Neglect caused FBR cyber-attack
Despite knowing that its information technology equipment is obsolete and some of its software is outdated, the Federal Board of Revenue (FBR) did not make any serious effort to upgrade them, which resulted into hacking of the data centres.
The systems were not improved even though the World Bank approved an $80 million loan two years ago to upgrade what it called “end-of-life equipment” and “legacy branded software”.
The hacking of the country’s largest data centre has also weakened the government’s case for holding next general elections through the Electronic Voting Machines (EVMs). The hacking took place at a time when the Cabinet Division has also shifted its business online.
The two reports by the World Bank, which provided $400 million loan to FBR including $80 million for IT equipment, revealed the story of incompetency and inefficiency in the tax collecting authority that led to hacking of its data centres on August 14.
The World Bank also shares partial blame for FBR’s failure to upgrade the system given that the global lender was eager to lend $400 million in June 2019 but did not show enthusiasm towards its prudent use. Some of the $400 million loan proceeds were used to pay bonuses to FBR employees.
In June 2019, the World Bank approved $400 million in loan for Pakistan Raises Revenue scheme. Out of $400 million, an amount of $101.7 million has been disbursed but most of the amount was not spent on the most productive purpose – upgrade of IT infrastructure.
A World Bank loan appraisal report, issued in May 2019, stated that the $80 million loan will be used for “replacement of end-of-life equipment, active-active private cloud and update of legacy branded software.”
The report further revealed that the “ICT hardware used by the FBR has already reached its end-of-life, resulting in risks of critical system failure and disruption of operations”.
The report pointed out that an active-active configuration would ensure that a threat to one of the two sites disables only half of the infrastructure but allows FBR operations to continue in the event of infrastructure failures due to natural disasters or deliberate attacks on the infrastructure.
However, hackers attacked the FBR data centre and brought down all the official websites operated by the tax machinery for more than 72 hours. The FBR is unofficially giving two versions about hacking.
According to one version, the hackers intruded the system by hacking the login and passwords of the data centre administrators. The FBR’s technical wing’s initial assessment was that the hackers intruded in the system through Hyper-V link.
In order to hide its incompetency, the FBR termed the hacking as “unforeseen anomalies during the migration process.” The sources said that there were no chances of any self-accountability as the FBR and Pakistan Revenue Automation Limited (PRAL) managements were congratulating each other for restoring the system.
The PRAL officials who met with Finance Minister Shaukat Tarin claimed that he congratulated them for restoring the IT system.
However, Tarin told The Express Tribune that he would take a third-party view before taking any action in case of the cyber-attack.
Pakistan’s premier spy agency had forewarned the FBR about high possibility of a cyber-attack but these warnings were ignored, resulting into either taking over or shutting down about 360 virtual machines of the FBR data centre, said the sources. The 360 machines are almost half of total virtual machines, indicating the extent of damage caused to the data. The sources said that PRAL, which provides technical support to the FBR and also houses the data, and FBR management took a lenient view of the threat.
The June 2021 World Bank Implementation Status and Results Report of the FBR project revealed that the activity to replace “obsolete ICT equipment, updating legacy branded software and active-active private cloud establishment has been delayed”. The technical requirements have been prepared, but the procurement has not been launched and is in the process of being finalised, according to report.
The status report further disclosed that data warehouse with big data capacity and business intelligence tools were not functional and “this activity is delayed”.
There was another requirement that FBR offices will have full, permanent and reliable connectivity but “this activity is delayed”. The technical requirements have been prepared, but the procurement has not been launched and is in the process of being finalised”.
The June status report noted that “in the next six months, it is expected that key activities such as the replacement of end of life equipment and update of legacy software as well as the establishment of the data warehouse and business intelligence systems will be well underway”
Procurement under this component will need to be stepped up to meet implementation timelines, it added.
There were also media reports that the FBR was using pirated software. Although the FBR issued a clarification but it did not out rightly rejected the report.
“The PRAL has been using virtualisation software. Some are free and open source while others are licensed software,” admitted the FBR. The PRAL has been using licensed Hyper-V software mostly. It said final evaluations/recommendations have been made based on these one or two virtualisation software which are planned to be procured soon.
The World Bank’s response was awaited till the filing of the story. The World Bank spokesperson had been requested to comment how much of $80 million money had been disbursed and how many out of 16 IT experts were hired in past two years.
Published in The Express Tribune, August 22nd, 2021.