Cyber Security in Afghanistan

Online threats grow as the nation adopts information technology 

4th APT Cybersecurity ForumBy Zmarialai Wafa, director of Information Systems Security and head of PKI Management Authority, Ministry of Communications and IT, Islamic Republic of Afghanistan

In today’s virtual world, where online communication is a necessity, government and business face the likelihood of cyber attacks. In order to fight cyber crimes and mitigate the risk from those threats, we must cooperate globally to develop an effective model.

Afghanistan has achieved much in cyber security since 2002. Before 2001, the country had fewer than 15,000 local landlines. The Internet effectively didn’t exist for Afghans — the country possessed no information and communications technology (ICT) institutions and no Internet service providers (ISPs). To make and receive international phone calls, Afghans usually had to travel to neighboring countries. Pakistan’s country code served sections of Afghanistan.

That’s not to say computer technology didn’t exist in Afghanistan.

Such technology was introduced in 1973 with the purchase of a big IBM mainframe computer. The job of this first-ever computer system was to keep records on foreign trade, help issue bills for utilities and act as a national data bank. After more than 40 years, this obsolete equipment now resides in a museum.

Modernizing communications

Afghanistan’s Ministry of Communications and Information Technology (MCIT) is playing a leading role in ICT promotion in the country. We developed an ICT policy in 2003 and followed that up with new telecom policies and laws in 2003 and 2005. Passing a comprehensive ICT law in 2009 proved more difficult. The draft submitted to the Ministry of Justice was too complicated and technical. We had no choice but to boil down the policy into separate documents, some of which have yet to get final approval: a Cyber Crime Law, an e-Transaction and e-Signature Law, and a Cyber Security Policy.

Afghanistan developed its first telephone landline in 2005, under the corporate guidance of Afghan Telecom. We now have 58 Internet service providers, where just 13 years ago we had none. Most of these ISPs act as resale points. They don’t provide all services themselves; they provide no content. They just provide the ability for Afghan customers to link to the Internet. A major number of the connections are coming through the fiber optic ring of communications around Afghanistan. About 70 percent of the ISPs get their Internet from Afghan Telecom.

Fifty-eight ISPs create major concerns for security. With such a large number, how are you going to enforce laws and control traffic over the Internet? That is one of the main challenges we have in the country. We are working on a new design of Internet infrastructure. Hopefully in upcoming years, we’ll be in a position to implement that design.

Afghan election workers count votes at their computer terminals at the Independent Election Commission (IEC) headquarters in Kabul on June 16, 2014.Afghan officials opened an investigation after front-running presidential candidate Abdullah Abdullah made fraud claims that could threaten a smooth transition of power during a pivotal year. Abdullah demanded the sacking of Zia-ul-Haq Amarkhail, head of the Independent Election Commission (IEC) secretariat, over an alleged attempt by Amarkhail to remove unused ballots from the IEC headquarters on polling day. Abdullah also said the IEC's turnout figure of seven million voters in the run-off election was probably false. The allegations put former foreign minister Abdullah in direct conflict with election authorities as counting got underway after the second-round vote pitting him against ex-World Bank economist Ashraf Ghani. AFP PHOTO/SHAH Marai (Photo credit should read SHAH MARAI/AFP/Getty Images)

Afghan election workers count votes at computers in 2014. As part of an information technology upgrade, the country is instituting e-voting through national ID cards with the goal of improving the integrity of the electoral system. afp/getty images

A total of $2.4 billion has been invested in the ICT sector since 2002. Close to 89 percent of the population has mobile phone access. That means more than 23 million Afghans out of a population of 32 million have access. The price of a SIM card (a portable memory chip used in mobile phones) was $300 years ago, but you can buy them today in Afghanistan almost for free.

I remember when I was getting my first SIM card, I had to wait three months, even though I had proper documentation. Demand was too high compared to supply. But the price for each card is dropping day by day. International calls used to cost about $2 per minute. Now they cost just 10 cents per minute.

ELECTRONIC national ID card (e-NID), or e-Tazkira Project

An important advancement has been our electronic national ID card project. The project was initially signed into being in 2010. That process was delayed temporarily because of the complexity of technological and political issues we faced in the government, but the project is rolling again.

