Ayesha Urooj

PAKISTAN probably suffered the biggest cyber-attack in its history when the country’s banking system took a hit in October this year. Statements issued by Pakistan’s Computer Emergency Response Team (PakCERT) and the Federal Investigation Agency (FIA) declared that data of over 20,000 credit and debit cards belonging to the customers of over 22 Pakistani banks was hacked, sold and misused to perform illegal transactions worth millions of rupees. While talking to news channels, the FIA Cyber Crime Cell Director said that data of major banking networks in the country was compromised. The incident is a classic example of cyber-terrorism as defined in the cybercrime laws of Pakistan. The cybercrime bill 2014 defines cyber terrorism as acts of violence, which may result in casualties or monetary losses, induce fear or panic among citizens, inflict direct or indirect damage to any state department or state function, gain unauthorized access to information critical to national security or cause disruption in the distribution of essential services, enacted or facilitated by the internet.

As per the cybercrime laws of Pakistan, any act of cyber terrorism will be met with severe consequences. It could lead to fourteen years of prison time or a fine of up to fifty million or both for its perpetrators. The law defines cyber terrorism as any act that intends to infiltrate, alter, destroy or copy critical information in relation to state function or state defence, resulting in fear, panic or a breach of national security, or causing disruption in the distribution of essential services, enacted or facilitated by the internet. The act may impact a community, city, sect or any state department. Any person found guilty of such a crime will be prosecuted under the cybercrime laws of Pakistan and be severely punished.

Some examples of such acts of terror could be controlling the transmission station of a television channel and broadcasting false messages that stir the public and induce fear and suspicion, or taking control of the transmission system of a SIM card company and distributing content that triggers paranoia.

The ATM hack was a well-planned cyber-attack which involved hacking the international transaction and payment networks of different Pakistani banks. Later, the hackers used ATMs outside Pakistan to execute illegal transfers of funds.

As soon as the banks came to know about the illegal transfer of funds, they immediately blocked their international payment services. Data belonging to the hacked ATM cards was put up for sale on the dark web. The buyers could use the information to create duplicate ATM cards to perform illegal transactions. Furthermore, the information could be used to make online payments without having to create any duplicate cards. Some of the largest Pakistani banking networks that suffered include: HBL, UBL, MCB, Bank Islami, Meezan Bank and Standard Chartered Bank. As per the punishment defined in the cybercrime laws, access to critical information structure or network without permission or authority could result in prison time ranging from three years to seven years or a fine ranging from rupees one million to ten million or both, depending upon the impact of the crime. A cyber-attack on such a large scale amounts to cyber terrorism as it could cause a national security crisis.

This clause is very important in relation to this incident, as its definition of critical defines what a possible cyber terror attack might look like. The law defines critical infrastructure as such networks, systems, facilities or assets which deliver necessities of life to the citizens, and any interruption, alteration or infiltration of these could result in casualties or material loss of significant value.

The law specifies that such services or assets include the ones that have a direct impact on the defense of the country, national security or state functions. Furthermore, it includes any institution, department or person that is declared critical by the Government of Pakistan. A very explicit example of infiltrating critical infrastructure would be if someone hacked into the data network of armed forces servers. The same laws apply if someone alters, deletes or transfers any data existing within any of the critical infrastructure of the Government of Pakistan. Immediate steps were taken in the aftermath of this incident by banks as well as by our security agencies. These steps included updating security on information networks, real-time monitoring of card-based banking operations and immediate response to any suspicious payment or transaction-related activity.

Even though the culprits were apprehended, the investigation into the incidents highlighted some major issues and prompted thoughtful insights. The fact that Pakistan ranks 67th in the global cyber security index and the recurrence of such incidents in the online banking system of Pakistan put a question mark over the future of secure online banking in the country. With more and more state departments turning to online networking, virtual data structures and internet communication, would the current cybercrime laws suffice to ensure the national security of the country? Increased funding and technological resources may be designated to the cyber security of Pakistan, as it will require more budget to update a field that is updating itself every passing minute. An institution may be separately designated to pursue all pending investigations of every successful or unsuccessful cyber-attack on state departments. This is necessary as the data collected through these investigations will help predict the nature of future attacks as well as counter further attacks. These measures will help to ensure a secure cyberspace in every private and public sphere of the country.

—The writer is an M Phil scholar at the Department of Government & Public Policy, FCS, National Defence University, Islamabad.

