Muhammad Shareh Qazi
From a malware attack on the Kudankulam Nuclear Power Plant in India in 2019 to audio leaks from the office of the Pakistani Prime Minister in 2022, India and Pakistan have had their fair share of such experiences of security failure. For two states that value national security and its multifarious aspects in high regard, cybersecurity failures seem almost unbelievable. This new domain of national security, in all its paraphernalia, features unattributability of events, which means tracing and tracking of incidents cannot be done traditionally. With both states focusing extensively on enhancing their information technology footprints and arguing in favor of digitization and digitalization practices, cybersecurity stands to become a paramount concern. For India, the Ministry of Electronics and Information Technology was able to draft a Cybersecurity Policy in 2013 and for Pakistan, the Ministry of Information Technology & Telecommunication was able to do the same in 2021. The policies of both states, however, have no mention of cyber- hygiene practices, or a roadmap to achieve the same.
Cyber-hygiene is not merely about changing passwords, or keeping personal information in digital lock and key. It also includes practices and behaviors of designated personnel working in sensitive installations at places of national importance. In the cybersecurity domain, if a virtual insurgent is able to preempt, their chances of achieving a similar advantage remain significant. Once a hacker or an intruder is able to bypass checks and balances, their ability to replicate a similar intrusion makes the entire security apparatus futile. Coupled with non-attributability, such attacks are considered superior to any conventional/traditional canons of national security. For the aforementioned cases, however, insider threat is also a subject of principal importance. The ability of a cyberattack to receive impetus from insiders not only truncates the entire security matrix of the institution but also implores restructuring the entire clearance and operability framework. For a nuclear installation or a sensitive office of government, this means a whole host of further erosion. Pakistan and India cannot afford to ignore cyber-hygiene practices in their installations and institutions and they certainly cannot let cyberspace become a source of an event horizon in their fragile national security architectures.
For Pakistan and India, cyberattacks will increase with their transitions into the digital world and it also means critical infrastructure would require personnel to learn more about the threat perceptions. Despite implementing tighter controls which range from designing specific institutions to counter cybersecurity challenges to outsourcing cybersecurity services , both Pakistan and India have a lot to learn. To state officials and government functionaries, cyber-hygiene seems like an event horizon beyond incident response and detection & prevention protocols. By instituting an academic discourse and stakeholder engagement, an effective system can be designed towards organizational resilience for the protection of critical infrastructure. India already takes the lead with a significant number of academic institutions engaged in cybersecurity learning. That said, their theoretical input is not effectively resonating with practical accomplishments. This indicates that, despite being able to explore the field, stakeholders are either not evolving in line with threat perceptions, or their technological ineffectiveness is proving to be a major hurdle. Apropos of Pakistan, data preservation and combating cybersecurity threats require the provision of more operability to the National Center for Cyber Security (NCCS) and National Response Centre for Cyber Crime (NR3C) within the Federal Investigation Agency (FIA).
Cybersecurity awareness campaigns need to be included not only in academic institutions but also at sensitive installations and state institutions, to raise awareness of impending challenges. Each awareness program can be customized and tailored to suit the needs of places they are to be conducted at. A practice of simulated cybersecurity vulnerabilities is implemented by the United States through its Cybersecurity and Infrastructure Security Agency (CISA) called the cybergames. This practice is a very effective method to make cyber-hygiene a regular feature for institutions and organizations beyond regular sweeps and detection practices which surely have their fractures and caveats. Each institution in the government and each installation that require cybersecurity services will have to design its own infrastructure and cyber-hygiene practices. Designing a national response mechanism or creating a national cybersecurity strategy does not effectively solve the problem; it may only stand to make it worse by generalizing threats. Cyber-hygiene practices are meant not only for the systems and software but also for users and management teams. Acquiring sophisticated technology or developing high-end software is only a partial fulfillment of an effective cybersecure environment. The people that operate, calibrate, manage, and render services in and around such infrastructures are equally important and their adaptability is imperative in averting any future incidents.
With each incident, Pakistan and India learn more about how complex the digital world is, but, by the time they are able to fully comprehend the scope and severity of the problem, their threat calculi change. With each detection or prevention that turns out to be successful, intruders and bad actors change tactics and targets, something which keeps pressure on state infrastructure. Each sensitive installation targeted and each essential data breached is a step backwards for national security because it raises questions that state functionaries are unable to answer, owing to their deficiencies in grasping this new domain. Pakistan and India might be able to acquire sophisticated technologies and may have designed cybersecurity infrastructures, but the Achilles’ Heels for such projects are personnel who are not adequately trained to deal with the intensity of threats. Cyber-hygiene, as it should be, looks to be the weakest of links in cyberspace learning in Islamabad and New Delhi. Nuclear installations and highest offices are sufficiently significant targets that must be protected. Therefore, it is important to initiate cyber-hygiene practices on a grander level, not within a generalized, often overreaching national cybersecurity policy. It would require both states to allow their institutions an opportunity to design personalized cybersecurity practices for men and machines alike.
Dr. Shareh Qazi is an Assistant Professor at the Department of Political Science, University of the Punjab.