Information and Communication Technology (ICT) has become a crucial part of our lives, and we are increasingly relying on it due to the convenience and efficacy it provides. ICT has brought about a revolution in business transaction procedures, the conduct of national defence, and the way the government operates. Cyberspace has increased interaction, interconnectedness, and dependence. The trend of cyber attacks has changed from small-scale intrusions and financial breaches to highly organized state-sponsored attacks, endangering national security, the economy, and the daily lives of citizens. This not only raised new security concerns but also increased the sophistication of cyberattack methods.
The revolution of information technology and digitalization has not only changed everyone’s lives but also changed traditional ways of thinking about warfare, introducing cyberspace as the fifth domain of warfare after sea, land, air, and space. With nuclear deterrence serving as a balancing act for strategic stability in the South Asian region, cyber threats have become a more serious concern. States have now developed a cyber arms culture, building vicious malware and cyber weapons such as Stuxnet, Pegasus spyware, and ransomware. Other domains are also digitalized and connected through cyberspace: transportation, telecommunications, banking and finance, the defense industry, and nuclear plants. So, the vulnerabilities of cyberspace can not only restrict the working of other critical infrastructure but also halt economic activities and the banking system. They can also pose serious threats to our national security, as nuclear programs are also connected through cyber layers.
Pakistan and India are rivals, and both have security threats from each other. As a developing country, Pakistan has numerous vulnerabilities that are often exploited by our rival India. Pakistan has much more to do in cyberspace as India has made cybersecurity a priority and is surpassing Pakistan in defensive and offensive cyber warfare.
The Stuxnet worm attack on Iran’s nuclear program in 2010 brought about a paradigm shift in the policy-making process. It followed a series of incidents, including the Chinese hackers’ Titan Rain attacks on America in 2003, the well-known DDoS attacks on Estonia’s internet infrastructure in 2007, and the transformation of the war between Russia and Georgia into a cyberwar in 2008.
Challenges for Pakistan
The fact that Pakistan is the second-most spied-upon nation after Iran by the US National Security Agency (NSA), which intercepted the data of high-level government and military personnel in Pakistan, illustrates the vulnerability of Pakistan’s cyberspace.
In June 2013, the NSA also began a covert, widespread surveillance program with the codename “PRISM.” The servers of well-known programs like Google, Apple, Yahoo, Gmail, and Microsoft are directly accessible to the NSA. To protect national assets, important information, and valuable electronic data, a wide range of well-established cybersecurity techniques are required due to the presence of such loopholes in cyberspace. According to Symantec, Pakistan is one of the top ten countries that have been targeted. There have been attacks on infrastructure such as banking, telecommunications, political officials, health, transportation, utilities, and wide-sharing firms in recent years.
Pakistan’s nuclear and other critical infrastructures are highly at risk. The modes of this operation can range from offensive cyber-attacks to propaganda. Offensive cyber-attacks target the critical infrastructure of a state, such as nuclear programs and national security. On the other hand, hybrid warfare involves the exploitation of existing fault lines within the state, i.e., social, religious, or cultural. These modes are also cheaper than conventional methods of warfare. Therefore, it is important for states to develop offensive and defensive cybersecurity capabilities.
In recent years, Pakistan has faced a number of attacks, including:
- In December 2010, six groups of the Indian Cyber Army hacked 30 government websites in retaliation for the Mumbai attacks of 26/11.
- On August 14, 2017, a large number of Pakistani official websites were compromised by Indian hackers during a crucial event for Pakistan.
- In 2017, a cyber attack was launched against K-Electric.
- In September 2020, K-Electric was hit by a ransomware attack, a new type of malware used by hackers to extort money from victims.
Given these threats, it is essential for Pakistan to achieve its cybersecurity objectives and counter these cyber attacks. For example:
- In February 2019, Meezan Bank lost $3.5 million worth of data due to hacking. While the bank took necessary measures to protect its customers, the vulnerabilities of the banking system were exposed.
