CYBER WARFARE & NATIONAL SECURITY: IMPLICATIONS AND CHALLENGES

DR TUGHRAL YAMIN

ASSOCIATE DEAN CIPS, NUST

AIM

TO HIGHLIGHT THE STRUCTURAL & POLICY SHORTCOMINGS WITH REGARDS TO CYBER SECURITY IN THE OVERALL FRAMEWORK OF

PAKISTAN’S NATIONAL SECURITY

NATIONAL SECURITY

CONCEPT • NATIONAL SECURITY CALLS UPON A

GOVERNMENT, ALONG WITH ITS PARLIAMENT TO PROTECT THE STATE AND ITS CITIZENS AGAINST ALL KIND OF THREATS THROUGH A VARIETY OF POWER PROJECTION MEANS, SUCH AS

– POLITICAL POWER

– DIPLOMATIC INFLUENCE

– ECONOMIC CAPACITY

– MILITARY MIGHT

• MANY COUNTRIES INCLUDING PAKISTAN ARROGATE THE RESPONSIBILITY OF COORDINATING NATIONAL SECURITY MATTERS TO THE NATIONAL SECURITY COUNCIL (NSC)

SLICES OF NATIONAL SECURITY TERRITORIAL

POLITICAL

ECONOMIC

ENERGY & NATURAL RESOURCES

HOMELAND

HUMAN

ENVIRONMENTAL

CYBER

FOOD

ESSENTIAL ELEMENTS OF A COMPREHENSIVE SECURITY FRAMEWORK

• STRONG LEADERSHIP TO PROVIDE – VISION – ACROSS THE BOARD

COORDINATION

• CLEAR CUT POLICY & STRATEGY WITH PRECISE MISSION STATEMENT

• ADEQUATE FUNDS & HUMAN/MATERIAL RESOURCES

• UNAMBIGIOUS SET OF LAWS & LAW ENFORCEMENT CAPACITY

LEADERSHIP

RESOURCES

POLICY & STRATEGY

LAWS

CYBER SECURITY

REFERS TO PROTECTION OF OFFICIAL AND PERSONAL COMPUTER AND DATA PROCESSING INFRASTRUCTURE AND OPERATING SYSTEMS (OS) FROM HARMFUL INTERFERENCE, FROM OUTSIDE OR INSIDE THE COUNTRY

INVOLVES NOT ONLY NATIONAL DEFENSE & HOMELAND SECURITY BUT ALSO LAW ENFORCEMENT

CYBER WARFARE & CYBER ATTACKS

DEFINITION

AN INTERNET-BASED CONFLICT INVOLVING ATTACKS ON THE ADVERSAY’S INFORMATION & INFORMATION SYSTEMS

PURPOSE OF CYBER ATTACKS

DEFACE WEBSITES

DISABLE NETWORKS

DIRUPT/ DISABLE ESSENTIAL SERVICES

STEAL OR ALTER DATA

CRIPPLE FINANCIAL SYSTEMS

MANIFESTATION OF CYBER ATTACK

• SECURITY BREACHES

• ECONOMIC LOSSES

• PSYCHOLOGICAL TRAUMA

• PHYSICAL DAMAGE

DISRUPTION OF

COMPUTER SYSTEMS –

LONG DOWN TIME

FEAR & PANIC

FLIGHT

KNEEJERK REACTION

SMALLSCALE ID THEFTS

MASSIVE DATA

BREACHES

FRAUD

LARGESCALE MONETARY

THEFT

HOW CAN CYBER ATTACKS HURT NATIONAL SECURITY?

CYBER ATTACKS CAN:

• PARALYSE THE GOVERNMENT’S DECISION MAKING SYSTEMS

• CRIPPLE A NATION’S CRITICAL INFRASTRUCTURE

• CAUSE MASSIVE PANIC & TRIGGER INADVERTENT WARS

PARALYSIS

COLLAPSE PANIC

TYPES OF CYBER ATTACKS

• VIRUSES

• WORMS

• TROJAN HORSES SYNTACTIC

ATTACKS

• MISLEADING INFORMATION TO DISTRACT OR COVER OWN TRACKS

SEMANTIC

ATTACKS

CYBER TARGETS • PERSONAL COMPUTERS • COMPUTER NETWORKS

MANAGING THE INFORMATION SYSTEMS OF ORGANIZATIONS, BUSINESSES, FINANCIAL INSTITUTIONS ETC

• CRITICAL INFRASTRUCTURE (VITAL ASSETS OF A NATION – VIRTUALLY/PHYSICALLY) CONTROLLED BY SUPERVISORY CONTROL & DATA ACQUISITION (SCADA)

CRITICAL INFRASTRUCTURE

COMPUTER NETWORKS

PERSONAL COMPUTERS

HOW DOES A TYPICAL CYBER ATTACK TAKES PLACE?

MALICIOUS ACTS ORIGINATING FROM AN ANONYMOUS SOURCES HACKING INTO A SUSCEPTIBLE SYSTEM TO EITHER • STEAL • ALTER OR • DESTROY A SPECIFIED

TARGET

WHO CAN LAUNCH CYBER ATTACKS?

