[BreachExchange] Can Pakistan's New Cybersecurity Law Help Combat Cybercrime?

Tue May 10 21:25:35 EDT 2016

http://www.databreachtoday.com/blogs/pakistans-new-cybersecurity-law-help-combat-cybercrime-p-2123

Pakistan's bill on cybersecurity, first presented in June 2014 before the
National Assembly, has been passed under the Prevention of Electronic
Crimes Act, 2015. Cybersecurity critics welcome the move, considering it a
milestone toward cybersecurity and defence. They also say it's unfortunate
that there was no cybersecurity policy and legislation in Pakistan before
now, when other Southeast Asian countries were way ahead in addressing such
challenges.

The Ministry of Information Technology says the Act will come into force
with immediate effect and apply to every citizen of Pakistan, as well as to
every enterprise and to all those who are residing in Pakistan for the time
being.

The law clearly articulates offences and punishments for unauthorised use
of identity information; tampering of communication equipment; interference
with critical infrastructure, information systems or data; making,
obtaining or supplying device for use of offence; and cyber stalking.

It is interesting to note that cyber terrorism, electronic forgery;
electronic fraud; tempering of communication equipment; writing malicious
code; cyber stalking through coercing or intimidating or harassing any
person; and misusing information, spamming and spoofing, among others, get
special attention with prescribed sections for punishment if violated.

The federal government establishing or designating a law enforcement agency
for investigation of offences under this Act is definitely a positive move
in addressing cybercrime challenges.

Why the Scepticism?

While it's a surprise that the Pakistan government was able to pass the
bill amidst much criticism from the opposition of the house, there is also
cynicism about its execution plan.

The intrinsic question that strikes everyone's mind: Why - while the entire
world is talking about growing cyberattacks and cyber espionage, and every
nation is working on cybersecurity frameworks to combat growing crimes -
has Pakistan just woken up now?

The country's critical infrastructure - including banks, utilities sector,
healthcare, defence, among others - is vulnerable to sophisticated
cyberattacks. Why such a lackadaisical approach towards cybersecurity,
given that nation-state attacks against rival states are rampant?
Pakistan's intellectual and political circles agree that the nation is way
behind in cybersecurity compared with Iran, India and China.

Historically, both India and Pakistan have been drawing parallels between
themselves on varied developmental activities taken up.

In this case, many experts agree that India's cybersecurity is far better
than Pakistan's, as India announced its National Cybersecurity Policy in
July 2013. It has also set up a Cybersecurity Task Force to plan a
methodical approach to create a cybersecure ecosystem with focus on skill
development, R&D and a cybersecurity framework by leveraging the
public-private partnership model (see: Creating Private-Public Partners).

In comparison, Pakistan has to take baby steps, and the government is still
not clear on the modus operandi of executing the Act, nor does it appear to
be looking into building a good incidence response mechanism.

Starting from Scratch

Undoubtedly, the Pakistan government is building a cybersecurity platform
from scratch with the passage of the bill.

The Act envelops preliminary areas of cybersecurity. The bill essentially
focuses on detailing the areas of crime/offences and related punishments
and announcing the appointment of an investigation agency and prosecution
agency with procedural powers.

The new law primarily focuses on preventive measures, rather than detailing
proactive measures of building an incidence response plan or building
cybersecurity skills in combating crime.

The Act speaks about issuing guidelines toward prevention of electronic
crimes to be followed by owners of the designated information systems or
service providers. Any violation calls for a fine of up to ten million
rupees. Any subsequent conviction shall be punishable with imprisonment,
which may extend to six months.

Another preventive measure is a proposal to formulate one or more computer
emergency response teams to respond to any threat against or attack on any
critical infrastructure information systems or critical infrastructure
data, or widespread attack on information systems in Pakistan.

According to MoiT, a CERT constituted under sub-section (1) may include
technical experts of known expertise, officers of any intelligence agency
or any sub-set thereof. It will respond to a threat or attack without
causing any undue hindrance or inconvenience to the use and access of the
information system or data as may be prescribed.

Then how is a CERT going to combat all crimes, given the urgency required
to address these challenges?

The only way to scale up, in my opinion, is to issue relevant guidelines
and form an expert panel on a war footing to track cybercrime and work on
an effective incidence response plan for Pakistan. One way is to relax
rules for top security vendors to conduct business directly and help the
country build an effective cybersecurity model via a public-private
partnership approach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160510/9bf4f838/attachment.html>