FBR under cyberattack—I: Wake-up call

The Federal Board of Revenue (FBR), the apex federal revenue collection body, is entrusted with the responsibility of collecting taxes of billions of rupees. Its jurisdiction extends throughout the country and due to the large volume and sensitivity of the data, FBR runs the largest data center in Pakistan. As technology is becoming more user-friendly and common, the functions and operations of FBR are getting more “technology-dependent” and its digital imprints are increasing every day. Hundreds of thousands of machines interact with FBR’s system on a daily basis. This connectivity is increasing the risk of data breaches and digital vulnerabilities for the FBR. Cybersecurity-related risks are evolving and have now become national strategic issues. However, the failures in combatting these threats can lead to a national crisis, as it is an integral part of our country’s defense. Therefore, it is time to implement and maintain a security management framework, aligning people and technology, to survive in today’s competitive market.

Cyberattacks by state and non-state actors on key data websites, data, and data centers pose a threat that can undermine the security capabilities of a state. It can cause significant economic damages. In a recent lapse, FBR succumbed to a cyberattack as reported in the media, and its official website, “IRIS” system (for filing e-returns, obtaining e-registration, WEBOC (for Customs clearance), and all other critical tools remained non-functional. This should be a matter of grave concern that hackers did manage to penetrate one of the most critical data centers of the country. It will take a while before we get to know the exact magnitude of the damage.

However, it is high time that government should reassess its cybersecurity capabilities, identify areas of improvement and conduct regular cyber risk assessments of all technological systems to ensure effective countering of internal and external threats.

Our joint article, Of cyber attacks and cybersecurity, TNS, [Political Economy] The News, August 15, 2021, ‘identified major weaknesses in existing systems and discussed what should be the priorities of the government and law enforcement agencies to overcome various possible attacks/threats. It was highlighted that until now our main focus has remained on employing traditional controls to address external threats, while no adequate protection is provided to counter threats from insiders, generated by people having legitimate access to the systems(s). The following remedies were suggested to improve our cybersecurity:

(i) Forming an independent national cybersecurity agency;

(ii) making comprehensive laws about cybercrimes;

(iii) a threat hunting and information sharing mechanism; and

(iv) continuous management and monitoring.

For implementing the above, the state has to make laws that should define minimum security standards, mandatory breach reporting, and training initiatives to strengthen cybersecurity but nothing worthwhile has been done. Even Personal Data Protection Bill, 2020 has yet to be tabled in Parliament.

The federal government should establish policies and regulations for identifying and prioritizing critical cyberspaces and safeguard them from any potential threats. To achieve better outcomes, laws, and regulations should be reflective of the threats, vulnerabilities, and potential consequences faced by the country. These regulations should identify responsibility for coordinating cybersecurity efforts. A special autonomous body should be designated to lead the nation’s development, coordination, alignment, and integration of cybersecurity policies, strategies, and plans for this activity. Experts within the designated agency should have in-depth knowledge of information and operational security processes. It is alleged that FBR like other government institutions is facing internal challenges like political appointees and nepotism that is posing a constant threat by making them more vulnerable to situations like the one that happened on Independence Day with the FBR website (www.fbr.gov.pk).

According to Tarin mulls options on FBR hack, (The Express Tribune, August 17, 2021), the following is the background, actions taken so far, and report submitted by FBR:

• “Finance Minister Shaukat Tarin has decided to take a third-party view before taking any action in case of the worst ever cyber-attack that brought down the Federal Board of Revenue’s (FBR) data center for more than 72 hours.

• The fresh information revealed that Pakistan’s premier spy agency had forewarned the FBR about the high possibility of a cyber-attack, sources told The Express Tribune on Monday. But these warnings were ignored, resulting in either taking over or shutting down about 360 virtual machines of the FBR data center, said the sources.

• The 360 machines are almost half of the total virtual machines, indicating the extent of damage caused to the data.

• Based on technical inputs and initial findings, the FBR has submitted a report to the finance minister about the cyber-attack that took place before 2:00 am on August 14, said the sources.

• “I will review the report and take a third-party view before taking any action”, said Shaukat Tarin on Monday while responding to a question sent by The Express Tribune. The minister had been requested to comment whether he would take any action in case of data hacking of FBR since a report had been submitted to him.