• STATE ACTORS

• NON STATE ACTORS

• CRIMINALS

• HACKTIVISTS

• FREELANCERS

• KID IN THE BASEMENT

• INSIDERS

PROBLEMS WITH CYBER RESPONSES

NO RULES OF ENGAGEMENT

PROBLEM IN DETERMINING A PROPORTIONATE RESPONSE

DIFFICULTY IN ATTRIBUTION

BROAD SPECTRUM OF CYBER ATTACKS

US CYBER SECURITY AGENCIES

• OFFICE OF THE CYBER SECURITY COORDINATOR

• DEPARTMENT OF HOMELAND SECURITY (DHS)

• NATIONAL SECURITY AGENCY (NSA)

• CYBER COMMAND (CYBERCOM)

DEPARTMENT OF HOMELAND SECURITY (DHS)

NATIONAL SECURITY AGENCY (NSA)

LEVEL AUSTRALIA UK

STRAT CYBER SECURITY POLICY & COORD COMMITTEE (LEAD AGENCY: THE ATTORNEY GENERAL’S DEPARTMENT) FUNCTION: INTERDEPARTMENTAL COMMITTEE THAT COORDS DEVELOPMENT OF CYBER SECURITY POLICY FOR THE GOVT

OFFICE OF THE CYBER SECURITY (OCS) FUNCTION: PROVIDES STRAT LEADERSHIP & COHERENCE ACROSS ALL DEPTS OF THE GOVT

TAC CYBER SECURITY OPERATIONS CENTRE (UNDER DEFENCE SIGNALS DIRECTORATE) FUNCTION: PROVIDES GOVET WITH ALL SOURCE CYBER SITREP

CYBER SECURITY OPS CENTRE (CSOC) FUNCTION: ACTIVELY MONITORS THE HEALTH OF CYBERSPACE & COORDS INCIDENCE RESPONSE

OP CERT AUSTRALIA GOVCERTUK

PM OFFICE/ CABINET SECY (PMO/ CAB SEC)

MINISTRY OF HOME AFFAIRS (MHA)

MINISTRY OF EXTERNAL AFFAIRS (MEA)

MINISTRY OF DEFENCE (MOD)

MINISTRY OF COMMON INFO TECHNOLOGY (MCIT)

NON GOVT ORGANISATION (NGO)

NATIONAL SECURITY COUNCIL (NSC)

NATIONAL CYBER COORD CENTRE (NCCC)

AMBASSADORS & MINISTERS

TRI SERVICE CYBER COMMAND

DEPARTMENT OF INFORMATION TECHNOLOGY (DIT)

CYBER SECURITY AND ANTI HACKING ORGANISATION (CSAHO)

National Technical Research Org (NTRO)

Directorate of Forensic Science (DFS)

Defence Attaches

Army (MI) Department of Telecom (DoT)

Cyber Society of India (CySI)

National Critical Info Infrastructure Protection Centre(NCIIPC)

National Disaster Mgt Authority (NDMA)

Joint Secretary (IT) Navy (NI) Indian Computer Emergency Response Team CERT-IN

Centre of Excellence for Cyber Security Research & Development In India (CECSRDI)

Joint Intelligence Group (JIG)

Central Forensic Science Lab (CFSLs)

Air Force (AFI) Education Research Network (ERNET)

Cyber Security of India(CSI)

National Crisis Management Committee (NCMC)

Intelligence Bureau (IB)

Def Info Assurance & Research Agency (DIARA)

Informatics Center (NIC)

National Cyber Security of India (NCS)

Research & Analysis Wing (RAW)

Defence Intelligence Agency (DIA)

Centre for Development of Advanced Computing C-DAC

Cyber Attacks Crisis Management Plan of India (CACMP)

Multi Agency Center (MAC)

Defence Research Dev Authority (DRDO)

Standardisation, Testing and Quality Certification (STQC)

National Information Board (NIB)

CYBER SECURITY HIERARCHY IN INDIA

US

FOC

US

ON

IT S

ECU

RIT

Y

COMPUTERS/ICT FORM THE FOUNDATION OF US ECONOMY AND DRIVE THE TECHNOLOGICAL CHANGE THAT ALLOWS SMALL AND MEDIUM-SIZED BUSINESSES TO COMPETE IN THE GLOBAL MARKETPLACE

ECONOMIC GROWTH IS THREATENED BY A CORRESPONDING GROWTH IN CYBER THREATS

INCREASING DATA BREACHES, THEFT OF INTELLECTUAL PROPERTY THROUGH CYBER MEANS, AND CYBER ATTACKS ARE RESULTING IN REAL COSTS AND CONSEQUENCES FOR THE AMERICAN ECONOMY

US GOVERNMENT IS TAKING ACTIONS TO BETTER PREPARE ITSELF, ITS ECONOMY, AND THE NATION AS A WHOLE TO DEFEND AGAINST GROWING CYBER THREATS

