The Ministry of Information Technology and Telecommunication has drafted National Cyber Security Policy 2021, envisaging developing secure and resilient cyber systems and networks for national cybersecurity and response.
The policy framework is envisaged to secure the entire cyberspace of Pakistan including all information and communication systems used in both public and private sectors.
The objective of the policy is
- To establish governance and institutional framework for the secure cyber ecosystem,
- Create protection and information sharing mechanism (CERTs/SOCs) at all tiers capable to monitor, detect, protect and respond against threats to national ICT/CII infrastructures,
- Protect National Critical Information Infrastructure by mandating national security standards and processes related to the design, acquisition, development, use and operation of information systems,
- Enhance the security of government information systems and infrastructure,
- Create an information assurance framework of audits and compliance for all entities in both public and private sectors,
- Ensure integrity of ICT products, systems and services by establishing a mechanism of testing, screening, forensics and accreditation,
- Develop public-private partnerships and a collaborative mechanism through technical and operational cooperation,
- Create a countrywide culture of cybersecurity awareness through mass communication and education programs,
- Develop and create skilled cybersecurity professionals through capacity building, skill development and training programs.
“To mitigate cyber threats the country faces today and to improve the national cybersecurity outlook, it is imperative to undertake the strengthening of national cybersecurity capabilities through the development of essential and well-coordinated mechanisms, implementation of security standards and regulations under a policy and legislative framework,” it added.
The guiding principles to achieve policy objectives are; all actions will be driven by the need to protect people and enhance national and public prosperity, respective public and private organizations will be responsible to ensure the cybersecurity of their online data, services, ICT products, and systems, in case of any incident, the government will lead the national response with support from both public and private sector, will regard a cyber-attack on Pakistan CI/ CII as an act of aggression against national sovereignty and will defend itself with appropriate response measures and will act in accordance with national and international laws and expect reciprocal respect of our national digital sovereignty.
To achieve the objectives, an implementation framework shall be developed by a designated organization of the Federal Government, dealing with the subject of Cyber Security. This organization shall also act at the Central Entity at the federal level for coordination and implementing all Cyber Security related matters.
National Level: The Central Entity along with its National Computer Emergency Response Team (nCERT) and National Security Operation Center (nSOC).
Sectoral Level: Sectoral Regulator(s)/ CERTs (Defense, Telecom, Banking and finance, Power, Federal and Provincial public sector)
Organizational Level: Enterprises, entities and individual users.
The Central Entity will also undertake specific actions which including but not limited to the following: working with Internet Service Providers (ISP) and Telecom operators to block malware attacks, by restricting access to specific domains or web sites that are known sources of malware (known as Domain Name System (DNS) blocking/filtering), Preventing email phishing and spoofing activity on public networks, promoting security best practice through internet governance organisations; such as Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Engineering Task Force (IETF), European Regional Internet Registry (RIPE) and UN Internet Governance Forum (IGF) etc, Work with international law enforcement channels to protect Pakistan citizens from cyber-attacks from unprotected infrastructure overseas, Work towards implementation of controls to secure the routing of internet traffic for government departments to avoid illegitimately re-routed by malicious actors, Investing in capabilities enhancement programs of Law Enforcement Agencies (LEAs) and concerned Ministries/Divisions to enable them for response against state-sponsored and criminal cyber activities targeting Pakistan networks and systems.
The Central Entity will initiate actions, including but not limited to: develop an Internet Protocol (IP) reputation service to protect government digital services (this would allow online services to get information about an IP address connecting to them, helping the service get more informed on risk management decisions in real-time), seek to install products on government networks to ensure that software is running correctly and not being maliciously interfered, look to expand beyond the gov. pk domain into other digital services measures that notify users who are running out-of-date browsers.
To achieve this critical objective, the Central Entity will; operate requisite technical platforms to protect National Critical Information Infrastructure and work as nodal organization in the country, Institute processes for identification, prioritization, assessment and protection of Critical Information Infrastructure.
It will ensure a secure ICT environment including mobile systems and cloud-based solutions through state of the art security measures, mandate implementation of national security standards by all critical sector entities, to reduce the risk of disruption, develop a mechanism for protection of Critical Information Infrastructure and its integration at the entity level through relevant sectoral CERTs, establish and enforce risk management methodologies according to international standards inter alia ISO/IEC 27005:2008 and ISACA RISK IT etc, mandate all operators of national, provincial and organizational Critical Information Infrastructure to hire qualified Information Security individuals and add an appointment of Chief Information Security Officer (CISO).
To cater to a specific need of public sector information infrastructure, the Central Entity will: define and enforce a robust Government Authentication and Data Protection Framework, create vulnerability assessment and patch management process for all government technical systems, work with relevant government entities to ensure mandatory allocation of a certain percentage of the ICT project budget for Information Security Assurance, formulate a mechanism for creation and enforcement of staff vetting and clearance scheme across the government, improve security in government outsourcing and procurement through vetting of suppliers and enforcement of security clauses in contracts.
The implementation mechanism provided for this policy may require considerable time in order to be completely functional. Therefore, during this interim time period, the capacities and capabilities which state organizations and institutions currently have and are supportive of the implementation of this policy will be utilized and their continued use will be integrated with an all-encompassing implementation mechanism.
Pakistan Telecommunication Authority as per Telecom Act 1996, Telecommunications Policy 2015, and PECA 2016 will implement Telecom Sector technical platform (sectoral CERT as provided herein) in collaboration with the telecom industry.