Huzaima Bukhari, Dr. Ikramul Haq & Abdul Rauf Shakoori
The Federal Board of Revenue (FBR), the apex federal revenue collection body, is entrusted with the responsibility of collecting taxes of billions of rupees. Its jurisdiction extends throughout the country and due to the large volume and sensitivity of the data, FBR runs the largest data center in Pakistan. As technology is becoming more user-friendly and common, the functions and operations of FBR are getting more “technology-dependent” and its digital imprints are increasing every day. Hundreds of thousands of machines interact with FBR’s system on daily basis. This connectivity is increasing the risk of data breaches and digital vulnerabilities for the FBR. Cybersecurity-related risks are evolving and have now become national strategic issues. However, the failures in combatting these threats can lead to a national crisis, as it is an integral part of our country’s defense. Therefore, it is time to implement and maintain a security management framework, aligning people and technology, to survive in today’s competitive market.
Cyberattacks by state and non-state actors on key data websites, data, and data centers pose a threat that can undermine the security capabilities of a state. It can cause significant economic damages. In a recent lapse, FBR succumbed to a cyberattack as reported in the media, and its official website, “IRIS” system (for filing e-returns, obtaining e-registration, WEBOC (for Customs clearance), and all other critical tools remained non-functional. This should be a matter of grave concern that hackers did manage to infiltrate into one of the most critical data centers of the country. It will take a while before we get to know the exact magnitude of the damage. However, it is high time that government should reassess its cybersecurity capabilities, identify areas of improvement and conduct regular cyber risk assessments of all technological systems to ensure effective countering of internal and external threats.
Our joint article, Of cyber attacks and cybersecurity, TNS, [Political Economy] The News, August 15, 2021, ‘identified major weaknesses in existing systems and discussed what should be the priorities of the government and law enforcement agencies to overcome various possible attacks/threats. It was highlighted that until now our main focus has remained on employing traditional controls to address external threats, while no adequate protection is provided to counter threats from insiders, generated by people having legitimate access to the systems(s). The following remedies were suggested to improve our cybersecurity:
- Forming an independent national cybersecurity agency;
- making comprehensive laws about cybercrimes;
- a threat hunting and information sharing mechanism; and
- continuous management and monitoring
For implementing the above, the state has to make laws that should define minimum security standards, mandatory breach reporting, and training initiatives to strengthen cybersecurity but nothing worthwhile has been done. Even Personal Data Protection Bill, 2020 has yet to be tabled in Parliament.
The federal government should establish policies and regulations for identifying and prioritizing critical cyberspaces and safeguard them from any potential threats. To achieve better outcomes, laws, and regulations should be reflective of the threats, vulnerabilities, and potential consequences faced by the country. These regulations should identify responsibility for coordinating cybersecurity efforts. A special autonomous body should be designated to lead the nation’s development, coordination, alignment, and integration of cybersecurity policies, strategies, and plans for this activity. Experts within the designated agency should have in-depth knowledge of information and operational security processes. It is alleged that FBR like other government institutions is facing internal challenges like political appointees and nepotism that is posing a constant threat by making them more vulnerable to situations like the one that happened on Independence Day with the FBR website (www.fbr.gov.pk).
According to Tarin mulls options on FBR hack, The Express Tribune, August 17, 2021), the following is the background, actions taken so far, and report submitted by FBR:
- “Finance Minister Shaukat Tarin has decided to take a third-party view before taking any action in case of the worst ever cyber-attack that brought down the Federal Board of Revenue’s (FBR) data center for more than 72 hours.
- The fresh information revealed that Pakistan’s premier spy agency had forewarned the FBR about the high possibility of a cyber-attack, sources told The Express Tribune on Monday. But these warnings were ignored, resulting in either taking over or shutting down about 360 virtual machines of the FBR data center, said the sources.
- The 360 machines are almost half of the total virtual machines, indicating the extent of damage caused to the data.
