Cyber governance policy being formulated
The government has drafted the Cyber Governance Policy aimed at realising the full potential of information and communication technologies for socio-economic development by assuring availability, confidentially and integrity of the critical infrastructure and information system, besides providing reliable, secured and resilient cyber space for all. According to the policy draft, the country’s cyber governance policy is being formulated in consultation with all the stakeholders. In this regard, a draft on cyber security framework has also been shared by the law enforcement agencies (LEAs).
“The government is also planning to establish a Cyber Security Authority to deal with cyber threats, while terming it a serious matter. The government is cognisant of security threats and working on a plan to establish Cyber Security Authority to deal with such kinds of threats,” said a senior official of the Ministry of Information Technology and Telecommunication.
Important elements relating to integrated Cyber Security Policy (a part of cyber governance), which are being given due consideration, include; (i) transparency in both policymaking and implementation; (ii) public trust -safety vs surveillance (civil liberties); (iii) practicality and manageability of structure; (iv) technical soundness, completeness and adequacy; (v) balance between safety and development/growth/economic considerations; (vi) continued funding and sustainability; (vii) and international compatibility (diplomatic connotations).
To cater all the abovementioned considerations in balanced way, a tiered approach for cyber security structure for Pakistan is being deliberated whereby institutional setups at national and sectoral levels will be proposed to the federal government.
This approach is aimed at creating, enhancing and laying down specifications of technical interface and processes for national, provincial sectoral and organisational level mechanisms for assessment of threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive protective response and post incident recovery actions.
The cyber governance/security policy draft includes the following major blocks cyber governance/security policy: (i) vision, scope, objectives; (ii) governance model; (iii) institutional structure and functions; (iv) standards; (v) cross structure collaboration model and processes; (vi) risk assurance framework; (vii) capacity building; (viii) R&D and indigenisation; (ix) model for international collaboration; (x) awareness; (xi) and legislative cover for the institutional model/operationalisation of PECA 2016
Keeping in view the ever changing and evolving dynamics of the cyber space, the government of Pakistan through the proposed draft cyber security policy is considering the option of establishing a specialised and autonomous body for cyber security, under an appropriate high-level reporting mechanism.
The proposed body, having autonomous functional model and broader oversight board with representation of relevant stakeholders will be equipped with all the modern and necessary tools to effectively deal with the issue issues of cyber security in the country in both proactive mode including threat prediction and anticipation as well as reactive capacities for effective response to cyber incidents.
The draft lays out the roles and responsibilities of policy formulation on the subject as well as implementation mechanism where the central institution will be responsible to set up policy mandated standards, coordination process between various tiers, threat environment grading mechanisms, dynamic critical infrastructure classification mechanisms and risk mitigation assurance mechanism for all classes of users and entities across various sectors.
User and organisation level compliance will be ensured through relevant sectoral cyber security apparatus across various sectors. Further legislative and regulatory requirements to be persuaded by the federal government have also been spelled out.
In the first instance, the draft policy document will be presented to the cyber governance policy committee and thereafter the draft will be broadly consulted with the telecom industry as well as other cross domain stakeholders.