One of the simplest definitions of policy is that it is a deliberate or constructed set of guidelines or systems that can help an entity in achieving certain outcomes, so policy reflects ideas, intentions, procedures and identifies the desired objectives. From nation-states to small organizations in a country each and every entity has one all-encompassing policy composed of complementing small sub-sets of policies to run, govern and achieve rational objectives. The state devises different kinds of policies such as security policy, foreign policy, and economic policy, to protect its national interest in the international system. These policies complement each other and gear a nation and state toward a single objective. In this conflicting and competing international system states first of all have to protect their boundaries, nationals, and sovereignty, these objectives are identified in the national security policies of states. In this century of digitalization when all components of national security have a virtual presence, one additional security concern for states is emerging in the form of cybersecurity threats. So, today many states have started work to secure their cybersecurity environment. The first step in this regard for any state is the formulation of ‘national cybersecurity policy”. It is important to make policy first as it will establish the desired outcome, guidelines, procedures, and methods the state will have to adapt to secure its cybersecurity.
The three main components in the process of cybersecurity are; people, processes, and data and information. Any policy to be made for securing cyberspace should address and cater to these three pillars. These three components not only need protection but these three components also make threats. Recently, in a step towards more secure national cyberspace, Pakistan’s cabinet approved “national cybersecurity policy 2021,” it was drafted by the ministry of information and technology, Pakistan. This particular policy document came on the surface and was approved in urgency after recent news on “Pegasus spyware” broke out internationally, where it was mentioned that the Prime Minister of Pakistan was one of the identified targets of this software. Other than that current government and state institutions have been continuously highlighting the disinformation campaign against Pakistan in cyberspace. Even international organizations and watchdogs for disinformation have launched reports which highlight the disinformation campaigns against Pakistan by India. Pakistan also launched programs like “digital Pakistan”, which envisions aiding the digital transformation of Pakistani society for its growth and development. It is important to highlight these aspects because they show the dynamics of Pakistan’s cyberspace where the use of the internet and cyberspace among the population is increasing rapidly, as of today Pakistan despite being a developing county is on no. 4th in freelancing development industry but at the same time threats in this particular domain were always ignored. Therefore the approval of “cybersecurity policy 2021” by the cabinet is a positive development as it reflects the understanding of the dynamics of cyberspace and reflects the understanding and resolve to address the prevalent and emerging threats in this domain through different means (public awareness, institutional frameworks, international cooperation etc). Though Pakistan has passed many laws and regulations in the last few years for the protection of cyberspace but what is missing was the aim that what Pakistan wants to achieve in its cyberspace.
National cyber security policy 2021 aims at forming a policy that will provide Pakistan with new institutional frameworks and governance to secure the “cyber eco-system” of Pakistan. Institutional frameworks to be established will include computer emergency response teams as well as security operation centers. The policy document envisions securing the entire cyberspace of Pakistan, which includes not only the public sector but the private sector and information and communication systems in the country as well. Moreover, a policy document points out that the policy document does not want Pakistan just to have a secured but “resilient cyber system and network”. Resilience is an important component because it enables the systems to perform even in case of attack while absorbing the attack. The guiding principle of current cybersecurity policy is to “protect the people” at the same time increase the growth and prosperity of the nation. Other than that attack on Pakistan’s cyber-space will be considered as a Category-I and Category-II level threat and will be responded to accordingly.
This was a much-needed and demanded policy document in Pakistan. It showed what Pakistan wants to achieve in its cybersecurity, how it will achieve its objectives, but there are certain important points which this policy document missed, as these points are not something new which are coming out as a result. But, they are the aspects that already exist and have compromised the Pakistan’s cyberspace. As in the document “central entity” term was used for the organization responsible for implementing the policy drafts, but which the entity will be that is not given in the whole draft and how long will it take to formulate such an entity. It is important to discuss these institutional frameworks because previously in a “national cyber-security policy of 2018-2023” the command force structure composed of civil and military was proposed but the actual implementation was not seen, and even this subsequent document of policy does not talk about it. Moreover, as people have rights in the physical world they have rights in the virtual world that needs to be protected by the government, or what would be the policy orientation of government towards such laws are not clearly written or defined in this policy document. National Scholars studying cybersecurity have also highlighted that policy document does not address the concepts like “privacy by design” and no-legacy” and also fails to acknowledge that cyber security is not just the issue of the ministry of information and the Ministry of foreign affairs include a broader set of ministries.
It is high-time that authorities realize that cybersecurity is emerging as concerning issues for Pakistan’s national security and reactionary and lethargic policy and lack of implantation of these policies and mentioned initiatives in them will compromise Pakistan’s cyberspace in peace and wartime as well.
*Ahyousha Khan, Research Associate, Strategic Vision Institute, Islamabad.