—– Adds such products threaten country’s information infrastructure
—– Informs authorities of threat via a cyber security advisory
—– Directs departments to consult with P@SHA to find alternatives
Staff Report
ISLAMABAD: The federal government has advised all informational technology (IT) and financial institutions, including regulators, to “refrain from collaboration, installation and use of Indian origin” artificial intelligence (AI)/information and communication technology (ICT) products as it may poses a “constant, concealed and force multiplier threat” to Pakistan’s critical information infrastructure (CII).
The government informed the authorities concerned of the threat via a “cyber security advisory”— shared with federal and provincial ministries including sectoral regulators.
It noted that globally AI products and services are being used by various industries including financial and banking sectors to accelerate enterprise growth.
“It has been learnt that [the] fintech sector of Pakistan including a few banks are engaged with Indian-origin companies who are offering them IT products, Cyber Security and AI solutions, etc,” the document stated.
It added that the “use of Indian security products/solutions” was a constant, concealed and force multiplier threat” to Pakistan’s CII, including banking sector, for two reasons.
The factors were identified as a “possibility” of “backdoor or malware” in the products to collect “logs/data traffic analysis and personal identifiable information (PII)”.
The other factor it pointed out was that it was “direct Indian ingress in Pakistan’s CII through technical means/access control with passive monitoring capability”.
The document added: “Above in view, all Federal/Provincial Ministries including sectoral regulators are requested to sensitise their affiliated setups/organisations/licensees, on the risks involved in the use of Indian origin products/solutions.” While refraining the authorities from using Indian products the government directed them to instead consult with the Pakistan Software House Association (P@SHA) to “find Pakistani technical companies for suitable economical alternatives”.
US company believes India used its software to spy on Pakistan, China
Two years ago, Exodus Intelligence, a US company based in Texas, had stated that India used its “zero-day”, security vulnerabilities that hackers can use to attack systems, to spy on Pakistan and China, according to a report published in Forbes.
Exodus CEO and co-founder Logan Brown said that, after an investigation, he believes India handpicked one of the Windows vulnerabilities from the feed—allowing deep access to Microsoft’s operating system—and Indian government personnel or a contractor adapted it for malicious means.
The Exodus CEO maintained that India was subsequently cut off from buying new zero-day research from his company in April and it has worked with Microsoft to patch the vulnerabilities.
The Indian use of his company’s research was beyond the pale, though Exodus doesn’t limit what customers do with its findings, Brown said, adding, “You can use it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and China. I don’t want any part of that.” (The Indian embassy in London hadn’t responded to requests for comment.)
Major cyber attack by India targeting devices of govt, military officials identified: ISPR
Furthermore, in 2020, Pakistan’s intelligence agencies had identified a major security breach whereby phones and other gadgets of government officials and military personnel were targeted by Indian hackers.
According to a statement by the Inter-Services Public Relations (ISPR), the cyber-attack by Indian intelligence agencies involved “a range of cyber crimes including deceitful fabrication by hacking personal mobiles and technical gadgets”.
“Various targets of hostile intelligence agencies are being investigated,” the military’s media wing had said.
“The Pakistan Army has further enhanced necessary measures to thwart such activities including action against violators of standing operating procedures (SOPs) on cybersecurity,” added the statement.
Back then an advisory was also sent to all government departments so they may identify security lapses and enhance cybersecurity measures.