Assessing Pakistan’s Cyber Security Landscape

Authors: Gulraiz Iqbal and Ayesha Khalid*

Pakistan’s history of cyber security policy development can be traced back to early 2000s when the Electronic Transactions Ordinance (ETO), 2002 was passed that primarily dealt with the protection of Pakistan’s e-commerce at the national and international level. In 2007, the National Response Center for Cyber Crimes (NR3C) was established under the Federal Investigation Agency (FIA) to investigate and prevent cybercrimes in the country. The government of Pakistan launched the National Action Plan (NAP) in 2014 to counter terrorism and extremism, which included provisions for strengthening cyber security in the country. Later on, The Prevention of Electronic Crimes Act (PECA) was passed by the National Assembly in 2016. The bill introduced provisions for the prosecution of cybercrimes, including hacking, unauthorized access to data, and cyber terrorism. Apart from this, one of the notable initiatives is the establishment of National Cyber Security Policy, launched in 2021. This Policy aims to enhance digital security by addressing challenges which include weak enforcement and data protection etc. It also addresses governance issues, audits and collaboration for effective implementation. Through the implementation of the policies, legislative reforms, establishment of the institutions and awareness initiatives, Pakistan is forming a cyber ecosystem that is secure, works effectively and bolsters the resilience of infrastructure.

The Legal Contours of Pakistan’s Cyberspace:

In Pakistan, two significant pieces of legislation play a crucial role in maintaining law and order, as well as combating emerging threats in the digital age by granting powers to agencies to operate. The Federal Investigation Agency Act, 1974, establishes the Federal Investigation Agency (FIA) as the lead federal organization, while the Pakistan Telecommunication (Re-Organization) Act, 1996, empowers the Pakistan Telecommunication Authority (PTA) to regulate and police the telecommunications sector.

Under the Federal Investigation Agency Act, 1974, the FIA has extensive powers to investigate various crimes, with a particular focus on cybercrimes and transnational organized crime. The FIA’s cross-border jurisdiction and coordination with INTERPOL make it a key player in national security.

The PTA, established under the Pakistan Telecommunication (Re-Organization) Act, 1996, regulates and polices the telecommunications sector. It blocks websites, regulates content, and secures the internet. PTA collaboration with social media businesses and computer emergency response organizations protect crucial infrastructure. The FIA and PTA need resources, training, and international coordination to meet changing problems.

Pakistan’s cybercrime law is PECA. It criminalizes cybercrimes. While PECA provides a comprehensive legal framework, there are limitations in terms of judicial orders for legal action. The law designates the Federal Investigation Agency (FIA) as the sole authorized agency to investigate cybercrimes. PECA also emphasizes preventive measures and outlines procedures for search and seizure, data retention, and international cooperation. Strengthening cybercrime laws and data protection is essential for a secure digital environment.

Personal Protection Bill (2021)

Pakistan’s Personal Data Protection Bill, 2021 is a major step toward digital privacy protection. Privacy and dignity are constitutional rights under Article 14. In an age of electronic transactions and cross-border exchanges, personal data gathering and processing must be regulated.

The purpose of the Bill, which was introduced by the Ministry of Information Technology and Telecommunication, is to build a legal framework that respects the rights and freedoms of individuals while also assuring the secure processing, obtaining, retaining, usage, and disclosure of personal data. This framework will be established by establishing a legal framework that protects the rights and freedoms of individuals. It defines fundamental ideas including the data subject, personal data, the data controller, the data processor, and the processing.

Data subjects can access, correct, revoke, and stop harmful processing under the Bill. Data controllers must process personal data in an adequate and necessary manner for legitimate purposes. The data controller must notify and seek consent for data collection and usage.

The Bill requires data controllers and processors to secure personal data. The National Commission for Personal Data Protection of Pakistan enforces data protection, prevents misuse, raises awareness, and handles complaints. The Bill can lead to penalties and jail time.

The timing of this legislation is crucial, as global governments are recognizing the need for personal data protection laws due to the rapid growth of e-commerce and cross-border transactions. Compliance with the Bill will not only protect individuals’ rights but also enable Pakistani entrepreneurs to compete globally and secure a significant share of global trade. It is essential for all stakeholders, particularly data subjects, to understand their rights and obligations under the Bill to ensure full compliance and reap the benefits of enhanced data protection.

