The Ministry of Information Technology and Telecommunication has drafted the National Cyber Security Policy 2021, which envisages developing secure and resilient cyber systems and networks for national cybersecurity and response.
The policy framework is envisaged to secure the entire cyberspace of Pakistan including all information and communication systems used in both public and private sectors.
The objectives of the policy are:
– To establish a governance and institutional framework for the secure cyber ecosystem,
– Create protection and information sharing mechanisms (CERTs/SOCs) at all tiers, capable of monitoring, detecting, protecting and responding against threats to national ICT/CII infrastructures,
– Protect National Critical Information Infrastructure by mandating national security standards and processes related to the design, acquisition, development, use and operation of information systems,
– Enhance the security of government information systems and infrastructure,
– Create an information assurance framework of audits and compliance for all entities in both public and private sectors,
– Ensure integrity of ICT products, systems and services by establishing a mechanism of testing, screening, forensics and accreditation,
– Develop public-private partnerships and a collaborative mechanism through technical and operational cooperation,
– Create a countrywide culture of cybersecurity awareness through mass communication and education programs,
– Develop and create skilled cybersecurity professionals through capacity building, skill development and training programs.
“To mitigate cyber threats the country faces today and to improve the national cybersecurity outlook, it is imperative to undertake the strengthening of national cybersecurity capabilities through the development of essential and well-coordinated mechanisms, implementation of security standards and regulations under a policy and legislative framework,” it added.
The guiding principles to achieve the policy objectives are: all actions will be driven by the need to protect people and enhance national and public prosperity; respective public and private organizations will be responsible for ensuring the cybersecurity of their online data, services, ICT products, and systems; in case of any incident, the government will lead the national response with support from both the public and private sectors; will regard a cyber-attack on Pakistan CI/CII as an act of aggression against national sovereignty and will defend itself with appropriate response measures; and will act in accordance with national and international laws and expect reciprocal respect of our national digital sovereignty.
To achieve the objectives, an implementation framework shall be developed by a designated organization of the Federal Government dealing with the subject of Cyber Security. This organization shall also act as the Central Entity at the federal level for coordinating and implementing all Cyber Security related matters.
National Level: The Central Entity along with its National Computer Emergency Response Team (nCERT) and National Security Operation Center (nSOC).
Sectoral Level: Sectoral Regulator(s)/CERTs (Defense, Telecom, Banking and finance, Power, Federal and Provincial public sector)
Organizational Level: Enterprises, entities and individual users.
The Central Entity will also undertake specific actions, including but not limited to the following: working with Internet Service Providers (ISPs) and telecom operators to block malware attacks by restricting access to specific domains or websites that are known sources of malware (known as Domain Name System (DNS) blocking/filtering); preventing email phishing and spoofing activity on public networks; promoting security best practice through internet governance organisations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Engineering Task Force (IETF), European Regional Internet Registry (RIPE) and UN Internet Governance Forum (IGF) etc.; working with international law enforcement channels to protect Pakistan citizens from cyber-attacks from unprotected infrastructure overseas; working towards implementation of controls to secure the routing of internet traffic for government departments so that it is not illegitimately re-routed by malicious actors; and investing in capability enhancement programs for Law Enforcement Agencies (LEAs) and concerned Ministries/Divisions to enable them to respond to state-sponsored and criminal cyber activities targeting Pakistan networks and systems.
The Central Entity will initiate actions, including but not limited to: developing an Internet Protocol (IP) reputation service to protect government digital services (this would allow online services to get information about an IP address connecting to them, helping the service make more informed risk management decisions in real time); seeking to install products on government networks to ensure that software is running correctly and not being maliciously interfered with; and looking to expand beyond the gov.pk domain into other digital services measures that notify users who are running out-of-date browsers.
To achieve this critical objective, the Central Entity will: operate requisite technical platforms to protect National Critical Information Infrastructure and work as the nodal organization in the country; and institute processes for identification, prioritization, assessment and protection of Critical Information Infrastructure.
It will ensure a secure ICT environment including Mobilelink systems and cloud-based solutions through state-of-the-art security measures; mandate implementation of national security standards by all critical sector entities to reduce the risk of disruption; develop a mechanism for protection of Critical Information Infrastructure and its integration at the entity level through relevant sectoral CERTs; establish and enforce risk management methodologies according to international standards, inter alia ISO/IEC 27005:2008 and ISACA RISK IT etc.; and mandate all operators of national, provincial and organizational Critical Information Infrastructure to hire qualified Information Security individuals and add an appointment of Chief Information Security Officer (CISO).
To cater to the specific needs of public sector information infrastructure, the Central Entity will: define and enforce a robust Government Authentication and Data Protection Framework; create a vulnerability assessment and patch management process for all government technical systems; work with relevant government entities to ensure mandatory allocation of a certain percentage of the ICT project budget for Information Security Assurance; formulate a mechanism for creation and enforcement of a staff vetting and clearance scheme across the government; and improve security in government outsourcing and procurement through vetting of suppliers and enforcement of security clauses in contracts.
The implementation mechanism provided for this policy may require considerable time to become completely functional. Therefore, during this interim period, the capacities and capabilities that state organizations and institutions currently have, and that are supportive of the implementation of this policy, will be utilized, and their continued use will be integrated with an all-encompassing implementation mechanism.
Pakistan Telecommunication Authority, as per the Telecom Act 1996, Telecommunications Policy 2015, and PECA 2016, will implement the Telecom Sector technical platform (sectoral CERT as provided herein) in collaboration with the telecom industry.