Strengthening The Legal Framework For Cybersecurity in Pakistan: The Computer Emergency Response Team Rules, 2023

305 STRENGTHENING THE LEGAL FRAMEWORK FOR CYBERSECURITY IN PAKISTAN: THE COMPUTER EMERGENCY RESPONSE TEAM RULES, 2023 By Kamran Adil, Police Service of Pakistan I- INTRODUCTION Linking the concept of cybersecurity with geo-politics, the Global Cybersecurity Outlook Report, 2023 noted that 91% of the respondents (that included business and cyber leaders) feared that 'global geopolitical instability' might result in 'a far reaching, catastrophic cyber event' in the 'next two years'.1 With this type of forecast, one can surmise that the land-scape of the global state of cybersecurity is far from ideal. In this context, exploring the legal and regulatory framework of the cybersecurity in Pakistan may be useful. For this, the point of departure can be the working definition of the concept of cybersecurity, which has been defined by the Cybersecurity and Infrastructure Security Agency of the US (CISA) as: "Cybersecurity is the art of protecting networks, devices, and data from unauthorized access, or criminal use and the practice of ensuring confidentiality, integrity, and availability of information."2 The definition, in its totality, is very wide. Contrary to the conventional understanding of preventive and preemptory nature of the cybersecurity, it encompasses the 'rights' dimension of the cybersecurity by stating to take into account the 'criminal use' of computers. With this expansive dimension in mind, let us explore different aspects of the legal and regulatory framework of the cybersecurity in Pakistan. II- THE LEGAL FRAMEWORK Like many countries in the world, technology led the law making in Pakistan. After the advancements in the telecommunications, the Pakistan Telecommunication (Re-organization) Act, 1996 was enacted. It established the Pakistan Telecommunication Authority (PTA), a statutory body to regulate the licensing and competitive regime within the telecommunication sector3. Under the governance scheme, as stated in the Rules of Business for the Federal Government in Pakistan, the PTA works under the Cabinet Division and is placed there with other regulatory authorities for providing competitive field4. Later, in 2002, two new laws titled as the Electronic Transactions Ordinance, 2002 (ETO) and the Pakistan Electronic Media Regulatory Authority Ordinance, 2002 (PEMRA) were enacted. The former was to provide legal cover to the electronic transactions whereas the latter provided for regulation of competition in media industry for electronic media. On the criminal side, after initial temporary legislation, the Prevention of Electronic Crimes Act, 2016 (PECA) was promulgated. The law settled many important issues especially related to the social media regulation5, the cybercrimes6 and for the cybersecurity7. Thus, after the promulgation of the PECA, it is to be treated as the master legal framework in Pakistan that is applicable to cyberspace. It may, however, be noted that at the federal level, the enforcement of the PECA falls under the responsibility of the Ministry of Interior under the Rules of Business for the Government of Pakistan8. This entrustment to the Ministry of Interior, however, is shared with the Ministry of Information Technology and Telecommunications9. III- THE COMPUTER EMERGENCY RESPONSE TEAM RULES, 2023 The PECA empowers the federal government as well as the PTA to prevent cybercrimes10. Conversely, it criminalizes non-compliance of orders for prevention of breaches of cybersecurity11. In addition, the PECA requires that the federal government may constitute the Computer Emergency Response Teams (CERT)12. In pursuance of the statutory responsibility, the federal government, on 26th September, 2023, framed Rules for the computer emergency response team13. The salient features of the Rules are: a. ESTABLISHMENT OF CERTs: The Rules establish CERTs at three levels: a) National level, b) Sector-wise, and c) Organizational level14. The Rules establish a central CERT Council that shall oversee the working and performance of all the CERTs. The CERT Council, primarily, has a coordination role. It shall oversee the working of the National CERT, the Critical Information Infrastructure CERT, the Sectoral CERT, and the Provincial CERTs. The CERT Council is an inter-ministerial body having representatives from all the relevant ministries including the Ministry of Interior15. It is assumed that the representative of the Ministry of Interior will