The Cyber Secure Pakistan Premium Information Security Conference 2018 was held at NED University of Engineering and Technology on 5th May 2018. The conference was attended by well decorated members of various security agencies of Pakistan as well as cyber security professionals in the industry. The conference was organized by Syed Ammar Hussain Jafri, President of the Pakistan Information Security Association (PISA).
The aim of the conference was to discuss the various facets of cyber security and the cyber threats confronting the world today, as well as what Pakistan is doing or is planning to do in the future to combat the increasing level and frequency of cyber attacks.
Ammar Jafri began the conference by speaking about various technologies transforming the world today including Artificial Intelligence, the Internet of Things and especially, Blockchain. Acknowledging the ban on Bitcoin in Pakistan, he encouraged those in attendance to not ignore blockchain because, in his opinion, it was the future. He identified that criminals, money launderers, smugglers and terrorists used blockchain to their advantage and reaped the benefits of the ignorance of several governments around the world including that of Pakistan. He also mentioned the Sustainable Development Goals outlined by the UN and how it was paramount that Pakistan adopt a serious attitude towards cyber security to ensure their achievement.
Cyber Security in Pakistan, Challenges and Solutions
Dr. Muhammad Asad Arfeen, an Assistant Professor at NED, kicked off the session by asking the panelists to comment on the absence of any local cyber-security solutions. Zainab Hameed, former CISO Engro and GSK and current Head IT ISACA Karachi, believed that it was due to the absence of interest from local companies and brands that couldn’t care less about an information security infrastructure. She lamented the fact that major banks were only now opening up positions for CISOs when a decade ago the position did not exist. This was due to estimates that 64-70% of bank transactions being carried out were via ATMs and less than 1% were being carried out online or through mobile apps. She was hopeful for the future, however, and admitted that the process needed to be sped up.
Asif Riaz, CEO Digital Arrays, concurred with her and claimed that one need only travel as far as the UAE for huge cyber security initiatives. He pointed to Dubai’s Smart City initiative and its incorporation of AI, IoT and blockchain to create a truly secure system. The lack of local computer science and software professionals was also cited as a reason for this absence.
Jamal Khan, President Digital & Global E-commerce, put forth the point that it was more important than ever to concentrate on cyber-security because the internet itself was ill equipped to deal with cyber attacks to begin with. The ARPANET was originally developed to carry information between military agencies and the government. “The infrastructure was built without security center in mind. It was more about redundant connectivity rather than security. The underlying plumbing is insecure by design, and hence the challenge of layering on security on a fundamentally insecure foundation,” says Jamal.
Cyber Security for Girls
One of the most important facets of cyber security is individual security, especially because of the recent Cambridge Analytica Scandal involving Facebook and Twitter. According to data published by the Digital Rights Foundation, Punjab has become a hotbed for cyberbullying in Pakistan, with 62% of the harassment complaints coming from women. Saud Mirza, Former DG FIA, highlighted the inability of government and private agencies in Pakistan to deal with these issues. According to him, the system was overwhelmed. There needs to be a separate specialized agency to deal with individual cyber security as well as software that sweeps the internet for bulk searches for extreme content.
Concerns were also raised about blackmail through sensitive photos, particularly by one audience member who highlighted the severity of the issue by noting that many girls tended to commit suicide over the shame and judgment from society. Ali Manzoor, Head of Task Force for Cyber Crimes CPLC, pointed out that to get Facebook to take action against extortion or bullying through Facebook, for example, one would have to report the offence to the FIA, get a court order and register a complaint through the American Consulate, and all this would take 6-8 months to get done in Pakistan. In the UAE, however, the same process would take 24-48 hours. Talea Zafar, CEO The New Spaces, shared her own experience of identity theft on Facebook. It took her approximately 3 years to get a fake account removed from the social network. “I really don’t think there are differences in the challenges faced by men or women; the consequences might be more serious, but the challenges exist for everyone.”
