Countries are increasingly adopting new technologies across various business spheres, and Pakistan is no exception. With its increasing number of start-ups, young professionals and digital transformation programs that have been implemented by established organizations, it was incumbent upon Pakistan to enact a cybersecurity policy supported by an overarching framework that also addressed data protection and privacy. This policy was designed to be a framework with which all public and private organizations would be obligated to attain—and maintain—compliance.
To gain a sense of the breadth of Pakistan’s cybersecurity policy, is important to understand the impact of cybersecurity, data sovereignty and privacy on the overall economic well-being of a country. The services, products or solutions that an organization provides create value to society and eventually contribute toward a country’s human development, economic stability and growth.
The services, products or solutions that an organization provides create value to society and eventually contribute toward a country’s human development, economic stability and growth.
Pakistan’s recently approved National Cybersecurity Policy 2021 has significant improvements from its previous consultation draft released in January 2021. In comparison to the previous consultation draft, the approved version of the policy released in July 2021 projects a broader vision that focuses not just on securing assets, but also on establishing resilience through a robust and continually improving digital ecosystem. The vision is set forth to foster cybersecurity while accentuating and culminating efforts to improve the socioeconomic development of society at large.
The policy names 3 distinct challenges and risk factors in the realm of cybersecurity. The ownership of cybersecurity is a major concern that demands appropriate and sufficient support from the government to ensure that the other value creation streams responsible for Pakistan’s economic growth are able to contribute to growth and progress in a healthy, continuous and sustainable manner. With a lack of support from the government in past years, cybersecurity remained on the backburner and assets essentially became low-hanging fruit for adversaries, whether opportunistic or persistent in nature.
The policy also highlights issues such as the lack of a governance framework, an ineffective enforcement mechanism, excessive reliance on external resources and insufficient human resources to lead, administer, operate and continually improve the national cybersecurity posture. It will be enforced in the public and private sectors which means uniformity should be adopted across the spectrum in terms of the cybersecurity governance framework and its compliance. This allows for easier adoption of the framework which will be developed in the future by the central entity responsible for coordinating and ensuring the implementation of cybersecurity measures. In addition, certain sectors or technological areas, such as operational technology (OT) and cloud computing, may require additional, separate frameworks built on a similar structure to help fulfill policy objectives similar to those highlighted in the National Cybersecurity Policy 2021.
Policy Objectives
The objectives of the policy are comprehensive and essential to holistically address the cybersecurity challenges and risk factors faced by Pakistan. The following key areas are addressed by policy objectives:
- Establish a governance framework
- Address importance of information systems and critical infrastructure (the critical information infrastructure is appropriately defined in Appendix 3.17).
- Promote data governance and protection
- Promote online privacy
- Establish an information assurance framework
- Create cybersecurity awareness
- Capacity building
- Achieve independence
- Emphasize national/global cooperation framework
- Emphasize adoption of risk-based approach
Policy Deliverables
To thoroughly examine the policy’s deliverables and nuances, it is imperative to understand that the efficacy of any governance policy or framework is impacted by people, processes and technology. A challenge posed by any of these 3 pillars can hinder the effects of a policy objective or framework.
Pakistan’s cybersecurity policy includes 17 distinct policy deliverables, 16 of which directly relate to cybersecurity. These deliverables provide holistic coverage of governance, technology, human resources and cybersecurity awareness. The remaining deliverable provides a lexicon.
In addition, a Cyber Governance Policy Committee (CGPC) was constituted to resolve the issue of cybersecurity ownership and provide strategic cybersecurity oversight. All policy recommendations put forward by the CGPC are subject to the approval and endorsement of the Federal Cabinet of Pakistan.
The review and approval of CGPC policy recommendations by the Federal Cabinet are significant in that they provide needed attention to cybersecurity challenges and risk factors at the national leadership level. The best practices promulgated by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27001 standard also emphasize the importance of oversight directly from executive leadership. This oversight ensures that cybersecurity challenges and risk factors are not suppressed or overshadowed by competing interests or structural issues that could lead to conflicts of interest.
