The increased use of information and communication technologies has enhanced the global connectivity, mobility, and versatility of digital services. However, at the same time, it has exposed information assets to a host of new and evolving Cyber Security threats.
The Fourth Industrial Revolution has made these assets highly valuable. Simultaneously, with the organic growth and proliferation of the internet, some worrisome trends in the use of cyberspace have also emerged.
The concerns over safety and security potentially impede the objective of accelerated development and affect the confidence of people in using applications and services offered to traverse cyberspace.
The rise in incidents related to malicious use of ICTs in cyberspace is affecting the integrity and the civil rights protections guaranteed by the state, level-playing field, transparency, and socio-economic equilibrium.
It poses security and financial risks to the whole spectrum of users, including individuals, businesses, and states. It could also potentially impose serious barriers to achieving development goals in various economic sectors.
The Situation So Far
There are various initiatives already in place to promote the security of the digital systems, including the Electronic Transaction Ordinance, 2002 (covering only electronic financial transactions and records), Investigation for Fair Trial Act (IFTA) – 2013, Pakistan Telecommunication (Re-Organization) Act – 1996, and Prevention of Electronic Crime Act (PECA) 2016, which cover some but not all aspects of information and Cyber Security.
In addition, the State Bank of Pakistan (SBP) has also issued guidelines on Cyber Security for the financial sector, and the PTA has notified the Telecom Computer Emergency Response Team (CERT).
However, the inter-departmental coordination and holistic approach to address the Cyber Security challenges and their emerging trends requires a special focus on a national level.
With regards to setups responsible for Cyber Security in the country, only the selective Cyber Security Incident Response Teams (CSIRTs) are operational at the organizational level in the public, private, and defense sectors.
There is a need to enhance existing legislative and institutional frameworks and strengthen the principal organization mandated for national Cyber Security. The legal framework, structures, and processes related to Cyber Security need to be constantly monitored, assessed, and improved.
Challenges to Pakistan’s Digital Landscape
In the absence of an indigenous national ICT and Cyber Security industry, Pakistan relies heavily on imported hardware, software, and services. This reliance, inadequate national security standards, and weak accreditation has made computer systems in Pakistan vulnerable to outsider cyber attacks and data breaches through embedded malware, backdoors, and chipsets.
Despite the existence of such regulatory laws, there are other challenges like weak enforcement of existing statutes, inadequate or absent resources necessary to tackle weaknesses in cybersecurity, lack of data governance, reliance on external resources, and difficulties in carrying out coordinated responses to threats and attacks.
To counter all these challenges, the Ministry of Information Technology & Telecommunications (MOIT&T), under the Digital Pakistan initiative, has formulated National Cyber Security Policy, 2021.
It will serve as the foundation for the construction of a holistic digital ecosystem with supporting frameworks and components for the delivery of secure, reliable, and standardized digital services, applications, and digital infrastructure, the policy statement reads.
Under the policy, a Cyber Governance Policy Committee (CGPC) has been constituted to assert national level ownership to policy initiatives related to cyber-governance and security. The policy recommendations of CGPC will be approved/endorsed by the Federal Cabinet.
The core functions that CGPC will be responsible for are to:
- Formulate, guide, and recommend for the approval of the National Cyber Security Policy and Cyber Security Act.
- Assist in addressing requirements of organizational structures, technical, procedural, and legal measures to support the policy mandate and implementation mechanisms.
- Harmonize the working and operational reporting mechanism of all departments dealing with the subject.
- Carry out consultations on aspects related to cyber governance on a regular and permanent basis.
- Assign roles to national institutions for international representation and collaboration with global and regional bodies and organizations.
- Guide to align policy with emerging cyberspace requirements through updates and periodic reviews.
Active Defense Framework
The relevant stakeholders will work with Internet Service Providers (ISPs) and Telecom operators to block malware attacks by restricting access to specific domains or websites that are known sources of malware (known as Domain Name System (DNS) blocking/filtering, etc.)
They will also work to prevent email phishing and spoofing activity on public networks and promote security best practices through Internet governance organizations.
The involved stakeholders will also work with international law enforcement channels to protect Pakistan citizens from cyber-attacks from unprotected infrastructure overseas.
Investments will be made in capabilities enhancement programs of Law Enforcement Agencies (LEAs) and Ministries/Divisions concerned to enable them to respond against state-sponsored and criminal cyber activities targeting Pakistan networks and systems.
Protecting Internet-Based Services
An Internet Protocol (IP) reputation service will be developed to protect government digital services.
The stakeholders will look to expand beyond the gov.pk domain into other digital services measures that notify users who are running outdated technologies.
Confidential information will be shared between public and private organizations, safeguarding the online data privacy of citizens and ensuring complete data protection.
Protection of Government’s Information and Infrastructure
To cater to a specific need of public sector information infrastructure, the stakeholders will encourage the establishment of national Data Centers to co-locate servers and telecom Quality infrastructure for all government entities – federal & provincial.
Vulnerability management and patch management program for all government technical systems will be created, which will also work with relevant government entities to ensure mandatory allocation of a certain percentage of the ICT project budget for Cyber Security Assurance.
Security in government and critical infrastructure outsourcing will be improved, and procurement will be done through vetting and assurance of suppliers and enforcement of security clauses in contracts. Enforce periodic security & risk assessments of critical suppliers.
Public-Private Partnership & Research and Development
An environment for entrepreneurship based on cooperation among government, industry, academia, and research institutions in different areas, e.g., supply chain risk management, etc., will be nurtured.
Governmental support will be offered to start-ups and facilitate them to grow into competitive companies, and privately-owned Cyber Security groups/organizations will be enabled to collaborate with government bodies and regulate their actions.
Exchange of information on the development of new legislation and regulation between stakeholders will be facilitated.
Research & Development programs aimed at short-term, medium-term, and long-term goals will be carried out, which will aim to address aspects like development, testing, deployment, and maintenance of Cyber Security systems.
Commercialization of the outputs of Research & Development products will be promoted and facilitated, so they can be turned into commercial products and services to be used in public and private sectors.
Centers of Excellence will be set up in areas of strategic importance for the security of cyberspace and to educate and train human resources in Cyber Security domains to strengthen and uplift the human support base.
Customized human resource development programs will be implemented to fulfill the Cyber Security needs of both the public and private sectors.
Cyber Security research and development (R&D) budget will be increased for the development of indigenous Cyber Security solutions to minimize dependency on foreign technologies.
A special court will also be established to adjudicate the matters related to Cyber Security and related proceedings.
Cybercrime-related curriculum will be included in the graduate and post-graduate Engineering and Law related degrees, training of prosecutors, lawyers and judges, etc.
Cybercrime Response Mechanism
To ensure timely and apt resolution of complaints and mitigation of risks, the policy says that the relevant stakeholders will:
- Assist and enhance government capacity by augmenting law enforcement agencies’ technical capability to respond to cybercrimes.
- Establish liaison and coordination with other national and international cybercrime agencies for sharing of information and cooperation.
- Strengthen the processes and procedures and embed Cyber Security in public and private service networks vulnerable to cybercrimes.
Establishing Trust in Digital Transactions
In order to build and maintain the trust of users in the security and integrity of digital services, Digital Certifications will be enforced for the authenticity of individuals and businesses, including enhancing technology for enabling digital signature/electronic transactions.
Work on scalable Public Key Infrastructure (PKI) will be encouraged as per future business requirements (e-passport, e-voting, e-filing, e-procurement, e-governance, etc.).
Multiple Certification Service Providers will also be promoted to improve the security and trust of digital services such as e-commerce, fintech, and other government to citizen services.