- Based on technical inputs and initial findings, the FBR has submitted a report to the finance minister about the cyber-attack that took place before 2:00 am on August 14, said the sources.
- “I will review the report and take a third-party view before taking any action”, said Shaukat Tarin on Monday while responding to a question sent by The Express Tribune. The minister had been requested to comment whether he would take any action in case of data hacking of FBR since a report had been submitted to him.
- The sources said that the premier intelligence agency had warned the FBR on Wednesday that a cyber-attack may take place on its data center. The sources said that after that the FBR chairman discussed precautionary measures.
- To a question on whether he issued any instructions to shut down systems to avoid data hacking, FBR Chairman Asim Ahmad replied, “No such instructions were given by me. In such circumstances, systems are not shutdown but very closely monitored, which was being done.”
- Hackers attacked Pakistan’s largest data center run by the FBR and managed to break those, bringing down all the official websites operated by the tax machinery.
- In a press statement issued on Monday, the FBR said that “all applications having public interface have been operationalized and running smoothly”. These operationalized projects include the FBR website, Paysis website, eFBR website, IRIS website, AJK IRIS website; IMS web service, PRA web service, and Tax Asaan Mobile application stated the FBR.
- The sources said that the Pakistan Revenue Automation Limited (PRAL), which provides technical support to the FBR and also houses the data, took a lenient view of the threat. This was even though the Chief Information Technology Officer (CIO) who has been hired from HSBC bank, had pointed out system vulnerabilities and the possibility of its hacking after assuming his responsibilities a few months ago.
- The FBR is the largest database that carries information on trillions of rupees transactions, details of wealth and income, and expenditures of its citizens. It also has details about their various personal and business transactions due to various types of withholding taxes that are being deducted on these transactions.
- The sources said that the hackers had managed to “intrude” in almost 360 virtual machines and shut them down. They said that till Monday evening nearly half of these machines have been restored. All the current data that was in these machines at the time of the attack has been lost, said the sources.
- They said that in its initial report, the FBR and its technical wing have recommended reviewing the licenses regimes of all the software that it operates. It has also been recommended to review the relationship with Microsoft Inc, they added.
- They said that the hackers intruded on the system by hacking the login and passwords of the data center administrators. This was done through Microsoft software.
- The FBR’s technical wing’s initial assessment was that the hackers intruded in the system through the Hyper-V link.
- Another report, having names of government and private cybersecurity experts, stated that attackers targeted multiple Pakistani government organizations using spear-phishing emails. Ultimately it affected the virtual environment by dismantling or destroying the virtual environment that was part of the infrastructure.
- This report further stated that some systems were compromised, and the attacker did have access to them through lures used email info stolen from the actual website of the Pakistan government and the subject used by this email was National Cyber Security Policy Draft”.
Best practices indicate that timely identification, communication, and recovery from major cybersecurity challenges can often reduce the damage resulting from any malicious cyber-activity. Whereas the recent communication released by the FBR spokesperson seems to be a failed attempt in oversimplifying such a critical situation, it tries to negate the general impression and terms this episode of hacking/lapse of cyber-security as a “data migration activity”. It states as following
“The Federal Board of Revenue (FBR) has issued a clarification regarding in-progress service optimization activities at the FBR House Data Center Islamabad. FBR has explained that the technical team is currently migrating services. The completion of this migration shall result in the increased overall productivity of FBR IT Operations. This migration is necessary to facilitate the up-gradation of the system to enhance the best services to our clients. The stakeholders, who are being provided services from the data center, are informed that there were unforeseen anomalies during the migration process, which has resulted in the unavailability of services, since the early hours of the last night. FBR team is ensuring restoration of services as soon as possible to keep the downtime to a minimum. This activity is expected to be completed in the next 48 hours. FBR regrets and apologizes for any inconvenience this may have caused and appreciates the continued cooperation of the stakeholders”.