CYBER THREATS POSE ONE OF THE GRAVEST NATIONAL SECURITY DANGERS TO THE US

US BUDGETARY STRATEGY FOR CYBERSECURITY

SEVERAL BUDGETARY, PROGRAMMATIC &

LEGISLATIVE STRATEGIES TO IMPROVE THE CYBERSECURITY

INFRASTRUCTURE AND COMBAT GROWING

CYBER THREAT DOMESTICALLY AND

GLOBALLY

UPDATED CYBERSECURITY LEGISLATIVE PROPOSAL THAT WILL PROVIDE THE FEDERAL GOVERNMENT

AND PRIVATE SECTOR THE NECESSARY TOOLS TO IMPROVE NATIONAL

CYBERSECURITY

IN FY 2016, THE PRESIDENT'S BUDGET

PROPOSES $14 BILLION IN CYBERSECURITY FUNDING FOR CRITICAL INITIATIVES

AND RESEARCH

US STRATEGIC INVESTMENTS IN CYBER SECURITY

DHS TO LEAD IMPLEMENTATION

OF THE CONTINUOUS

DIAGNOSTICS & MITIGATION

(CDM)

NATIONAL CYBERSECURITY

PROTECTION SYSTEM BETTER

KNOWN AS EINSTEIN

CYBERSECURITY CROSS-AGENCY PRIORITY GOAL

AND IMPLEMENT POSTWIKILEAKS

SECURITY IMPROVEMENTS ON CLASSIFIED

NETWORKS, PURSUANT TO E.O.

13587

$582 MILLION

US PRESIDENT’S BUDGET FY 2016

OUTREACH TO PRIVATE SECTOR

SHAPING THE FUTURE CYBER ENVIRONMENT

NATIONAL SECURITY

AND CYBER THREATS

$149 MILLION

$243 MILLION

$514 MILLION

CYBERCOM

XXXX

TO BE

BROUGHT TO FULL

STRENGTH

US DEPARTMENT OF DEFENSE BUDGET

FEDERAL CIVILIAN CYBER

CAMPUS

$227 MILLION TO FUND THE 1ST

PHASE OF CONSTRUC

TION

CYBER INTELLIGENCE INTEGRATION,

ANALYSIS & PLANNING WITHIN

THE FEDERAL GOVERNMENT

$35 MILLION

2015 US CYBERSECURITY LEGISLATIVE PROPOSAL

THREE CENTRAL ELEMENTS AIM AT ENSURING NATIONAL SECURITY, WHILE ALSO PROTECTING THE PERSONAL DATA AND PRIVACY OF CITIZENS BY: • FACILITATING GREATER VOLUNTARY SHARING OF CYBER THREAT INFORMATION BETWEEN THE GOVERNMENT AND PRIVATE SECTOR • INCENTIVIZING FURTHER DEVELOPMENT OF INFORMATION SHARING AND ANALYSIS ORGANIZATIONS TO IMPROVE THE VOLUNTARY SHARING OF CYBER THREAT INFORMATION WITHIN THE PRIVATE SECTOR AND BETWEEN THE PRIVATE SECTOR AND THE GOVERNMENT. PROTECTS THE PRIVACY OF AMERICANS BY REQUIRING PRIVATE ENTITIES THAT SHARE VOLUNTARILY UNDER THE PROPOSAL'S AUTHORITY, TO COMPLY WITH CERTAIN PRIVACY RESTRICTIONS, SUCH AS REMOVING UNNECESSARY PERSONAL INFORMATION IN ORDER TO QUALIFY FOR LIABILITY PROTECTION ESTABLISH DATA BREACH STANDARDS • ESTABLISHING A SINGLE FEDERAL STANDARD FOR NOTIFYING INDIVIDUALS IN A TIMELY, CONSISTENT WAY WHEN PRIVATE SECTOR DATA BREACHES OCCUR; THIS HELPS BUSINESSES AND CONSUMERS BY SIMPLIFYING AND STANDARDIZING THE EXISTING PATCHWORK OF 47 STATE LAWS THAT CONTAIN DATA BREACH REPORT REQUIREMENTS INTO ONE FEDERAL STATUTE. THIS IS PART OF OUR COMMITMENT TO BALANCE SECURITY AND PRIVACY, ENSURING CITIZENS RECEIVE TIMELY INFORMATION ON THEIR DATA IN THE EVENT OF A BREACH. THIS WILL:

– PROVIDE A SINGLE THRESHOLD FOR NOTIFICATION – ESTABLISH DEADLINES FOR NOTIFICATION OF CYBER INCIDENTS

US POLICY TO MODERNIZE LAW ENFORCEMENT AUTHORITIES

• ENSURE LAW ENFORCEMENT HAS THE TOOLS TO INVESTIGATE, DISRUPT & PROSECUTE CYBERCRIME • ALLOW PROSECUTION FOR THE SALE OF BOTNETS • ENABLE LAW ENFORCEMENT TO PROSECUTE THE OVERSEAS SALE OF STOLEN FINANCIAL INFORMATION LIKE CREDIT CARD AND BANK ACCOUNT NUMBERS • EXPANDS FEDERAL LAW ENFORCEMENT AUTHORITY TO DETER THE SALE OF SPYWARE USED TO STALK OR COMMIT ID THEFT • COURTS TO BE GIVEN THE AUTHORITY TO SHUT DOWN BOTNETS ENGAGED IN DISTRIBUTED DENIAL OF SERVICE ATTACKS AND OTHER CRIMINAL ACTIVITY

INTERNATIONAL CYBER BUDGETS

INDIA’S CYBER-SECURITY BUDGET ‘WOEFULLY INADEQUATE’: EXPERTS

• INDIA'S CYBER-SECURITY BUDGET WAS MORE THAN DOUBLED LAST YEAR. YET, IT IS “WOEFULLY INADEQUATE” IN THE WAKE OF REVELATIONS MADE BY US NATIONAL SECURITY AGENCY CONTRACTOR EDWARD SNOWDEN AND INCREASING CYBER-ATTACKS ON GOVERNMENT INFRASTRUCTURE, ACCORDING TO EXPERTS.

