Improving Pakistan’s cybersecurity architecture using US and UK insights
Wednesday 6 November 2024
Sahar Iqbal
Akhund Forbes, Karachi
sahar.iqbal@akhundforbes.com
Introduction
The quick digitisation of society has changed how people, companies and governments function, but it has also brought forth a dynamic and complicated world of cyberthreats. Similarly to several other countries, Pakistan faces the difficulty of protecting its cyberspace while utilising digital technologies for its advantage. This article explores the cybersecurity environment in Pakistan by examining the country’s current legal system, highlighting weaknesses and making suggesting improvements.
Pakistan’s cybersecurity laws are anchored on the Prevention of Electronic Crimes Act 2016 (PECA). Although PECA covers a number of cybercrimes, such as data breaches and unauthorised access, it is insufficient in addressing new threats like ransomware and advanced persistent threats (APTs). Pakistan’s capacity to adequately safeguard its cyberspace is further hampered by the lack of an all-encompassing data protection law and insufficient incident response procedures.[1]
This article examines the cybersecurity frameworks of the US and the UK and shows how Pakistan can improve its defences by combining institutional growth, international cooperation and legislative reforms. By adopting a thorough and diverse strategy, Pakistan can improve its cybersecurity standing and create a more robust digital environment.
Pakistan’s cybersecurity environment: PECA’s role
Pakistan adopted the PECA 2016 as the main legislative framework to combat electronic crime in recognition of the growing significance of cybersecurity. A wide range of internet offences are covered under this statute.[2]
In order to prevent unauthorised access to computer systems (Section 3), data breaches (Section 9) and tampering with electronic documents (Section 10), PECA introduces several measures. In response to increasingly serious threats, Section 11 of PECA criminalises cyber terrorism and imposes severe penalties on actions intended to compromise key infrastructure or national security.
The PECA includes provisions for cyberstalking, harassment and defamation (Sections 20–22) in recognition of the widespread nature of online harassment. Section 24 of the law criminalises the exploitation and pornography of children, placing a high priority on child safety. Furthermore, Sections 11 and 29 of the Act deal with the threat of hate speech and encouragement to violence, respectively.
Even though PECA is a big step forward, given how quickly cyber dangers are changing, the legislative framework will need to be continuously evaluated and updated to ensure that it is still effective in tackling new issues. PECA, however, is but one component of the whole.
Although not solely centered on cybersecurity, the Electronic Transactions Ordinance (ETO) of 2002 provides the fundamental legal acceptance of electronic records and transactions. By offering a legal framework for electronic evidence, this acts as a prelude to dealing with cybercrimes.
Despite having a wider purpose, the Federal Investigation Agency (FIA) Act of 1974 gives the agency the authority to look into cybercrimes. Given the technical know-how needed in these situations, the FIA’s involvement in cybercrime investigation is essential.[3]
Although the foundation of Pakistan’s cybersecurity legal framework is comprised of these laws, the dynamic nature of cyber threats means that its suitability must be continuously assessed, and any necessary changes must take into account new threats.[4]
Legislative gaps in Pakistan regarding cybersecurity
Although the PECA is a major improvement for Pakistan’s cybersecurity environment, there are still a number of important shortcomings. A significant absence is thorough data protection legislation, which exposes citizens to identity theft and data breaches. The growing threat spectrum, which encompasses ransomware assaults, APTs and state-sponsored cyber espionage, is not adequately addressed by PECA’s primary focus on classic cybercrimes.[5] Moreover, PECA’s unclear policies for incident response and management make it more difficult to implement efficient defences against cyberattacks. Lack of cybersecurity education and public awareness exacerbates these problems by making people and organisations more vulnerable to online assaults. Because jurisdictional issues frequently obstruct cross-border investigations and prosecutions, the international aspect of cybercrime makes the situation harder to resolve.[6]
Improving cybersecurity standards in Pakistan
Through statutory improvements and proactive initiatives, Pakistan must strengthen its cybersecurity architecture in order to effectively address the changing cyber threat landscape. To secure personal data, a comprehensive data protection law is necessary, modelled after the General Data Protection Regulation (GDPR) of the EU. Furthermore, it is imperative that PECA be expanded to include new dangers like ransomware and APTs. For crisis management to be effective, a strong incident response framework that is modelled after the Computer Emergency Response Team (CERT) systems[7] in nations like the US and India must be established.[8]
A comparison of cybersecurity frameworks among the US, UK and Pakistan
Understanding other countries’ cybersecurity frameworks is crucial for addressing the dynamic cyber threat landscape. The US and the UK provide insightful examples of successful legislative and regulatory strategies.