On the contrary, the chairman of the “National Database and Registration Authority (NADRA) in replying to a tweet of Mr. Shahbaz Rana (Journalist) confirmed that “NADRA was approached last night to help #FBR- I immediately deployed NADRAs Tech Team to control damage and restore operations. Working 24/7 with FBR, we can restore customs’ operation on priority to avoid public inconvenience. We will restore all data center Ops Insha’Allah”
The tweet by Tariq Malik confirms that there was something wrong and his team played a role to control the damage. On the other hand, it also confirms that FBR’s claim of data migration is misleading and tantamount to an effort to hide their incompetence. Moreover, it is not the first time that the FBR data is under attack. A similar unsuccessful attempt was made in March 2020. Despite knowing the vulnerabilities in their system FBR did not bother to make special arrangements to secure their systems.
Interestingly, FBR is not only collecting taxes but is also responsible for dealing with Anti-Money Laundering and Combating Financing of Terrorism (AML-CFT) matters of Designated Non-Financial Businesses and Professions (DNFBPs), despite repeated warnings of cyber-attacks by the global watchdog on this issue. The Financial Action Task Force (FATF) president’s statement asks for the allocation of sufficient resources to deal with AML-CFT and cybercrimes. Moreover, a Group of Seven (G7) finance minister urges the countries to implement FATF standards to deal with increased malicious cyber-enabled attacks. However, our lenient approach brought us to the position where we have miserably failed to counter potential threats as proven in FBR’s case.
This development, on the one hand, compromises the privacy of the taxpayers and on the other, raises concerns on FBR officials due to their questionable role in the recent development concerning the reputation of the institutions.
The matter needs investigation, and a team should be formed to investigate the allegations leveled against the FBR officials regarding sharing of taxpayers’ information with outsiders. As per media reports FBR officials allegedly shared the tax-related information of Imran Khan for the last 37 years. Similarly, Justice Qazi Faiz Isa also blamed FBR officials for sharing his data with Prime Minster Special Advisor without legal authority which is mentioned in his order by Justice Yahya Afridi in Constitution Petition No. 17 of 2019, etc while on merit dismissing his right of direct petition against reference by the honorable fellow brother judge while declaring the Act of President in violation of the law and the Constitution [page 274].
The recent development concerning FBR was noted in Peshawar High Court (Court) where the writ petition was filed by five Inland Revenue Commissioners of FBR against the Office of Federal Tax Ombudsman (FTO) who has ordered the Chairman of FBR to form an inspection team to check corrupt practices in the tax machinery. The court observed that the petitioners, being civil servants, shall in no manner be considered as aggrieved persons. The court held that the office of FTO did not require the presence of a complaint, particularly when there was an overwhelming perception of rampant corruption in the tax hierarchy as reported in The Express Tribune on August 13, 2021. The Express Tribune further reported concerning tax lawyer Waheed Shahzad Butt, a whistleblower for the FTO, that it was rare that a government department, responsible for collecting revenue, had approached a court against a constitutional office that was responsible for checking corrupt practices. Some tax experts allege that destroying internal data received from OECD can be another motive after this judicial pronouncement, though there exists a remote possibility of it unless proved by an independent inquiry committee of experts in detecting hackers behind cyberattacks.
The current attack on FBR systems has compromised the privacy of information though Chairman FBR has denied it. Unfortunately, there is no specific data protection law in Pakistan. In the current cyberattacks, taxpayers’ information was accessed, though FBR denied it. However, NADRA’s Chairman confirmed damage control in a tweet. In this entire episode, the victims may be the taxpayers of Pakistan unless proves otherwise in the inquiry. Their information is allegedly compromised, they are not even aware of the consequences—are left with no remedy.
