Analyzing Pakistan’s Cyber Security Policy
The world is advancing towards the use of different methods of conflict. Battlegrounds have transformed beyond physical space and into the realms of cyberspace. Protection of a country’s sovereignty now requires the protection of its cyberspace as well. Cyber security in the age of Information warfare and Cyber warfare have become crucial for the survival of governments, militaries, and other organizations”.
Developed countries have advanced in cyber security rules and regulations and their implementation is ensured across the board. But in a country like Pakistan, the concept of cyber security was far-fetched which hampered the formulation of a comprehensive policy on cyber security. Under the current government, the Ministry of Information Technology and Telecommunication has drafted the National Cyber Security Policy 2021. Since the draft was made public, it has become under discussion for the right reasons says Fahad Nabeel, a researcher who has been studying cyber security and its implications on Pakistan for years. Fahad offered an extensive comment on the draft and says “the consultation draft of National Cyber Security Policy 2021 covers several key areas which should be part of a standard cybersecurity policy document”.
According to a leading expert on cybersecurity, Dr Pearce suggested three key areas of cybersecurity as follows, national security (intelligence and counter-intelligence), cooperate security, and personal security. Pakistan has had to face cyber threats on the national security front the most. This makes the document concerning the matter of national security an important blueprint for the induction of cybersecurity clauses in the relevant ministries. This also includes telecommunication operators in the country that will be required to undergo structural and technical reforms to beef up their cybersecurity while aiding the national cybersecurity as suggested in the draft. The combined effort is an important step to enhance the overall cybersecurity of the country.
As Fahad continues to explain that “the new policy calls for a central entity at the federal level which will coordinate and implement all cybersecurity-related matters. Additionally, the policy calls for establishing cyber incident response capabilities, promotion of information sharing, foster cybersecurity R&D, develop cybersecurity curricula, implement cybersecurity awareness-raising programs, and seeking international cyber cooperation. On international cooperation, the policy calls for recognizing the importance of cybersecurity in Pakistan’s foreign policy by engaging in international discussions and promoting cooperation in cyberspace”. In light of the recent disinformation campaigns against Pakistan that were mainly generated by India through its advanced cyber network, the draft’s implementation is essential to not only protect but also counter future cyber threats. For Pakistan, which is attempting to move towards digitization, the unregulated process poses more threats to its digitization goal and leaves room for loopholes. But the draft shows an encouraging understanding of cyber warfare, where a strong cybersecurity setup will help form the first line of defence.
However, there is considerable room for improvement in the consultation draft and Fahad Nabeel points to a few of those. He adds that “in the National Internal Security Policy 2018-2023, a combined civil-military cyber command force was proposed to prevent cyber-attacks. However, the cybersecurity policy document remains silent about it. While the policy calls for implementing the concept of ‘Information Security by Design’, there is no mention of the ‘Privacy by Design’ and ‘No-Legacy’ principles. The policy mentions that Pakistan will take appropriate measures in case of an attack on critical infrastructure or critical information infrastructure without elaborating what these measures will be. The policy explicitly identifies roles and responsibilities for only two Ministries – Ministry of IT & Telecom and Ministry of Foreign Affairs – while remaining silent about the roles and responsibilities of other relevant ministries like Ministry of the Interior, Ministry of Law and Justice, Ministry of Economic Affairs, etc. The policy does not provide any specific timeframe for approval of the National Cyber Security Policy, Cyber Security Act, and Data Protection Law. “
The policy document also fails to acknowledge the fact that rights that people have offline should also be protected online. Similarly, the principles of proportionality and necessity are not mentioned while talking about enhancing the technical capability of law enforcement agencies. Moreover, the policy does not make any mention of contingency plans for cybersecurity crisis management. Similarly, the policy remains silent on cybersecurity and incident response exercises. The policy does not mention any asset which constitutes part of critical infrastructure. Moreover, the concept of essential services is missing in the policy document. Lastly, there is no mention of sustainable development and social inclusiveness in the policy document or the implementation of the draft. These remain the concern and if not addressed properly, can become a major loophole in an important policy document.
While cybersecurity is the first line of defence in case of a cyber offensive against the country, it must also be looked at from the perspective of Information warfare as well. As Pakistan is under a constant threat of both information and cyberwarfare, the policy draft should include the slight differences of both concepts for better identification of cyber threats.