The latest National Internal Security Policy (NISP) for the first time emphasizes about securing cyberspace. It is the first policy document which stresses on securing the cyber domain by proposing a number of measures.

Currently, there are more than 55 million 3G/4G phone subscribers and 58 million broadband Internet users in the country. Over 44 million social media accounts are been used by Pakistanis.  According to the Inclusive Internet Index 2018, Pakistan has been ranked 68^th out of 86 countries. Since 2009, Pakistan has been a victim of at least 11 suspected state-sponsored cyber operations. Hacking of several government and non-government websites by foreign hackers, prominently Indians, is reported regularly. Pakistan ranks 66^th in the Global Cybersecurity Index 2017. Between 2016 and 2018, more than 18,000 cybercrime complaints were reported.

According to experts, the banking sector is the most vulnerable to cyberattack, and have termed the data security of banking sector against fraud attempts as ‘fragile as a cobweb’. Cyberattacks against banks which cause loss of millions of rupees and defacement of banking websites have been reported with regular intervals.

Pakistan-centric terrorist groups are extensively using cyberspace for the following objectives:

• Running malicious propaganda campaigns against the state of Pakistan and its security forces,
• Propagating a distorted version of the religion,
• Promoting hatred towards various sects within Muslims prominently Shias,
• Recruiting new members, and
• Claiming responsibility for the terrorist attacks (In several cases, Baloch sub-nationalist groups have claimed responsibility for terrorist attacks which were never conducted. This is done primarily to remain in media spotlight).

A number of factors have contributed in keeping Pakistan lagging behind in the domain of cyberspace. Firstly, the country doesn’t have a cyber-security strategy to direct the government institutions on how to deal with this threat. Secondly, prior to ‘Digital Pakistan Policy’, there was a lack of government support to the information and technology sector. The policy has been termed as a ‘much needed step in the right direction’ as it addresses some of the major bottlenecks faced by the IT sector and entrepreneurial ecosystem. Apart from addressing major concerns, the policy neglected the area of intellectual property laws which is considered as a major reason behind lack of incentive to innovate.

Thirdly, IT sector contributes nearly $5.5 billion to the country’s exports but remains in the denial mood regarding cyber-security. Fourthly, in the last decade only, the government has on average allocated just 0.033 percent of the total budget for IT and Telecom Division (See Table). However, statistics are not available to fathom how much of the allocated funds for IT and defence sectors were invested in the cyber domain.

Source: Ministry of Finance (Funds Allocation for IT and Telecom Division)

Fifthly, lack of technological innovation is another major reason due to which Pakistan lags behind in the cyber realm. According to the Global Innovation Index 2018, the country ranks 109^th out of 126 countries. Sixthly, lack of research and development is also a contributing factor. No national level research programs have been established so far. Moreover, only handful universities are offering cyber-security education through 2-year Master, MPhil and PhD programs in Information Security.

Of late, a number of initiatives have been taking place to deal with cyber threats. In late 2016, Lahore Garrison University started Digital Forensic Research and Service Centre, claimed to be the first of its kind in South Asian region, to deal with aspects of cyber warfare, cyber-security and forensic science and imparting training in these respective fields. In May this year, Pakistan’s first ever National Centre for Cyber Security was inaugurated at Air University which aims to serve as hub of innovation and scientific research to secure cyber space of Pakistan, transfer knowledge to the local economy and impart training.

In terms of legal instruments to combat threats arising from the cyber realm, the very first cyber law was introduced by Musharraf administration which was tilted ‘Electronic Transaction Ordinance 2002’. A number of other legal instruments were introduced in the following years which include:

• The Payment Systems and Electronic Fund Transfers Act 2007
• Prevention of Electronic Crimes Ordinance, Pakistan 2007
• Prevention of Electronic Crimes Ordinance, Pakistan 2008
• Prevention of Electronic Crimes Act (PECA) 2016

Federal Investigation Agency (FIA) established the National Response Centre for Cyber Crimes to deal with cybercrimes in 2007. However, the centre lacks the capacity to prevent various offences like internet bank fraud, lottery scams and offences committed on social media. The FIA also faces capacity building issues in terms of cybercrimes experts. Similarly, the PECA 2016 needs to be amended especially for the lenient punishments mentioned for committing serious cyber offences. A number of initiatives mentioned in the 2016 Act like Computer Emergency Response Team, the establishment of forensic laboratory and classification of critical infrastructure have not been implemented yet.

Since Stuxnet attack on Iranian uranium enrichment facility, several Pakistani academics have been advocating cyber-nuclear doctrine to provide multi-layered support to country’s nuclear arsenal. They have also recommended seeking Chinese support in this regard.  However, in November 2013 then Pakistan’s permanent ambassador to United Nations Masood Khan said that the nuclear arsenal of Pakistan was safe from cyberattack in addition to other threats.

In the evolving cyber landscape, it is imperative for Pakistan’s security policymakers to identify the immediate and future cyber threats, formulate a cybersecurity strategy for both offensive and defensive capabilities, classify and shield its critical infrastructure from cyber threats and invest in the cyber domain. The fulfilment of the measures proposed in the latest NISP – formulation of cyber-security strategy, establishment of civil-military cyber command forces, strengthening of the cyber-crimes wing at FIA, and creating public awareness about cyber threats – will be among the first steps in directing the country’s policymakers towards the securitization of cyberspace.