Kanwal Masroor, Chairman TECH Pakistan, and Sharafat Bibi, a Cyber Security Professional, suggested adapting the parenting for girls in Pakistan to suit today’s needs. They argued that sheltering girls from the hostility of the world was a bad idea and that it was the parents’ duty to inform them of the dangers of the internet as well as warn them of the downsides of oversharing. Common practices like Checking In at restaurants, theatres and airports and posting pictures online from every outing were a bad idea. As Kanwal pointed out, there is no antidote for stupidity.
Policing In Cyber Space & CERTs
It had already been established in the conference that Pakistan’s Cyber Security was more than wanting. Ammar Jafri lamented the fact that there were very few CERTs (Computer Emergency Response Teams) operating in Pakistan. In fact, there were only two according to him: one that he founded, called the PISA CERT, and the Khyber Pakhtunkhwa Provincial Government CERT. He pointed to other countries like Japan that had a national CERT, and even blocs that had formed CERTs to work for multiple countries, like the Asia Pacific CERT. He repeated the fact that local companies and the federal government as a whole did not demonstrate an interest in setting up CERTs and that very few cyber security professionals were being produced in the country as it is.
His solution to the problem was offering free CERT courses to different agencies and companies and encouraging the establishment of nationwide CERTs. He also suggested the establishment of a suspicious IP Addresses database that would help catch criminals by reviewing past history.
Dr. Masuma Hassan of the Aurat Foundation expressed a pessimistic view of things, bringing up the Sustainable Development Goals set by the UN. She believed that Cyber Security was a crucial part of those goals and that Pakistan would be unable to meet them by 2030 since it didn’t even meet the Millennium Development Goals. Nevertheless, she suggested some safeguards to be put in place to ensure greater security, such as dedicated response centers in each major city and a prohibition on establishing multiple identities on Facebook.
Fintech & Security in Banking
The State Bank of Pakistan’s Vision 2020 outlines that 50% of the adult population should have access to the legal financial system by then. This would mean the data of 50-60 million people would ostensibly be vulnerable. Javed Jabbar, CEO Tech Companion, emphasized the importance of following the global standard of multi-factor authentication. Biometric sensors like fingerprint sensors and retina scanners could be installed at ATMs to beef up security, and a central framework could be developed to service all banks centrally. If the government would institute a policy to mandate such a move, banks would evolve to the next level.
Shariq Khan, Former Additional IG Investigation Balochistan Police, said that banks needed to work together with fintechs to improve financial inclusion and security. This would alleviate poverty and safeguard the finances of the most vulnerable classes in the country.
The discussion also veered towards language. How were the masses expected to understand technology when most of it was in a foreign language? Aun Abbas Bokhari, CISO Telenor Microfinance Bank, spoke in favour of an initiative to mainstream the Urdu language for mobile applications and websites, since countries like China, Japan, France and Germany all had the option to operate thousands of apps in their national languages.
Event management may not be the forte at every conference, but it certainly needs to be. Conducting a cyber security conference and publicizing it as an international platform should demonstrate some professionalism. Granted, the Information Security community is very open to supporting initiatives, but seriousness matters. Professionalism matters even more.
Great panelists filled up the website and program, but few actually showed up. Upon a little investigation, most panelists were simply not informed about the event.
Over time, Information Security specialists have matured. Global speak is relevant to all businesses and individuals. However, having sessions specific to law enforcement and police demands more carefully curated material that is relevant to them: hands-on guidance on what the local ‘thana’ needs to do when users file a cyber-issue complaint, how they should grapple with the challenges of various agencies working in complete isolation, and how to take their issues to the higher authorities, so that an actual milestone is achieved through a discussion forum like this.
The event seemed to have members from law enforcement in attendance. While it was great that the ‘right’ audience was invited, the void between the content and the audience was too vast. Some police officials spoke to the TNS team to express their appreciation for the gathering, but wanted more hands-on tools and workshops to be able to do their jobs more effectively. One commented, “As police of a local thana, it takes us more than 2 weeks to determine the identity behind a cellphone number. This is why the burden of all cases increases at the top; because we don’t have the tools nor the know-how to service citizens at the local level.”
The sad truth of the situation is this: a nation-wide forum like this one seems not to have matured or grown at all since 2003. While it is understandable that it takes constant, ongoing effort, one would expect more tangible outcomes from a forum and platform such as this.