Cyber Security: A Multi-Stakeholder Approach

"Amir Malik, CEO - CIS"

Author: Amir Malik, CEO – CIS

The rapid growth of internet users has been phenomenal around the world, and consequently with that development there has been a stark increase is cybercrimes. Cybercrimes are being committed through computers, networks, smartphones,and over the Internet. They range from hate crimes, online harassment, spamming, phishing, identity theft, Internet fraud, copyright infringement, credit card account thefts, and child pornography.Every few months there is news of major attempts to hack financial systems, large corporations, industrial equipment, consumer devices, medical records, government and military computer systems. Now with the full emergence of Internet of Things, there is also a threat of the misuse of IoT devices. Cybercrimes have become a global issue with cyber warfare, espionage, and other online malicious activities being carried out across international borders.

In the “2015 Cost of Cyber Crime Study: Global”study by Ponemon Institute sponsored by Hewlett-Packard, the average costs of cybercrime attacks in the United States amounted to $15.42 million followed by Germany at $7.50 million and the United Kingdom at $6.32 million. This research also showed that all industries are falling victim to cybercrime. The average annual cost of cybercrime vary by industry segment, where organizations in financial services, utilities and energy experience substantially higher cybercrime costs than other sectors. This is reaffirmed by Cyber Attacks Statistics for October 2015 collected by Paolo Passeri, which states that the industrial sector has the highest reported incidents of cybercrimes followed by Governments and Education institutions as shown in the Distribution of Targets chart.

"Cyber Security - A Multi-Stakeholder Approachc"According to Cyber Attacks Statistics, an illustration in terms of Country Distribution shows that the US is on top of all the attack categories which include Cyber Crimes, Hacking and Cyber Espionage followed by the United Kingdom. Pakistan also faces many cyber-attacks which are mostly involve hacking. When it comes to motivations behind attacks, Cyber Crime ranks on top at 72% compared to Hacking at 16.7% and Cyber Espionage at 10.7%.

To counter cybercrimes, the use of cyber security or IT security has come to the forefront as a critical issue and a major topic of discussion across international governments. Cyber security involves mechanisms to protect digital equipment, information and services, and processes of applying security measures to ensure confidentiality, integrity, and availability of data. Governments all over the world are being asked to take actions against the outbreak of recent cyber-attacks. Although cyber security is typically thought to be a government’s responsibility; however, in reality its accountability is reliant on a multi-stakeholder environment which includes governments, financial institutions, telecommunication networks, insurance networks, medical institutions, corporations, internet service providers, academia, technical experts, civil society and the business community. The government does protect cyber security of government networks, but at the same time so many Critical Information Infrastructure are in the custody of private networks. Thus, it is necessary for the private sector to take ownership of protecting cyber security of data under its control. In recent years, the private sector has faced several major online security breaches and subsequently dealt with legal suits for not having appropriate measures in place against hacking of user data. Organizations are now proactively setting up security measures and incorporating cyber security legal compliances to protect the confidentiality of consumers’ data in their daily business operations.

"Cyber Security - A Multi-Stakeholder Approachc"Cyber Legislation is another significant defense against for cybercrimes provided it is well thought out, clear, and concise with the objective to protect citizens, organizations, and governments. In most developing countries cybercrime laws have not been developed or are exploitable due to which cybercriminals can remain undetected and commit crimes across international borders. Cyber criminals manage to find safe havens to avoid prosecution from the law enforcement. The United States of America continues to tackle this issue where President Barack Obama released in an executive order in April 2015 to combat cybercrime allowing the United States to freeze assets of convicted cybercriminals and block their economic activity within the United States. In October 2015, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA) to strengthen the country’s cyber defenses, and combat computer hacks that have hit a growing number of businesses and government agencies in recent years. CISA will expand liability protections to companies that choose to voluntarily share cyber-threat data with the government.

The Government of Pakistan in 2014 has also drafted the Prevention of Electronic Crimes Act 2015to criminalize offences committed over ICT infrastructure.The draft has been approved by the National Assembly’s standing committee on Information Technology,and is now to be presented in Parliament. The legislation is undergoing a comprehensive review to ensure a well-balanced approach is maintained in term of the rights of citizens and freedom of speech, and is therefore a work in progress which requires extensive collaboration from the government, technical specialists, legal experts and civil society to develop a more civil-centric and transparent law. Another step taken by the Government of Pakistan to counter terrorism was to establish the ‘National Action Plan’ (NAP) in January 2015. One of the plan’s objective is to develop measures against abuse of internet and social media for terrorism. The steps to be taken in order to implement this mandate now have to be defined.

There is a dire need for legislation to be in place to ensure that the responsibilities of stakeholders are defined and consequences of cyber offences are laid out impartially and equitably.In the particular case of defining the roles of stakeholders to counter cybercrimes, the draft Prevention of Electronic Crimes Act 2015 calls for protection of intermediaries and service providers. Section 35 of the draft legislation defines the limitations of the liability of the service providers where a service provider is not subject to any civil or criminal liability unless the person alleging has proof that the service provide raided or abetted any person in violating the law by misusing an information system, service, application, online platform or telecommunication system maintained, controlled or managed by the service provider. This is a very constructive step and will also help bring back YouTube in Pakistan.

The issue of cyber security needs to be dealt with a multi-stakeholder approach where every citizen and organization along with the government has a role to play. Pakistan has over 120 million phone subscribers, and 3G/4G subscriptions have reached 18 million in just 18 months. We have an estimated 25 million internet users in Pakistan. With this rapid increase in users and more organizations adopting ICT services, the need for cyber security will continue to gain momentum, and will continuously have to evolve to meet with the emerging challenges in the internet world. The government cannot be deemed the sole responsibility for cyber security. We need to form a collaboration with consultants from academia, technical, civil and business community to share their input for designing a conducive and functional cyber security policy. Effective and successful cyber security is possible only if we raise awareness for the treatment of cybercrime, focus on a comprehensive cyber security legislation and ensure that each stakeholder takes action against it.