Huzaima Bukhari, Dr. Ikramul Haq & Abdul Rauf Shakoori
Evolving trends and technological advancements show that corporations are expanding their digital footprints at a rapid pace, and with billions of connected people and machines, data and information work as an élan vital between the different organs of organisations and their external stakeholders. On the flip side, this digitisation also means that entities are now exposed to new digital vulnerabilities, which raises the significance of countering cyberattacks and ensuring cybersecurity and data privacy.
These cyberattacks may be driven by different motives, which can be ransom, fund embezzlement, data theft, damage to company goodwill, or even political battles between rival countries. When it comes to the use of cyberattacks in political battles among rival countries, the United States (US) and Russia are the prime examples. The New York Times, in its report of May 28, 2021, highlighted accusations levelled against Russia, a few days prior to the visit of Russian President Vladimir V. Putin, of hijacking the email system of the United States Agency for International Development (USAID). In the past, the US also accused the Russian government of what it called meddling in the US elections by leaking emails hacked from the Democratic National Committee (DNC) and other entities, according to a report published by the Wall Street Journal on January 8, 2019.
A report of July 19, 2021 by the New York Times said, “The Biden administration for the first time accused the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, as the United States rallied a broad group of allies to condemn Beijing for cyberattacks around the world”. According to this report, the US announced that it would join a group of North Atlantic Treaty Organization (NATO) allies in condemning China for cyberattacks. It is further claimed that in the past such cyberattacks caused harm to the US. For the first time, NATO issued the statement: “We call on all states, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace”.
According to the BBC: “China’s Foreign Ministry spokesman said the US had its allies make “unreasonable criticisms” against it.” China strongly denied the allegations and called them a fabrication by the US. However, despite the above accusations and denials, the US, Russia and all major nations agreed to a new understanding against cybercrimes. Similarly, the 75th session of the UN General Assembly unanimously adopted a resolution titled “Countering the use of information and communications technologies for criminal purposes” on May 26, 2021 [UN Resolution GA/12328].
While the US is signing an agreement with major countries against cybercrimes, the ad hoc committee under UN Resolution GA/12328 will start its work in January 2022 by convening six sessions of ten days each and will submit a draft convention on countering cybercrime to the General Assembly at its seventy-eighth session in 2023. In the light of these developments, it will be a test for the US to use the option of sanctions available under the Executive Order signed by President Obama, which allows the US to block the property of certain persons (individuals and entities) involved in significant malicious cyber-enabled activities.
As we all know, cyber risks are evolving from a boardroom issue into a national issue, and any failure in combating them can have severe global impact. It may be recalled that after global challenges in financial reporting we got Sarbanes-Oxley (SOX) as an antidote. Accordingly, against challenges like data theft, cybercrime, and manipulation of information, countries around the world are working on data privacy and security regulations, and cybersecurity is now viewed as an integral part of the strategy of the entire organisation. There is a growing need to implement and maintain a security management framework, aligning people and technology, to survive more securely in today’s competitive market.
To address these challenges, companies need to conduct ongoing cyber risk assessments of their technological systems to ensure that outsiders are not creating risk exposure. Businesses need to adopt a customised approach to cybersecurity, which should be tailor-made, as standard applications can pose higher risks. The same applies to the monitoring of cyberattacks. Historically, cyber risk management has been a reactive activity, focused on risks and cyberattack events that have already taken place. However, rising risk and the availability of sophisticated tools to counter it have made this approach more proactive and forward-looking.
Apart from global efforts to curtail cybercrimes, Pakistan has also passed cybercrime laws that have been criticised within and outside the country. Experts call it an effort to curtail free speech. Similar legislation has been implemented by various developing countries. Looking at Pakistan’s record, it has till now used the controversial cybercrime law against bloggers and social media activists. At times, law enforcement agencies (LEAs) have acted merely to please the incumbent government by taking action against those having political aspirations. Unfortunately, our agencies are least interested in detecting sophisticated threats and modern cyberattacks, which are normally designed to circumvent traditional controls by learning their detection rules. Similarly, the Government of Pakistan has shown no interest in regularising the legal framework and the checks and balances that could stop arbitrary use of cybercrime laws.
The most important challenge that we are going to face is the proposed use of electronic voting machines. It must be remembered that traditional controls are generally designed to address external threats and may not adequately address insider threats, which come from people with legitimate access.
Timely detection depends on an organisation’s technological ability to track patterns and behaviour that deviate from the normal trend. Given that businesses are constantly changing and human behaviour is unpredictable, it is important to establish what is meant by normal. By applying Artificial Intelligence (AI) and analytics to internal and external data, we can generate predictive, valuable insights that help in making better decisions and protecting the organisation from threats. This requires bringing cybersecurity experts (internal or third party) into the arena, which can help organisations gain much-needed insights. Third parties that specialise in threat intelligence monitor a wide range of sources. Successful cybersecurity at the national level requires the following:
- An independent national cybersecurity agency
- Making comprehensive laws about cybercrimes
- A threat hunting and information sharing mechanism
- Continuous management and monitoring
The state must make laws that define minimum security standards, mandatory breach reporting and training initiatives to strengthen cybersecurity, and should establish policies and regulations for identifying and prioritising critical cyberspaces and safeguarding them from any potential threats. To achieve better outcomes, laws and regulations should reflect the threats, vulnerabilities, and potential consequences faced by the country; at the same time, they should also protect fundamental principles like privacy and civil liberties and encourage innovation and progress.
These regulations will assign responsibility for coordinating cybersecurity efforts, and a special autonomous body should be designated to lead the nation’s development, coordination, alignment, and integration of cybersecurity policies, strategies, and plans. Experts within the designated agency should have in-depth knowledge of information and operational security processes. This unit should be responsible for overseeing compliance with cybersecurity regulations, including but not limited to developing guidance, interacting with other regulators who can enforce compliance, and establishing a reporting framework. For information sharing and coordination, a separate unit may operate under this agency to coordinate regulatory and non-regulatory communications, including publications and statements to all stakeholders on behalf of the national agency. That unit should serve as the point of contact for enforcement organisations around the world pursuing legal recourse against cybercrimes.
Governments must continually invest in the expertise, systems, and governing frameworks required to keep pace with these evolving threats, since for every new technology or step taken to enhance our cybersecurity, another is being developed to circumvent it. To succeed in handling this challenge, it is paramount that governments and private corporations work in cohesion to create an apposite environment.
Huzaima Bukhari & Dr. Ikramul Haq, lawyers and partners of Huzaima, Ikram & Ijaz, are Adjunct Faculty at Lahore University of Management Sciences (LUMS), members of the Advisory Board and Visiting Senior Fellows of the Pakistan Institute of Development Economics (PIDE). Abdul Rauf Shakoori is a corporate lawyer based in the USA and an expert in ‘White Collar Crimes and Sanctions Compliance’. They have recently coauthored a book, Pakistan Tackling FATF: Challenges and Solutions.