Over the past few days, first social media and later mainstream media in Pakistan have been abuzz with the news of alleged leaked audio clips from the Prime Minister’s Office. The alleged hacker has reportedly claimed possession of 8 GB of data covering 100 hours of audio. A few short audio clips have been released as a sample. The authenticity of the audio clips and of the hacker’s claims is yet to be ascertained. Although extensive connectivity offers numerous benefits, interconnectivity with the freedom to cross international borders has also encouraged many governments to establish organisational set-ups for national defence as well as power projection. The ease of availability of this technology has also encouraged many non-state actors to exploit cyber vulnerabilities. During the last decade, cyber units have evolved at an unprecedented rate in militaries, and serious cyber-attacks from state-sponsored and non-state actors have become increasingly frequent.

In the case of the alleged audio clips in Pakistan, there are numerous ways the communication could have leaked. A hacked mobile phone carried into official meetings can be used to record conversations. E-office systems employed in workplaces could be another possibility if the hardware or software is not locally developed, opening the way for backdoors into the system. Data can also be stolen from any equipment installed to record meeting conversations. This can only be possible with insider help. However, if recorded data is transferred to some server, it can be hacked from the outside as well as stolen by an insider. Another possibility could be a participant in the meeting intentionally keeping their mobile phone or video recording on. As a rule, sensitive meetings are not recorded on electronic devices. Additionally, for reasons of information security, mobile phones cannot be carried into sensitive official meetings. In case e-systems are used in meetings, the hardware and software should either be locally developed or verified by a Pakistani technical authority for its safety and security. Official meeting rooms are kept locked when not in use to prevent the placement of bugging devices. Additionally, intelligence agencies are responsible for scanning these rooms for any bugging devices. Such meeting rooms are well inside the PM office premises and are (or rather should be) physically secure. However, one of the audio clips suggests conversations in the PM office or his house as well, indicating the possibility of bugging at multiple locations in the PM Secretariat.

In case this alleged data leak is true, then there seems to have been more than one violation. Either mobile phones were carried into meetings for intentional recording, or they were hacked, or recording devices were placed in the meeting rooms as well as some other important offices. If the recording device was placed covertly, it raises the question of who could do it and why intelligence agencies failed to uncover such a massive setup. If true, we may never be able to estimate the damage caused to national security, as the Prime Minister’s office is the hub of all national-level decision-making. We may never be able to estimate the economic, diplomatic, and security consequences of the leaked information. We may also not be able to ascertain the duration for which the information was stolen and who possesses the information. In any other country, those responsible for such a failure would have accepted responsibility and tendered their resignations. However, this is not expected in the land of the pure. Some serious data breach incidents at the SECP, NADRA, and the Finance Ministry in the past were possibly not considered grave enough to demonstrate the fragility of our systems to cyber hacking and give a wake-up call to the concerned offices. Even though the present incident is of catastrophic consequences, as the data can be used by hostile states and agencies to harm Pakistan, there are no signs that the government is taking the issue seriously. The seriousness of the matter, in my view, requires rising above party politics, organisational interests, and inter-departmental rivalries. There is a need for a thorough inquiry by a professionally capable team mandated to assess the loss, establish the reasons for the data breach, and identify the individuals or organisations responsible for this national embarrassment and catastrophe.
The team should also identify shortcomings in the existing cyber security policies within high-level government offices and recommend improvements to avert such incidents in the future. However, those responsible for the failures must be brought to a fair trial, and the failures and their causes must also be made public. To keep the inquiry objective, it must ascertain the data loss and the reasons for the breach, and assign responsibility for the failure. The political aspects of the conversations, the legality of various individual actions involved in the conversations, etc. should be left to the courts and other responsible departments. Since this episode highlights weaknesses in our systems, it needs rigorous and immediate investigation, because a nuclear power with 220 million people cannot be left rudderless and insecure like this.