FBR under cyberattack-II: Wake-up call

Interestingly, FBR is not only collecting taxes but is also responsible for dealing with Anti-Money Laundering and Combating Financing of Terrorism (AML-CFT) matters of Designated Non-Financial Businesses and Professions (DNFBPs), despite repeated warnings of cyber-attacks by the global watchdog on this issue. The Financial Action Task Force (FATF) president's statement asks for the allocation of sufficient resources to deal with AML-CFT and cybercrimes. Moreover, a Group of Seven (G7) finance minister urges the countries to implement FATF standards to deal with increased malicious cyber-enabled attacks. However, our lenient approach brought us to the position where we have miserably failed to counter potential threats as proven in FBR's case.

This development, on the one hand, compromises the privacy of the taxpayers and on the other, raises concerns on FBR officials due to their questionable role in the recent development concerning the reputation of the institutions.

The matter needs investigation, and a team should be formed to investigate the allegations leveled against the FBR officials regarding sharing of taxpayers' information with outsiders. As per media reports, FBR officials allegedly shared the tax-related information of Imran Khan for the last 37 years.

The recent development concerning FBR was noted in Peshawar High Court (Court) where a writ petition was filed by five Inland Revenue Commissioners of FBR against the Office of Federal Tax Ombudsman (FTO) who has ordered the Chairman of FBR to form an inspection team to check corrupt practices in the tax machinery. The court observed that the petitioners, being civil servants, shall in no manner be considered as aggrieved persons. The court held that the office of FTO did not require the presence of a complaint, particularly when there was an overwhelming perception of rampant corruption in the tax hierarchy as reported in a newspaper. That newspaper further reported concerning tax lawyer Waheed Shahzad Butt, a whistleblower for the FTO, that it was rare that a government department, responsible for collecting revenue, had approached a court against a constitutional office that was responsible for checking corrupt practices. Some tax experts allege that destroying internal data received from OECD can be another motive after this judicial pronouncement, though there exists a remote possibility of it unless proved by an independent inquiry committee of experts in detecting hackers behind cyberattacks.

The current attack on FBR systems has compromised the privacy of information though Chairman FBR has denied it. Unfortunately, there is no specific data protection law in Pakistan. In the current cyberattacks, taxpayers' information was accessed, though FBR denied it. However, Nadra's Chairman confirmed damage control in a tweet. In this entire episode, the victims may be the taxpayers of Pakistan unless proves otherwise in the inquiry. Their information is allegedly compromised, they are not even aware of the consequences-are left with no remedy.

Transparency is one of the foremost principles of governance and such acts of sweeping this dust under the carpet will serve no purpose for the system. Therefore, to set the best example of accountability and transparency, the government should form a team of independent professionals to investigate the entire matter and submit a detailed report related to the inadequacy of protection of the systems, allegations leveled against FBR officials who shared the taxpayer information with outsiders as reported in the media.

The motive behind filing of writ petitions against FTO, alleged abuse of information received from the Organization for Economic Cooperation and Development (OECD), and failure to maintain the privacy of taxpayers is highly undesirable. The investigation team should also probe the element of internal involvement in the current attack as well. Moreover, as highlighted in the cyber security policy Pakistan relies heavily on imported hardware, software, and services. This reliance, coupled with inadequate national security standards, has made computer systems in Pakistan vulnerable to external cyberattacks and internal data breaches. Knowing the potential risks to our system no concrete steps have been taken to address these challenges. The government should identify the loopholes and make an example of those who were entrusted with the responsibility to ensure the security of data. Simultaneously, the government must continue to invest in technology, systems, and governance framework, which are required to keep pace with the ever-evolving threats.

(Concluded)

(The writers Ms. Huzaima Bukhari, MA, LLB, Advocate High Court, Visiting Faculty at Lahore University of Management Sciences (LUMS), member Advisory Board and Visiting Senior Fellow of Pakistan Institute of Development Economics (PIDE), is author of

numerous books and articles on Pakistani tax laws, Dr Ikramul Haq, Advocate Supreme Court, specializes in constitutional, corporate, media, ML/CFT related laws, IT, intellectual property, arbitration, and international tax laws and Abdul Rauf Shakoori, Advocate High Court, is a subject-matter expert on AML-CFT, Compliance, Cyber Crime, and Risk Management)

Copyright Business Recorder, 2021