India Insights with Geetha Nandikotkur

Governance & Risk Management , Legislation & Litigation , Standards, Regulations & Compliance

Can Pakistan's New Cybersecurity Law Help Combat Cybercrime?

Still a Long Way to Go to Ensure a Cybersecure Ecosystem
Can Pakistan's New Cybersecurity Law Help Combat Cybercrime?

Pakistan's bill on cybersecurity, first presented in June 2014 before the National Assembly, has been passed under the Prevention of Electronic Crimes Act, 2015. Cybersecurity critics welcome the move, considering it a milestone toward cybersecurity and defence. They also say it's unfortunate that there was no cybersecurity policy and legislation in Pakistan before now, when other Southeast Asian countries were way ahead in addressing such challenges.

The Ministry of Information Technology says the Act will come into force with immediate effect and apply to every citizen of Pakistan, as well as to every enterprise and to all those who are residing in Pakistan for the time being.

The law clearly articulates offences and punishments for unauthorised use of identity information; tampering of communication equipment; interference with critical infrastructure, information systems or data; making, obtaining or supplying device for use of offence; and cyber stalking.

It is interesting to note that cyber terrorism, electronic forgery; electronic fraud; tempering of communication equipment; writing malicious code; cyber stalking through coercing or intimidating or harassing any person; and misusing information, spamming and spoofing, among others, get special attention with prescribed sections for punishment if violated.

The federal government establishing or designating a law enforcement agency for investigation of offences under this Act is definitely a positive move in addressing cybercrime challenges.

Why the Scepticism?

While it's a surprise that the Pakistan government was able to pass the bill amidst much criticism from the opposition of the house, there is also cynicism about its execution plan.

The intrinsic question that strikes everyone's mind: Why - while the entire world is talking about growing cyberattacks and cyber espionage, and every nation is working on cybersecurity frameworks to combat growing crimes - has Pakistan just woken up now?

The country's critical infrastructure - including banks, utilities sector, healthcare, defence, among others - is vulnerable to sophisticated cyberattacks. Why such a lackadaisical approach towards cybersecurity, given that nation-state attacks against rival states are rampant? Pakistan's intellectual and political circles agree that the nation is way behind in cybersecurity compared with Iran, India and China.

Historically, both India and Pakistan have been drawing parallels between themselves on varied developmental activities taken up.

In this case, many experts agree that India's cybersecurity is far better than Pakistan's, as India announced its National Cybersecurity Policy in July 2013. It has also set up a Cybersecurity Task Force to plan a methodical approach to create a cybersecure ecosystem with focus on skill development, R&D and a cybersecurity framework by leveraging the public-private partnership model (see: Creating Private-Public Partners).

In comparison, Pakistan has to take baby steps, and the government is still not clear on the modus operandi of executing the Act, nor does it appear to be looking into building a good incidence response mechanism.

Starting from Scratch

Undoubtedly, the Pakistan government is building a cybersecurity platform from scratch with the passage of the bill.

The Act envelops preliminary areas of cybersecurity. The bill essentially focuses on detailing the areas of crime/offences and related punishments and announcing the appointment of an investigation agency and prosecution agency with procedural powers.

The new law primarily focuses on preventive measures, rather than detailing proactive measures of building an incidence response plan or building cybersecurity skills in combating crime.

The Act speaks about issuing guidelines toward prevention of electronic crimes to be followed by owners of the designated information systems or service providers. Any violation calls for a fine of up to ten million rupees. Any subsequent conviction shall be punishable with imprisonment, which may extend to six months.

Another preventive measure is a proposal to formulate one or more computer emergency response teams to respond to any threat against or attack on any critical infrastructure information systems or critical infrastructure data, or widespread attack on information systems in Pakistan.

According to MoiT, a CERT constituted under sub-section (1) may include technical experts of known expertise, officers of any intelligence agency or any sub-set thereof. It will respond to a threat or attack without causing any undue hindrance or inconvenience to the use and access of the information system or data as may be prescribed.

Then how is a CERT going to combat all crimes, given the urgency required to address these challenges?

The only way to scale up, in my opinion, is to issue relevant guidelines and form an expert panel on a war footing to track cybercrime and work on an effective incidence response plan for Pakistan. One way is to relax rules for top security vendors to conduct business directly and help the country build an effective cybersecurity model via a public-private partnership approach.

So, what are your thoughts on how Pakistan needs to build an effective cybersecure ecosystem, as well as the immediate steps for MoiT? Share your opinions below.

About the Author

Geetha Nandikotkur

Geetha Nandikotkur

Vice President - Conferences, Asia, Middle East and Africa, ISMG

Nandikotkur is an award-winning journalist with over 20 years of experience in newspapers, audiovisual media, magazines and research. She has an understanding of technology and business journalism and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a group editor for CIO & Leader, IT Next and CSO Forum.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.