New policy welcomed as much-needed improvement to ‘poorly implemented’ Prevention of Electronic Crime Act
The Pakistan Ministry of Information Technology has announced that a new cybersecurity policy and an accompanying cybersecurity agency have been approved for the South Asian nation.
The new policy aims to support both public and private institutions, including national information systems and critical infrastructure, replacing a system whereby government institutions have separate security operations.
It comes at a delicate time for Pakistan, which recently accused India of using the Israeli spyware Pegasus to spy on Prime Minister Imran Khan. The policy also designates cyber-attacks on any Pakistani institution as an attack on national sovereignty.
“The IT ministry and all relevant public and private institutions will be provided all possible assistance and support to ensure that their data, services, ICT products and systems are in line with the requirements of cybersecurity,” said IT minister Syed Aminul Haq, as quoted in local press.
Pakistan’s new cybersecurity policy will include a new governance and institutional framework for a ‘secure cyber ecosystem’, along with computer emergency response teams (CERTs) and security operations centers (SOCs) at national, sector, and institutional levels.
And the policy calls for new information-sharing mechanisms, along with skills development and training programs and public awareness campaigns.
“The cybersecurity policy announced by Pakistan is a welcome development,” Javvad Malik, security awareness advocate at KnowBe4, tells The Daily Swig.
“Security awareness is essential. People need to be informed of the risks that come with interconnected systems, and what their role is in ensuring security. Once this groundwork is laid, then putting in place technologies and procedures to support these become easier and more effective.”
Poor track record
Pakistan has a poor record on cybersecurity, ranking 79th in the ITU’s Global Cyber Security Index.
The country’s current cyber law, the ‘Prevention of Electronic Crime Act’ (PECA), is poorly implemented, according to ethical hacker and security researcher Rafay Baloch.
“To quote a few examples, the federal government has yet to designate a digital forensics laboratory to provide expert opinion to the court independent of the investigative agency which is mandated by the section 40 of PECA,” he tells The Daily Swig.
“Similarly, under section 49 of PECA, the federal government was required to designate national and sectoral CERTs for protecting against critical infrastructure.”
Baloch says that the new policy should improve Pakistan’s cybersecurity, in particular by harmonizing practices across different bodies.
“The major challenge pertaining to the policy is its implementation. A national cybersecurity policy is accompanied by a strategy document with an action plan to achieve the objectives laid out in the policy,” he says.
“The strategy document would include prioritization of action items, timelines, roles and responsibilities of organizations responsible for implementing the objectives laid out in the policy.”
He also calls for the government to develop an institutional framework consisting of dual civil-military agencies:
“That would be raised with the specific purpose of implementing the aforementioned policy objectives and maintaining national cyber defenses in government, commercial and military domains.”