While the motive of the recent cyber-attack on Afghan government websites is still not known, the incident has certainly put the Ministry of Communications and Information Technology (MCIT) on the spot and the administration and management of the IT programs and projects are under scrutiny.
A number of Afghan government websites were compromised on December 19, where a JavaScript file was modified on the Content Delivery Network (CDN), allowing malicious java applet to run on the webserver affecting the visitors of the websites. The affected government agencies included Afghan Embassy in Australia, Herat Province Government, Office of Administrative Affairs and Council of Ministers, Ministry of Foreign Affairs, Ministry of Commerce and Industries, Ministry of Education, Ministry of Finance, Ministry of Justice, and Ministry of Women’s Affairs. MCIT officials released a press release three days after the incident, and a day after the US cyber security company ThreatConnect, had released news about the incident. ThreatConnect provided details and evidence on the attack, it went further to link the attack with the government of China. . The company also related the attack explicitly with China’s Prime Minister Li Keqiang, who was meeting with Afghan Chief Executive Officer Abdullah Abdullah during that time. The linking and blaming by ThreatConnect indicates the company’s aggressive and political position in this incidence. Afghan technology civil societies also raised questions on why the US company performed penetration testing on Afghan National Data Center.
Although this attack did not pose significant implications to the infrastructure nor a severe data leakage has been reported, however it did draw attention of many civil societies and IT technologists of the country, to the hardware and software infrastructure in the country, the administration of the ministry, the technical capacity of the engineers and as well the policies and strategies set by the government for the development and adoption of Information Technology.
Shortly after the incident, MCIT officials tried to detract citizens’ attention from the severity of the incident by stating that maintaining 100% security was not possible anywhere. Among other concerns that the officials showed, two important issues were raised in order to mitigate the problem in the future. The first ‘solution’ included an improved compensation system for the IT staff in the ministry and the second was the possibility of outsourcing their programs to a company outside of the ministry or possibly outside of the country. As an expert in the field, these are red flags in the priorities set by our officials in tackling the incident. It was expected by the officials to take responsibility for their failure and work towards a more realistic operational plan in providing strong cyber protection to the citizens and their data. The request for further financial support to IT projects might be truthful but it is not timely, given that no immediate solutions have been provided to the issue.
Information security practices in an organization requires global standards set by a number of global organizations, such as ISO 27001 & 27002, which ensures that the organization has the processes in place to secure its data. Unfortunately the MCIT does not hold this standard but these practices are within the human skills and budget available to them. The practice of ensuring multiple layered server signing in feature, the practice of providing instructions and guidelines in protecting server access passwords and other authentication methods are within their capacity but perhaps not their priority. And the question of outsourcing the national data center service is again not timely and most certainly the priorities have been confused. It would have been less costly and more realistic if the government data center was outsourced when we didn’t have the infrastructure establish and then slowly bring the technologies in to the country and work towards developing the human capacity of the ministry.
The implications of this incident might not be big but it has taken our attention to the capacity of the administration and the processes established in the organization. The administration should set their short term and long term goals to address the issue. Implementing long term strategies of outsourcing or increasing compensation is not going to provide a workaround or a quick fix to the current vulnerable networks. Afghan university graduates and self-learned IT technologists have the capacity to provide the technological solutions to such incidents. MCIT administration need to develop a strategy to work together with the students in order to develop their skills and also work towards providing equal recruitment opportunity to its citizens.