Does Pakistan’s First Cybersecurity Policy Go Far Enough?
The new government must work to modernize not only its cybersecurity infrastructure but also the security framework behind it.
Pakistan falls among the developing countries that have recently experienced the fast-growing application of information and communication technologies, particularly the internet. According to Pakistan Telecommunication Authority (PTA) data, the country’s internet penetration rate stands at 52.60 percent as of April 2022. Internet usage saw a surge following the accelerated shift to cyberspace for work and business amid the pandemic. Consequently, Pakistan is increasingly adopting e-services across its economy and government. To develop its digital ecosystem, comprised of technological infrastructure and institutional frameworks, Pakistan has adopted the Digital Pakistan Policy. These trends and measures indicate that digitization has become an ever-growing phenomenon in Pakistani society and government.
Notwithstanding its advantages, increasing digitization makes Pakistan vulnerable to various cyber threats, particularly because it is lacking in cybersecurity readiness. Pakistan faces a huge gap in the demand and supply for information system protections. In its 2020 global cybersecurity rankings, the International Telecommunication Union (ITU) ranked Pakistan seventy-ninth among its 193 member states and fourteenth out of thirty-eight Asia-Pacific states. The ITU measures a state’s commitment to cybersecurity on the basis of five categories: legal, technical, organizational, capacity development, and cooperation. Though Pakistan has adopted a number of cybersecurity laws over the years, it needs updates and more specific, policy-guided legislation. Pakistan’s main cybersecurity law, the 2016 Prevention of Electronic Crime Act, identifies a range of cybercrimes, including cyberterrorism, cyberstalking, electronic fraud, hate speech, and unauthorized interference with critical infrastructure. However, PECA has been criticized for vaguely defining the cybercrimes, failing to specify what constitutes critical infrastructure, and undermining freedom of expression. In addition, the act lacks a clear and comprehensive enforcement mechanism due to Pakistan’s shortage of cybersecurity institutional infrastructure.
Regarding technical cybersecurity measures, Pakistan has yet to develop an effective mechanism to deal with cyber risks and incidents. To provide information on cyber threats, assistance, and capacity-building in cybersecurity, Pakistan has two private bodies: the Pakistan Computer Emergency Response Team (PakCERT) and the Pakistan Information Security Association Computer Emergency Response Team (PISA-CERT). There are also some organizations in the public, private, and defense sectors where specific cybersecurity mechanisms exist. Nevertheless, Pakistan has to establish a national CERT to develop a centralized and coordinated response mechanism to address cybersecurity threats. This must be complemented with sector-specific and organization-specific CERTs.
In terms of organizational measures, successive Pakistani governments have failed to undertake a national cybersecurity policy. While Pakistan introduced the Digital Pakistan Policy in 2017, it only adopted its maiden national cybersecurity policy in July 2021. The absence of a cybersecurity policy has contributed significantly to the country’s low performance in meeting cybersecurity criteria, particularly those related to technical, capacity-building, and collaboration measures. Cybersecurity policy and strategy is the foremost step toward a well-defined governance system and posture for cybersecurity. The country does not have a full-fledged organization at the national level mandated for cybersecurity. Rather, it has the National Response Centre for Cyber Crime (NR3C), which functions as a unit under the Federal Investigation Agency. The NR3C reportedly lacks the resources and facilities needed to efficiently investigate complicated cybercrimes.
Pakistan has undertaken some significant initiatives for capacity development in cybersecurity, but much still remains to be done. The Pakistan Telecommunication Authority has established a Cyber Vigilance Division that comprises three directorates: information and communication technology (ICT), cybersecurity, and vigilance. The ICT Directorate is responsible for developing the capacity of the industrial sector through research and analysis, the provision of IT infrastructure, and the organization of conferences and meetings involving stakeholders. The Vigilance Directorate detects and controls—through technical solutions and law enforcement—gray traffic and unauthorized IP addresses. The Cyber Security Directorate provides assistance in policy formulation, conducts security audits of applications and infrastructure, and issues advisories and guidelines to address cyber threats. In addition, Pakistan has established the National Centre for Cyber Security and introduced academic degrees in cybersecurity to push learning and research in this area. Alongside these nascent developments, the country needs to adopt more capacity development measures, particularly best practices, public awareness campaigns, professional training courses, incentive mechanisms, and homegrown industry.
Cybersecurity is a transnational issue because of interconnectedness and correlated infrastructure, so it must entail cooperative measures through bilateral and multilateral agreements, participation in international activities, and public-private partnerships. Though PECA, Pakistan’s cyber law, stipulates a mechanism for international cooperation in cybersecurity, the country lacks practical initiatives. Pakistan has membership in the International Multilateral Partnership against Cyber Threats (ITU-IMPACT) and maintains an international liaison with a few regional computer emergency response teams through PISA-CERT. However, the country lacks other collaborative measures, particularly international cybersecurity agreements and public-private partnerships. According to the International Telecommunication Union’s 2020 global cybersecurity index, countries are increasingly concluding international cybersecurity agreements for capacity development and information-sharing. But Pakistan has not negotiated or concluded any such agreement as of now.
Figure: Pakistan’s Cybersecurity Profile (ITU-GCI 2020)
Pakistan’s low profile in cybersecurity is primarily due to the lack of political will to prioritize the issue. This fundamental problem has resulted in the non-existence of a long-term cybersecurity policy framework and a paucity of cybersecurity institutional mechanisms. However, as the adoption of the country’s first-ever cybersecurity policy shows, there is a growing political realization in Pakistan that cybersecurity should move higher on the policy agenda. The basic objective of the national cybersecurity policy is to build governance and institutional frameworks for information security and critical infrastructure. The Cyber Governance Policy Committee was established to formulate cybersecurity policy and identify the organizational, technical, and legal requirements for policy implementation. The key policy deliverable in this regard is the designation of an organization under the federal government to act as the central entity for the coordination and implementation of all cybersecurity matters.
Though the maiden Pakistani cybersecurity policy is comprehensive in terms of its objectives and the corresponding targets, it carries certain ambiguities. Foremost, the policy leaves the lingering issue of central responsibility unsettled by failing to designate a federal organization responsible for cybersecurity across the country. Second, the policy does not specify what exactly comprises critical infrastructure and what will be the policy response if a cyberattack is launched on it. Finally, the policy does not provide a timeframe and roadmap for achieving the prescribed organizational, technical, legal, capacity development, and collaborative measures. Pakistan has taken an important first step, but there remains much work to be done.
Dr. Muhammad Riaz Shad is Jean Monnet Chair and Head of the Department of International Relations at the National University of Modern Languages (NUML) in Islamabad.