On Monday, December 22, 2014 there were reports that some of the government systems of Afghanistan had been hacked. However, this isn’t an isolated incident and has happened in past years too. We had the same reports in 2012 when some of the government websites were hacked.
But before I get to what happened on Monday, I want to give you an overall view about how most of the government websites work in Afghanistan.
In 2011, I was assigned to take care of one of the government websites and train some of their staff to upload information on their website. That was my first time working with the ‘Afghanistan E-Government’ CMS (Content Management System). No one taught me how it works, but since I had already worked with many different CMSs I found it easy to work on. It seemed to be the easiest CMS I have ever worked with. The website is made of a couple of modules and I didn’t find the system to be very secure. In fact, open source CMSs like WordPress, Joomla, and Symphony are much more secure than the CMS being used by our government.
One of the reasons is that all of the government websites are connected to one central server. It means if one of the websites is hacked, accessing the other websites won’t be that difficult. It is because it is very simple to gain access to the CMS: writing username and password and that’s it. No security question. No two-step sign-in (which most internet services are using these days). It means that even if someone doesn’t have programming/hacking skills, but happens to acquire the username and password, they can easily log in to the system.
For example, when I was assigned to train some of the organization staff to take care of their website, at least six employees had the username and password of that website. When I asked one of them, he had it written on a piece of paper and left it on his desk. And the password itself was not something difficult with diverse characters. It was just a couple of numbers. I am not accusing anyone, but it is likely that a disgruntled employee could have passed the login credentials to a programmer/hacker.
And once the hacker has access to one of the websites, accessing the others wouldn’t have been difficult for him. Here is how it works: the BBC reported that the website of the Afghanistan Embassy in Australia was attacked too. The question is why, then, the websites of other embassies of Afghanistan were not hacked. The Embassy of Afghanistan in the United States seems to be more important. I think the answer is that the Afghanistan Embassy in Australia is using the same template and the same CMS as the one used by most of the ministries. But the Embassy of Afghanistan in the United States is using another kind of CMS and template. It shows that the problem is with the CMS and the ancient template the government is using.
This overall view might help you understand what could have happened on Monday. Some of the news agencies reported that hackers attacked the CDN (Central Data Network) and modified one of the files of the ANDC (Afghanistan National Data Center).
When I read news about hackers attacking Afghanistan official websites, the only thing that keeps repeating in my head is that, “computers of Afghanistan government don’t have good antivirus programs to fight against hackers.”
Even the designs of the Afghanistan government websites reflect how ancient they are. The Ministry of Higher Education of Afghanistan website has not been re-designed since 2006. The “E-government template” which has been used on most of the government websites is from late 2008 and early 2009. The typography, the alignments, the margins, the overall design, etc. are not standard. It hasn’t been developed with the latest versions of CSS and HTML. It is not a responsive design and doesn’t even support smartphone and tablet resolutions. The way you can share the pages on social media is also outdated.
While the Afghan government has made great strides in bringing digital technology to the country in such a short period, it is about time that they upgrade themselves to better systems to avoid incidents such as this one. If there is anything the December 22 incident can teach us, it is that we need to better equip ourselves digitally, even if for nothing but the sake of national security.