Govt moves to establish Cybersecurity Authority at federal level

• Nadra, FBR, telecom sector declared critical infrastructure.
• Cybersecurity Act sent to stakeholders for consultations.
• Work also underway on Information Security Framework 2025.
  

ISLAMABAD: Amid the prevailing risks in the digital and cyber domain, the government has decided to establish a Cybersecurity Authority at the federal level, The News reported on Monday.

The authority will propose cybersecurity measures for critical national infrastructure and will implement cybersecurity initiatives across the country.

The Ministry of IT has prepared the initial draft of Cybersecurity Act and sent it to stakeholders for consultation. The National Cybersecurity Policy provides a framework for nationwide digital protection, and its implementation is underway under the Digital Economy Enhancement Programme.

The move follows the acknowledgement by the Ministry of Information Technology and Telecommunications, who back in September, admitted the country has faced several major cyberattacks and data leaks in recent years.

In a report submitted to the National Assembly, the ministry, however, said that complete details could not be shared through this channel due to the sensitive nature of the issue, adding that full information could be provided in a closed-door briefing.

It added that due to the lack of dedicated human resources, technical expertise, effective monitoring systems, and a generally weak security posture, many cyber incidents either go undetected or are not reported at the institutional level.

Major cybersecurity breaches were also highlighted in the report, including the one involving Oil and Gas Development Company Limited (OGDCL), where unauthorised access was gained to the core data centre infrastructure, resulting in the deletion of 21 virtual servers. Operations were eventually restored after a three-day recovery effort from the disaster recovery (DR) site.

The ministry identified several root causes for these incidents including the lack of resource allocation for cybersecurity, particularly the absence of dedicated human resources and funding along with inadequate oversight and commitment from senior management, the absence of an effective governance structure and comprehensive cybersecurity policies.

Meanwhile, the Ministry of IT's documents show that progress has been made on Secure Data Exchange Layer and digital identity projects. National Database and Registration Authority (Nadra), the Federal Board of Revenue (FBR) and telecom sector data have been declared critical digital infrastructure and protecting information systems of key institutions is a government priority.

The process of declaring Immigration and Passports systems as critical infrastructure is also underway. Until the establishment of National Cybersecurity Authority, the CERT Council remains active.

The CERT Council consists of 14 public and private institutions and is strengthening cyberattack response and coordination.

The work is also ongoing on Pakistan Information Security Framework 2025, said the ministry.