Pakistan is one of the largest countries in the world in terms of population. Of 220 million people, 60 percent of the country falls in the youth bracket. This huge chunk of the population is not only tech savvy but also has a large digital footprint. That is making Pakistan a lucrative market for global IT companies and also prone to cyber espionage and warfare. The current IT boom in Pakistan is unprecedented as more and more people are getting themselves attached to employment related to the cyber realm. Situated in a geopolitical hotbed, the young and developing Pakistani digital space naturally becomes a potential target of cyber terrorism. For years, Pakistan has struggled to regulate its cyberspace to prevent any big disaster. Fortunately for Pakistan, no such incident has occurred to date but this does not rule out an occurring of a future event. Also, there is no legal clarity in dealing with cases related to cyber security. In order to provide a comprehensive framework and strengthen the cyber architecture of the country, the first Cyber Security Policy (CSP) was approved by the federal cabinet in July 2021. CYBER SECURITY POLICY 2021 global connectivity experienced a new rise after the fourth industrial revolution. The real-time data transfer and live feeds from across the globe not only reduced the distances but also allowed the IT industry to grow in an exponential manner. As the hardware and software industry grew in tandem, new heights of innovation and automation are reached with every passing day. The use of Artificial Intelligence has also contributed to the rising efficiency of machines and the use of big data is making them a necessity. The policy requests that information being a National asset, its management, governance, and regulation must be synchronized at the National level using all available resources, to secure this time-sensitive valuable asset.
The CSP acknowledges that Cyber Security requires monitoring, assessment, and improvement on a continuous basis and has also laid down its objectives which are as follows i) Establish a governance framework, Address the importance of information systems and critical infrastructure Promote data governance and protection, Promote online privacy, Establish an information assurance framework, Create cybersecurity awareness, Capacity building, Achieve independence, Emphasize national/global cooperation framework, Emphasize adoption of a risk-based approach. No policy is successful until it is implemented in earnest. Unfortunately, like a number of policies in Pakistan, the Cyber Security Policy (CSP) has also failed to achieve its deliverable targets. The CSP listed down 17 distinct policy deliverables, 16 of which directly relate to cybersecurity. These deliverables provide holistic coverage of governance, technology, human relatives the policy has failed to implement, and challenges faced by implementing body Establishment of Computer Emergency Response Teams (CERTs) The CSP identified the need of establishing CERTs to effectively counter the challenges posed to cyber security. Establishing CERT in principle is not an easy task. First, there is a need for assessment to determine what exactly the CERT will do. Proper terms of reference (TORs) are needed according to the assessment. It is also pertinent to mention here that all the CERTs will have different TORs as they will be specific to certain industries/sectors. The second is the need for financing. The CERT team would require state-of-the-art hardware and software to operate effectively in a challenging environment. The third is the need for human resources as the CERT without properly trained staff would not be able to respond to the evolving threat. Fourth is the legal cover that is required for CERTs.
The CSP does provide them with a basic cover but when tried in a court of law, there would be a lot of issues due to the lack of laws on this issue. The Turf War One needs to understand that there are a lot of stakeholders that are involved in the cyber domain. The stakeholders range from the Ministry of Information Technology to the Ministry of Defence to the State Bank of Pakistan. The Ministry of Information Technology and Telecommunications (MoIT&T) took the lead and formulated the CSP. Naturally, the MoIT&Tbel I e ve s that it is in its domain to implement the policy. However, there are multiple parallel institutions like the Pakistan Telecommunications Authority and Ministry of Science and Technology that overlap the jurisdiction of MoIT&T. Due to these various layers of power-sharing, implementing the policy by a single entity is just not possible. Political Instability and Lack of Legislation One of the core aspects of Cyber Security Policy (CSP) is data protection through online privacy. A number of large companies including startups and banks have fell victim to data theft. Without any laws in place, the dream of data protection in Pakistan will remain a dream. The biggest challenge that countries like Pakistan face is political instability. No elected Prime Minister has been able to complete his legal tenure. The previous Prime Minister was also ousted through a no-confidence movement making him the first one to be impeached in the 75-year history of the country. The political crisis brought the country to a standstill for almost 4 months. With such uncertainties and no central authority in place, a bump of 4 months not only derails the implementation process but also highlights the need for one commanding body.