cyber_security_in_pakistan_1200x630-1068x561

The authors highlight the vulnerabilities within Pakistan’s cyber-security system. There are cyber laws in place by the government, however, they do not adequately understand the growing sophistication of cyber-attacks.

With the growth and spread of connected digital technologies, cyber threats have become an inescapable reality. According to the World Economic Global Risk Report 2019, massive data fraud and theft were ranked the number four global risk in terms of likelihood, with cyber-attacks at number five.

The same report published in 2020, listed cyber-attacks on critical infrastructures as the fifth top risk. This elucidates the growing potential of the cyber realm where governments, political groups, non-state actors, and corporations can engage in espionage, warfare, and terrorism using this domain.

According to multiple governments as well as privately documented reports, there is an ever-growing threat of cyber-based attacks on crucial infrastructure systems.

Critical infrastructure systems, being the lifeline of the modern world, hold paramount importance for both national and economic security as their reliable and secure operation is crucial for the smooth working of a state. Recognizing it as a global and national security concern, all modern states undertook emergency measures to consolidate their cybersecurity.

The cyber-attack on K-Electric

The cyber-attack on K-Electric, Pakistan’s largest power supply company that took place in late 2020 reinitiated the long-drawn debate on the enactment of an appropriate cybersecurity legislation and governance framework, but to no avail. Cyberspace legislation and governance remain a neglected area in Pakistan.

The ransomware attack launched by Net walker put at risk the data of 2.5 million consumers of the company whose names, addresses, CNIC, and NTN numbers were dumped on the dark web as K-Electric failed to pay the ransom amount of $7 million.

Although K-Electric officials have claimed that the attack has not been harmful and their data remains safe, the consequences of any such future attack can be further catastrophic as Pakistan neither has an effective redressal mechanism to monitor cyber infiltrations nor data protection laws that strengthen digital privacy in the country.

The cyber-attack on K-Electric and numerous other such incidents show weaknesses in Pakistan’s preparedness against cyber threats. According to the Global Security Index 2018, Pakistan was ranked 94 out of a total of 193 countries in terms of cyber preparedness.

The situation has worsened since then and can be attributed to a lack of commitment in legal, technical, organizational, capacity building areas as well as a dearth of interagency/sector cooperation in the cybersecurity domain.

What Pakistan’s cyber laws lack

Different computer and internet-related laws have been enacted by the government to govern and regulate cyberspace in Pakistan.

The key ones include “National IT Policy and Action Plan of 2000”, “Electronic Transaction Ordinance 2002”, “Electronic Crime Ordinance 2004”, “Pakistan Electronic Crime Ordinance 2007”, “Prevention of Electronic Crimes Act (PECA) 2016”, “Data Protection Bill 2018”, and the most recent being “Citizen Protection (Against Online Harm) Rules 2020”.

Even though all these legislations were aimed at addressing internet and computer-related crimes to some extent, none however adequately understands the growing sophistication of cyber-attacks.

While penalizing cybercrimes through effective national legislation is a step in the right direction, Pakistan’s cybercrime laws are just one determinant of a good and secure cybersecurity system.

Unfortunately, Pakistan lags behind in fulfilling some of the major credentials of a good cybersecurity system. According to International Telecommunication Union (ITU), a national cybersecurity strategy is an essential first step in addressing cyber-security challenges.

Apart from the “Prevention of Electronic Crimes Act 2016”, there is no security agency that lays down a national cybersecurity strategy and framework in Pakistan. There is also a lack of coherence in criminal law procedures and the policies to address cybersecurity incidents.

Moreover, there is a dearth of intelligence sharing as well as cooperation frameworks amongst the national institutions which ultimately hampers national cybersecurity efforts. Pakistan also lacks a proactive Computer Emergency Response Team (CERT) at the national level to detect and respond to cyber-threats/attacks in real-time.

Capacity-building in the domain of cybersecurity is another essential component for a robust cyber-security structure, and efforts in this regard are still at a very nascent stage.

A much-needed collaboration

Foregoing suggests Pakistan is extremely vulnerable to cyber-attacks and lacks an appropriate response mechanism.

