In 2019, the mobile phones of some senior Pakistani officials were hacked for covert surveillance. The hacking was done via WhatsApp using a special type of malware called “Pegasus,” allegedly developed by Israeli spyware company the NSO Group. The malware could infiltrate a phone by making a missed call on the targeted WhatsApp number and turn on the phone’s camera and microphone as well as gain access to messages, emails, contacts, and passwords. The malware also has the capability of determining GPS location. After the hacking incident, reports suggested that the Pakistani government was working on developing an alternative to the WhatsApp application for protecting sensitive or classified information.
It still remains unknown who had targeted the Pakistani officials. However, concerns were exacerbated after reports emerged that Indian intelligence agencies were using the same Israeli spyware to carry out surveillance of Indian lawyers, opposition political leaders, human rights activists, and members of civil society.
In recent years, India has stepped up efforts to strengthen its defensive and offensive cyberwarfare capabilities. Due to its rivalry with Pakistan, both countries could potentially target the other with cyberattacks. Although neither Pakistan nor India has carried out a large-scale cyberattack against each other so far, small-scale cyberattacks between both neighbors are becoming frequent. Web vandalism especially is very common.
The threat of Indian cyberattacks against Pakistan becomes more serious given India’s growing cybersecurity cooperation with Israel. The latter is a center of cybersecurity research and development. In June 2019, Israeli Prime Minister Benjamin Netanyahu, while speaking at the 9th Annual International Cybersecurity Conference, said, “I set the goal for Israel of becoming one of the top five cybersecurity powers in the world… It’s a goal we have met.” He emphasized, “When it comes to cybersecurity, Israel has invested more than any other country proportionally.” Indian policymakers are now also looking towards Israel’s Talpiot training program, which is the first of its kind in the world. Under this program, Israeli Defense Forces recruit some of the country’s most talented and innovative young individuals and then teach them advanced physics, mathematics, and computer science. It is known for producing experts that bolster the Israeli military’s research and development and cybersecurity.
In March 2013, former CIA contractor Edward Snowden revealed that Pakistan was among the countries most targeted for surveillance by the U.S. National Security Agency (NSA). In June 2017, Pakistan’s Senate Committee on Foreign Affairs also warned the government that Pakistan was a principal target of cyberespionage. With Pakistan being one of the top targets of foreign espionage, there are increased calls within the country to devote more resources for securing computer systems, investing in the security of the country’s digital infrastructure, and strengthening cybersecurity research and development. Pakistan also needs a strong cybersecurity framework to counter identity theft, financial data theft, and surveillance of critical infrastructure.
The government needs to invest in modernizing its agencies to enable them to deal with cyber threats. Currently there is no agency or organization fully committed to the country’s cybersecurity. Pakistan needs a full-fledged agency for protecting the country from cyberattacks. For example, the United States has the Cybersecurity and Infrastructure Security Agency (CISA) and Israel has Unit 8200 or the National Cyber Security Authority (NCSA). In Pakistan, the National Response Center for Cyber Crime (NR3C), a unit of the Federal Investigation Agency (FIA), deals with cybercrimes; however, it lacks the capacity to shield the country’s critical national infrastructure and is deficient in resources, manpower and facilities.
Pakistan also lacks sufficient legislation for countering cyber threats. In 2016, Pakistan passed a cybercrime law called the Prevention of Electronic Crimes Act, 2016; however, the act does not cover many crucial aspects of cybersecurity. Pakistan needs more stringent cybersecurity regulations that require companies and organizations to protect their computer systems and information from cyberattacks. The regulations should mandate government departments, the energy industry, as well as healthcare and financial institutions to protect their computer systems and information from being breached. Such measures are particularly important since the systems of almost all organizations are now connected to the internet and are becoming dependent on artificial intelligence and big data analytics. This makes them a vulnerable target for hackers. Cybersecurity experts, however, argue that companies will not invest in cybersecurity unless governments compel them.
Pakistan needs to realize the dire threat to its critical infrastructure and the government should make all out-efforts to ensure the security of interconnected infrastructures of the country. For this it is important to identify the national infrastructure that remains critical to the national and economic security of Pakistan. In sum, it is important for Pakistani policymakers to identify the immediate and future cyber threats and formulate a cybersecurity strategy accordingly. Pakistan cannot ensure comprehensive national and economic security without effectively managing these threats.
Muhammad Abdul Qadeer is a Fellow at the Strategic Studies Institute Islamabad (SSII). His area of research focuses on South Asian politics. Follow him on Twitter @MuhamadAQadeer