- In 2021, the Federal Board of Revenue (FBR) was targeted in a cyber attack due to outdated software. Although the data was restored, the hackers threatened to sell the data on a Russian forum for $30,000.
Terrorist organizations are also using cyberspace to exploit and threaten their adversaries in order to achieve their goals. This underscores the importance of cybersecurity bodies and laws for Pakistan.
Pakistan’s Cyber Security Policies
Pakistan is aware of the cyber threats it faces and has taken steps to address them. The Electronic Transactions Ordinance of 2002 digitalized all legal frameworks, providing legal recognition of electronic information, archives, data, transactions, and communications, as well as electronic signatures. The Electronic Crime Ordinance was the first act to address the legalization and punishment of cybercrimes, and it formed the basis for the Prevention of Electronic Crimes Act (PECA) of 2016.
PECA’s main goal was to promote citizen security at both the national and global levels. It creates new offenses such as hacking, tampering with data and information systems, denial of service (DDoS) attacks, electronic forgery and fraud, cyberterrorism, attacks on critical infrastructure, unauthorized civilian interceptions, use of malicious code and viruses, identity theft, and more. It also outlines punishments ranging from three months to seven years in prison, and/or fines, depending on the offense. The government has also established various measures to counter challenges such as hacking, cyber exploitation, forgery, electronic fraud, and cyber spoofing, including the creation of Computer Emergency Response Teams (CERTs) consisting of skilled cybersecurity personnel focused on critical infrastructure or information technology.
The National Cyber Security Policy of 2021 addresses cyberattacks on Pakistan as acts of aggression against national sovereignty. It also includes appropriate mechanisms to defend national integrity in accordance with national and international laws. This draft envisions the development of secure and resilient strategies and networks for national cybersecurity and response, and aims to establish a governance and institutional framework for a secure cyber ecosystem for citizens.
Analysis of Pakistan’s Cyber Policies
While these policies represent a significant step towards envisioning a secure cyber ecosystem at the national and international levels, they lack a structural framework for implementation. Additionally, the legal framework is weaker than those of neighboring states like Iran and India, which have strict punishments for cybercrimes. While it is not accurate to label these policies as “draconian and unconstitutional,” there should be stricter punishments for cyber terrorism so that no one can exploit cyberspace. For example, in Pakistan’s law, the punishment for cyber terrorism is only fourteen years, while in Indian laws it is life imprisonment.
Second, these acts lack the structural framework to implement these laws, as there is a need for scientific and forensic researchers and technical experts in this area which Pakistan lacks.
In short, these policies also indicate the absence of a governance structure, reliance on outside means, and a lack of staff to steer, manage, and consistently enhance the country’s cybersecurity posture.
At the national level, there is a need to take initiatives such as cyber security public awareness campaigns and actively promote cooperation and coordination between the public and private sectors to protect civilians from cyber exploitation.
The main reason for brain drain is the lack of opportunities and discouragement of talents. Therefore, Pakistan should encourage technological expertise and innovation in IT, as well as indigenous software and programs. Pakistan should allocate more budget to information technology research centers and encourage investment in IT and scientific education.
All infrastructure operators and service providers, the domestic ICT industrial base, and the education sector should be linked to create a national community of security-aware ICT producers and developers.
To counter foreign threats, Pakistan should not only focus on its defensive capabilities but also develop its offensive capabilities. It should also develop its own cyber army, similar to those of Israel and America. Pakistan must now concentrate on implementing policies for cyber security, building a robust organizational structure that can effectively address cyber threats, and developing response capabilities.
The views, information, and opinions expressed by the author (blogger) do not necessarily reflect those of Aware Pakistan and its team. The primary purpose of the blogs and articles is to empower civic voices and offer independent bloggers and aspiring writers a professional platform on which to speak in their entirety and publish their words without any restrictions.