ISLAMABAD: In 2016, the then government of Pakistan Muslim League-Nawaz introduced a set of controversial cybercrime laws that were widely criticised for posing a grave threat to online free speech. But in their apparent preoccupation with criminalising dissent on cyberspace, the brains behind the legislation seem to have forgotten one crucial aspect of cybercrime prevention: cybersecurity and data protection.
As things stand, Pakistan counts itself among countries considered unsafe for internet users. The 2017 Global Cybersecurity Index places Pakistan at 67 on a list of 165 countries ranked according to how safe their cyber-environments are. Of Pakistan’s roughly 45 million internet users, a staggering 25% have been attacked one way or another by hackers.
In particular, the cyberattacks on Pakistani banks reported late last year underscored the woeful inadequacy of current cybercrime laws. In that episode, hackers stole credit card details of more than 20,000 customers from 22 Pakistani banks and leaked them over the ‘dark web’ – portions of the internet not open to public view and accessible only through special software.
Federal Investigation Agency (FIA) officials complain that current cybercrime laws do not recognise invasion of online privacy and unauthorised access to personal data as criminal offenses, putting Pakistani internet users at great risk of misuse of private information. To further complicate matters, social media networks and email services are not bound to relinquish any information for investigation.
Both officials and experts agree there is a pressing need to formulate an enforceable national cybersecurity framework and set up computer emergency response teams (CERTs) to prosecute and prevent such incidents.
Speaking to The Express Tribune, FIA Additional Director General Ammar Jaffery compared the lack of a legal framework covering cybersecurity to leaving a house unlocked.
“Would you not be practically inviting thieves to rob you? This is exactly what Pakistan’s current situation is with regards to cybersecurity,” he said, stressing the need to immediately introduce laws pertaining to cybersecurity. “Better cybersecurity supported by robust laws would deter would-be criminals from engaging in cybercrimes.”
“The Prevention of Electronic Crimes Act (PECA) which we have right now has some loopholes,” said Zeeshan Riaz, a lawyer who specialises in cybercrime cases. “Take data theft for example, there is no proper law covering it. If someone’s data was stolen today, authorities would encounter difficulties in determining cognisable and non-cognisable offenses, and obtaining warrants.”
He pointed out that all developed countries have laws and policies covering cybersecurity at national and government levels. “In these nations, hacking or leaking someone’s data, scamming people via email, or even breaching a firewall, all of these actions are considered cybercrimes.”
A cybersecurity policy has been in development since 2014, said FIA’s Jaffery. “Currently, it is pending approval from the Senate. It needs to be approved and enacted, because we may not get a chance to draft such a policy again.”
Once the policy is enacted, the next step would be to develop an infrastructure to enforce it, he said. “We need to create an ecosystem, like Turkey – there are over 300 CERTs in Turkey. There are few countries without national CERTs but unfortunately, we are one of them.”
“Right now we see this big vacuum, which the government cannot fill on its own. It needs support from our universities, NGOs and technology partners,” the senior FIA official added. “All institutions, including non-government ones, need to have CERTs. Cybersecurity can only be ensured through the joint effort of all these partners.”
Jaffery pointed out that the government can only expect cooperation from foreign social media giants and offshore internet-based services once cybersecurity laws are in place. “Whenever our authorities approach Facebook, Google and others for information, they ask what legal basis the request has been made upon,” he said.
“These internet giants will only oblige our government once necessary laws are in place. Without these laws and bodies to oversee their enforcement, they will keep declining all government requests for data sharing.”
However, the lack of laws is not the sole hindrance in this regard, according to lawyer Riaz. “Developed countries have memorandums of understanding (MoUs) and mutual legal assistance treaties (MLATs) with the data centres of social media giants like Google, Facebook and Twitter,” he said. “Our government needs to sign such MoUs and MLATs. Often we do not get a response from these internet companies because there is no agreement in place.”
Talking to The Express Tribune, Member Telecom of the Ministry of Information Technology Muhammad Mudassir admitted the need for new laws to cover data privacy and data theft. However, he insisted that this did not mean nothing could be done to enhance cybersecurity in the immediate run.
“Legislation is extremely important to address an issue over the long term,” Mudassir said. “But there are other steps that can be taken now.”
“Preventive and mitigation measures for instance or enhancing coordination with concerned authorities and increasing awareness at the user level… no one is stopping various sectors such as banking and telecom from undertaking them.”
He added that such steps would help create a layered security framework once a national cybersecurity policy was implemented.
Lawyer Riaz agreed with Mudassir, saying “Lay internet users have a lot of tools and applications in the palms of their hands. They should be taught which of these are secure and what measures and software solutions can safeguard them from online risks.”
He said it is foolish to hope online risks can be removed altogether. “Both Canada and Venezuela suffered cybersecurity breaches just days ago,” he pointed out. “We cannot put an end to such incidents but what we can do is mitigate them and the best place to start would be to teach cybersecurity from high school up to university level.”
In the meantime, the FIA has initiated a grand project to enhance the capabilities of its cyber-wing, reveal documents available with The Express Tribune. The project, which is estimated to cost Rs1.12 billion, will see FIA recruit additional personnel, set up more cybercrime reporting centres and introduce a centralised complaint management system.
As many as 416 personnel, 150 of whom will be investigation officers, will be hired on two-year contracts, according to the documents. A quarter of these new positions will be reserved for women.
FIA will also set up new cybercrime reporting centres equipped with forensic equipment and other modern facilities in Islamabad, Multan, Faisalabad, Gujranwala, Sukkur, Hyderabad, Dera Ismail Khan, Abbotabad, Gilgit and Gwadar. Currently, FIA has only five such centres in Karachi, Lahore, Rawalpindi, Quetta and Peshawar.
The lack of cybersecurity laws notwithstanding, FIA officials admitted that a lack of manpower in the cyber-wing has contributed to the dismal state of cybersecurity in the country. Particularly, they pointed out that the wing only has 10 investigation officers for all 15 zones.
According to an FIA report, the agency received 22,148 cybercrime complaints last year. While 7,000 of these were formally registered after necessary scrutiny, cases could only be lodged against 273 suspects. Over 1,550 inquiries were either closed or referred to other departments while 4,906 remain pending. The agency presented challans against 191 suspects in various courts, but only 32 of them were sentenced and fined up to Rs50,000.