Transparency is one of the foremost principles of governance and such acts of sweeping this dust under the carpet will serve no purpose for the system. Therefore, to set the best example of accountability and transparency, the government should form a team of independent professionals to investigate the entire matter and submit a detailed report related to the inadequacy of protection of the systems, allegations leveled against FBR officials who shared the taxpayer information with outsiders as reported in the media.
The motive behind filing of writ petitions against FTO, alleged abuse of information received from the Organization for Economic Cooperation and Development (OECD), and failure to maintain the privacy of taxpayers is highly undesirable. The investigation team should also probe the element of internal involvement in the current attack as well. Moreover, as highlighted in the cybersecurity policy Pakistan relies heavily on imported hardware, software, and services. This reliance, coupled with inadequate national security standards has made computer systems in Pakistan vulnerable to external cyberattacks and internal data breaches. Knowing the potential risks to our system no concrete steps have been taken to address these challenges. The government should identify the loopholes and make an example of those who were entrusted with the responsibility to ensure the security of data. Simultaneously, the government must continue to invest in technology, systems, and governance framework, which are required to keep pace with the ever-evolving threats.
Ms. Huzaima Bukhari, MA, LLB, Advocate High Court, Visiting Faculty at Lahore University of Management Sciences (LUMS), member Advisory Board and Visiting Senior Fellow of Pakistan Institute of Development Economics (PIDE), is author of numerous books and articles on Pakistani tax laws. She is editor of Taxation and partner of Huzaima & Ikram and Huzaima Ikram & Ijaz, leading law firms of Pakistan. From 1984 to 2003, she was associated with the Civil Services of Pakistan. Since 1989, she has been teaching tax laws at various institutions including government-run training institutes in Lahore. She specializes in the areas of international tax laws, ML/CFT related laws, corporate and commercial laws. She is the review editor for many publications of Amsterdam-based International Bureau of Fiscal Documentation (IBFD) and contributes regularly to their journals.
She has co-authored with Dr. Ikramul Haq many books that include Tax Reforms in Pakistan: Historic & Critical Review, Towards Flat, Low-rate, Broad and Predictable Taxes (revised/enlarged edition of December 2020), Pakistan: Enigma of Taxation, Towards Flat, Low-rate, Broad and Predictable Taxes, Law & Practice of Income Tax, Law, Practice of Sales Tax, Law and Practice of Corporate Law, Law & Practice of Federal Excise, Law & Practice of Sales Tax on Services, Federal Tax Laws of Pakistan, Provincial Tax Laws, Practical Handbook of Income Tax, Tax Laws of Pakistan, Principles of Income Tax with Glossary andMaster Tax Guide, Income Tax Digest 1886-2011 (with judicial analysis).
The recent publication, co-authored with Abdul Rauf Shakoori and Dr. Ikramul Haq, is Pakistan Tackling FATF: Challenges & Solutions
available at: https://www.amazon.com/dp/B08RXH8W46
She regularly writes columns/articles/papers for Pakistani newspapers and international journals. She has contributed over 1500 articles and research papers on issues of public finance, taxation, economy, and various social issues in various journals, magazines, and newspapers at home and abroad.
Dr. Ikramul Haq, Advocate Supreme Court, specializes in constitutional, corporate, media, ML/CFT related laws, IT, intellectual property, arbitration, and international tax laws. He established Huzaima & Ikram in 1996 and is presently its chief partner as well as a partner in Huzaima Ikram & Ijaz. He studied journalism, English literature, and law. He is Chief Editor of Taxation. He is country editor and correspondent of the International Bureau of Fiscal Documentation (IBFD) and a member of the International Fiscal Association (IFA). He isVisiting Faculty at Lahore University of Management Sciences (LUMS) and member Advisory Board and Visiting Senior Fellow of Pakistan Institute of Development Economics (PIDE).