Pakistan, therefore, needs to address its policy shortcomings vis-Ă -vis cybersecurity and its preparedness, considering the evolving threats to national security, which have further heightened during the COVID-19 pandemic. Any delay to ramp-up infrastructure related to cyber-security may prove costly.

The need to neutralize any possible cyber incursion is essential and cyber security laws in Pakistan must be made responsive to cope with the emerging cyber threat environment.

A “National Cyber Security Agency” should be formed to ensure collaboration between the government, military, and intelligence stakeholders. A body should be formed to conduct a cyber risk assessment of critical infrastructures and establish protection levels.

Most importantly, there is a dire need to revamp the current digital legislations, particularly PECA from a broader lens of catering for problems relating to cyberspace.

Any indifference, procrastination, or delay in acquiring robust and dynamic cyber defense will be at Pakistan’s own peril.

Amna Tauhidi and Aneeqa Safdar are researchers at the Centre for Aerospace & Security Studies (CASS), Pakistan. The article was first published in Global Village Space(GVS). They can be reached at [email protected]


Share this article

Facebook
Twitter
LinkedIn

Recent Publications

Browse through the list of recent publications.

Two Faces of the Atom: India’s Nuclear Exceptionalism

ew examples capture the inconsistencies of the nuclear world order more starkly than the events of 2 March 2026: as Prime Ministers’ Mark Carney and Narendra Modi signed a landmark 1.9 billion USD uranium supply deal for India’s civil nuclear sector, Iran was subjected to the third day of indiscriminate airstrikes by the US and Israel under the banner of nuclear non-proliferation, despite Iran agreeing to zero stockpiling of enriched uranium just days prior. This event, unfortunately, was not an isolated one, rather it reflects a pattern of nuclear exceptionalism where certain states such as India, continue to be rewarded for non-compliance with international regulations, while others such as Iran, are censured and even subjected to military action based on hypothetical realities.

The latest deal would see Canada sell close to 22 million pounds of uranium concentrate to India over 8 years, starting in 2027, a sale more than ten times the last Canada-India uranium agreement of 2015, which supplied 7 million pounds of concentrate over 5 years.

Read More »

Data Centres as the New Military Targets in Modern Conflicts

The character of warfare has evolved in tandem with the changing nature of military targets. In early March 2026, Iran bypassed traditional military targets and struck the physical part of the digital infrastructure at Amazon Web Services (AWS) data centres in the UAE and Bahrain. Until now data centres had been considered an unassuming target, as they did not house any military equipment or hardware. However, the US-Israel war on Iran, has transformed these billion dollar sites into high-value targets because of their ability to act as server farms on which adversaries’ websites, apps, AI systems and the entire digital infrastructure run.

Data centres are digital ecosystems where the delivery of cloud services depends on the integrity of physical infrastructure. Disruption in any one part of the shared infrastructure does not remain isolated and risks triggering widespread systemic failure. In the case at hand, Amazon operated multiple availability zones within each region in the United Arab Emirates and Bahrain. Iran struck two of the three availability zones in the UAE, while in Bahrain, a zone was damaged by drone debris causing an extended power outage and connectivity problems that further disrupted service across the Gulf.

Read More »

The Sovereign Shield

Pakistan’s defence industry is gearing up from a localised purchase requirement to a globalising high-tech export industry. For long the military-industrial complex of Pakistan had been dominated by military needs of the border security and the costly importation of foreign technology. This tendency, however, seems to be reversing slowly. Pakistan is attempting to edge closer to a model of self-reliance in this regard in terms of tactical security and geoeconomic rebalancing that is spearheaded by the JF-17 Block III, the Super Mushshak, and the unmanned systems. This is very clear in its international defence contracts of between 10 to 13 billion dollars.

But export headlines simply aren’t enough to succeed. The defence ecosystem of Pakistan is built on the basis of a strategic triangle in which the PAF is the challenging end-user and technological enabler of the defence ecosystem, a nascent domestic defence sector with focus on platforms such as the JF-17 and the overall economy that will have to eventually underpin and benefit of the activity. The first two legs have demonstrated great strength. The most challenging one is the economic leg, however. Export spikes can be short lived unless structural reforms are adopted. It is the work to be done by chance, that is to assemble these three factors in a self-sustaining system.

Read More »