Minister for Finance and Revenue Shaukat Fayaz Ahmed Tarin on Wednesday revealed that the Federal Board of Revenue (FBR) systems were constantly and on regular basis subjected to cyberattacks – on average, approximately 71,000 times a month.
The minister informed the National Assembly in writing that subject to the immediate request for procurement going through, a more secure organization would evolve over the next 4-6 months.
The minister elucidated that the volume of cyberattacks had, over the past couple of years, sharply increased, as the tools and methods available to the hacking community had become more powerful and sophisticated.
During the past three years, the FBR systems were breached three times (with around a 0.001% success rate). The details are as follows:
i. 18-02-2019 to 22-02-2020 (possible data exfiltration from legacy systems)
ii. 23-03-2021 to 23-03-2021 (website defacement)
iii. 13-04-2021 to 19-08-2021 (no data exfiltration; limited to destruction of virtual machines causing major disruption)
The (i) breach in 2019 was not detected till the investigation into the latest (iii) breach. The (ii) breach was minor in nature and the infrastructure hosting the FBR website was hardened. Therefore, a cyber-breach-related audit was not carried out to date.
However, there is an ongoing investigation into the current (iii) breach with the help of a third party. This third party is helping to deep-scan the entire FBR network, including all machines located in the field formations, in order to determine the possible point of the initial breach. Once this gets determined and remedial actions are taken, a full third-party security audit will be carried out to determine any remaining vulnerabilities. A full action plan to counter the vulnerabilities will be put together and its execution to be monitored.
The (i) breach in 2019 was not detected till the investigation into the latest (iii) breach. The (ii) breach was minor in nature and the infrastructure hosting the FBR website was hardened. Therefore, a cyber-breach-related audit was not carried out to date.
The National Assembly was further informed that technology continues to evolve at breakneck speed and requires constant re-investment. Historically, investment into technology at FBR has remained restricted to specific periods directly related to financing being made available by donor agencies. This method of investment creates technology debt in-between such periods, which can lead to vulnerabilities going unaddressed, which can consequently create opportunities for malicious actors, such as what transpired during this recent event.
It is highly recommended that an annual budget for technology refresh be allocated to FBR, which would allow the organization to keep its technology up to date and allow it to take full advantage of advancements taking place in that space.
This should be equivalent to 0.05% of revenue collected, which would have amounted to Rs. 2.4 billion last year. This amount would have been sufficient for FBR to have upgraded much of its information security infrastructure, which may have prevented this recent incident.
Based on the emergency declared by the Cabinet, considering the recent incident, FBR has been authorized to undertake emergency procurement of Cyber & Information Security-related hardware, software, and services to protect the organization from such future attacks. Having said that, the threat landscape is always evolving at a faster pace, as compared to organizations trying to protect themselves. Therefore, this initial procurement may protect FBR for the immediate & medium future.
However, continued investment, as described above, must be put in place to protect and allow the organization to evolve into a truly data-driven digital organization for the longer term.
Source: Pro Pakistani