The revelations were based on a cache of files from 2008 released by former US intelligence contractor Edward Snowden and reported by journalists Andrew Fishman and Glenn Greenwald in The Intercept, an online news outlet, this week.
In a document marked “TOP SECRET STRAP2 UK EYES ONLY” allegedly issued by Britain’s Government Communications Headquarters (GCHQ), the spy agency discusses its computer network exploitation (CNE) and software reverse engineering efforts abroad.
“Capability against Cisco routers developed by this means has allowed a CNE presence on the Pakistan Internet Exchange which affords access to almost any user of the internet inside Pakistan,” it said, referring to a US technology company that provides most of the world’s network infrastructure.
In its press release, Digital Rights Foundation has expressed serious concerns over the revelations of the infiltration of Pakistan’s Internet Exchange by Britain’s GCHQ intelligence agency. It has urged the government of Pakistan to take action to protect the right to privacy of Pakistani citizens, and to condemn the actions of GCHQ.
From documentation published by The Intercept, it was revealed that Britain’s intelligence agency GCHQ as a result of its Computer Network Exploitation (hacking) operations had gained presence on the Pakistan Internet Exchange prior to 2008. This gave GCHQ according to the document published “access to almost any user of the internet inside Pakistan” and the ability “to re-route selected traffic across international links towards GCHQ’s passive collection systems.”
This hacking operation, at a scale never previously seen before from the British intelligence agency, seriously undermines the right to privacy of all users of the internet in Pakistan. By targeting a key point in Pakistan’s communications infrastructure, GCHQ have put at risk the security and integrity of a significant portion of Pakistan’s communications infrastructure.
The Pakistan Internet Exchange is a core part of the communications infrastructure in Pakistan. It is a common point of transfer for a significant portion of Pakistanis’ communications. This makes the intrusion all the more concerning. Any vulnerability that allows British intelligence to access the exchange is also available to any other malicious actor.
The operation from GCHQ targeted Cisco routers. Cisco routers have previously been caught up in intelligence agencies cross-border spy games. It was revealed that America’s National Security Agency had been intercepting Cisco routers and installing firmware onto them before they were delivered to customers. Steps should be taken immediately by Cisco to fix any vulnerabilities discovered in their routers to protect their customers right to privacy.
This is not the first time that Pakistan has been involved in the mass surveillance programmes from intelligence agencies of a “friendly” nation. Earlier this year it was reported that the NSA had determined that Al-Jazeera’s Islamabad bureau chief was a person of interest, via metadata collected from 55 million Pakistani mobile phone records, and entered in SKYNET, a computer programme designed to analyse metadata.
It is unclear whether the Pakistan government knew of these operations. The Pakistan government has an obligation to protect Pakistanis right to privacy and this level of intrusion onto critical national infrastructure undermines that obligation. It is of paramount importance that the government does all it can to account for this intrusion and to take meaningful steps to ensure the right to privacy in Pakistan and prevent it from being brazenly interfered with by foreign intelligence agencies.