NISP 2018: How Pakistan’s new Internal Security Policy perceives cyber threats?

In the midst of reports that terrorists are actively using social media, it seems that the architects of Pakistan’s internal security policy have finally woken up to the new reality of countering terrorist threats in cyberspace.

The recently approved National Security Policy, NISP (2018-2023), makes references on multiple occasions to cybercrimes and the threats that they pose to the internal security.

It is important to mention here that when the first NISP (2014-2018) was introduced, it did not address the issue of terrorism in cyberspace. It did not even talk about using modern technology to improve internal security. However, four years down the line, the second NISP, approved by the outgoing cabinet of former Prime Minister Shahid Khaqan Abbasi, has expressed its commitment to take actions against the threats in cyberspace.

Noting with concern the use of internet by terrorists to spread propaganda, NISP expresses desire to take a series of steps to push back against the emerging threats in cyberspace.  It has also expressed its desire to make full use of modern technology to enhance internal security.

While one can argue at this point that NISP has not comprehensively addressed the threats posed by cyberspace to internal security, it is nevertheless a welcome step that policy makers are finally taking broader view of challenges to internal security. Some of the key points highlighted in the National Internal Security Policy are below:

Threats to Cyberspace:

Listing cybercrimes as one of the security challenges, the NISP uses generic terms to emphasize the threats in cyberspace.  It notes with concern the rising sophistication in the cyber-attacks that have allowed groups to not only hack critical government or financial data but also allowed them to virtually paralyze the country through attacking communication network or energy infrastructure.

The NISP also expresses concern at the way terrorist groups such as Daesh are using “social networking sites to spread their poisonous ideology and recruit people.”  It further adds that “internet has enabled them to rapidly disseminate their messages and reach out to a much bigger audience circumventing the barriers imposed by geography and distance.”

It is important to note that the policy does not explicitly give out any figures to reflect on to what extent the threats in cyberspace are an internal security problem.  While independent media sources have often touched upon the scope of terrorist use of internet in Pakistan, it would have been helpful if the NISP had provided some statistics about the government’s own internal assessment related to threats in cyberspace.

Also, it is interesting to note that the policy document only refers to Daesh use of social media despite that there have been many other local proscribed organizations that have been using internet to propagate their ideology.  As investigated by Dawn exactly a year ago in 2017, 41 out of 64 proscribed organizations were found to be using Facebook.

Mitigating threats in Cyberspace:

The NISP has also put forth a range of commitments to mitigate the rising threats in cyberspace. For instance, it states that a National Cyber Security Strategy shall be developed to secure services and infrastructure from cyber- attacks.  Another commitment has been to establish a combined civil-military cyber command force to ensure intra and inter agency coordination.

Additionally, commitments to enhance the capacity of FIA Cybercrimes Wing and NACTA’s Cyber Security Wing have been made to allow them to “curb cybercrimes and monitor misuse of cyberspaces for extremist or proscribed organizations in collaboration with PTA.”  On another occasion, NISP commits to using PTA to “secure online spaces to curb provocative statements and hate speech.”

Reading the above passage, one gets an impression as if the policy talks about proactive monitoring of cyberspace whereas officials within PTA and FIA have repeatedly emphasized that they do not pursue active monitoring of internet. They have stated that they are only liable to take action when a complaint is filed with them.  This also raises another legal question; does law give room to NACTA’s cyber security wing to monitor misuse of cyberspace or even curb cybercrimes? Under current legal regime, there is no role for NACTA to prevent misuse of cyberspace. Apparently under Fair Trial Act 2013, an intelligence agency can seek permits to gather information using modern devices. Also under PECA, so far FIA is the only investigating agency responsible for investigating cybercrimes.  Thus, the policy brings to mind the issue of legality in active monitoring of social media and that too by government bodies not mandated to do this job.

Lastly, NISP has committed to launching public awareness campaigns to promote awareness about the cyber security threats.  This is a welcome step. In some limited capacity, FIA has already been making efforts to raise awareness about cybercrimes. However, it would have been helpful if the NISP had expressed its commitment to working with civil society in running these public awareness campaigns.

Use of technology to enhance Internal Security:

NISP has expressed willingness to set up centralized data bases to streamline a number of processes and improve internal security. It notes that “Information/data management is (the) key to public service delivery in the 21st century.” The policy notes that already there have been successful examples in the past in the form of “the Integrated Border Management System, Safe City project and the biometric SIM registration system are successful examples of using information technology” More initiatives in this area would include setting up National criminal data base and fingerprint system, a national centralized vehicle data base and a robust and closely interlinked system based on modern technology connecting Police Stations, Investigation, Forensic Science Laboratories and Bomb Disposal Units.

No comments

leave a comment