• IN 2014-15, THE DEPARTMENT OF IT HAS SET ASIDE RS 116 CRORE FOR CYBER SECURITY. THE COUNTRY HAS PROPOSED TO SET UP A NATIONAL CYBER COORDINATION CENTRE (NCCC) WITH A SEPARATE BUDGET OF RS 1,000 CRORE. THE COORDINATION CENTRE IS STILL AWAITING CABINET CLEARANCE. “ALLOCATION IS WOEFULLY INADEQUATE GIVEN SNOWDEN'S REVELATIONS - WE NEED AT LEAST 10 TIMES THAT AMOUNT,” SAID SUNIL ABRAHAM, EXECUTIVE DIRECTOR AT CENTER FOR INTERNET AND SOCIETY.

THE ECONOMIC TIMES 28 JANUARY 2015

CYBER SECURITY ARCHITECTURE

& COORD MECHANISM

CYBER SECURITY POLICY

CYBER LAW

CYBER EMERGENCY RESPONSE

SLOW PROGRESS

LITTLE OR NO PROGRESS

SURROUNDED BY CONTROVERSY

LITTLE PROGRESS

CYBER FUNDS ?????????

WH

ITH

ER C

YB

ER S

ECU

RIT

Y IN

PA

KIS

TAN

?

WHO IS RESPONSIBLE FOR CYBER SECURITY

IN PAKISTAN?

NO DESIGNATED

LEAD AGENCY

MULTIPLE STAKEHOLDERS

GOVERNMENT INDUSTRY ACADEMIA

CIVIL SOCIETY PUBLIC

CYBERSECURITY STAKEHOLDERS

GOVERNMENT • CABINET COMMITTEE ON NATIONAL

SECURITY • NATIONAL SECURITY COUNCIL (NSA: LTG N.K. JANJUA) • SENATE COMMITTEE ON DEFENCE (CHAIR: SEN. M.H. SAYED) • SENATE COMMITTEE ON TECH & IT (CHAIR: SEN. SHAHI SAYED) • NA STANDING COMMITTEE ON TECH &

IT (CHAIR: CAPT SAFDAR) • MINISTRY OF DEFENCE • MINISTRY OF INTERIOR • MINISTRY OF FOREIGN AFFAIRS • MINISTRY OF IT • JS HQ • INTELLIGENCE AGENCIES

PUBLIC • PAKISTAN SOFTWARE HOUSES

ASSOCIATION (PASHA)

• INTERNET SERVICE PROVIDERS ASSOCIATION OF PAKISTAN (ISPAK)

• PAKISTAN INFORMATION SECURITY ASSOCIATION (PISA)

• E COMMERCE ENTREPRENEURS

• DIGITAL RIGHTS ACTIVISTS (BOLO BHI)

• SOCIAL MEDIA ACTIVISTS

• ORDINARY CITIZENS

SENATE COMMITTEE FOR DEFENCE

ACTION PLAN FOR CYBER SECURE PAKISTAN (JULY 2013)

• POINT 1. RELEVANT LEGISLATION TO PRESERVE, PROTECT AND PROMOTE PAKISTAN’S CYBER

SECURITY

• POINT 2. CYBER SECURITY THREAT TO BE ACCEPTED AND RECOGNIZED AS NEW, EMERGING NATIONAL SECURITY THREAT BY THE GOVERNMENT OF PAKISTAN, SIMILAR TO THREATS LIKE TERRORISM AND MILITARY AGGRESSION

• POINT 3. ESTABLISH A NATIONAL COMPUTER EMERGENCY RESPONSE TEAM (PKCERT).

• POINT 4. ESTABLISH A CYBER-SECURITY TASK FORCE WITH AFFILIATION WITH MINISTRY OF DEFENCE, MINISTRY OF IT, MINISTRY OF INTERIOR, MINISTRY OF FOREIGN AFFAIRS, MINISTRY OF INFORMATION AND OUR SECURITY ORGANIZATIONS PLUS RELEVANT AND LEADING PROFESSIONALS FROM THE PRIVATE SECURITY SO THAT PAKISTAN CAN TAKE STEPS TO COMBAT THIS NEW EMERGING THREAT AND FORMULATE CYBER SECURITY STRATEGY FOR PAKISTAN.

• POINT 5. UNDER THE OFFICE OF THE CHAIRMAN JOINT CHIEFS OF STAFF COMMITTEE, AN INTER-SERVICES CYBER COMMAND SHOULD BE ESTABLISHED TO COORDINATE CYBER SECURITY AND CYBER DEFENCE FOR THE PAKISTAN ARMED FORCES.

