THE Establishment Division had earlier endorsed the setting up of a national agency to tackle cybercrime. The creation of the National Cyber Crime Investigation Agency (NCCIA) as a separate entity from the Federal Investigation Agency (FIA) has now become a reality. It raises concerns that go beyond the duplication of efforts and resources, the move may also gravely affect citizens’ right to privacy, which seems to have been overlooked in the rush to bolster cyber defences.

The FIA has had a cybercrime wing dedicated to handling issues related to cybersecurity. This suggests that there is already a framework, with the requisite set of capabilities, in the country to deal with cyberthreats.

Creating the NCCIA to replace the FIA’s cybercrime wing could result in an overlap of responsibilities, leading to bureaucratic inefficiencies and confusion. There were questions whether the cybercrime officers of FIA would continue with the NCCIA. If they did, would it be different from continuing with the FIA and doing the job they were already doing? If they did not, why would the government want to waste trained human resource and make efforts to train others, not to mention waste other resources spent on this training? Does that make any sense at a time of economic crunch? As it turns out, existing personnel will continue with their duties for a year until staff is appointed at the NCCIA.

Even during this interim period, it would be crucial to avoid duplication of duties and inefficiency as the NCCIA starts functioning. Clear legislative frameworks would have to define the roles and responsibilities of those involved in cybersecurity, and would have to include protocols for inter-agency collaboration and information sharing. Without responsibilities clearly delineated, jurisdictional disputes could hinder the swift action required in cybersecurity operations. It is evident then that introducing another agency to handle cybercrime will add layers of bureaucracy, potentially slowing down decision-making processes and response times to cyber incidents.

The NCCIA’s creators did not provide a clear reason for why the FIA’s efforts were insufficient to meet cybersecurity needs.

The establishment of any new agency requires significant investment in terms of funding, resources, and time for development and operational readiness. Similarly, operationalising the NCCIA would involve significant financial outlay to set up new infrastructure, hire specialised personnel, and develop new protocols. Given the FIA’s existing infrastructure and expertise in cybercrime, enhancing and scaling its capabilities would have been more cost-effective and efficient than starting afresh with the NCCIA.

This approach would have avoided extra expenditure and kept to a streamlined allocation of scarce cybersecurity resources — Pakistan does not need experiments during a financial crisis. Thus the resources spent on the NCCIA would have been more effectively utilised in strengthening and expanding the capabilities of the FIA’s cybercrime wing, for enhanced training, technology upgrades, and international collaboration to bolster effectiveness.

In the rush to form it, the creators of the NCCIA did not provide a clear justification for why the existing efforts and mechanisms within the FIA were insufficient to meet the country’s cybersecurity needs. Without clear evidence of the FIA’s inadequacies in this area, the necessity of establishing the NCCIA will be questioned.

The creation of a separate agency will lead to the loss or dilution of talent and efforts that could otherwise have been concentrated within a single, more robust entity. This could weaken the country’s overall cybersecurity posture rather than strengthening it. Also, FIA’s now defunct cybercrime wing might already have been collaborating internationally, with a sound reputation in the field of cybersecurity. The NCCIA will need to rebuild these relationships and prove their effectiveness, which could take considerable time and effort.

The expansion of cybersecurity efforts must be balanced with the protection of citizens’ privacy rights. The establishment of new agencies like the NCCIA raises questions about oversight mechanisms and safeguards against overreach. There’s a risk that in the pursuit of cybersecurity, privacy rights could be compromised without stringent checks and balances in place.

Ensuring robust privacy protection would include transparent operations, judicial oversight, and mechanisms for accountability. The government should engage with stakeholders, including civil society, the tech industry, and the public, in a discourse about balancing cybersecurity measures with privacy rights. This would help in the formulation of policies that are both effective in countering cyberthreats and being respectful of individual freedoms.

The conversation around cybersecurity in Pakistan focuses heavily on strengthening defences and prosecuting cybercrime and does not sufficiently address the right of privacy of citizens. This omission is concerning, as the effectiveness of cybersecurity measures should not only be gauged by their ability to counter threats but also by their adherence to democratic values and human rights, including privacy. In the cybersecurity rush, let us not become an intrusive state that peeps into citizens’ lives unnecessarily and for less-than-noble purposes.

Efforts to raise public awareness about cybersecurity and to educate citizens on how to protect themselves online can be carried out effectively without the need for a new agency. Existing institutions, including the FIA and educational organisations, could have spearheaded these initiatives, as highlighted by the success of Pakistani teams in international competitions under the current framework. In the recently held Black Hat cybersecurity competition in Saudi Arabia, for instance, Pakistani teams performed quite well. This shows a latent pool of talent already in country which could be expanded in the right direction.

In conclusion, while strengthening cybersecurity is imperative, the approach should not focus on creating new entities like the NCCIA but enhance existing structures, while ensuring that these measures do not infringe on privacy rights. The creation of the NCCIA can be regarded as an unnecessary move that will not only duplicate existing efforts and resources but will also divert attention and funds from organisations like the FIA, which already possess a solid base for cybersecurity operations.

The writer is a retired inspector general of police and ex-head of the National Counter Terrorism Authority.

X: @Kkf50

Published in Dawn, May 4th, 2024