He has coauthored with Huzaima Bukhari many books that include Tax Reforms in Pakistan: Historic & Critical Review, Towards Flat, Low-rate, Broad and Predictable Taxes (revised & Expanded Edition, Pakistan: Enigma of Taxation, Towards Flat, Low-rate, Broad and Predictable Taxes (revised/enlarged edition of December 2020), Law & Practice of Income Tax, Law, Practice of Sales Tax, Law and Practice of Corporate Law, Law & Practice of Federal Excise, Law & Practice of Sales Tax on Services, Federal Tax Laws of Pakistan, Provincial Tax Laws, Practical Handbook of Income Tax, Tax Laws of Pakistan, Principles of Income Tax with Glossary andMaster Tax Guide, Income Tax Digest 1886-2011 (with judicial analysis).
The recent publication, co-authored with Abdul Rauf Shakoori and Huzaima Bukhari is Pakistan Tackling FATF: Challenges & Solutions
available at: https://www.amazon.com/dp/B08RXH8W46
He is the author of Commentary on Avoidance of Double Taxation Agreements signed by Pakistan, Pakistan: From Hash to Heroin, its sequelPakistan: Drug-trap to Debt-trap and Practical Handbook of Income Tax.
He regularly writes columns/articles/papers for many Pakistani newspapers and international journals and has contributed over 2500 articles on a variety of issues of public interest, printed in various journals, magazines and newspapers at home and abroad.
Abdul Rauf Shakoori, Advocate High Court, is a subject-matter expert on AML-CFT, Compliance, Cyber Crime, and Risk Management. He has been providing AML-CFT advisory and training services to financial institutions (banks, DNFBPs, Investment companies, Money Service Businesses, insurance companies, and securities), government institutions including law enforcement agencies located in North America (USA & CANADA), Middle East, and Pakistan. His areas of expertise include legal, strategic planning, cross border transactions including but not limited to joint ventures (JVs), mergers & acquisitions (M&A), takeovers, privatizations, overseas expansions, USA Patriot Act, Banking Secrecy Act, Office of Foreign Assets Control (OFAC).
Over his career, he has demonstrated excellent leadership, communication, analytical, and problem-solving skills and has also developed and delivered training courses in the areas of AML/CFT, Compliance, Fraud & Financial Crime Risk Management, Bank Secrecy, Cyber Crimes & Internet Threats against Banks, E–Channels Fraud Prevention, Security and Investigation of Financial Crimes. The courses have been delivered as practical workshops with case study-driven scenarios and exams to ensure knowledge transfer.
His notable publications are; Rauf’s Compilation of Corporate Laws of Pakistan, Rauf’s Company Law and Practice of Pakistan, Rauf’s Research on Labour Laws and Income Tax, and others.
His articles include Revenue collection: Contemporary targets vs. orthodox approach, It is time to say goodbye to our past, US double standards. Was Due Process Flouted While Convicting Nawaz Sharif?, FATF and unjustly grey listed Pakistan, Corruption is no excuse for Incompetence, Next step for Pakistan, Pakistan’s compliance with FATF mandates, a work in progress, Pakistan’s strategy to address FATF Mandates was Inadequate, Pakistan’s Evolving FATF Compliance, Transparency Curtails Corruption, Pakistan’s Long Road towards FATF Compliance, Pakistan’s Archaic Approach to Addressing FATF Mandates, FATF: Challenges for June deadline, Pakistan: Combating the illicit flow of money, Regulating Crypto: An uphill task for Pakistan. Pakistan’s economy – Chicanery of numbers. Pakistan: Reclaiming its space on FATF whitelist. Sacred Games: Kulbhushan Jadhav case. National FATF secretariat and Financial Monitoring Unit. The FATF challenge. Pakistan: Crucial FATF hearing. Pakistan: Dissecting FATF Failure, Environmental crimes: An emerging challenge, Countering corrupt practices.
The recent book, coauthored with Huzaima Bukhari & Dr. Ikramul Haq is Pakistan Tackling FATF: Challenges & Solutions
available at: https://www.amazon.com/dp/B08RXH8W46