• POINT 6. WITHIN THE FRAMEWORK OF SAARC, PAKISTAN SHOULD TAKE THE INITIATIVE TO INITIATE TALKS AMONG THE 8-MEMBER STATES PARTICULARLY INDIA TO ESTABLISH ACCEPTABLE NORMS OF BEHAVIOR IN CYBER SECURITY AMONG THE SAARC COUNTRIES SO THAT THESE COUNTRIES ARE NOT ENGAGED IN CYBER WARFARE AGAINST EACH OTHER.

• POINT 7. SPECIAL MEDIA WORKSHOPS ON CYBER SECURITY AWARENESS

NATIONAL CYBER SECURITY COUNCIL BILL (INTRODUCED 14.04.2014)

• WITHIN SIXTY DAYS OF THE ENACTMENT OF THIS ACT, THE SENATE STANDING COMMITTEE ON DEFENCE SHALL CONSTITUTE THE NATIONAL CYBER SECURITY COUNCIL

• NO ACT OF THE COUNCIL SHALL BE INVALID BY REASON ONLY OF THE EXISTENCE OF ANY VACANCY AMONG ITS MEMBERS OR ANY DEFECT IN ITS CONSTITUTION DISCOVERED AFTER SUCH ACT OR PROCEEDING OF THE COUNCIL: PROVIDED THAT AS SOON AS SUCH DEFECT HAS BEEN DISCOVERED, THE MEMBER SHALL NOT EXERCISE THE FUNCTIONS OR POWERS OF HIS MEMBERSHIP UNTIL THE DEFECT HAS BEEN RECTIFIED

• THE COUNCIL SHALL MEET AT LEAST ONCE IN EACH QUARTER OF A YEAR • THE COUNCIL MAY FROM TIME TO TIME DELEGATE ONE OR MORE OF ITS

FUNCTIONS AND POWERS TO ONE OR MORE OF ITS MEMBERS, HOWEVER, UNDER NO CIRCUMSTANCE SHALL BE FURTHER DELEGATED.

• DECISIONS OF THE COUNCIL SHALL BE TAKEN BY A MAJORITY OF THE MEMBERS. • SAVE AS PROVIDED HEREIN, THE TERMS AND CONDITIONS OF SERVICE OF THE

MEMBERS OF THE COUNCIL SHALL BE SUCH AS MAY BE PRESCRIBED. • CHAIR. CHAIRMAN SENATE STANDING COMMITTEE ON DEFENCE • MEMBERS

– FEDERAL GOVT (21) – PRIVATE SECTOR (9)

MANDATE OF THE NATIONAL CYBER SECURITY COUNCIL

• DEVELOP POLICY, RENDER ADVICE, CONDUCT RESEARCH AND ESTABLISH START UP INITIATIVES • ESTABLISH A NATIONAL CYBER SECURITY STRATEGY WHICH MAY BE UPDATED FROM TIME TO TIME, AS AND WHEN

DEEMED APPROPRIATE, BUT NOT LATER THAN EVERY THREE YEARS • ESTABLISH AN INTERNATIONAL CYBER SECURITY STRATEGY WHICH MAY BE UPDATED FROM TIME TO TIME, AS

AND WHEN DEEMED APPROPRIATE BUT NOT LATER THAN EVERY THREE YEARS • UNDERTAKE INITIATIVES AS PROVIDED FOR UNDER SECTION 6; • DEVELOP AND DRAFT POLICY, GUIDELINES AND GOVERNANCE MODELS RELATED TO EVER EMERGING CYBER

SECURITY THREATS; • ADVISE AND MAKE RECOMMENDATIONS TO THE SENATE AND THE NATIONAL ASSEMBLY, JUDICIARY AND ALL

MINISTRIES, DEPARTMENTS AND BRANCHES OF GOVERNMENT ON POLICY AND LEGISLATION WITH RESPECT TO CYBER SECURITY;

• MONITOR LEGISLATION AND PROVIDE ADVICE AND RECOMMENDATIONS WITH THE OBJECTIVE OF ENSURING THAT LEGISLATION REFLECTS INTERNATIONAL BEST PRACTICES WITH RESPECT TO CYBER SECURITY;

• ADVISE AND MAKE RECOMMENDATIONS TO GOVERNMENT DEPARTMENTS ON MECHANISMS TO IMPLEMENT POLICIES RELATED TO CYBER SECURITY AND MONITOR AND HAVE PERFORMANCE AUDIT CONDUCTED THEREOF;

• MAKE RECOMMENDATIONS TO THE GOVERNMENT FOR ADOPTION EITHER THROUGH POLICIES AND REGULATORY MEANS OF STANDARDIZATION, HARMONIZATION AND ACCREDITATION WITH REGARDS TO CRITICAL INFORMATION INFRASTRUCTURE;

• COORDINATE AND CONSULT WITH ALL REPRESENTATIVE STATE AND NON-STATE ACTORS ON IMPLEMENTATION OF POLICIES, INITIATIVES AND LEGISLATION ON CYBER SECURITY;

