pakistan cyber policy

Share this article

Facebook
Twitter
LinkedIn

Rapid digitalization and penetration of Information and Communication Technologies (ICTs) in all walks of life have exposed states to new and evolving cybersecurity threats. Protection of data and networks from these has become a sine qua non for states. While all responsible states have developed holistic policies and approaches to counter impending cyber threats, Pakistan struggled to formulate a centralized national policy or strategy for cybersecurity. Guidelines on cybersecurity and governance for various sectors (such as banking and defense) were in place, but a holistic national-level approach to cybersecurity was missing.

On 27 July 2021, the Federal Cabinet approved Pakistan’s first National Cyber Security Policy for data protection and prevention of cybercrimes, a much-anticipated document in the cybersecurity community. The policy was formulated by the Ministry of Information Technology & Telecommunication which endeavored to finally provide a plan of action to establish a concrete legal and structural framework related to cybersecurity.

What are the threats to National Cybersecurity Policy?

While National Cybersecurity Policy was a strategic need for a long it was actually the Pegasus scandal that expedited it. A collaborative investigation by a consortium of media organizations revealed how a hacking software – Pegasus- licensed by an Israeli firm NSO to its client governments for tracking terrorists and criminals was used to target world leaders, human rights activists and journalists, etc. Hundreds of phone numbers from Pakistan were on the list, including one used by PM Imran Khan once. Unsurprisingly, and most worryingly, India- Pakistan’s archrival- happened to be one of NSO’s most loyal clients.

The 2021 policy’s vision is to create a secure, robust, and continually improving nationwide digital ecosystem while ensuring accountable confidentiality, integrity, and availability of digital assets.’ Its key guiding principles include data privacy and security of citizens, providing the required support and system to concerned public and private organizations, the establishment of a national response framework, and last but not least, adoption of best practices to ensure national digital sovereignty.

The policy, in order to improve the national cybersecurity outlook, plans to undertake the ‘strengthening of national cybersecurity capabilities through the development of essential and well-coordinated mechanisms, implementation of security standards and regulations under a policy and legislative framework’.

Because of Pakistan’s meager commitment to cybersecurity, it performed poorly in global ICT rankings (ICT Development Index value of 2.42). Hence, one of the core objectives of the policy also happens to be the improvement of Pakistan’s ICT ranking. Pakistan also ranks 14 out of a total of 18 states in the Asia-Pacific on the Global Cybersecurity Index (GCI) 2020. The country’s overall GCI score is 64.88. The policy would help improve Pakistan’s GCI ranking too.

Another essential element discussed in the policy is the indigenization and development of cybersecurity solutions through R&D programs. This too was an important area that needed attention. Adequate local resources, both in terms of manpower through Centres of Excellence and HRD programs, and technology will rectify our excessive reliance on external sources which further amplify the country’s cyber risks. However, the policymakers did not specify how much resources/budget would be allocated for this crucial purpose.

The approach of risk management is a welcome initiative

Nevertheless, considerably more focus has been put on information security rather than on cybersecurity. This is primarily because the wrong stakeholder is in the lead on this policy. Since cybersecurity is much broader than information security, the subject should fall under the National Security Division (NSD) for a more substantive outlook and scope.

As underscored by the Information Minister, the National Cyber Security Policy constitutes two parts, cyber security as well as cyber offenses. The building up of a mechanism against offensive cyber operations was a long-overdue step. The existing information and data security legislations (often taken synonymous with cyber legislation) did not take into account the growing need to defend and deter cyber aggression.

While the current policy does not provide a response mechanism with demarcated roles and responsibilities, it categorically declares that in case of any aggression, the state of Pakistan will respond. Accordingly, a cyber-attack on Pakistan’s Critical Infrastructure or Critical Information Infrastructure will be regarded as an act of aggression against national sovereignty and the state will defend itself with appropriate response measures. The decision to establish a national-level response team is also fundamental in this regard.

Contextually and content-wise, the policy is an important and much-needed document that covers both offensives as well as defensive needs. Priorities and needed actions are well articulated, but unfortunately, an action plan to achieve those goals and deliverables is missing. Nonetheless, the decision to constitute a Cyber Governance Policy Committee (CGPC) for implementation and oversight is part of the policy.

The Committee will be tasked to come up with a concrete strategy and action plan. Given Pakistan’s poor record of enforcement and selective implementation of policies, all eyes are on CGPC to live up to its mandate and fulfill the responsibility of securing Pakistan’s national cyberspace.

Aneeqa Safdar is researcher at Centre for Aerospace & Security Studies (CASS). This article was first published in Global Space Village (GVS). She can be reached at cass.thinkers@gmail.com

Image Source:  Radichel, Teri. “Cybersecurity policies that reduce reduce risk”. 2nd Sight Lab. December 11, 2019. 

Recent Publications

Browse through the list of recent publications.

Development and Democracy: Part and Parcel of One Another

Whether democracy is a precondition for development is a debate that continues to stimulate scholarly reflection till the present day. While this intellectual reflection is praiseworthy, the discussion could have been settled long ago when Amartya Sen redefined the concept of ‘development’ as ‘freedom’– a notion that strongly resonates with the human spirit.
  111 views

Read More »

Evaluating the Potential of Carbon Capture and Storage Technology in Pakistan

Technology and innovation are emerging dimensions of climate discourse in contemporary times. Climate technologies  are rapidly becoming instrumental in reducing greenhouse gas (GHG) emissions and adapting to the detrimental impacts of climate change. Carbon Capture and Storage (CCS) technology has the potential to expedite endeavours towards climate change mitigation in environmentally vulnerable countries.
  937 views

Read More »

Operation Swift Retort: Five Years On

The nature of Indo-Pak relations has been turbulent right from the onset. Numerous events have influenced the trajectory of this bilateral relationship over time. In this regard, February 2019 stands out as both countries were on the verge of military escalation and nearly went to war, was it not for the foresight and restraint of Pakistan’s leadership.
  290 views

Read More »

Stay Connected

Follow and Subscribe

Join Our Newsletter
And get notified everytime we publish new content.

© 2022 CASSTT ALL RIGHTS RESERVED

Developed By Team CASSTT

Contact CASS

CASS (Centre for Aerospace & Security Studies), Old Airport Road, Islamabad
+92 51 5405011
cass.thinkers@casstt.com
career@casstt.com

All views and opinions expressed or implied are those of the authors/speakers/internal and external scholars and should not be construed as carrying the official sanction of CASS.