PAKISTAN’S National Cybersecurity Policy has been approved by the cabinet, and it is surprising that Pakistan did not have one up till now. The policy reads partly like an ambitious strategy paper, and at many points includes irrelevant factors. Still, it marks an important beginning considering the fast shift to digital in all spheres, including governance.
There are some important factors that are worth exploring apart from the salient features of this lengthy document, including the external factors that impact cybersecurity readiness, capacity and capability, the intersectionality of cybersecurity, and protection of rights while doing so.
The purpose of the policy is stated to be “Inter-departmental coordination and holistic approach to address cybersecurity challenges and their emerging trends on a national level”.
The focus rightly seems to be on synchronisation of a national cybersecurity effort, which is divided into national, sectoral and organisational levels. The focus of the policy is largely on government-related institutions, though it speaks of the need for cybersecurity best practices to be adopted in the private sector as well, including banking, the health sector, etc. It also mentions the need for public-private partnerships which are necessary for the policy to remain dynamic over time as it is also aimed to be.
Enhanced capacity in government departments is necessary for implementing the policy.
A critical factor in implementing such a policy will be getting the necessary buy-in from government institutions that must take cybersecurity seriously. This will require more work than just a policy, because it has to do with a particular mindset about technology, and seriousness regarding established security protocols — for example, knowledge about simple digital security steps such as screen locks on phones, not sharing passwords with others, etc.
Issues such as taking shortcuts, not updating anti-spyware and anti-viruses in computers and phones, and thinking of cybersecurity expenditure as unnecessary are some of the impediments that already exist and are likely to continue with a senior bureaucracy that is resistant to change.
Take, for example, the recent hacking of the Federal Board of Revenue records which took place despite repeated reminders in its third-party audit reports that asked the FBR to take cybersecurity protocols and compliance seriously, including when the current chairperson was a member IT, apart from warnings from others. The financial records of all Pakistani taxpayers were compromised due to resistance to logical advice in an audit. Nadra has been subjected to similar hacking despite being the repository of all Pakistani citizens’ data. Are there any mechanisms for accountability in such cases? None.
The policy also addresses the capacity of government institutions to adopt such change over time, and gives a vague timeline. However, it must also focus on how behavioural change will be guided in government departments’ resistance to dynamism. For instance, information officers are supposed to be present in all departments for right-to-information requests, but despite the presence of this law since 2002, most departments lack a dedicated information officer. How will the implementation of cybersecurity protocols and designation of associated personnel be different?
The policy also speaks of “weak enforcement of statutes” related to cybersecurity, which include the Prevention of Electronic Crimes Act [Peca], 2016, and the dated Telegraph Act and Electronic Transactions Ordinance. What this policy fails to explore is that this is a general problem with the overall law enforcement and justice system in Pakistan. The Federal Investigation Agency faces major setbacks when it comes to the implementation of Peca 2016. For instance, its prosecutors do not show up in court, mysteriously lose evidence files, and have limited forensic investigation capacities.
This is where our law-enforcement agencies require help, which should be in the form of independent forensic laboratories that are free from influence, high in number, and efficient in delivering results while respecting the privacy of subjects of investigation that should be carried out only under a warrant from the court. There is no point bringing in new legislation if there is no capacity for its implementation.
The policy also mentions the need to protect the online privacy of citizens, but after proposing a draft data protection and privacy bill last year, the government has made no progress on it despite inviting feedback from civil society which was duly provided in a detailed manner. When there is no data protection bill, how can foreign investors be confident of doing business here? What consequences exist for weak cybersecurity protocols that lead to data breaches, and what legal recourse to citizens is available in case of data breaches?
In another nod to the government’s obsession with data localisation, the policy speaks of data beyond “legal jurisdiction”, without realising the fundamental nature of the internet, or that countries cannot be expected to have physical access to all data related to its citizens. Apart from risking the right to privacy of citizens, such concerns also undermine already existent encryption protocols that ensure data protection no matter where it is stored. The mention of encryption is completely missing from this policy, and Pakistan should move towards ensuring the highest possible encryption protocols for data related to its citizens, as well as for critical national infrastructure that requires maximum security.
The policy also proposes a Cyber Governance Policy Committee, and this should include a diverse set of stakeholders so that maximum benefit can accrue from existing cross-sector relevant expertise.
The plans for a framework for cybersecurity audit and compliance are important and must be implemented across the board. The national IT Research and Development Fund that has a large repository of funds from the telecom licensees should be utilised for cybersecurity research.
Plans for special courts to adjudicate on cybersecurity matters sound ambitious where the amicus curiae can easily assist courts in such cases. The inclusion of cybercrime-related curricula for computer science and law degrees; training of lawyers, prosecutors, judges; and teaching cybersecurity in middle and secondary schools are wonderful ideas that deserve further action.
Such a policy cannot be successful without behavioral change, improvement in the overall legal system, inclusion of diverse voices, and cross-sector coordination and collaboration.
The writer is director of Bolo Bhi, an advocacy forum for digital rights.
Published in Dawn, August 21st, 2021