The cybersecurity framework of the UK
The UK has implemented a comprehensive approach to cybersecurity, in which the National Cyber Security Centre (NCSC)[9] is a key component. The NCSC was founded in 2016 and is housed under the Cabinet Office. Its main role is to defend the vital national infrastructure of the UK against cyberattacks. Enhancing cooperation in cybersecurity, the UK’s Cyber Security Act 2018 offers a legislative framework for information exchange between industry and government. Despite its primary focus on data protection, the Data Protection Act 2018[10] also advances cybersecurity by requiring organisations to put in place the necessary organisational and technical safeguards to secure personal data.
The climate of cybersecurity in the US
The US approaches cybersecurity in a variety of ways, utilising multiple federal departments and agencies. The main organisation in charge of cybersecurity is the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security. The Department of Defense, the National Security Agency, and the Federal Bureau of Investigation are further important actors. A number of laws targeting particular facets of cybersecurity have been passed in the US; one such law is the Cybersecurity Act 2015, which focuses on protecting vital infrastructure. A thorough federal cybersecurity law is still unattainable, though.
A comparative study with implications for Pakistan
Pakistan can benefit from the experiences of the US and the UK even if it has achieved progress in combating cybercrime through PECA. The creation of a specialised cybersecurity agency, similar to the UK’s NCSC, would improve response and coordination abilities. To secure personal data, a comprehensive data protection regulation akin to the GDPR is necessary. In addition, Pakistan stands to gain by following the US’s lead and implementing a cybersecurity strategy tailored to the specific needs of critical infrastructure industries.
International cooperation is also very important. Pakistan can improve its skills by taking part in international cybersecurity initiatives and knowledge-sharing platforms. Public awareness efforts that are akin to those carried out in the United States can enable citizens to exercise caution when it comes to cyber risks.
Pakistan may boost its defences against the constantly changing cyber threat landscape by identifying best practices and implementing essential reforms by benchmarking its cybersecurity framework against those of the US and the UK.
Conclusion
The cybersecurity environment in Pakistan is defined by the intricate interactions between developing threats, institutional capacities and regulatory frameworks. Even though PECA has been a big step forward, the legal and regulatory landscape must always be assessed and adjusted due to the speed at which technology is developing.
Pakistan should prioritise passing a comprehensive data protection law, bolster incident response capabilities and broaden the PECA’s purview to include new risks in order to successfully combat rising cyber threats. Establishing a separate cybersecurity agency, as seen in the UK, can boost coordination and response operations. Keeping up with worldwide best practices also requires knowledge sharing and international cooperation.
Pakistan may strengthen its cybersecurity defences, safeguard vital infrastructure and create a more robust digital ecosystem by putting these suggestions into practice. Although achieving a secure cyberspace will take time and money, there will be significant benefits in terms of both economic growth and national security.
Notes
[1] Eesah Arshad Khan, ‘The Prevention of Electronic Crimes Act 2016: An analysis’ (2018), LUMS LJ, 5, 117.
[2] Government of Pakistan. (2023). The Prevention of Electronic Crimes Act, 2016.
https:www.na.gov.pk/uploads/documents/1470910659_707.pdf.
[3] Prevention of Electronic Crimes Investigation Rules 2018
[5] Shakeel Qarar, ‘Cybercrime reports hit a record high in 2018:FIA’ (DAWN, 23 October 2018)
www.dawn.com/news/1440854 accessed 4 November 2024.
[6] Ayse Okutan, ‘A Framework for Cyber Crime Investigation. Procedia Computer Science’ (2019), PCS 158, 287–294.
[7] See more information on the US Computer Emergency Readiness Team here: www.cisa.gov/sites/default/files/publications/infosheet_US-CERT_v2.pdf.
[8] Mahboob Usman, ‘Cyber Crime: Pakistani Perspective’ ()2017, Islamabad Law Review 1(03), 18–40.