Fortifying cybersecurity: Pakistan’s CERT Rules 2023 and their implications

Sahar Iqbal

Akhund Forbes, Karachi

sahar.iqbal@akhundforbes.com

Introduction

In an increasingly interconnected world, digital infrastructure protection is crucial not only for individuals and organisations, but also for nations as a whole. Recognising the critical need for protecting its digital borders, Pakistan has made an admirable step forward by passing the Computer Emergency Response Team Rules 2023 (CERT Rules). While this legislative framework appears technical, it has far-reaching legal ramifications that go beyond its technical components. The adoption of the CERT Rules demonstrates Pakistan’s commitment to defending its cybersecurity sovereignty and protecting its digital territory.

The CERT Rules are a comprehensive framework which enable both national and sectorial level Computer Emergency Response Teams (CERTs) to monitor, detect and respond to cybersecurity threats in a proactive manner. They are designed to perform a unique set of functions which will be discussed in this article.

Proactive cyber threat intelligence and coordination

A cornerstone function of the CERT Rules is the establishment of a Cyber Threat Intelligence System.[1] This system operates as a vigilant sentinel, continually scanning the digital landscape for potential threats. By keeping CERTs up-to-date on the evolving cybersecurity threat landscape, it enables rapid responses and well-informed decision-making. Moreover, CERTs play a pivotal role as the central hub for collaboration and coordination within the cybersecurity ecosystem. They facilitate the seamless exchange of critical information not only among government agencies but also with private entities and international cybersecurity organisations. This collaborative approach ensures a more comprehensive and effective response to the ever-growing spectrum of cyber threats.

Mitigating vulnerabilities, building capacity and ensuring compliance

Pursuant to the CERT Rules, CERTs assume the crucial responsibility of identifying and mitigating vulnerabilities in critical infrastructure software and hardware. They also develop and uphold standards for secure procurement and deployment, thereby reducing the attack surface and enhancing the overall resilience of the nation’s cybersecurity. Furthermore, CERTs contribute significantly to capacity building by forging partnerships with universities and research organisations, conducting cybersecurity training programmes and raising public awareness through targeted awareness campaigns. This multifaceted approach not only cultivates a skilled workforce but also promotes a culture of cybersecurity awareness. The CERT Rules also ensure regulatory compliance by aligning Pakistan's cybersecurity efforts with existing legal frameworks, including the Prevention of Electronic Crimes Act 2016 and the National Cyber Security Policy 2021. This alignment fosters legal uniformity and clarity in addressing cybersecurity risks.

In addition to these functions, CERTs stand ready to provide 24/7 incident management through forensic labs, as well as collaborating with international counterparts to leverage global expertise and contribute to safeguarding the nation against cross-border cyber threats while supporting global efforts against cybercrime.[2] Together, these functions empower Pakistan to navigate the ever-evolving landscape of cybersecurity with confidence and resilience.

The significance of CERT functions

Pakistan is set to build CERTs at several levels, indicating a multi-tiered strategy to enhance the country’s cyber defensive capabilities. The CERTs will be strategically deployed across various hierarchical levels, encompassing the national, governmental, federal, provincial and sectoral tiers. The primary objective of this extensive network of CERTs is to optimise the efficacy of cybersecurity endeavours throughout the nation, guaranteeing a thorough and timely response to cyberattacks. In general, these functions are more than just technical operations; they reflect a proactive approach to the ever-changing spectrum of cyberthreats. In the face of digital adversaries, they emphasise the need of being vigilant and well-equipped. In essence, the CERT Rules represent Pakistan’s commitment to defending its digital borders and ensuring the digital safety of its citizens, enterprises and institutions.

Conclusion

The CERT Rules 2023 have the potential to significantly increase Pakistan’s cybersecurity capabilities. By developing a systematic framework for CERTs, these principles enable the government to actively monitor, detect and respond to cyberthreats. This proactive policy improves Pakistan’s ability to safeguard its digital assets and critical infrastructure. The rules make it easy for many stakeholders, both domestically and globally, to communicate, coordinate and share information, forging a united front against cyberthreats. They also stress capacity development, which would allow Pakistan to develop a trained cybersecurity workforce while simultaneously improving public awareness. Overall, the 2023 CERT Rules pave the way for a more secure and resilient digital landscape in Pakistan.