Pakistan’s new cybersecurity approach will infringe on fundamental freedoms

Pakistan’s government restricted access to social media platforms on January 7, just a month before general elections on February 8. Pakistan ranks third globally, after Iran and India, in imposing new internet restrictions. There is a tension between cybersecurity and fundamental freedoms in Pakistan and that is likely to grow further as the country digitises.

Digitisation and cybersecurity

The number of broadband subscribers in Pakistan increased to 124 million (56.0% penetration) by 2021-22 from a low 7.7 million in 2014 (3.4%), according to Pakistan’s Telecommunication Authority (PTA). The vast majority of internet penetration is through mobile phones (54.6% of the 56.0% penetration).

Predictably, cybersecurity awareness is low. The Global Cybersecurity Index 2020 ranked Pakistan 79th out of 194 countries worldwide due to its vulnerability to cyberattacks. In the World Internet Development Report 2023, Pakistan ranks 45th out of 52 countries.

As Pakistan digitises, especially in critical infrastructure, the cyber threat landscape expands. Islamabad has integrated a Supervisor Control and Data Acquisition (SCADA) system into its water supply infrastructure, using an artificial intelligence (AI) system that was recently compromised by Russian hackers. Pakistan has also introduced AI-based medical diagnosis, such as Nayya Jee, and digitised the health sector through apps, such as Marham and Sehat Kahani.

This digitisation is uneven and is developing far ahead of security. Private sector investment in cybersecurity and technology is largely unregulated. The country relies on imported skills, hardware, and software. There have been various data breaches and hacking incidents targeting government authorities such as the National Database and Registration Authority (NADRA), and in critical sectors such as banking, telecommunications and energy.

In order to ensure the security of national digital assets, Pakistan’s cybersecurity strategy has gradually shifted from a sector-specific approach to a more comprehensive ‘whole-of-the-society’ approach. This new framework comprises four pillars: preparedness, prevention, regulation, and criminalisation.

Regulation and privacy

Pakistan’s first internet legislation was enacted in 2002, with the Electronic Transaction Ordinance that aimed to secure financial transactions. Over time, it has implemented various regulations, legislation, and structures to enhance cybersecurity. Among these, the Prevention of Electronic Crimes Act (PECA) of 2016 was a fundamental yet flawed law (the Islamabad High Court declared parts of it unconstitutional) that criminalised the illegal use of cyberspace and digital devices but did not cover the strategic dimension of cyberspace. The first national strategy to cover all aspects of cybersecurity was released in 2021 with the National Cyber Security Policy (NCSP).

The NCSP 2021 is an ambitious policy that focuses on strengthening digital governance through:

• cybersecurity audits;     
• special courts for cybersecurity crimes; and
• raising awareness about cyberspace, including incorporating a cyber-related syllabus in education.

In addition to the NCSP 2021, there are two recent bills – the E-Safety Bill 2023 and the Personal Data Protection Bill 2023 – which have garnered official praise for safeguarding individuals’ digital rights, e-commerce, and the digital economy. However, they have also faced criticism for ambiguity regarding data storage and the degree of independence of the National Commission for Personal Data Protection. Furthermore, they were formulated in a secretive manner – passed by the Federal Cabinet instead of parliament – which was labelled as “undemocratic”. Both the E-Safety Bill 2023 and the Personal Data Protection Bill 2023 facilitate illegal surveillance and isolate Pakistan from the liberal digital community.

The enactment of cyber bills in opaque ways undermines public trust in nascent democratic practices and raises concerns about Pakistan’s cybersecurity posture infringing upon individual rights and freedoms. Lawsuits such as the Benazir Bhutto case in 1998 and Justice Qazi Faez Isa v President of Pakistan in 2021-2022 show long-term abuse and violations of citizens’ privacy by security forces. Despite these cases, law enforcement and intelligence agencies continue to carry out unjustified surveillance.

It will be difficult for Pakistan to strike a balance between security and personal freedoms while military courts exist and the authority of the officers responsible for searching and seizing citizens’ information is undefined. The secretive and arbitrary formulation of cyber regulations allows unconstitutional surveillance and suppression of fundamental freedoms.

A ‘whole-of-society’ approach

In addition to legislation, key features of the preparedness and prevention pillars of Pakistan’s cybersecurity posture include audits, secure operational technology, and public-private partnerships (PPP).

In 2023, the Pakistan Telecommunication Authority introduced a comprehensive audit regime that allows telecom companies to conduct third-party cybersecurity audits. Furthermore, in 2022 Pakistan enacted the Operational Technology/Information Technology (OT/IT) Cybersecurity Regulation to help secure the National Electric Power Regulatory Authority. Both the audits and the OT/IT regulation need to be extended to other sectors to secure the country’s critical infrastructure and industries.

Pakistan’s NCSP 2021 supports the role of PPPs in fostering a cybersecurity culture, similar to the UK’s 2022 National Cyber Policy’s ‘whole-of-society’ approach. For example, Pakistan is at the forefront of promoting PPPs in the health sector. However, health is governed at the provincial level, which hinders collaboration between the provincial ministries of health and the federal Ministry of Information Technology. PPP projects have a mixed history, so the implementation of the amended Public-Private Partnership Authority Act of 2021 and the NCSP 2021 could help integrate PPPs into the cyberspace landscape.

Pakistan established in October 2023 its first-ever National Computer Emergency Response Team (CERT), following the example of the European Computer Emergency Response Team (CERT-EU). This will be followed by provincial/sectoral CERTs to strengthen cyber defence at the federal and provincial levels and facilitate coordination between different tiers of government.

The way forward

Overall, Pakistan has codified a robust cybersecurity framework in terms of policies, legislation, regulations, and structures. However, there are challenges in capacity-building, effective implementation of laws, and deployment of regulations and structures across all sectors, which hinder the full implementation of the cybersecurity framework.

Furthermore, the significant influence of domestic security agencies suggests that Pakistan will struggle to find a balance between its cybersecurity needs and the privacy of its citizens.