Dr. Naveed Elahi

With the gruesome incident of pager explosions in Beirut last year, the genie of cyber scare lurking in the shadows has come to the fore with a bang. The detonation with viral malware has added a new and palpable dimension to cyber threats. It is clear now that states will and can fight cyber wars with invisible sabers. It can cause colossal disruption and countless deaths in a jiffy. In Beirut, the detonation of thousands of devices led to the deaths of at least 20 people and injuries to more than 460 others. The Israeli intelligence agency Mossad orchestrated this operation by embedding military-grade explosives in 5000 pagers supplied to Hezbollah and detonated them simultaneously through malware. It was a combination of vulnerabilities within supply chain security and cyber strikes through communication technologies.

Fourteen years earlier, Mossad had conducted a cyber operation to sabotage Iran’s nuclear facility at Natanz, where centrifuges started malfunctioning. The malware Stuxnet, a highly sophisticated cyber weapon, significantly delayed its program for several years. It shows that the threat had emerged at least two decades ago, but now with the advent of artificial intelligence, it has grown at an alarming proportion and threats of asymmetrical war through cyber technology have increased manifold. The developed world had anticipated the lethality of the emerging cyber threats; therefore, they started devising cyber security policies and strategies almost at the same time. 

 The Centre for Strategic and International Studies stated in 2022 that there were 78 countries with national cyber security strategies, 63 with strategies for mitigating cyber threats to critical infrastructure, and 113 with policies that regulate the collection and handling of personal data. The United States was the first country to formulate a national cyber security strategy in 2003, which has been updated multiple times ever since.

 Like many governments around the world, Pakistan acknowledged, though slightly belatedly, the need for a national policy of cyber security and formulated the National Cyber Security Policy in 2021. This delayed response to cyber threats was caused by the slow pace of digitization, laid-back bureaucratic systems and limited technical or economic capacities. Additionally, its implementation has remained a far cry so far. The cyber security strategy is still in embryonic stage.  Naturally, it has hampered Pakistan’s ability to attend to the challenges required in this space.

It is high time for Pakistan to move fast to formulate and implement a robust cyber security strategy to address the foreboding challenges of cyber war. It should be kept in mind that from hacktivists to nation-states, all have the capabilities to conduct cyber-attacks. Pakistan, therefore, ought to take into consideration several common elements that typically emerge in national cybersecurity strategies.

First, Pakistan must adopt a national security-focused strategy, closely tied to its internal and external security and shaped by military and intelligence agencies. This includes countering hostile agencies’ cyber operations for intelligence gathering and prioritizing the cybersecurity of its military and intelligence systems.

Second, the protection of critical national infrastructures (CNIs), often referred to as ‘Crown Jewels’ is essential. It is crucial for Pakistan to identify and ensure the protection of critical networks, for example, communications, critical manufacturing, emergency services, energy, financial services, food and agriculture, and nuclear reactors on which economy and stability depend. Emulating other successful models, Pakistan must issue multiple guidelines and policy directives to prioritise CNIs as part of official cyber security strategies and to create specific public-private partnerships for their protection. Axiomatically, the topmost priority should be accorded to the nuclear facility.

Third, protection of confidentiality, integrity, and availability of personal data is increasingly crucial as cyber threats continue to evolve. Currently, Pakistan lacks a specific legislative framework that extensively covers the protection of personal data across various sectors. The absence of such laws exposes individuals’ data to potential misuse, loss, and unauthorized access. Pakistan should look to international best practices, such as the European Union’s General Data Protection Regulation (GDPR), which provides a strong framework that emphasizes transparency, security, and accountability by entities handling personal data.

By developing a legal framework that protects personal data, Pakistan can enhance its cybersecurity posture, promote digital economic growth, and align more closely with international standards, which could also facilitate trade and secure information exchanges with other countries.

Fourth, it is the need of the hour to enact and strengthen cybercrime laws and procedures to prevent computer misuse. In fighting the persistent threat of cybercrimes, many governments have laws that prohibit ‘computer networks’ misuse in criminal activities and, in some cases, in disinformation campaigns. Pakistan is in the whirlwind of the last activity.

To address this, Pakistan can take a cue from the UK government’s Computer Misuse Act. This act defines unlawful acts including unauthorised access to computer material and unauthorised access with intent to commit or facilitate the commission of further offences, unauthorised acts with intent to impair, or with recklessness as to impair the operation of a computer, among others (UK Public General Acts, 1990). 

Fifth, the multi-stakeholder nature of cybersecurity necessitates that government policies effectively collaborate with private entities, offering appropriate incentives to ensure these organizations secure their systems and invest in the security of their hardware and software. They must build collaborative networks to address and ensure cybersecurity at the national and citizen levels.

Sixth, the lack of established internet conduct rules heightens cybersecurity risks, resulting in an unpredictable and fragmented landscape. To address these challenges, government and organizations should invest in threat intelligence, and ensure they meet varied regulatory standards.

Whatever national cybersecurity strategy Pakistan may adopt, security measures should include reducing cyber incidents, improving response times, and enhancing cybersecurity awareness. Compliance with international standards, strengthening the legal framework, and fostering public-private collaboration are essential. Protecting critical infrastructure and increasing investment in cybersecurity are also key metrics. These measures can be tracked through reports from National Data Registration Authority (NADRA), Federal Investigation Agency (FIA) Cyber Crime Wing, National Information Technology Board (NITB), HEC, and CERT-PK.

Given the magnitude of the threat and the seriousness of the situation, we cannot afford to fall behind due to ignorance, laziness or lack of initiative. The genie of cyber threats must be contained and countered in a collaborative and sustained manner.

The author is Chief Editor of The Strategic Brief