Pakistan’s New Cyber Policy: Welcome, But Flaws RemainExperts Say 'Cyber Security Policy 2021' a Step in Right Direction, But Identify Shortcomings
Pakistan’s newly approved Cyber Security Policy 2021 aims to strengthen institutional and governance structures, including setting up Computer Emergency Response Teams and Security Operations Centers.
And while cybersecurity and policy experts describe the new policy as a step in the right direction, there remains some uncertainty around what constitutes critical infrastructure. The policy also does not include a road map to create a digital forensic lab.
“The new policy does state the formation of a National and Sectoral Computer Emergency Response Team to protect the cyberspace against cyberattacks and make it resilient," says Rafay Baloch, researcher and former cybersecurity advisor to the Pakistan Telecommunication Authority. "However, there is still some ambiguity pertaining to what is meant by critical infrastructure in the new cyber policy.”
Baloch points out that although Section 40 of Pakistan’s Prevention of Electronic Crimes Act mandates the establishment of an independent forensic lab to analyze and provide expert opinion on cybercrime investigations, the government hasn’t yet set up or designated such a body. “The establishment of a forensic lab will help prevent the misuse of cyber laws by law enforcement agencies and bring about accountability,” he says.
What's in the New Policy?
The most significant policy guidelines that address Pakistan’s immediate cybersecurity concerns are: the establishment of a much-needed governance framework, collaboration with global Computer Emergency Response Teams, and the statement that a cyberattack on any Pakistani institution will henceforth be considered as an act of aggression on national sovereignty and the attackers will face appropriate retaliatory measures.
Khawaja Mohammad Ali, head of technology strategy, GRC and cybersecurity at the Federal Bank of Pakistan and an international liaison for the Pakistan Information Security Association, acknowledges that strong cybersecurity policies and frameworks are a must-have for any country. “In the wake of COVID-19, the need for countries to have focused attention on cybersecurity has never been greater," he says. "The Pakistani government has recognized this need and has therefore taken steps to increase international collaboration."
Ali adds that the tenets of the new policy are based not only on cybersecurity incidents that have taken place on Pakistani soil, but on observations and learnings from cyberattacks faced by other countries.
The collaboration aspect is not limited to global CERTs and SOCs. The new guidelines also call for more partnership between public and private entities - a welcome move in Ali’s opinion.
Although there’s no specified date for when the Cyber Security Policy 2021 goes into effect or an assigned deadline to achieve the new policy’s objectives, the newly constituted Cyber Governance Policy Committee is in charge of the new policy’s initiatives.
While there’s room for improvement in Pakistan’s new cyber policy - especially around identification of critical infra and cyber forensic capabilities - it addresses the need to create an assurance framework by focusing more on compliance audits, observers say. The 2021 policy underlines the need for partnership between public and private entities and fostering local research and development. Developing home-grown ICT products and solutions is also one of the objectives the government aims to drive.
Electronic Crimes Act 2016 Limitations
Pakistan’s first legal framework to tackle cybercrime was passed in 2002, but it couldn’t really crack down on cybercriminals because it failed to criminalize most cybercrimes.
Pakistan’s latest and most comprehensive cybercrime bill - the Prevention of Electronic Crimes Act - was passed in 2016
The 2016 act, however, focused on preventive measures instead of proactive ones when it came to building incident response plans or addressing the need to foster cybersecurity skills to combat cybercrime (see: Can Pakistan's New Cybersecurity Law Help Combat Cybercrime?)
Baloch says the new cyber policy’s failure to properly define critical infrastructure has its root in the 2016 Act. The new policy also offers no clarity on what constitutes critical infrastructure - a key factor when it comes to protecting national assets against cyberespionage or targeted attacks, he says.
Usama Nizamani, assistant research associate at Islamabad Policy Research Institute, in his published appraisal of Pakistan’s cyber policy, notes that strategic initiatives in legislative powers, policymaking and international involvement are absent from the Prevention of Electronic Crimes Act 2016.
Another major challenge, he observes, is the absence of a cybersecurity framework, which results in the overall policy being “rudderless, ineffective and haphazard." In his report, he states that the establishment of the Cyber Emergency Response Team and Cyber Command modules under the new cyber policy are critical for the country’s national security.
Increased Collaboration with Global CERTs
In addition to government bodies such as the National Center for Cyber Security, international collaboration is also conducted by the Pakistan Information Security Association, which engages with international CERTs from India, China, Malaysia, Sri Lanka and Singapore to discuss and collaborate on security policies and run cyberattack response drills.
Ali explains that a cyberattack in any part of the world gets added to the “inventory” of threat response and best practices for all security practitioners around the globe. “This is because when it comes to cyberattacks, there are no geographical boundaries.”
He adds that increased digitization has made it even more important to collaborate with security practitioners and experts from around the world to ensure business continuity and keep the economy up and running.
“Pakistan was already working towards securing cyber space, but a lot of those activities were happening in silos. Countries like Singapore, Canada and Turkey have made a lot of advancements in the field of cybersecurity, and Pakistan is trying to follow in their footsteps,” Ali says.
He says Pakistan is equally responsible for contributing to protection of cyber space, and efforts are being made to not only secure Pakistan, but the world.