• The sources said that the premier intelligence agency had warned the FBR on Wednesday that a cyber-attack may take place on its data center. The sources said that after that the FBR chairman discussed precautionary measures.

• To a question on whether he issued any instructions to shut down systems to avoid data hacking, FBR Chairman Asim Ahmad replied, “No such instructions were given by me. In such circumstances, systems are not shutdown but very closely monitored, which was being done.”

• Hackers attacked Pakistan’s largest data center run by the FBR and managed to break those, bringing down all the official websites operated by the tax machinery.

• In a press statement issued on Monday, the FBR said that “all applications having public interface have been operationalized and running smoothly”. These operationalized projects include the FBR website, Paysis website, eFBR website, IRIS website, AJK IRIS website; IMS web service, PRA web service, and Tax Asaan Mobile application stated the FBR.

• The sources said that the Pakistan Revenue Automation Limited (PRAL), which provides technical support to the FBR and also houses the data, took a lenient view of the threat. This was even though the Chief Information Technology Officer (CIO) who has been hired from HSBC bank, had pointed out system vulnerabilities and the possibility of its hacking after assuming his responsibilities a few months ago.

• The FBR is the largest database that carries information on trillions of rupees transactions, details of wealth and income, and expenditures of its citizens. It also has details about their various personal and business transactions due to various types of withholding taxes that are being deducted on these transactions.

• The sources said that the hackers had managed to “intrude” in almost 360 virtual machines and shut them down. They said that till Monday evening nearly half of these machines have been restored. All the current data that was in these machines at the time of the attack has been lost, said the sources.

• They said that in its initial report, the FBR and its technical wing have recommended reviewing the licenses regimes of all the software that it operates. It has also been recommended to review the relationship with Microsoft Inc, they added.

• They said that the hackers intruded on the system by hacking the login and passwords of the data center administrators. This was done through Microsoft software.

• The FBR’s technical wing’s initial assessment was that the hackers intruded in the system through the Hyper-V link.

• Another report, having names of government and private cybersecurity experts, stated that attackers targeted multiple Pakistani government organizations using spear-phishing emails. Ultimately it affected the virtual environment by dismantling or destroying the virtual environment that was part of the infrastructure.

• This report further stated that some systems were compromised, and the attacker did have access to them through lures used email info stolen from the actual website of the Pakistan government and the subject used by this email was National Cyber Security Policy Draft”.

Best practices indicate that timely identification, communication, and recovery from major cybersecurity challenges can often reduce the damage resulting from any malicious cyber-activity. Whereas the recent communication released by the FBR spokesperson seems to be a failed attempt in oversimplifying such a critical situation, it tries to negate the general impression and terms this episode of hacking/lapse of cyber-security as a “data migration activity”. It states as following

“The Federal Board of Revenue (FBR) has issued a clarification regarding in-progress service optimization activities at the FBR House Data Center Islamabad. FBR has explained that the technical team is currently migrating services. The completion of this migration shall result in the increased overall productivity of FBR IT Operations. This migration is necessary to facilitate the up-gradation of the system to enhance the best services to our clients. The stakeholders, who are being provided services from the data center, are informed that there were unforeseen anomalies during the migration process, which has resulted in the unavailability of services, since the early hours of the last night. FBR team is ensuring restoration of services as soon as possible to keep the downtime to a minimum. This activity is expected to be completed in the next 48 hours. FBR regrets and apologizes for any inconvenience this may have caused and appreciates the continued cooperation of the stakeholders”.

On the contrary, the chairman of the “National Database and Registration Authority (NADRA) in replying to a tweet confirmed that “NADRA was approached last night to help #FBR- I immediately deployed NADRAs Tech Team to control damage and restore operations. Working 24/7 with FBR, we can restore customs’ operation on priority to avoid public inconvenience. We will restore all data centre Ops Insha’Allah”

The tweet by Tariq Malik confirms that there was something wrong and his team played a role to control the damage. On the other hand, it also confirms that FBR’s claim of data migration is misleading and tantamount to an effort to hide their incompetence. Moreover, it is not the first time that the FBR data is under attack. A similar unsuccessful attempt was made in March 2020. Despite knowing the vulnerabilities in their system FBR did not bother to make special arrangements to secure their systems.

(To be continued)

Copyright Business Recorder, 2021