• FACILITATE COMMUNICATIONS BETWEEN THE GOVERNMENT AND PRIVATE SECTOR ENTITIES, ACADEMIA, CYBER SECURITY EXPERTS THROUGH MULTI-STAKEHOLDER MEETINGS HELD WITH SUCH FREQUENCY AS DETERMINED NECESSARY BY THE COUNCIL;

• ESTABLISH THE ADVISORY GROUPS AS PROVIDED BY SECTION 10 TO PROVIDE NON BINDING INPUT TO THE NATIONAL CYBER SECURITY COUNCIL ON STRATEGIC PLANS AS AND WHEN CALLED UPON TO DO SO FROM TIME TO TIME;

• IN PARTICULAR ADVISE, ASSIST, COLLABORATE AND COORDINATE WITH NATIONAL SECURITY APPARATUS OF THE STATE OF PAKISTAN FOR CONTINUALLY IMPROVING THE STATE OF CYBER SECURITY WITH RESPECT TO ALL ASPECTS AND INTERESTS OF THE STATE;

• COORDINATE, COLLABORATE AND CONDUCT EXCHANGES WITH INTERNATIONAL BODIES, FORA AND ENTITIES, INTERALIA, IN CONNECTION WITH THE FUNCTIONS AND POWERS HEREIN;

• CAUSE RESEARCH AND DEVELOPMENT TO BE CONDUCTED WITH RESPECT TO KALEIDOSCOPIC CYBER SECURITY THREATS, DEVELOPMENTS, BEST PRACTICES AND INTERNATIONAL LAWS AND OBLIGATIONs;

• PROMOTE GENERAL AWARENESS WITH RESPECT TO CYBER SECURITY AWARENESS, PARTICULARLY THE IN-HOUSE ROLE AND RESPONSIBILITY OF INDIVIDUALS, CORPORATE ENTITIES AND ORGANIZATIONS ;

• DEVELOP A TEN YEAR AND TWENTY YEAR VISION WITH REGARDS TO CYBER SECURITY; • LEGISLATE AND UPDATE SUCH RULES FOR THE INTERNAL ADMINISTRATION AND OPERATIONS OF

THE COUNCIL, ITS PERSONNEL AND ADVISORY GROUPS, AS IT MAY CONSIDER APPROPRIATE FOR CARRYING OUT THE PURPOSES OF THIS ACT;

• INCLUSIVELY, COLLABORATE WITH THE CORPORATE ENTITIES, PRIVATE SECTOR, CYBER SECURITY ACADEMIA, PROFESSIONALS, CIVIL SOCIETY AND COMMUNITY TO ACHIEVE THE OBJECTIVES;

• THE COUNCIL MAY DELEGATE THE FUNCTIONS AND POWERS TO ANY ONE OR MORE OF THE ADVISORY GROUPS, AS IT DEEMS APPROPRIATE.

2015 JOINT STATEMENT BY PRESIDENT BARACK OBAMA AND PRIME MINISTER NAWAZ SHARIF

CYBERSECURITY • RECOGNIZING THE OPPORTUNITIES AND CHALLENGES PRESENTED

BY INFORMATION AND COMMUNICATIONS, TECHNOLOGIES PRESIDENT OBAMA AND PRIME MINISTER SHARIF AFFIRMED THAT INTERNATIONAL COOPERATION IS ESSENTIAL TO MAKE CYBERSPACE SECURE AND STABLE

• BOTH LEADERS ENDORSED THE CONSENSUS REPORT OF THE 2015 UN GROUP OF GOVERNMENTAL EXPERTS IN THE FIELD OF INFORMATION AND TELECOMMUNICATIONS IN THE CONTEXT OF INTERNATIONAL SECURITY

• THE LEADERS LOOKED FORWARD TO FURTHER MULTILATERAL ENGAGEMENT, AND DISCUSSION OF CYBER ISSUES AS PART OF THE US-PAKISTAN STRATEGIC DIALOGUE

ARCHITECTURE

POLICY & LAWS

FUNDS & RESOURCES

AWARENESS & PREPAREDNESS

DEVELOPMENT PLAN

INTERNATIONAL RELATIONS

NATIONAL CYBER SECURITY COUNCIL TO BE MADE

PART OF THE NSA

PK CERT TO BE ESTABLISHED WITHOUT FURTHER DELAY

COMPREHENSIVE CYBER SECURITY POLICY TO COORDINATE & ENSURE ALL CYBER MATTERS WHILE ADDRESSING THE CITIZEN’S RIGHT TO PRIVACY

GOVERNMENT SHOULD ALLOCATE ADEQUATE FUNDS & RESOURCES FOR CYBER SECURITY

PROPOSALS

CYBER SECURITY AWARENESS TO BE CREATED WITHIN THE GOVT, CORPORATE SECTOR, INDUSTRY, PRIVATE BUSINESSES & ACADEMIA

•DEVELOP OWN HARDWARE & INFRASTRUCTURE •DEVELOP INDEPENDENT OS FOR THE ARMED FORCES & SECURITY ORGANIZATIONS •IN THE LONGTERM DEVELOP OWN INTERNET

