On Tuesday, the federal cabinet is expected to approve the first “National Cyber Security Policy 2021.”
Syed Amin Ul Haque, the Federal Minister for Information Technology and Telecommunications, informed ProPakistani that the Cabinet meeting on Tuesday will discuss two Ministry agenda items. The Cabinet will discuss the National Cyber Security Policy 2021 as well as the policy direction for the NGMS spectrum auction in Pakistan, Azad Jammu and Kashmir, and Gilgit-Baltistan.
The Ministry of Information Technology and Telecommunications has drafted the National Cyber Security Policy 2021, which states that a cyber-attack on Pakistan is an act of aggression against national sovereignty, and that Pakistan will defend itself with appropriate response measures, act in accordance with national and international laws, and expect reciprocal respect for our national digital sovereignty.
For national cybersecurity and response, the draft strategy envisions establishing safe and resilient cyber systems and networks.
The policy framework is envisaged to secure the entire cyberspace of Pakistan, including all information and communication systems used in both the public and private sectors.
The objectives of the policy are to:
- Establish a governance and institutional framework for a secure cyber ecosystem
- Create protection and information sharing mechanisms (CERTs/SOCs) at all tiers capable of monitoring, detecting, protecting against and responding to threats to national ICT/CII infrastructures
- Protect National Critical Information Infrastructure by mandating national security standards and processes related to the design, acquisition, development, use, and operation of information systems
- Enhance the security of government information systems and infrastructure
- Create an information assurance framework of audits and compliance for all entities in both public and private sectors
- Ensure the integrity of ICT products, systems, and services by establishing a mechanism of testing, screening, forensics and accreditation
- Develop public-private partnerships and collaborative mechanisms through technical and operational cooperation
- Create a countrywide culture of cybersecurity awareness through mass communication and education programs
- Develop and create skilled cybersecurity professionals through capacity building, skill development and training programs.
To mitigate the cyber threats the country faces today and to improve the national cybersecurity outlook, it is imperative to strengthen national cybersecurity capabilities through the development of essential and well-coordinated mechanisms and the implementation of security standards and regulations under a policy and legislative framework, it added.
The guiding principles to achieve the policy objectives are:
- All actions will be driven by the need to protect people and enhance national and public prosperity
- Respective public and private organizations will be responsible for ensuring the cybersecurity of their online data, services, ICT products, and systems
- In case of any incident, the government will lead the national response with support from both the public and private sectors, will regard a cyber-attack on Pakistan CI/CII as an act of aggression against national sovereignty, will defend itself with appropriate response measures, will act in accordance with national and international laws, and will expect reciprocal respect for our national digital sovereignty.
An implementation framework dealing with cybersecurity must be designed by a designated federal government body to meet the objectives. This agency will also serve as the federal government’s focal point of coordination and implementation for all cybersecurity-related issues.
The Central Entity along with its National Computer Emergency Response Team (nCERT) and National Security Operation Center (nSOC).
Sectoral Regulator(s)/ CERTs (Defense, Telecom, Banking and finance, Power, Federal and Provincial public sector).
Enterprises, entities and individual users.
The Central Entity will also undertake specific actions which include, but are not limited to, the following:
- Working with Internet Service Providers (ISPs) and telecom operators to block malware attacks by restricting access to specific domains or websites that are known sources of malware (known as Domain Name System (DNS) blocking/filtering);
- Preventing email phishing and spoofing activity on public networks;
- Promoting security best practices through internet governance organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Engineering Task Force (IETF), European Regional Internet Registry (RIPE) and UN Internet Governance Forum (IGF) etc;
- Work with international law enforcement channels to protect Pakistan citizens from cyber-attacks from unprotected infrastructure overseas;
- Work towards implementation of controls to secure the routing of internet traffic for government departments, to avoid it being illegitimately re-routed by malicious actors;
- Investing in capabilities enhancement programs of law enforcement agencies (LEAs) and concerned ministries/divisions to enable them to respond against state-sponsored and criminal cyber activities targeting Pakistan networks and systems.
The Central Entity will initiate actions, including but not limited to:
- Develop an Internet Protocol (IP) reputation service to protect government digital services (this would allow online services to get information about an IP address connecting to them, helping the service make more informed risk management decisions in real time)
- Seek to install products on government networks to ensure that software is running correctly and not being maliciously interfered with
- Look to expand, beyond the gov.pk domain into other digital services, measures that notify users who are running out-of-date browsers.
To achieve this critical objective, the Central Entity will:
- Operate requisite technical platforms to protect National Critical Information Infrastructure and work as the nodal organization in the country;
- Institute processes for identification, prioritization, assessment and protection of Critical Information Infrastructure
- Ensure a secure ICT environment, including mobile systems and cloud-based solutions, through state-of-the-art security measures
- Mandate implementation of national security standards by all critical sector entities, to reduce the risk of disruption
- Develop a mechanism for protection of Critical Information Infrastructure and its integration at the entity level through relevant sectoral CERTs
- Establish and enforce risk management methodologies according to international standards, inter alia ISO/IEC 27005:2008 and ISACA RISK IT etc
- Mandate all operators of national, provincial and organizational Critical Information Infrastructure to hire qualified information security individuals and add an appointment of Chief Information Security Officer (CISO).
To cater to the specific needs of public sector information infrastructure, the Central Entity will:
- Define and enforce a robust Government Authentication and Data Protection Framework
- Create vulnerability assessment and patch management processes for all government technical systems
- Work with relevant government entities to ensure mandatory allocation of a certain percentage of ICT project budget for Information Security Assurance
- Formulate a mechanism for the creation and enforcement of staff vetting and clearance schemes across the government
- Improve security in government outsourcing and procurement through vetting of suppliers and enforcement of security clauses in contracts.
The implementation mechanism provided for this policy may require considerable time in order to be completely functional.
As a result, during this interim phase, the capacities and capabilities that state organisations and institutions now have and that are supportive of the policy’s implementation will be used, and their continuous usage will be merged with an all-encompassing implementation mechanism.
In partnership with the telecom industry, the Pakistan Telecommunication Authority will construct a telecom sector technical platform (sectoral CERT as described below) in accordance with the Telecom Act 1996, Telecommunications Policy 2015, and PECA 2016.