Archives


SOURCE: TNN BLOG

The Pakistani Cabinet on the 27 th July 2021 approved the National Cyber Security Policy. From the Pakistani angle this was necessary as it ranked seventh worst cyber-secure state in the world by the Global Strategies Index and the Global Security Index 2018 report.

The Pak National Cyber Security Policy is ‘aimed at realising the full potential of information and communication technologies for socio-economic development by assuring availability, confidentially, and integrity of critical infrastructure and information systems, while also providing reliable, secured, and resilient cyberspace for all.’ In short, the scope of Pak National Cyber Security Policy is to secure entire cyberspace of Pakistan including all information and communication systems used in both public and private sectors.

In April 2021, the Pak Parliament had constituted a committee of all the relevant organisation to study all the dimensions of the cyber threats. Earlier, Pakistan had established the National Centre for Cyber Security (NCCS) for research and development in 11 selected universities with Air University servicing as the Secretariat of the NCCS.

Federal Minister for Information and Broadcasting Fawad Chaudhry after the Cabinet meeting stated that the policy has two parts-cyber security and cyber offences. Giving the background for this policy he also stated that a list of cyber security experts was being prepared, who would conduct a thorough probe, especially India’s use of Israeli spyware to hack the phone of Prime Minister Imran Khan. Well in Pakistan the driving force is anti-India approach, hence this statement was on expected lines.

Six main dimensions of the Pak National Cyber Security Policy are significant. First and the most important is its emphasis on deterrence. It declares that ‘a cyberattack on any institution of Pakistan will be considered an act of aggression against national sovereignty and all necessary and retaliatory steps would be taken. It further states that a cyberattack on Pakistan will be considered as category I and category II aggression against national sovereignty and the State will defend itself with appropriate response measures.

Second, a high-powered governance body-the Cyber Governance Policy Committee (CGPC)- has been formed to implement the policy at the national level, determine a strategy in a timely manner and take timely action. The committee comprises the secretaries and senior officers of 13 different departments/organisations. While it is not clear who head this body, its decisions are to approved by the Cabinet under the PM. Crucially, the CGPC is entrusted to assert national level ownership to policy initiatives related to cyber-governance and security. The CGPC is responsible for strategic oversight over national cybersecurity issues.

Third, to ensure support of all stake-holders for the establishment of an internal framework in all public and private institutions for the protection of cyber ecosystem, security of national information system and infrastructure and protection in all national ICT infrastructures. The aim is to have a resilient system in place for protection of critical infrastructure and instil confidence among citizens about its system.

Fourth, to have an information sharing mechanisms to protect against cyberattacks at all levels, ensure cybercrime monitoring, electronic identification and security and provide the organisations with the required systems and support for protection of online privacy. While protection of privacy has been mentioned, the details of the system are not available.

Fifth, to create awareness among citizens about the cyber security threat. And establishing a public-private partnership for providing technical and operational assistance. The document states that the objective is to ensure the privacy of online data, information and private and important content of Pakistani citizens and government and private entities while maintaining its privacy.

The fifth dimension is to create skilled experts in the domain through training programme. As mentioned above, the NCCS has already been established for R&D. A few centres of excellence may also be established.

In essence, the Pak National Cyber Security Policy aims at establishing ‘an active cyber defence’ (offensive postutre) and cyber security governance, protect internet-based services, ensure protection and resilience of national critical information structures, protection of the government’s information systems and infrastructure, develop information security assurance framework, increase awareness of cyber security and develop cybercrime response mechanisms and regulations. It also mentions to have a system of testing for checking the integrity of products- an important aspect.

The Pak National Cyber Security Policy places the cyber-attacks at par with attacks on the core aspects of national security and is linked to its national security strategy. Prominence of deterrence comes out very clearly. While Pakistan has not spelled out how it would retaliate, it may use all weapons. In the context of the use of nuclear weapons, Lt Gen. (Retd) Khalid Kidwai then Director General of Pakistan’s Strategic Plans Division in an interview in 2002 had outlined the contours of possible use of Pak nuclear weapons against India. He had stated that in four conditions Pakistan would use nuclear weapons– (i) If India attacks Pakistan and conquers a large part of its territory (space threshold). (ii) If India destroys a large part of its land or air forces (military threshold). (iii) If India proceeds to the economic strangling of Pakistan (economic threshold). (iv) If India pushes Pakistan into political destabilization or creates a large internal subversion in Pakistan (domestic destabilization). Pakistan has now added the fifth condition- attack on its cyber space.

Pak has also adopted the doctrine of “full spectrum deterrence” in the context of use of nuclear weapons. It was explained that the concept of “full spectrum deterrence” is the Pak response to plug those gaps which were bothering the Pak Army and which could be exploited by Indian Army through its “Cold War Doctrine”. These gaps have been plugged by the tactical nuclear weapons, which are fully integrated with conventional weapons to fight wars.

Objectively speaking, the Pak National Cyber Security Policy is on the lines of other nations like US, Russia, UK, France, China etc. They all have offensive part for deterrence and have linked their cyber policies with the national security policies. The US National Cyber Security Strategy of 2018 now stresses offensive operations which was earlier mentioned in general terms; the Australian cyber security policy stresses on strong defence system that can detect vulnerabilities and mentions global responsibilities; France has a separate part of offensive cyber strategy that states that an attack on military forces would be retaliated to neutralise the source; Russia considers the cyber warfare as a part of hybrid wars in which they play a decisive role; UK accepts the national offensive planning has unified its various entities; Japan calls for enhancing deterrence and in the Chinese concept there can be no national security without cyber security and it places cyber deterrence at par with nuclear deterrence.

India also needs to define its cyber strategy in clear terms to sharpen its deterrence. It is facing cyber attacks from China and Pakistan in a big way. The state intelligence agencies of these countries have been using hackers to attack Indian official websites, trying to obtain information and place disinformation to manipulate perceptions of the target population. Both the countries are using the influence operations to divide the civil society. Pakistan is also using the cyber space for radicalisation of youth. In India most of the arrested terrorists have indicated how the ISI had been projecting that the minorities in India are mal-treated and are leading a miserable life. Several articles in the Pak Army Green Book 2020 had recommended a strong cyber policy to enhance the deterrence, indicating that the Pak held a weak posture to deal with any threat in this domain. With the new policy in place, a more forceful cyber offensive campaign can be expected from Pakistan. Hence India needs to develop teeth in its cyber policy to have equilibrium of deterrence from the known adversaries.