As the internet becomes an integral part of life, the risk of potential cyberthreats has escalated around the world. We as a nation should recognise the evolving risks new technologies create and be prepared for the continuing challenge of developing measures to protect against such threats. The current apprehensions that surround the Pakistan Electronic Crimes Bill, 2015, are not unexpected due to the complex nature of cyberspace and the amorphous nature of the threat.

This article aims to explain some of the basic distinctions that are required in order to make the public aware of the complexities of the cyberspace domain. The bill is an example of how the government has ostensibly failed to develop a futuristic approach towards cyberthreats.

Many critics have validly raised concerns regarding the imbalance between security, privacy and freedom of expression caused by sweeping executive discretion. However, there are other problematic sections of the bill that deal with critical infrastructures and cyberterrorism, which have not been discussed; it is essential to consider these issues in any bill that aims to regulate cyberspace.


More focus is needed on tackling cyberthreats.


In order to understand the convolutions of the bill, the specific types of threats that exist must be determined. These currently include cybercrimes, cybersecurity, cyberterrorism and cyberwarfare. Also, nuanced categorisation is required to distinguish threats within the peacetime legal regime and during an armed conflict.

Threats during peacetime primarily include cybercrimes, cybersecurity and cyberterrorism, whereas, in an armed conflict, cyberwarfare and cyberterrorism become relevant. The PEC bill inadequately deals with the peacetime regime and does not address the scenario of an armed conflict.

The only international convention that exists for cybercrimes is the Budapest Convention, which currently has 45 member states. Pakistan is not a signatory to the Convention, which has been criticised several times for either being outdated or for issues pertaining to metadata retention. However, the PEC bill is claimed to take guidelines from the Budapest Convention. The applicability of international law in the cyberspace domain is currently evolving and state practice is going to play an essential role in developing international norms. The Pakistani government has not put forward its position at the international level on any of the important issues that govern inter-state relations in the cyber domain.

The threat of cyberattack is real and has important global implications. Information, communications and technology are of dual use and are used for both military and civilian purposes. Thus the emerging threat of peacetime attacks on critical infrastructure needs to be seriously considered by citizens, businesses and governments alike.

The PEC bill covers the aspect of Pakistan’s critical infrastructures in a limited manner and the core issues of investigation and prosecution have not been considered adequately. In particular, attribution of responsibility for a cyber operation is difficult due to the anonymity of cyber attackers and their non-governmental/governmental status. There is a substantial risk of states being unable to accurately identify the source of a cyberattack, which may result in an innocent party falling victim to a counter-attack or even being prosecuted.

With non-state actors who, driven by political ideology, target private-sector entities, further complications arise in characterising their actions as either criminal activities, political activism or a threat to national security. Under the bill, such actions may fall under the definition of cyberterrorism; however, the definition of cyberterrorism itself is ill-construed. It does not regulate the means of dissemination or propagation on the internet, e.g. documentaries, social media, hacking websites to propagate political ideology, etc.

There is no linear process to develop laws or policies which can deal with the complex nature of cyberspace. The government must understand that to develop effective cyber infrastructure, it should move from the concept of governance towards coordination between public and private sectors, and international cooperation. The majority of critical infrastructure is designed, deployed and maintained by the private sector, which is therefore an indispensable partner in ensuring the viability of the government’s efforts.

It is essential to frame policies and technical goals in a realistic and strategic manner. Pakistan needs to significantly increase its capabilities in the cyberspace domain including its expertise in tackling or responding to a cyber threat.

Serious notice must be taken of developing international norms and becoming part of the international discourse. In order to avoid escalations of potential threats that can have a catastrophic impact on the economy or infrastructure, the government needs to develop a more capable approach that articulates its objectives, actions and desired impact more clearly in the pursuit of national interest.

The writer is a high court advocate with an interest in international law.

Published in Dawn, April 29th, 2015
