OUR TEAMS
Our Team Credentials

An Overview of Pakistan’s National Cyber Security Policy 2021

An Overview of Pakistan’s National Cyber Security Policy 2021

The global community transformed into a Global Village in the previous decade, primarily due to advancements in ICTs. Opportunities in business, culture, and society are expanding for Cyberspace consumers. These opportunities arise as a consequence of advancements in information and communication technology. All these things which are reshaping the global dimension of socioeconomic development and increasing threats national cyber security. A new age is figured out by this vast expansion, marked by low-cost and simple access to globally linked networks. The Internet has gained greater importance in today’s contemporary world. This is due to advancements in information and communication technologies and our increasing dependency on internet infrastructure. For information and penetration testing services follow us on LinkedIn.

Concerns about safety and security can dampen trust in cyberspace applications and services, slowing down development. The rise of cybercrime poses threats not only to the security and financial well-being of users, individuals, businesses, sectors, and states. It also jeopardizes the integrity and civil rights protections provided by the state. Furthermore, it impacts the level playing field, transparency, and socio-economic equilibrium. Do you know about NCX 2023, Don’t you? Click here.

Review of Pakistan’s National Cyber Security Landscape

To safeguard the digital infrastructure and ensure the online privacy of Pakistani citizens, numerous federal and provincial entities have implemented measures. These include the Investigation for Fair Trial Act (IFTA) of 2013, applicable exclusively to electronic financial transactions and records. Additionally, regulations such as the Pakistan Telecommunication (Re-Organization) Act of 1996, which governs digital systems, and the Electronic Transaction Ordinance of 2002, regulating electronic financial transactions and records, contribute to comprehensive cybersecurity efforts. If you want to read about top 9 vulnerabilities in 2023? click here.

A Call for National Emphasis and Enhanced Infrastructure

Furthermore, the PTA has informed the Telecom Computer Emergency Response Team (CERT) and the State Bank of Pakistan (SBP) issues guidelines regarding commercial cybersecurity. However, effectively tackling emerging trends and coordinating interdepartmentally to address cybersecurity challenges requires a national emphasis. Currently, only selective Cyber Security Incident Response Teams (CSIRTs) operate across the nation’s public, private, and defense sectors in terms of national cyber security infrastructure. It is imperative to bolster current legislative and institutional structures and fortify the underlying principles tasked with safeguarding national cybersecurity.

National Cybersecurity Framework Evolution

National Cybersecurity Framework Evolution

It is crucial to consistently monitor, evaluate, and enhance the legal framework, structures, and processes pertaining to national cyber security. The National Centre for Cyber Security was founded in 2018 with the purpose of conducting scholarly research. Additionally, the HEC has established graduate-level programs in MS Systems Security and National Cyber Security at various academic levels. This underscores the importance of enhancing the current workforce’s capabilities. Wide disparity between supply and demand for digital skills, especially in national cyber security, further emphasizes need for such programs. 

Pakistan heavily relies on imported hardware, software, and services, lacking an indigenous ICT and National Cyber Security sector. This dependency, along with insufficient national security standards, makes Pakistani computer systems vulnerable to external intrusions. These intrusions may include data breaches, and risks associated with chipsets, embedded malware, and backdoors. Inadequate accreditation further compounds these challenges.

Challenges and Risks in National Cyber Security

National cyber security having Challenges and Risks​

Data, being regarded as an economic asset, is susceptible to the same threats and hazards as any other asset. Implementing a comprehensive national cybersecurity policy is fundamental for addressing global risks and challenges. Such a policy mitigates vulnerabilities in IT systems. The subsequent points are the most crucial among them.

Ownership at the Top

One of the foundational pillars of knowledge-based economies is information. Therefore, to safeguard this time-sensitive asset, information and its governance, regulation, and administration must synchronize at the national level. Utilizing all available resources is essential. The administration of national cyber security is necessary owing to its complex nature, challenging nature, and cross-sectoral implementation.

National Cyber Security Policy and Strategy implementation issues

National Cyber Security Policy and Strategy implementation issues​

In the absence of a centralized policy and strategy for Cyber Security, attempts at securing the digital assets of the country are liable to be random and uncoordinated. 

i. Weak Enforcement of Statutes

The current legislative framework pertaining to national cyber security in Pakistan fails to adequately safeguard the nation’s digital assets. The current legislation on national cybersecurity lacks a robust mechanism. It is imperative to substantially revise it. This ensures consistent safeguarding of the nation’s interests, both in letter and spirit. A legislative structure that is suitable in nature could potentially facilitate adherence to a centralized and comprehensive compliance framework.

ii. Assessment And Continual Improvement

Cybersecurity-related legal frameworks, structures, and processes must undergo continuous monitoring, evaluation, and enhancement. Otherwise, they may cease to function and become threats in themselves. In regards to the compliance framework of the national cyber security policy, implementation must be continuously monitored, evaluated, and enhanced. In fact, a comprehensive strategy with suitable legal and technical frameworks could facilitate identifying potential risks. This strategy ensures that associated repercussions are recognized and that wrongdoers address vulnerabilities, leaving none unattended.

