The Cyber Governance Policy has been drafted with the aim of realizing the full potential of information and communication technologies for socio-economic development by assuring the availability, confidentiality and integrity of the critical infrastructure and information system, besides providing a reliable, secure and resilient cyberspace for all.
According to the policy draft, the country’s cyber governance policy is being formulated in consultation with all stakeholders. In this regard, a draft on cybersecurity framework has also been shared by the Law Enforcement Agencies.
Important elements relating to the integrated Cyber Security Policy (a part of cyber governance), which are being given due consideration, include:
i) transparency in both policy-making and implementation
ii) public trust—safety vs surveillance (civil liberties)
iii) practicality and manageability of structure
iv) technical soundness, completeness and adequacy
v) balance between safety and development/growth/economic considerations
vi) continued funding and sustainability
vii) international compatibility (diplomatic connotations)
To cater to all the above-mentioned considerations in a balanced way, a tiered approach to the cybersecurity structure for Pakistan is being deliberated, whereby institutional setups at the national and sectoral level will be proposed to the federal government.
This approach is aimed at creating, enhancing and laying down specifications of technical interfaces and processes for national, provincial, sectoral and organizational level mechanisms for assessment of threats to ICT infrastructure, and creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective response and post-incident recovery actions.
The cyber governance/security policy draft includes the following major blocks:
i) vision, scope, objectives
ii) governance model
iii) institutional structure and functions
v) cross structure collaboration model and processes
vi) risk assurance framework
vii) capacity building
viii) R&D and indigenization
ix) Model for international collaboration
xi) Legislative cover for the institutional model/operationalization of PECA 2016
Structural and Operational Requirements
Keeping in view the ever-changing and evolving dynamics of the cyberspace, the government of Pakistan, through the proposed draft cybersecurity policy, is considering the option of establishing a specialized and autonomous body for cybersecurity, under an appropriately high-level reporting mechanism.
The proposed body, having an autonomous functional model and a broader oversight board with representation of relevant stakeholders, will be equipped with all the modern and necessary tools to deal effectively with cybersecurity issues in the country, both in proactive mode, including threat prediction and anticipation, and in reactive capacities for effective response to cyber incidents.
The draft clearly lays out the roles and responsibilities for policy formulation on the subject as well as the implementation mechanism, where the central institution will be responsible for setting up policy-mandated standards, the coordination process between various tiers, threat environment grading mechanisms, dynamic critical infrastructure classification mechanisms and a risk mitigation assurance mechanism for all classes of users and entities across various sectors.
User and organization level compliance will be ensured through relevant sectoral CERTs/cybersecurity apparatus across various sectors. Further legislative and regulatory requirements to be pursued by the federal government have also been spelled out.
In the first instance, the draft policy document will be presented to the cyber governance policy committee, and thereafter the draft will be put to broad consultation with the telecom industry as well as other cross-domain stakeholders. The draft will also be presented in detail to the Senate and National Assembly Standing Committees before proceeding for approval by the federal government.