•BRING FORTH NATIONAL VIEWPOINT ACCURATELY IN THE UN GGE & OTHER INTERNATIONAL MEETINGS •CONCLUDE CYBER CBMs WITH INDIA (SAARC SUMMIT 2016)

PROPOSED CYBER COMMAND

CYBERCOM

ARMY AIR FORCE NAVY

SECTT

EXAMPLES OF CYBER ATTACKS & THEIR IMPACT ON NATIONAL SECURITY

THE CASE OF ESTONIA (APRIL 2007) • ESTONIA RELOCATED THE BRONZE SOLDIER OF TALLINN, A SOVIET-

ERA GRAVE MARKER TO THE ANNOYANCE OF THE RUSIANS • A SERIES OF CYBER ATTACKS WERE LAUNCHED AGAINST ESTONIA

SWAMPING WEBSITES OF ORGANIZATIONS, INCLUDING THE PARLIAMENT, BANKS, MINISTRIES, NEWSPAPERS AND BROADCAST STATIONS

• DISTRIBUTED DENIAL OF SERVICE (DDOS) LAUNCHED AGAINST THE GENERAL PUBLIC, RANGING FROM SINGLE INDIVIDUALS USING VARIOUS METHODS LIKE PING FLOODS TO EXPENSIVE RENTALS OF BOTNETS USUALLY USED FOR SPAM DISTRIBUTION

• SPAMMING OF BIGGER NEWS PORTALS COMMENTARIES AND DEFACEMENTS INCLUDING THAT OF THE ESTONIAN REFORM PARTY WEBSITE

CYBER & PHYSICAL ATTACK ON GEORGIA • 20 JULY 2008. ZOMBIE COMPUTERS ATTACK GEORGIAN NETWORKS. WEBSITE OF THE

GEORGIAN PRESIDENT SUFFER OVERLOAD & IS TAKEN DOWN FOR 24 HOURS. TRAFFIC DIRECTED AT THE WEBSITE INCLUDED THE PHRASE "WIN+LOVE+IN+RUSIA”.

• 5 AUGUST. GEORGIAN NEW AGENCIES AND TELEVISION STATIONS HACKED.

• 5 AUGUST. TERRORIST ATTACK ON BAKU–TBILISI–CEYHAN PIPELINE SUBJECTED TO A TERRORIST ATTACK NEAR REFAHIYE IN TURKEY COUPLED WITH A SOPHISTICATED COMPUTER ATTACK ON LINE'S CONTROL AND SAFETY SYSTEMS THAT CAUSE AN INCREASE IN PRESSURE AND EXPLOSION.

• 7-8 AUGUST. MANY GEORGIAN INTERNET SERVERS UNDER EXTERNAL CONTROL

• 9 AUGUST. KEY SECTIONS OF GEORGIA'S INTERNET TRAFFIC REROUTED THROUGH SERVERS BASED IN RUSSIA AND TURKEY, WHERE THE TRAFFIC IS EITHER BLOCKED OR DIVERTED. RUSSIAN AND TURKISH SERVERS ARE ALLEGEDLY CONTROLLED BY THE RUSSIAN HACKERS.

• 10 AUGUST. RIA NOVOSTI NEWS AGENCY'S WEBSITE DISABLED FOR SEVERAL HOURS

• 10 AUGUST. MANY ONLINE GEORGIAN SITES SUSPECTED TO BE FAKE

• 11 AUGUST. GEORGIA ACCUSES RUSSIA OF WAGING CYBER WARFARE ON GEORGIAN GOVERNMENT WEBSITES SIMULTANEOUSLY WITH A MILITARY OFFENSIVE

• 14 AUGUST. CEASEFIRE

NORTH KOREAN ATTACK ON SONY PICTURES

• NOVEMBER 24, 2014. CONFIDENTIAL DATA BELONGING TO SONY PICTURES ENTERTAINMENT RELEASED

• DATA INCLUDES PERSONAL INFORMATION ABOUT THE EMPLOYEES AND THEIR FAMILIES, E-MAILS BETWEEN EMPLOYEES, INFORMATION ABOUT EXECUTIVE SALARIES, COPIES OF (PREVIOUSLY) UNRELEASED SONY FILMS, AND OTHER INFORMATION

• HACKERS CALLING THEMSELVES GUARDIANS OF PEACE (GOP) DEMAND CANCELLATION OF PLANNED RELEASE OF THE INTERVIEW, A COMEDY FILM ABOUT A PLOT TO ASSASSINATE NORTH KOREAN LEADER KIM JONG-UN

• US BLAME NORTH KOREA FOR THE HACKING. NORTH KOREANS DENY COMPLICITY. SOME CYBERSECURITY EXPERTS CAST DOUBT ON THE EVIDENCE, ALTERNATIVELY BLAMING CURRENT OR FORMER SONY OFFICIALS FOR THE BREACH

US CYBER ATTACKS AGAINST NORTH KOREA

STUXNET ATTACK • STUXNET, A COMPUTER WORM WAS DISCOVERED IN JUNE 2010 • IT IS DESIGNED TO ATTACK INDUSTRIAL PROGRAMMABLE LOGIC

