The concept of ‘cyberspace’ is understood differently in Pakistan at public and private levels. Some view it purely as an operational domain, in the strictest military sense of the term, while others look at it as a medium of communication and connectivity. Take for example, the key law handling offences enabled by cyberspace.
The Prevention of Electronic Crimes Act 2016 (PECA-2016) has been (erroneously) referred to as cybercrime law not only by mainstream media but also the official websites of Federal Investigation Agency (FIA) and National Assembly, among others. Several lawmakers (government/opposition) and analysts overlooked the fact that neither the Act’s title mentions the word cyber nor is this term defined standalone anywhere in Section 2.
It appears briefly and only through pairing with matters of terrorism, stalking, or forensics. Terms such as data or electronic are employed to cover up for limited conceptual understanding. This confusion arises from lack of serious high-level deliberations on cyberspace issues by successive political and military leaders; even the IT Action Plan (2000) passed during dictatorship of General Pervez Musharraf failed to define or elaborate in detail the multitude of cyber threats.
As a consequence of this lackadaisical approach, the following important questions remain unanswered:
- Does Pakistan view cyber threats from a technical lens (denial of service, exploit attacks), psychological lens (deception, disinformation, and propaganda) or both?
- Is the distinction between cyber security (public level) and cyber defence (national security level) understood?
- If the flow of data enters Pakistan-based systems from foreign sources, can it be held to account under local laws?
- Which agency or organisation at the national level will identify and mitigate cyber threats?
- If a cyber-enabled kinetic attack targeting critical information infrastructures with physical effects is conducted, will it be considered an act of war? If yes, which national agency will be authorised to do the needful?
- Will the state develop a public-private cooperative model for cyber risk mitigation or assume complete responsibilities at the federal level?
Presently, the FIA through National Response Centre for Cyber Crimes is functioning as the sole prosecuting authority empowered by PECA-2016 to handle cybercrimes. It cannot engage in proactive threat identification and mitigation.
The genesis of any national cyber strategy lies in the promotion of indigenous research and development. It is an endeavour through which the state patronises subject matter experts and encourages them to indigenise novel approaches toward cyberspace.
Absence of policies and dedicated institutions continues to pose a significant threat to national security.
During the last stages of its rule, the previous Pakistan Muslim League-Nawaz (PML-N) government hurriedly inaugurated a National Centre for Cyber Security at Air University, Islamabad which has setup research and development labs with several other academic institutes. The irony is that this venture is traversing in an unknown direction because its course has not been set by any national level cyber policy or strategy. Both the PML-N’s Vision 2025 and Pakistan Tehreek-e-Insaf’s Digital Pakistan Policy fall short of elucidating long-term roadmaps for the country’s cyberspace interests (except brief mentions of words cyber security or e-commerce).
Put simply, the state of Pakistan’s approach towards cyberspace remains disjointed. Absence of policies and dedicated institutions continues to pose a significant threat to national security.
The recent foreign-origin cyber intrusions into systems belonging to Kudankulam Nuclear Power Plant and Indian Space Research Organisation raised alarm bells across the world because up until these incidents, India’s cyber policymaking and institutional mechanisms were praised and entrusted with putting adequate safeguards in place. Indian agencies were informed about these occurrences by friendly third-party sources based abroad. Had it not been so, these intrusions might have remained undetected.
In the current circumstances, if Pakistan’s critical information infrastructure is targeted, various organs operating in standalone capacity will rush to make sense of the issue at hand and each will propose their own solutions. Moreover, it is least likely that any ally would provide Islamabad with resourceful information because cyber threat intelligence among nations relies upon quid pro quo.
Until the decision to develop a national cyber strategy is taken, the government can at least constitute a task force on cyberspace affairs within Prime Minister’s Office for multi-stakeholder deliberations involving key federal ministries (Law, Interior, Defence, IT & Telecom, Commerce, Science & Tech), a representative of Joint Staff Headquarters, industry bodies such as P@SHA, and selected cyber policy experts who can advise the committee on how the process should move through.
Discourse on cyberspace affairs should not be security-centric but also cover aspects of standardisation and certification, education, and lawfare so that avenues of development are also secured.