Cyber Security Policy (2021)

The National Cyber security Policy, unveiled in 2021 is a document that contains ambitious goals and covers various aspects of cyber security. The focus is primarily on government institutions, but it recognizes the need for cyber security practices in the private sector as well. There are five dimensions of the National Cyber Security Policy which are pertinent. First is the emphasis on deterrence. According to it any cyber-attack on the national institution will be considered as a direct attack on the sovereignty. Second, a governance body, the Cyber Governance Policy Committee (CGPC) has been formed for the implementation of the policy at the national level. Third, for the protection of the cyber ecosystem, assurance of support of all stakeholders for the establishment of an internal framework in all public and private institutions was made. Fifth was to create the awareness among citizens about the security threat.  This policy proposes the establishment of a Cyber Governance Policy Committee and emphasizes the importance of cyber security audits and compliance. Special courts for cyber security cases, cyber security education, and cross-sector collaboration are also mentioned as key initiatives.

Multiple Cyber Attack Incidents Faced by Pakistan

Pakistan has been the victim of state-sponsored cyber-attacks in the past, particularly from neighboring India. These attacks are carried out by foreign governments or state-affiliated groups with the goal of stealing sensitive information, disrupting critical infrastructure, or conducting espionage. In 2020, it was reported that Indian hackers targeted Pakistani government and military officials’ phones and other gadgets in a major cyber-attack.

The National Security Policy (NSCP) 2021 of Pakistan contains measures to effectively combat the menace of state-sponsored cyber-attacks.

These efforts include creating national cyber security standards and guidelines, establishing a national incident response system, and educating the public. Pakistan has also improved cyber security cooperation with China.  Cybercrime and hacking are major issues in Pakistan. Data breaches, online fraud, and identity theft have increased in Pakistan due to cybercrime and hacking. Pakistan’s 2018 data breach exposed 19,000 people’s personal information.

Pakistan understands the need for a robust legal framework and effective policies to tackle its online concerns. Pakistan Telecommunication Authority (PTA) and Federal Investigation Agency (FIA) investigate cybercrimes, regulate the telecommunications industry, and pass legislation to secure the internet. The Prevention of Electronic Crimes Act of 2016 (PECA) limits law enforcement activity, but it provides a comprehensive legislative framework to combat cybercrime. The PDPA, 2021 is a positive step toward protecting privacy and data security in compliance with constitutionally recognized fundamental rights. 

Conclusion

In spite of the difficulties that Pakistan is currently experiencing in its cyberspace, the Pakistani government recognizes that it is essential to develop a robust legislative framework and put efficient policies into place in order to overcome these difficulties. Both the Pakistan Telecommunication Authority (PTA) and the Federal Investigation Agency (FIA) play essential roles in the nation’s efforts to combat cybercrime, maintain order within the telecommunications industry, and pass laws that make the internet safer for all users. The Prevention of Electronic Crimes Act of 2016 (PECA) is a comprehensive legal framework that can give a comprehensive framework to address cybercrime. Despite the fact that the court mandates of law enforcement action are relatively limited, it can provide a comprehensive framework to handle cybercrime. As a result of the passage of the PDPA, 2021, a significant step forward has been taken in the fight to safeguard the fundamental rights of persons, including their right to privacy and the protection of their personal information. This is an encouraging development. Pakistan has made significant headway in a crucial area thanks to its Cyber Security Policy, 2021. With the implementation of this policy, Pakistan would be able to further strengthen its footing in the digital sphere. However, several areas still require improvement such as, allocation of resources by the government for the smooth functioning of these initiatives and promotion of cyber security culture. To ensure the effective enforcement of cyber security statuses, establishment of independent forensic laboratories and efficient justice system would play an important role in investigating and prosecuting cyber crimes effectively. Furthermore, Regular audits and compliance assessments are essential to identify vulnerabilities and ensure adherence to cybersecurity standards. Finally, fostering cross-sector collaboration and public-private partnerships will facilitate information sharing and enable a coordinated response to emerging cyber threats. By addressing these areas, Pakistan can continue to enhance its trajectory in cybersecurity and effectively safeguard its digital infrastructure and sensitive information.

*Ayesha Khalid: Ayesha Khalid is an MPhil Candidate of International Relations specializing in military affairs and national security affairs. Her research expertise lies in multi-domain operations, hybrid warfare, military diplomacy, foreign policy, and emerging technologies.

Gulraiz Iqbal
Gulraiz Iqbal
Gulraiz Iqbal, is a Research and Teaching Assistant at School of Politics and International Relations in Quaid I Azam University, Islamabad. He previously was an intern at the High Commission of Sri Lanka. He tweets @GulraizIqbal10.