While the motive of the recent cyber-attack on Afghan government websites is still not known, the incident has certainly put the Ministry of Communications and Information Technology (MCIT) on the spot and the administration and management of the IT programs and projects are under scrutiny.
Although this attack did not pose significant implications to the infrastructure nor a severe data leakage has been reported, however it did draw attention of many civil societies and IT technologists of the country, to the hardware and software infrastructure in the country, the administration of the ministry, the technical capacity of the engineers and as well the policies and strategies set by the government for the development and adoption of Information Technology.
Shortly after the incident, MCIT officials tried to detract citizens' attention from the severity of the incident by stating that maintaining 100% security was not possible anywhere. Among other concerns that the officials showed, two important issues were raised in order to mitigate the problem in the future. The first ‘solution’ included an improved compensation system for the IT staff in the ministry and the second was the possibility of outsourcing their programs to a company outside of the ministry or possibly outside of the country. As an expert in the field, these are red flags in the priorities set by our officials in tackling the incident. It was expected by the officials to take responsibility for their failure and work towards a more realistic operational plan in providing strong cyber protection to the citizens and their data. The request for further financial support to IT projects might be truthful but it is not timely, given that no immediate solutions have been provided to the issue.
Information security practices in an organization requires global standards set by a number of global organizations, such as ISO 27001 & 27002, which ensures that the organization has the processes in place to secure its data. Unfortunately the MCIT does not hold this standard but these practices are within the human skills and budget available to them. The practice of ensuring multiple layered server signing in feature, the practice of providing instructions and guidelines in protecting server access passwords and other authentication methods are within their capacity but perhaps not their priority. And the question of outsourcing the national data center service is again not timely and most certainly the priorities have been confused. It would have been less costly and more realistic if the government data center was outsourced when we didn’t have the infrastructure establish and then slowly bring the technologies in to the country and work towards developing the human capacity of the ministry.
The implications of this incident might not be big but it has taken our attention to the capacity of the administration and the processes established in the organization. The administration should set their short term and long term goals to address the issue. Implementing long term strategies of outsourcing or increasing compensation is not going to provide a workaround or a quick fix to the current vulnerable networks. Afghan university graduates and self-learned IT technologists have the capacity to provide the technological solutions to such incidents. MCIT administration need to develop a strategy to work together with the students in order to develop their skills and also work towards providing equal recruitment opportunity to its citizens.