How Secure Are NADRA’s Critical Information Systems?

The National Database and Registration Authority (NADRA) is an organization under the Ministry of Interior entrusted with the collection, maintenance and renovation of Pakistani citizens’ national identities through Computerized National Identity Cards (CNICs), Smart Cards and other biometric data.

Over the past few years, NADRA has received international acclaim for pioneering identity database maintenance efforts, including the use of biometric technologies to assist in program registrations and disaster-relief operations. At least 5 foreign governments (Sudan, Kenya, Bangladesh, Sri Lanka and Nigeria) contracted NADRA to provide them with identity management solutions.

But keeping these notable achievements to one side, a very important question that directly concerns Pakistani citizens is this: Can NADRA be entrusted with the protection of our sensitive information? Are its critical information systems secure enough, especially on networks?

In 2010, a data breach was reported at NADRA’s Karachi office in Shah Faisal Colony. In September 2012, a spokesperson for the authority issued a statement quoting then Chairman Tariq Malik as saying that NADRA had established an Information Security Department to evaluate and mitigate threats to the sensitive information of Pakistani nationals. Just a few months after these grand claims, in December 2012, a Turkish hacker calling himself “EBOZ” said he had managed to penetrate critical information systems belonging to NADRA and the Federal Investigation Authority (FIA) through the amateur method of employing SQL Injections; this revelation laid bare the authority’s claims of Information Security. More alarmingly, in August 2014, there were concerning revelations, for example that the CIA and other US intelligence agencies had obtained access to passport data of Pakistani citizens, including biometric records, as part of a secret program called “HYDRA”.

More recently, in September 2015, a report said that Pakistan’s premier intelligence agency Inter-Services Intelligence (ISI) had expressed concerns that sensitive data was possibly leaked to hostile elements, including the Israeli spy service Mossad. An extract from the ISI’s letter to Chairman NADRA read:

“We [the agency] can’t rule out the possibility of leakage of sensitive database [of Pakistanis] to hostile agencies – the Research and Analysis Wing (RAW), Central Intelligence Agency (CIA) and Mossad,”

In September 2015, NADRA signed an agreement with InfoTech Group by which the latter installed IBM WebSphere (an application middleware) to host the online CNIC/Smart Card registration facility on the former’s website. Basically, citizens would be able to get their new or existing cards processed with a few clicks of a button. In July 2009, a Cyber Security and Critical Infrastructure Cyber Advisory issued by the State of Alaska, US, reported that IBM WebSphere Application Server had two vulnerabilities which allowed malicious elements to bypass authentication protocols. It categorized risks to government-owned systems as “High”. IBM WebSphere is prone to simple exploit attacks. In October 2015, the website of retail chain David Jones was hacked after its WebSphere application server was penetrated by hackers.

It would be wise for NADRA to draft and release its Information Security SOPs so that ordinary citizens familiar with the concepts can scrutinize potential weaknesses and grey areas. There is no openly available information which comprehensively sheds light on how exactly NADRA protects critical information systems from hostile intrusion.

Should we fear the day when our sensitive biodata might be leaked online by criminals or non-state actors? Let’s hope not.

1 Comment

  1. Siddiqui

    14/01/2016 at 8:41 pm

    Secure? You are kidding me. In a country without even its own peering point, where all connections are terminating over L2 in Atlanta, New York, Oman, Germany and England, and you can't even ping a server in Islamabad from Karachi without the signal passing a third country, and half of your ISPs hanging to Reliance Industries subnets. Everybody is busy making money; nobody cares in that country.
