Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition

Pakistan’s new cybersecurity approach will infringe on fundamental freedoms

Salma Shaheen examines Pakistan’s new cybersecurity strategy
Main Top Image
Image created with the assistance of Midjourney

Pakistan’s government restricted access to social media platforms on January 7, just a month before general elections on February 8. Pakistan ranks third globally, after Iran and India, in imposing new internet restrictions. There is a tension between cybersecurity and fundamental freedoms in Pakistan and that is likely to grow further as the country digitises.

Digitisation and cybersecurity

The number of broadband subscribers in Pakistan increased to 124 million (56.0% penetration) by 2021-22 from a low 7.7 million in 2014 (3.4%), according to Pakistan’s Telecommunication Authority (PTA). The vast majority of internet penetration is through mobile phones (54.6% of the 56.0% penetration).

Predictably, cybersecurity awareness is low. The Global Cybersecurity Index 2020 ranked Pakistan 79th out of 194 countries worldwide due to its vulnerability to cyberattacks. In the World Internet Development Report 2023, Pakistan ranks 45th out of 52 countries.

As Pakistan digitises, especially in critical infrastructure, the cyber threat landscape expands. Islamabad has integrated a Supervisor Control and Data Acquisition (SCADA) system into its water supply infrastructure, using an artificial intelligence (AI) system that was recently compromised by Russian hackers. Pakistan has also introduced AI-based medical diagnosis, such as Nayya Jee, and digitised the health sector through apps, such as Marham and Sehat Kahani.

This digitisation is uneven and is developing far ahead of security. Private sector investment in cybersecurity and technology is largely unregulated. The country relies on imported skills, hardware, and software. There have been various data breaches and hacking incidents targeting government authorities such as the National Database and Registration Authority (NADRA), and in critical sectors such as banking, telecommunications and energy.

In order to ensure the security of national digital assets, Pakistan’s cybersecurity strategy has gradually shifted from a sector-specific approach to a more comprehensive ‘whole-of-the-society’ approach. This new framework comprises four pillars: preparedness, prevention, regulation, and criminalisation.

Regulation and privacy

Pakistan’s first internet legislation was enacted in 2002, with the Electronic Transaction Ordinance that aimed to secure financial transactions. Over time, it has implemented various regulations, legislation, and structures to enhance cybersecurity. Among these, the Prevention of Electronic Crimes Act (PECA) of 2016 was a fundamental yet flawed law (the Islamabad High Court declared parts of it unconstitutional) that criminalised the illegal use of cyberspace and digital devices but did not cover the strategic dimension of cyberspace. The first national strategy to cover all aspects of cybersecurity was released in 2021 with the National Cyber Security Policy (NCSP).

The NCSP 2021 is an ambitious policy that focuses on strengthening digital governance through:

  • cybersecurity audits;     
  • special courts for cybersecurity crimes; and
  • raising awareness about cyberspace, including incorporating a cyber-related syllabus in education.

In addition to the NCSP 2021, there are two recent bills – the E-Safety Bill 2023 and the Personal Data Protection Bill 2023 – which have garnered official praise for safeguarding individuals’ digital rights, e-commerce, and the digital economy. However, they have also faced criticism for ambiguity regarding data storage and the degree of independence of the National Commission for Personal Data Protection. Furthermore, they were formulated in a secretive manner – passed by the Federal Cabinet instead of parliament – which was labelled as “undemocratic”. Both the E-Safety Bill 2023 and the Personal Data Protection Bill 2023 facilitate illegal surveillance and isolate Pakistan from the liberal digital community.

The enactment of cyber bills in opaque ways undermines public trust in nascent democratic practices and raises concerns about Pakistan’s cybersecurity posture infringing upon individual rights and freedoms. Lawsuits such as the Benazir Bhutto case in 1998 and Justice Qazi Faez Isa v President of Pakistan in 2021-2022 show long-term abuse and violations of citizens’ privacy by security forces. Despite these cases, law enforcement and intelligence agencies continue to carry out unjustified surveillance.

It will be difficult for Pakistan to strike a balance between security and personal freedoms while military courts exist and the authority of the officers responsible for searching and seizing citizens’ information is undefined. The secretive and arbitrary formulation of cyber regulations allows unconstitutional surveillance and suppression of fundamental freedoms.

A ‘whole-of-society’ approach

In addition to legislation, key features of the preparedness and prevention pillars of Pakistan’s cybersecurity posture include audits, secure operational technology, and public-private partnerships (PPP).

In 2023, the Pakistan Telecommunication Authority introduced a comprehensive audit regime that allows telecom companies to conduct third-party cybersecurity audits. Furthermore, in 2022 Pakistan enacted the Operational Technology/Information Technology (OT/IT) Cybersecurity Regulation to help secure the National Electric Power Regulatory Authority. Both the audits and the OT/IT regulation need to be extended to other sectors to secure the country’s critical infrastructure and industries.

Pakistan’s NCSP 2021 supports the role of PPPs in fostering a cybersecurity culture, similar to the UK’s 2022 National Cyber Policy’s ‘whole-of-society’ approach. For example, Pakistan is at the forefront of promoting PPPs in the health sector. However, health is governed at the provincial level, which hinders collaboration between the provincial ministries of health and the federal Ministry of Information Technology. PPP projects have a mixed history, so the implementation of the amended Public-Private Partnership Authority Act of 2021 and the NCSP 2021 could help integrate PPPs into the cyberspace landscape.

Pakistan established in October 2023 its first-ever National Computer Emergency Response Team (CERT), following the example of the European Computer Emergency Response Team (CERT-EU). This will be followed by provincial/sectoral CERTs to strengthen cyber defence at the federal and provincial levels and facilitate coordination between different tiers of government.

The way forward

Overall, Pakistan has codified a robust cybersecurity framework in terms of policies, legislation, regulations, and structures. However, there are challenges in capacity-building, effective implementation of laws, and deployment of regulations and structures across all sectors, which hinder the full implementation of the cybersecurity framework.

Furthermore, the significant influence of domestic security agencies suggests that Pakistan will struggle to find a balance between its cybersecurity needs and the privacy of its citizens.

 

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.