FBR exempted from PPRA rules

ISLAMABAD: The Federal Cabinet has exempted Federal Board of Revenue (FBR) from Public Procurement Regulatory Authority (PPRA) Rules, 2004 as a mitigating measure taken as an “operational emergency” to avoid further loss of taxpayers’ data during the recent cyber attack, informed sources told Business Recorder.

In this regard, an “unnamed” high tech security firm has been hired for damage control and Chairman FBR removed for not taking measures to secure taxpayers data.

On September 14, 2021, Revenue Division briefed the Cabinet that on August 14, 2021, a cyber-attack occurred on FBR’s Data Centre located in FBR (HQ), Constitution Avenue, Islamabad. This was a continuation of a trend observed during the past several years notably that the frequency and severity of cyber-attacks increase on days of national significance.

According to FBR, due to the security protocols already in place, this cyber-attack was restricted to the front end of the data centre, and only about 400 virtual machines (out of the 850) were affected and had to be shut down. This affected the day-to-day operations of FBR for some time. The initial forensic analysis conducted concluded that data of the taxpayers was not compromised, and contrary to the media reports there was no indication or any evidence that data was accessed, altered or stolen.

The sources said, due to the urgency of the situation, the Chief Information Officer (CIO) of FBR gave a presentation to the Finance Minister on the initial assessment of the attack on August 16, 2021. In the said meeting, it was unanimously decided that the systems damaged had to be resurrected immediately as in the event of any further disruption the entire revenue stream of the country could be compromised both at Federal and Provincial levels.

The sources maintained that consequent upon decisions made during the meeting, the then Revenue Secretary/Chairman (FBR) declared “Operational Emergency” in terms of Rule 2(g) and Rule 42(c)(v) of the Public Procurement Rules, 2004, to secure immediate procurement of hi-tech security services to ensure elimination of risks to public property - taxpayers’ data. Rule 2(g) is reproduced as follows: - “(g) “emergency” means natural calamities, disasters, accidents, war and operational emergency which may give rise to abnormal situation requiring prompt and immediate action to limit or avoid damage to person, property or the environment.”

In pursuance to the declaration of Operational Emergency an international firm specializing in cyber security/forensics was engaged immediately, which immediately went into damage-control and system rehabilitation on a war-footing, the sources continued.

FBR, sought approval of Federal Cabinet to validate the declaration of emergency under Rule 2(g) and Rule 42(c)(v) of the Public Procurement Rules, 2004, to enable the Revenue Division to take all mitigating measures so as to avoid any further loss to public property - taxpayers’ data - and keep the revenue system secure from any further attacks or damage.—MUSHTAQ GHUMMAN