The state must make laws that establish regulations for identifying critical cyber spaces and safeguard them from threats
The evolving trends and technological advancements show that corporations are expanding their digital footprint at a rapid pace. With billions of connected people and machines, the data and information provide the élan vital between various organs of organisations and their external stakeholders. On the flip side, this also means that these entities are now exposed to new digital vulnerabilities, which enhances the significance of countering cyber attacks and ensuring cyber security and data privacy.
Cyber attacks may be driven by different motives, which can vary from ransom, fund embezzlement, data theft and damaging company goodwill to political battles between rival countries. When it comes to use of cyber attacks with reference to political battles among rival countries, the United States and Russia are the prime examples.
The New York Times in a report on May 28, highlighted accusations levelled against Russia, a few days prior to the visit of Russian President Vladimir Putin, of hijacking the email system of United States Agency for International Development (USAID). In the past, they have also accused the Russian government of what they called meddling in the US elections by leaking emails hacked from the Democratic National Committee (DNC) and other entities, according to a report published by The Wall Street Journal on January 8, 2019.
On July 19, a report by The New York Times said, “The Biden administration, for the first time, accused the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, as the United States rallied a broad group of allies to condemn Beijing for cyber attacks around the world.” According to this report, the US announced that it would join a group of North Atlantic Treaty Organisation (NATO) allies to condemn China for cyber attacks. It is claimed that in the past such cyber attacks have caused harm to the US. For the first time, the NATO has issued a statement: “We call on all states, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace.”
According to the BBC: “China’s foreign ministry spokesman said the US had asked its allies to make unreasonable criticisms against it.” China strongly denied the allegations and called these fabrications by the US. Despite these accusations and denials, all the major nations including the US and Russia agreed to a new understanding against cybercrimes. The 75th session of the UN General Assembly unanimously adopted a resolution titled, “Countering the use of information and communications technologies for criminal purposes” on May 26, [UN Resolution GA/12328].
While the US is signing an agreement with major countries against cyber crimes, the ad hoc committee under UN Resolution GA/12328 will start its work in January 2022 by convening six sessions of ten days each and will submit a draft convention on countering cyber crime to the General Assembly at its seventy-eighth session in 2023. In the light of these developments, it will be a test for the US to use the sanctions option available under an executive order signed by President Obama that allows the US to block the properties of persons (individual and entities) involved in significant malicious cyber-enabled activities.
As we all know, cyber risks are evolving from a boardroom issue to a national issue and failures in combatting them can have severe global impact. It may be recalled that after global challenges in financial reporting we got Sarbanes-Oxley (SOX) as an antidote. Accordingly, against challenges like data theft, cybercrime, and manipulation of information, countries around the world are working on data privacy and security regulations. Cyber security is now viewed as an integral part of the organisations’ strategy. There is a growing need to implement and maintain a security management framework, aligning people and technology, to survive in today’s competitive market.
To address these challenges, companies need to conduct ongoing cyber risk assessments of their technological systems to ensure that outsiders are not creating risk exposure. Businesses need to adopt a customised approach to cyber security, which should be tailor-made as standard applications can pose higher risks. The same applies to the monitoring of cyber attacks. Historically, cyber risk management has been a reactive activity, which is about focusing on documented risks and cyber attack events that have taken place. However, the rising risks and availability of sophisticated tools to counter those have made this approach more proactive and forward-looking.
Apart from global efforts to curtail cyber crimes, Pakistan has passed cyber crimes laws that have been criticised within and outside the country. Most experts call thsis an effort to curtail free speech. Similar legislation has been implemented by various developing countries. Pakistan has till now used its controversial cyber crime law against bloggers and social media activists.
At times, law enforcement agencies (LEAs) have acted merely to please the incumbent government by taking actions against those having political aspirations. Unfortunately, our agencies are least interested in detecting sophisticated threats and modern cyber attacks designed to circumvent traditional controls by learning detection rules. The government of Pakistan has shown no interest in regularizing the legal framework, checks and balances that can stop arbitrary use of cyber crime laws.
The most important challenge that we are going to face is the use of electronic voting machines. It must be remembered that the purpose of designing traditional controls is generally to address external threats. These may not adequately address insider threats — generated from people with legitimate access.
Timely detection depends on an organisation’s technological ability to track patterns and behaviour that deviate from the normal. Given the fact that businesses are constantly changing, and human behaviour is unpredictable, it is important to figure out what is meant by normal. By applying artificial intelligence (AI) and analytics to internal and external data, we can generate predictive, valuable insights that help in making better decisions and protecting the organisation from threats. This requires chipping cyber security experts (internal or third party) into the arena. It can help organisations gain the much-needed insights. Third parties that specialise in threat intelligence monitor a wide range of sources. A successful cyber security system at the national level requires the following:
u An independent national cybersecurity agency
u Making comprehensive laws about cyber crimes
u A threat hunting and information sharing mechanism
u Continuous management and monitoring
The state must make laws that should define minimum security standards, mandatory breach reporting and training initiatives to strengthen cyber security. It should establish policies and regulations for identifying and prioritising critical cyber spaces and safeguard them from any potential threats. To achieve better outcomes, laws and regulations should be reflective of the threats, vulnerabilities and potential consequences faced by the country. At the same time, they should also protect fundamental principles like privacy and civil liberties and encourage innovation and progress.
These regulations should identify responsibility for coordinating cybersecurity efforts. A special autonomous body should be designated to lead the nation’s development, coordination, alignment and integration of cybersecurity policies, strategies and plans for this activity. Experts within the designated agency should have in-depth knowledge of information and operational security processes. This unit should be responsible for overseeing compliance with cybersecurity regulations, including but not limited to developing guidance and interacting with other regulators who can enforce compliance, establishing a reporting framework, etc.
For information sharing and coordination, a separate unit may operate under this agency which should coordinate regulatory and non-regulatory communications, including publications and statements to all stakeholders on behalf of the national agency. The unit should serve as a point of contact for enforcement organisations around the world pursuing legal recourse against cybercrimes.
The governments must continually invest in the expertise, systems, and governing frameworks required to keep pace with the evolving threats as for each new technology or step to enhance our cybersecurity, another is in the process of circumventing it. To succeed in handling this challenge, it is of paramount importance that governments and private corporations work in cohesion to create an apposite environment.
Huzaima Bukhari and
Dr Ikramul Haq, lawyers and partners in Huzaima, Ikram & Ijaz, are adjunct faculty at Lahore
University of Management Sciences (LUMS) and members of the Advisory Board and visiting senior fellows of Pakistan Institute of Development Economics (PIDE).
Abdul Rauf Shakoori is a corporate lawyer based in the USA and an expert in white collar crimes and sanctions compliance. They have recently coauthored a book,
Pakistan Tackling FATF:
Challenges and Solutions.