CONTROLLERS (PLCs) • PLCs ALLOW THE AUTOMATION OF ELECTROMECHANICAL

PROCESSES SUCH AS THOSE USED TO CONTROL MACHINERY ON FACTORY ASSEMBLY LINES, AMUSEMENT RIDES, OR CENTRIFUGES FOR SEPARATING NUCLEAR MATERIAL

• EXPLOITING FOUR ZERO-DAY FLAWS, STUXNET FUNCTIONS BY TARGETING MACHINES USING THE MICROSOFT WINDOWS OPERATING SYSTEM AND NETWORKS, THEN SEEKING OUT SIEMENS STEP7 SOFTWARE

• STUXNET IS TYPICALLY INTRODUCED TO THE TARGET ENVIRONMENT VIA AN INFECTED USB FLASH DRIVE

• STUXNET COMPROMISED IRANIAN PLCs, COLLECTING INFORMATION ON INDUSTRIAL SYSTEMS AND CAUSING THE FAST-SPINNING CENTRIFUGES TO TEAR THEMSELVES APART, DESTROYING ALMOST ONE-FIFTH OF IRAN'S NUCLEAR CENTRIFUGES

SPOOFING OF AMERICAN DRONE OVERFLYING IRAN

• ON 4 DECEMBER 2011 AN AMERICAN RQ170 SENTINEL UAV WAS SPOOFED AND FORCED TO LAND IN EASTERN IRAN

• AIRCRAFT WAS DETECTED IN IRANIAN AIRSPACE 225 KILOMETERS (140 MI) FROM THE BORDER WITH AFGHANISTAN

• ON 9 DECEMBER 2011, IRAN LODGED A FORMAL COMPLAINT TO THE UN SECURITY COUNCIL OVER THE UAV VIOLATING ITS AIRSPACE

• ON 12 DECEMBER 2011, US ADMINISTRATION ASKED IRAN TO RETURN THEIR DRONE. IRANIANS REFUSED.

WHAT IS SPOOFING?

• SPOOFING IS THE CREATION OF TCP/IP PACKETS USING SOMEBODY ELSE'S IP ADDRESS

• ROUTERS USE THE DESTINATION IP ADDRESS IN ORDER TO FORWARD PACKETS THROUGH THE INTERNET, BUT IGNORE THE SOURCE IP ADDRESS

• THAT ADDRESS IS ONLY USED BY THE DESTINATION MACHINE WHEN IT RESPONDS BACK TO THE SOURCE

DATA BREACH – US OFFICE OF THE PERSONNEL MANAGEMENT (OPM)

• DATA BREACH STARTING MARCH 2014, AND POSSIBLY EARLIER, NOTICED BY THE OPM IN APRIL 2015

• IN JUNE 2015, OPM ANNOUNCED THAT IT HAD BEEN THE TARGET OF A DATA BREACH EFFECTING THE RECORDS OF AS MANY AS FOUR MILLION PEOPLE. LATER, FBI PUT THE NUMBER AT 18 MILLION.

• INFORMATION TARGETED IN THE BREACH INCLUDED PERSONAL INFORMATION SUCH AS SOCIAL SECURITY NUMBERS, AS WELL AS NAMES, DATES AND PLACES OF BIRTH, AND ADDRESSES.

• THE HACK ALSO INVOLVED THEFT OF DETAILED BACKGROUND SECURITY-CLEARANCE-RELATED BACKGROUND INFORMATION OF PEOPLE DEPLOYED ON SENSITIVE MISSIONS

• ON JULY 9, 2015, THE ESTIMATE OF THE NUMBER OF STOLEN RECORDS INCREASED TO 21.5 MILLION. THIS INCLUDED RECORDS OF PEOPLE WHO HAD UNDERGONE BACKGROUND CHECKS, BUT WHO WERE NOT NECESSARILY CURRENT OR FORMER GOVERNMENT EMPLOYEES.

• SOON AFTER, KATHERINE ARCHULETA, THE DIRECTOR OF OPM, AND FORMER NATIONAL POLITICAL DIRECTOR FOR BARACK OBAMA'S 2012 REELECTION CAMPAIGN, RESIGNED

CYBER WARGAME SCENARIO

IN A CYBER WARGAME CONDUCTED IN THE US IN JULY 2015

• THE SCENARIO IN THE WAR GAME BEGAN WITH A MAJOR EARTHQUAKE HITTING SOUTHERN CALIFORNIA

• FOLLOWED BY A SERIES OF COORDINATED CYBERATTACKS, INCLUDING OIL AND GAS PIPELINE DISRUPTION

• INTERFERENCE AT A MAJOR COMMERCIAL PORT IN THE U.K.

• ATTACKS ON PENTAGON NETWORKS • A FREEZE ON ACCESS TO CASH AT BANKS AND LONG

LINES FOR FOOD AT STORES.

CYBER ATTACKS BY NON STATE ACTORS

CYBER CBMs

• CYBER SECURITY IS A NON-CONTERVERSIAL AREA BUT HAS THE POTENTIAL OF CONFLICT

• THERE IS NO CYBER SECURITY COOPERATION IN SOUTH ASIA

• ISSUE NEEDS TO BE PUT ON THE AGENDA OF THE NEXT SAARC SUMMIT