The developing cybersecurity framework in Pakistan
Akhund Forbes, Karachi
Applicable legal framework
The current legal framework for cybersecurity is governed by the Prevention of Electronic Crimes Act 2016 (PECA). The PECA was enacted to curb the rising cybercrimes in Pakistan and offences relating to information systems. It lays out the procedure for investigation and specifies the penalties for electronic crimes.
Pursuant to the PECA, any unauthorised entry into, or copying or transmission of, data or an information system for the purpose of causing someone harm, wrongful gain or loss is a punishable offence. Additionally, the PECA mandates that a service provider shall maintain its specified traffic data (information about a communication that indicates its origin, destination, route, time, size, duration, or type of service) for at least one year or for such longer period as the Pakistan Telecommunication Authority (PTA) may notify from time to time. The provider must also, subject to the production of a warrant issued by a court, provide information to the investigating agency or the authorised party.
The PECA provides for the constitution of a computer emergency response team. Its role is to respond to any threat against or attack on critical infrastructure information systems or critical infrastructure data, or widespread attack on information systems within Pakistan.
In addition, a draft Personal Data Protection Bill 2021 ('the Bill') has been prepared by the Ministry of Information Technology & Telecommunication (MOITT), which is yet to be promulgated into official law. The Bill contains provisions pertaining to the processing, obtaining, holding, use and disclosure of personal data while respecting the rights, freedoms and dignity of natural persons, with special regard to their right to privacy, secrecy and personal identity.
Any organisation or person which controls personal data, any entity operating in Pakistan that controls or processes data, and any Pakistani data subject will all be subject to the Bill once it is enacted.
National Cyber Crime Policy, 2021
The establishment of the National Cyber Crime Policy 2021 ('the Policy') was a major development towards a comprehensive framework for cybersecurity in Pakistan. The Policy, approved by Parliament on 27 July 2021, necessitates exceptional initiatives to tackle cybersecurity challenges.
The Policy provides comprehensive objectives aimed at addressing cybersecurity challenges and risk factors prevalent in Pakistan. Some of the objectives highlighted under the Policy include:
- initiating a governance structure for the cybersecurity ecosystem;
- upgrading information systems and infrastructure;
- promoting data privacy and protection;
- establishing a protection and information sharing framework;
- raising awareness about cybersecurity issues for the public; and
- providing a framework promoting national/global cooperation on cybersecurity.
The Policy sets out the governance and institutional framework for the lawful, secure operation of both public and private groups. It consists of 17 distinct policy deliverables, 16 of which are closely associated with cybersecurity. These objectives cover governance, technology, human resources and cybersecurity awareness all in one place. The Policy stresses that the success of any governance policy or framework is directly influenced by people, process and technology. The Policy also emphasises the establishment of a cybersecurity culture through cybersecurity awareness and education programmes in both the public and private sectors.
The Policy provides for the constitution of a Cyber Governance Policy Committee (CGPC) to solve the problem of cybersecurity ownership and to provide cybersecurity supervision. The Federal Cabinet of Pakistan must formally approve and support any policy proposals made by the CGPC.
The Federal Cabinet’s review and approval of CGPC policy proposals is important because it brings much-needed attention to cybersecurity challenges and risk factors at a national leadership level. The significance of oversight directly from executive leadership is also emphasised in the best practices published by the International Organization for Standardization (ISO) under its International Electrotechnical Commission (IEC) ISO/IEC 27001 standard. This oversight ensures that potential conflicts of interest are not suppressed or obscured by conflicting interests or structural problems when it comes to cybersecurity challenges and risk factors.
The Policy requires a designated department of the federal government to create an implementation framework. This division will serve as the central authority at the federal level, responsible for coordinating and executing cybersecurity measures at the national, sectoral and organisational levels.
The need for R&D, public–private partnerships and capacity building is effectively addressed by Pakistan’s cybersecurity policy. The larger goal of developing and utilising indigenous cybersecurity products, solutions and services requires cybersecurity research and development.
One recent development is the Cyber Security Framework established by the PTA under its Critical Telecom Data and Infrastructure Security Regulation (CTDISR). It specifies obligations for auditors and licensees to record and report any infringement of data and other cyber-related crimes, enabling an enhanced system to manage and reduce cybersecurity risk.
In addition to the framework, the PTA has developed a National Telecom Security Operations Centre (NTSOC). Its objective is to improve the security of telecom infrastructure and develop a secure and resilient cyberspace for Pakistan. The NTSOC has been formulated in accordance with the Policy and the PECA, and focuses on securing Pakistan’s critical telecom data and infrastructure against cyberattacks. It is connected to telecom operators and a computer emergency response team to increase efficiency against cyberattacks. It will also assist in the dissemination of information between the PTA and telecom service providers on the latest cybersecurity threats, incidents, vulnerabilities, security news and other information.
The realm of cybersecurity in Pakistan is at an early stage of development. However, the recent, much-needed advances outlined above indicate that it is heading in the right direction. The Cyber Security Policy portrays Pakistan’s vision for cybersecurity development, which goes beyond simply protecting assets to placing an emphasis on resilience via a strong and constantly evolving digital environment. Nevertheless, effective implementation of the Policy without delay is vital in establishing a cyber-friendly environment which will contribute to economic and technological development.
Gazette of Pakistan, Act No. XL of 2016, 22 August 2016, https://nr3c.gov.pk/peca16.pdf accessed 25 March 2023.
 Pakistan Ministry of Information Technology & Telecommunication, Personal Data Protection Bill 2021, Consultation Draft, 25 August 2021, https://moitt.gov.pk/SiteImage/Misc/files/25821%20DPA%20Bill%20Consultation%20Draft(1).pdf accessed 25 March 2023.
 Pakistan Ministry of Information Technology & Telecommunication, Digital Pakistan: National Cyber Security Policy 2021, July 2021, https://moitt.gov.pk/SiteImage/Misc/files/National%20Cyber%20Security%20Policy%202021%20Final.pdf accessed 25 March 2023.
 Kalbe Ali, ‘Cabinet gives the green light to cyber security policy’, Dawn, 28 July 2021, https://www.dawn.com/news/1637334 accessed 25 March 2023.
 ‘PTA formulates cyber security framework’, PTA, 7 July 2022, https://www.pta.gov.pk/en/media-center/single-media/pta-formulates-cyber-security-framework--080722 accessed 26 March 2023.
Kalbe Ali, ‘Cyber security platform for telecom sector launched’, Dawn, 15 July 2023, https://www.dawn.com/news/1737245 accessed 25 March 2023.