Policies are important. These give directions to all matters of national importance. Lack of state policies reflect an absence of aim and direction. Nothing can be more disconcerting than a non-existent national cyber policy.
The digital revolution and the pervasiveness of the Internet has not only made communication fast, it has also increased manifold the risk of cyber attacks. It is perhaps a sign of times that cyber warfare is now recognized as an existential threat to nations. In the US policy makers talk of the possibility of a cyber pearl harbor and an extreme response to such an attack. Like all other digitally linked countries, Pakistan is vulnerable to malicious cyber activity. According to the Snowden revelations of 2013, Pakistan is the second most spied country in the world. This may or may not be the most accurate description of how precarious Pakistan is on the digital front.
Unfortunately Pakistan has no national cyber policy. The only area that has merited attention so far has been cyber crime. The Federal Intelligence Agency (FIA) has a designated body the National Response Center for Cyber Crime (NR3C) that is responsible to investigate electronic crime. The activity of this unit is hampered because of insufficient legislation to persecute digital criminals. The only existing piece of cyber legislation, the Prevention and Control of Cyber Crimes Ordinance (PECO), lapsed in 2009. The Electronic Documents and Prevention of Cybercrimes Act, 2014 is pending before the parliament. Compared to this Indian IT Act was promulgated in 2008. The Indians also have a national Computer Emergency Response Team (CERT) to respond to computer related emergencies. Pakistan regretfully has none. The Indians have copied the American model by creating the office of the cyber security coordinator. In the US, the cyber security coordinator reports directly to the President. The Department of the Homeland Security (DHS) is responsible for cyber security in the US. Critical infrastructure is of primary interest in the US and other advanced nations. A number of cyber policies have been prepared and released for public consumption in the US. The Presidential Policy Directive 20 (PPD-20) provides the framework for national cybersecurity by establishing principles and processes. Other documents include National Security Presidential Directive (NSPD)-54/Homeland Security Presidential Directive (HSPD) 23. The policy directives on cyber security of critical infrastructure are covered by the Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD)-21 Critical Infrastructure Security and Resilience.
Billions of dollars are spent on cyber security in the US. The National Security Agency (NSA) and the national Cyber Command (Cybercom)are responsible for the offensive and defensive aspects of cyber security of USA. Pakistan needs to do a lot of work to put its cyber house in order and it will have to begin by scripting policies on national cyber security policy.