potential to pave the way for cyber warfare.
Malware is a cyber-security threat in which software designed to gain unauthorised access to a system is used by hackers for a variety of purposes, including jamming the networking system of an organisation and demanding ransom. In the ShadowPad malware attack in July 2023, sensitive institutions of Pakistan possessing the personal data of citizens were attacked. The hackers modified a Microsoft installer developed by a government entity for the E-office app. This capability of malware to intrude into sensitive institutions is an indicator of its potency for cyber-warfare.
Malware is also a cheaper way for economically developing countries to conduct offensive cyber operations against powerful ones. These operations could be conducted directly, by attacking the networking systems of security agencies, or indirectly, by earning capital for weapons through ransom money. For example, the North Korean government-sponsored hacking group ‘BlueNoroff’ is accused of targeting financial institutions to steal billions of dollars for its nuclear missile programme.
Moreover, malware has other destructive uses, such as cyber terrorism. For instance, in the ongoing Israel-Hamas conflict, the Iranian-backed hacker group Agonising Serpens is suspected of using malware to attack Israeli tech institutions. These malware attacks are conducted to propagate an offensive campaign against Israel by circulating stolen personal data of citizens on social media and Telegram channels to spread fear. In addition, wipers are used to erase information about citizens from government institutions. Such offensive uses of malware against adversaries indicate that state institutions must take pre-emptive measures to combat them. This is particularly important for countries like Pakistan that have digitised their National Critical Infrastructure and face a constant cyber threat.
In November, China’s biggest industrial and commercial bank came under a malware attack that badly damaged its trade and transactions. Keeping in view the previous cyber-attack on the State Bank of Pakistan and the inclination of malware hackers toward financial institutions, Pakistan should also revisit its cyber-security checks. Although Pakistan faced no financial loss due to malware, such an attack on a highly secured Chinese state bank serves as a wake-up call. In response, Pakistan could work on Patch Management and Endpoint Protection. In Patch Management, all the software, applications, and operating networks are regularly updated with advanced security patches. Pakistan could specifically invest in the prioritisation of patches, in which anti-viruses for suspected malware are given priority. Pakistan, being well aware of its adversaries, should prioritise security patches that protect its financial institutions from them. Similarly, in Endpoint Protection, the computers and servers used in an institution are equipped with antimalware. Pakistan could install indigenously developed antimalware in its banks to minimise the threat of malware attacks.
Beyond financial institutions, all the vital organisations of Pakistan could be upgraded in line with cyber hygiene. To do so, network firewalls and multi-factor authentication could be incorporated in networking systems. Institutions whose dysfunction could cause emergencies, such as grid stations, hospitals, and railways, should be given priority in incorporating cyber hygiene measures.
In 2021, the Counter Ransomware Initiative (CRI) was established by the United States of America; it has since expanded to a membership of 48 countries. It aims at tactical training of member countries to combat malware attacks by tracking down illicit wallets to freeze the transactions of hackers. Pakistan, being a major target of malware attacks in past years, should also consider joining the CRI to advance its technology and cooperation in the cyber domain.
Since war tactics are changing rapidly and security remains a major concern for Pakistan, it needs rapid measures to protect its citizens’ data. Although the Personal Data Protection Bill 2023 is a constructive measure in this regard, cyber savants have highlighted some loopholes in it. Therefore, stakeholders should consider addressing these loopholes and move toward the implementation phase. As Pakistan is already going through an economic crisis, a malware attack could further aggravate its intensity.

The writer is a researcher at the Centre for Aerospace and Security Studies (CASS), Lahore, Pakistan. She can be reached at info@casslhr.com