The policy states that an implementation framework will be developed by a designated division of the federal government. This division will serve as the central authority at the federal level, responsible for coordinating and implementing cybersecurity measures at the national, sectoral and organizational levels. Policy Deliverable 3.5–Protection of Government’s Information Systems and Infrastructure advises “Work[ing] with relevant government entities to ensure mandatory allocation of a certain percentage of the ICT project budget for Cyber Security Assurance.”1
This guidance is likely to create conflict between IT and cybersecurity teams and, unfortunately, there is every likelihood that cybersecurity will be overshadowed by IT in government organizations. International standards such as ISO/IEC 27001 emphasize the need to separate cybersecurity from any potential conflict that may arise and that cybersecurity teams should report directly to the organization’s leadership instead of reporting to any other unit, where the issues raised are likely to remain on the back burner.
Many other countries’ national cybersecurity frameworks ensure that chief information security officers (CISOs) directly report to chief executive officers (CEOs) or chief risk officers (CROs) instead of chief information officers (CIOs), and that their security budget, key performance indicators (KPIs) and performance evaluation of cybersecurity are entirely independent of information and communication technology (ICT).
Pakistan’s cybersecurity policy effectively addresses capacity building and the need for research, development and public-private partnership. Cybersecurity research and development are critical to achieving the broader objective of developing and utilizing indigenous cybersecurity products, solutions and services. Becoming independent and self-sufficient will be hugely advantageous to Pakistan’s economy as well, because mature, home-grown products and solutions can be exported to other countries within the region that are experiencing cybersecurity issues.
Cybersecurity research and development are critical to achieving the broader objective of developing and utilizing indigenous cybersecurity products, solutions and services.
The policy also emphasizes establishing a national cybersecurity culture. However, the implementation of cybersecurity awareness programs should not be restricted to the government sector only, but rather all organizations in the private sector should ensure that they carry out robust and effective cybersecurity awareness programs.
With increasing digital transformation and ecommerce activities across Pakistan, the policy duly addresses the requirements for establishing trust in digital transactions and promulgates the adoption of a risk-centric approach to all cybersecurity decisions.
Conclusion
Pakistan’s National Cybersecurity Policy 2021 provides much-needed direction to the overall benefit of society at large, however, policy makers have yet to clarify the following:
- Operating framework of the CGPC
- Reporting structure of the CGPC
- Powers granted to the CGPC
- Members of the CGPC
Clarifying these matters will help organizations address structural issues and, ultimately, achieve effective cybersecurity governance. Additionally, understanding the functions and structure of the CGPC is important to ascertain its operating model and effectiveness. The absence of clarity around roles, responsibilities and authorities of formulated bodies leads to scenarios where such committees become dormant and a source of revenue consumption without any substantial contribution to the policy objectives.
Additionally, the policy’s benefits can only be reaped if it is implemented consistently and effectively across all sectors. To do so, it is imperative that Pakistan’s policy makers undertake the following steps:
- Establish an overarching cybersecurity framework incumbent upon organizations of all sizes and types.
- Establish a robust audit mechanism through which all organizations, regardless of type and size, can undergo to achieve and maintain compliance.
The cybersecurity framework along with robust audit mechanisms acts as policy enforcement tools to ensure that the objectives of the cybersecurity policy are consistently pursued by applicable organizations. It is, therefore, equally important that the Government of Pakistan appoints organizations to perform audits of the organizations implementing policy measures on a periodic and as-needed basis, and reports their compliance status to the Government of Pakistan.
Endnotes
1 Ministry of Information Technology and Telecommunication, National Cyber Security Policy 2021, Pakistan, July 2021
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Unpacking Pakistan's Cybersecurity Policy 2021” episode of the ISACA® Podcast.
Muneeb Imran Shaikh, CRISC, CDPSE, CCSP, CISSP, ISO 27001 LI, ISO 27701 LI, Forrester Zero Trust Strategist, PMI-ACP
Is a cybersecurity strategy and governance consultant based in the Middle East, providing consultancy services for cybersecurity strategy and governance, risk and compliance (GRC) to organizations in the government, financial and health care sectors. He is also the author of various cybersecurity publications. Shaikh can be contacted via email at muneebimranshaikh@gmail.com or through LinkedIn http://linkedin.com/in/muneebimranshaikh.