In early May 2015, we performed an end- to-end test that produced no errors in the cards. Everything worked perfectly. We have already received a presidential decree to use biometrics and issue the national ID card. The issuing authority for the cards is the Ministry of the Interior. We at MCIT are the technical partners.

The card is a smart card technology. Most of us know how smart card technology works. It’s one of the most secure mediums for authenticity. It has fairly strong encryption. The e-NID or e-Tazkira project uses state-of-the-art technology. Every card has a Public Key Infrastructure-enabled chip inside. It means that every citizen can have three keys in his or her ID card: one for signing, another for authentication and the third for encryption.

Smart card technology offers many national benefits as well. Every time a citizen encrypts a message, it generates a unique algorithm. If a single ID card is compromised, only that card is compromised, not the entire system. Every card is uniquely coded.

The e-NID card is the foundation for e-government services. We can use it for single sign-on, for e-health, e-taxation, e-wallet, you name it. In the beginning, we were thinking of installing up to 17 services on one card but feared that by doing so were creating a single point of failure.

For example, we wanted to put driving licenses on the same ID cards, but decided to issue them separately.

The ID is also being used for e-voting. The integrity of the electoral system is a major concern locally and internationally. We saw that in the previous elections in Afghanistan, when observers worked for months to ensure voting was sound. Despite this transparency, it’s hard to keep everything clean and clear. Using the e-NID platform for e-voting would be the most secure way to hold elections.

MCIT programs

MCIT also sponsors many promotional programs. The aim is to promote young talented students in Afghanistan. One program allows students and young people to work on special applications for governmental services. So far they have developed more than 30 apps for the government, including one that allows citizens to pay for utilities using their mobile phones.

Then we have the program that disburses innovation grants to students from various universities. They come up with special ideas in the ICT field. Last year we handed out three ICT champion awards and one student award. We also host business incubators through a program that provides students with office space, Internet service and computer equipment. They can develop their businesses and do marketing from the incubator.

Then we have Tech-Woman Afghanistan, which provides training in various programs and applications from companies such as Google and Microsoft. We’ve recently begun publishing a bimonthly newspaper called the Tech Times Afghanistan. It discusses ICT-related activities in the country.

Increased vigilance

In 2009, MCIT established the first Computer Emergency Response Team in the country with help from an International Telecommunication Union (ITU) feasibility study. We named it AFCERT. It now resides under an information systems security directorate. It has developed a forensic lab to help government and business track cyber security problems. By the end of 2015, AFCERT will be connected to the ITU’s Global Response Center. We’d like to connect to other centers as well to receive threat and incident information from them.

From 2011 to 2015 the total loss associated with cyber crimes was 1.3 billion AFN (afghani), the equivalent of $28 million. Most of these — 70 percent — were committed by internal staff at financial institutions. Another 30 percent was caused by ID theft, email forging and “spoofing.” The year 2014 was our highest recorded for cyber crimes, with losses totaling 827 million AFN. Three out of four computers in Afghanistan are infected with malware, meaning roughly 75 percent of Internet traffic is infected.

During investigations of cyber crime victims, we learned some of those organizations had no security policies in place, which was shocking to everyone. Just imagine: A bank doing transactions of millions of dollars every day had no major security policies in place.

Based on all those crimes, the government decided to come up with the National Cybersecurity Strategy of Afghanistan in 2014. If you go to any country, such a strategy is usually the same: to establish safe and secure cyberspace for government and business. Our strategy is also based on all these goals.

The strategy is based on the ITU’s cyber security guidelines consisting of five pillars. The first is legal measures. In Afghanistan, no such thing existed for cyber. What would our penalties be for noncompliance? Second is technical and procedural measures, which are tied to the legal measures. Third is organizational structure, something that we lack. We don’t have a chief security officer in our government. This is something we’d like to have. Fourth is capacity building, and fifth is international cooperation.

International cooperation is critical. Cyber doesn’t have boundaries. It’s a global issue. We need to work together. That’s the only way to mitigate threats in cyberspace. One body cannot fight these threats alone.  

PROTECTION MECHANISMS OF AFGHAN CYBER POLICY

  • Intergovernmental support
  • Proper budgeting
  • Effective organizational structure
  • Public private partnership Standards and baselines for information security
  • Regulatory body, strategy, policy and best practices
  • Incident response and disaster recovery
  • Regular review and update of policies
  • International cooperation