The National Database and Registration Authority (NADRA) is an organization under the Ministry of Interior entrusted with the collection, maintenance and renovation of Pakistani citizens’ national identities through Computerized National Identity Cards (CNICs), Smart Cards and other biometric data.
Over the past few years, NADRA has received international acclaim for pioneering identity database maintenance efforts, including the use of biometric technologies to assist in program registrations and disaster-relief operations. At least 5 foreign governments (Sudan, Kenya, Bangladesh, Sri Lanka and Nigeria) contracted NADRA to provide them identity management solutions.
But keeping these notable achievements to one side, a very important question that directly concerns Pakistani citizens is this: Can NADRA be entrusted with the protection of our sensitive information? Are its critical information systems secure enough, especially on networks?
In 2010, a data breach was reported at NADRA’s Karachi office in Shah Faisal Colony. A spokesperson for the authority had issued a statement in September 2012 quoting then Chairman Tariq Malik that NADRA had established an Information Security Department to evaluate and mitigate threats to the sensitive information of Pakistani nationals. Just a few months after these grand claims, in December 2012 a Turkish hacker calling himself “EBOZ” said he managed to penetrate critical information systems belonging to NADRA and the Federal Investigation Authority (FIA) through the amateur method of employing SQL Injections; this revelation laid bare the authority’s claims of Information Security. More alarmingly, in August 2014, there were concerning revelations, for example, that the CIA and other US intelligence agencies had obtained access to passport data of Pakistani citizens, including biometric records, as part of a secret program called “HYDRA”.
More recently, in September 2015, a report said that Pakistan’s premier intelligence agency Inter-Services Intelligence (ISI) had expressed concerns that sensitive data was possibly leaked to hostile elements, including the Israeli spy service Mossad. An extract from the ISI’s letter to Chairman NADRA read:
“We [the agency] can’t rule out the possibility of leakage of sensitive database [of Pakistanis] to hostile agencies – the Research and Analysis Wing (RAW), Central Intelligence Agency (CIA) and Mossad,”
In September 2015, NADRA signed an agreement with InfoTech Group by which the latter installed IBM Websphere (an application middleware) to host the online CNIC/Smart Card registration facility on the former’s website. Basically, citizens would be able to get their new or existing cards processed with the few clicks of a button. In July 2009, a Cyber Security and Critical Infrastructure Cyber Advisory issued by the State of Alaska, US, issued a report that IBM WebSphere Application Server had two vulnerabilities which allowed malicious elements to bypass authentication protocols. It categorized risks to government-owned systems as “High”. IBM WebSphere is prone to simple exploit attacks. In October 2015, the website of retail chain David Jones was hacked after its WebSphere application server was penetrated by hackers.
It would be wise for NADRA to draft and release its Information Security SOPs so that ordinary citizens familiar with the concepts can scrutinize potential weaknesses and grey areas. There is no openly available information which comprehensively sheds light on how exactly NADRA protects critical information systems from hostile intrusion.
Should we fear the day when our sensitive biodata might be leaked online by criminals or non-state actors? Let’s hope not.
Top image credit: businessinsider.com