Enforcement of Required Structures and Processes

Enforcement of Required Structures and Processes​ in National cyber security

Appropriate frameworks and procedures for governance, regulation, implementation, and enforcement are necessary to ensure cyber security. Cybersecurity is vulnerable to any collapse or deficiency in the regulatory frameworks. 

I. National Cybersecurity Resources: Challenges and Risks

I. Insufficient and Substandard Resources The field of cyber security is experiencing significant expansion, necessitating an ongoing acquisition of pertinent expertise and resources. Failure to possess the necessary skills will result in vulnerabilities within the national cyber security domain. Furthermore, an emerging challenge in the digital workforce is the need to bridge the disparity between supply and demand. The lack of a mechanism to verify the quantity and quality of these resources and skills poses a risk to the nation’s cyber security.

II. Lack of Data Governance

When data management, control, and processing occur beyond a country’s legal authority, data colonization concerns arise. The information domain becomes vulnerable to threat actors, allowing third parties to acquire personal information without citizens’ knowledge, permission, or validation. Society is exploited due to widespread data use and misuse. Weak data governance, poor quality, and a lack of stewardship create unreliable information resources, endangering national cyber security.

III. Reliance on External Resources

Widespread use of IT, especially in operations technology, makes critical information assets more likely to be attacked online. When local resources aren’t enough, cybersecurity is put at risk. It becomes very important to rely on foreign resources like knowledge, technology, and tools.

IV. Challenges of Coordinated Response to Threats and Attacks

A network of coordinated response teams known as CERTs is necessary for an efficient reaction to challenges, threats, and assaults. A big risk is the lack of such teams and the inability for them to work together. The associate organizations’ inadequate Cyber Security posture and functions are the main causes of this. The key to a thriving Cyber Security ecosystem is empowering support organizations.

Global Cooperation and Collaborations

Global Cooperation and Collaborations​

The Central Entity and the Ministry of IT & Telecom will advocate for the nation’s perspective. They will provide guidance in international forums and advise on participating in global collaborations. Participation in information and cybersecurity events will involve the Central Entity, Ministry of Foreign Affairs, and Ministry of IT & Telecom, as needed.

The Ministry of IT & Telecom, in consultation with the Central Entity, will:
  • Maintain a constant presence and offer expert perspectives to international organizations such as ICANN, GAC, and ITU. Additionally, engage with regional bodies like APT, as well as comparable United Nations and non-UN agencies. 
  • Construct a mechanism for the exchange of reliable information at both local and international levels. This includes intrusions, vulnerabilities, threats, and collaboration with intergovernmental and non-governmental organizations, as well as the general public.

Cybercrime Response Mechanism

Cybercrime Response Mechanism​
The Central Authority will: 
  • Support the government and make it better at what it does. This means making law enforcement agents smarter about technology. The goal is to successfully track, spot, and fight fraud. 
  • Foster collaboration and information exchange with other domestic and international cybercrime agencies through the establishment of liaison and coordination mechanisms. 
  • Reinforce processes and procedures and integrate national cyber security into networks that provide vulnerable public and private services to cybercriminals.

REGULATIONS

Establishing suitable frameworks and regulations for cyber governance is crucial for the successful execution of the National Cyber Security Policy and the attainment of predetermined objectives. In collaboration with relevant parties, these will be devised and shall consist of the following, among others:

  • Development and implementation of the Cyber Security Act and National Cyber Security Policy. 
  • Regulations and policies governing the national cyber security framework. 
  • Information Sharing and National Cyber Security/Governance Operations Mechanism: for incident response, management capability, and evidence provision. 
  • Risk management, screening, accreditation, and compliance regulations: for Critical Information Infrastructure, public-private partnerships, capacity building, research and development initiatives, and international collaboration. 
  • Digital Certifications that verify the legitimacy of enterprises and individuals. 
  • Public and private organizations exchange confidential information while protecting the privacy of citizens and assuring the security of data. 
  • Standardization of digital analysis equipment and methods to help with cyber control in line with this policy and PECA 2016. 
  • Adherence to auditing protocols and safeguarding national cyber security standards throughout Pakistan.

Interim Measures

It may take a long time for the policy’s implementation mechanism to be fully functioning. During the transition phase, the state’s current institutions and organizations will use their resources and skills. These tools will help carry out the policy, and they will be added to all the time. This letter will be built into the system for complete execution. Working in collaboration with the telecom industry, the Pakistan Telecommunication Authority (PTA) is set to establish a telecom sector technical platform known as the sectoral CERT. This initiative is in accordance with the Telecom Act of 1996, the Telecommunications Policy of 2015, and PECA 2016. The sectoral CERT is designed to bolster cybersecurity measures within telecommunications sector, providing framework consistent with existing regulations and policies.