Rapid digitalization and penetration of Information and Communication Technologies (ICTs) in all walks of life have exposed states to new and evolving cybersecurity threats. Protection of data and networks from these has become a sine qua non for states. While all responsible states have developed holistic policies and approaches to counter impending cyber threats, Pakistan struggled to formulate a centralized national policy or strategy for cybersecurity. Guidelines on cybersecurity and governance for various sectors(such as banking and defense) were in place, but a holistic national-level approach to cybersecurity was missing.
On 27 July 2021, the Federal Cabinet approved Pakistan’s first National Cyber Security Policy for data protection and prevention of cybercrimes, a much-anticipated document in the cybersecurity community. The policy was formulated by the Ministry of Information Technology & Telecommunication which endeavored to finally provide a plan of action to establish a concrete legal and structural framework related to cybersecurity.
What are the threats to National Cybersecurity Policy?
While National Cybersecurity Policy was a strategic need for a long it was actually the Pegasus scandal that expedited it. A collaborative investigation by a consortium of media organizations revealed how a hacking software – Pegasus- licensed by an Israeli firm NSO to its client governments for tracking terrorists and criminals was used to target world leaders, human rights activists and journalists, etc. Hundreds of phone numbers from Pakistan were on the list, including one used by PM Imran Khan once. Unsurprisingly, and most worryingly, India- Pakistan’s archrival- happened to be one of NSO’s most loyal clients.
The 2021 policy’s vision is to create a secure, robust, and continually improving nationwide digital ecosystem while ensuring accountable confidentiality, integrity, and availability of digital assets.’ Its key guiding principles include data privacy and security of citizens, providing the required support and system to concerned public and private organizations, the establishment of a national response framework, and last but not least, adoption of best practices to ensure national digital sovereignty.
The policy, in order to improve the national cybersecurity outlook, plans to undertake the ‘strengthening of national cybersecurity capabilities through the development of essential and well-coordinated mechanisms, implementation of security standards and regulations under a policy and legislative framework’.
Because of Pakistan’s meager commitment to cybersecurity, it performed poorly in global ICT rankings (ICT Development Index value of 2.42). Hence, one of the core objectives of the policy also happens to be the improvement of Pakistan’s ICT ranking. Pakistan also ranks 14 out of a total of 18 states in the Asia-Pacific on the Global Cybersecurity Index (GCI) 2020. The country’s overall GCI score is 64.88. The policy would help improve Pakistan’s GCI ranking too.
Another essential element discussed in the policy is the indigenization and development of cybersecurity solutions through R&D programs. This too was an important area that needed attention. Adequate local resources, both in terms of manpower through Centres of Excellence and HRD programs, and technology will rectify our excessive reliance on external sources which further amplify the country’s cyber risks. However, the policymakers did not specify how much resources/budget would be allocated for this crucial purpose.
The approach of risk management is a welcome initiative
Nevertheless, considerably more focus has been put on information security rather than on cybersecurity. This is primarily because the wrong stakeholder is in the lead on this policy. Since cybersecurity is much broader than information security, the subject should fall under the National Security Division (NSD) for a more substantive outlook and scope.
As underscored by the Information Minister, the National Cyber Security Policy constitutes two parts, cyber security as well as cyber offenses. The building up of a mechanism against offensive cyber operations was a long-overdue step. The existing information and data security legislations (often taken synonymous with cyber legislation) did not take into account the growing need to defend and deter cyber aggression.
While the current policy does not provide a response mechanism with demarcated roles and responsibilities, it categorically declares that in case of any aggression, the state of Pakistan will respond. Accordingly, a cyber-attack on Pakistan’s Critical Infrastructure or Critical Information Infrastructure will be regarded as an act of aggression against national sovereignty and the state will defend itself with appropriate response measures. The decision to establish a national-level response team is also fundamental in this regard.
Contextually and content-wise, the policy is an important and much-needed document that covers both offensives as well as defensive needs. Priorities and needed actions are well articulated, but unfortunately, an action plan to achieve those goals and deliverables is missing. Nonetheless, the decision to constitute a Cyber Governance Policy Committee (CGPC) for implementation and oversight is part of the policy.
The Committee will be tasked to come up with a concrete strategy and action plan. Given Pakistan’s poor record of enforcement and selective implementation of policies, all eyes are on CGPC to live up to its mandate and fulfill the responsibility of securing Pakistan’s national cyberspace.
The writer is a researcher at the Centre for Aerospace & Security Studies (CASS), Islamabad, Pakistan. She can be reached at firstname.lastname@example.org. The views expressed in the article are the author’s own and do not necessarily reflect the editorial policy of Global Village Space.