stir kinetic response from the law enforcement agencies including the civil armed forces and the representative of the Ministry of Defence shall coordinate response from the armed forces. b. FUNCTIONING OF CERTs: Three types of functions16 are required from CERTs under the Rules; these are: i. Proactive Function ii. Responsive function iii. Sustenance functioning Each function is further expanded in the Rules. The Proactive Function includes real time announcements and dissemination of information, technology watch, security audits, intrusion detection, malware analysis, and inclusion of academia. The Responsive Function covers incident management and vulnerability management. The Sustenance Function is not clearly spelled out, however, security quality management is added to explain it in the Rules. The elaborate functioning system in the Rules, if implemented, can be very effective. c. ESSENTIAL COMPONENTS OF THE CERTs: The Rules provide for four essential components of each CERT, which are: i) Security Operations and Compliance Centre, ii) Coordination and Capacity Building Center, iii) Technology Development Teams, and iv) Supporting Labs. The Security Operations component is supposed to work 24/7 and must cover the Governance, Risk Compliance (GRC) and the Operations and Monitoring functions. The Rules provide adequate legal cover to the cyber threat intelligence system with criminal justice grade requirements like timestamps and Autonomous System Number (ASN)17. The timestamps and ASNs can be effectively used by forensic experts to prosecute an offender for cybercrimes. It may be noted that these features are particularly useful for tracing and reverse tracking counter terrorism financing and money laundering cases. The Rules also require establishment of a Digital Forensic Lab18 that will surely help in prosecuting territorial and extra-territorial law enforcement actions. The Rules may be further refined in future to specify the ownership and management for Digital Forensic Lab for its accreditation and for its smooth and neutral functioning. d. OPERATIONALIZATION: The Rules have attended to operationalization aspects of the CERTs. The Rules require that every CERT must designate a Point of Contact (PoC). The non-compliance of the orders of the National CERT has been made consequential by providing a procedure for ensuring timely action by all CERTs. 19 e. KEY PERFORMANCE INDICATORS: Finally, the Rules provide for a National CERT Capability Maturity Model that specifies minimum standards for start-ups, formative entities, established organizations. The capability model has been built into the Key Performance Indicators that will be used for monitoring of different entities for cybersecurity20. IV- WAY FORWARD The newly framed Rules cover but a part of the whole spectrum of the cybersecurity for Pakistan. There is scope to further strengthening the legal framework by specifying and synchronizing the governmental structures with the Rules and with the National Cyber Security Policy, 2021. This alignment must also take into account mainstreaming of the technical information technology prowess with the criminal justice system that protects the rights of people. The unregulated areas of the virtual and crypto-assets must be properly regulated and special rules for collection, handling, processing and proving digital evidence forensically may be introduced to ensure dissuasive deterrent justice sector response to evolving technological challenges. 1 Global Security Outlook Report, 2023 available at: https://www3.weforum.org/docs/WEF_Global_Security_Outlook_Report_2023.pdf. 2 https://www.cisa.gov/news-events/news/what-cybersecurity 3 Section 4 of the Pakistan Telecommunication (Re-organization) Act, 1996 4 Item 83 of Cabinet Division of the Schedule II of the Rules of Business, 1973 (protected and framed under Articles 90 and 99 of the Constitution of Pakistan, 1973) 5 The Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules, 2021 framed under sections 37 and 51 of the Prevention of Electronic Crimes Act, 2016. 6 Sections 3 to 26 of the Prevention of Electronic Crimes Act, 2016. 7 Sections 48 and 49 of the Prevention of Electronic Crimes Act, 2016. 8 Items 31 and 32 of the Interior Division of the Schedule II of the Rules of Business, 1973. 9 Item 1 of the Information Technology and Telecommunications of the Schedule II of the Rules of Business, 1973. 10 Section 48 of the Prevention of Electronic Crimes Act, 2016. 11 Section 48(2) of the Prevention of Electronic Crimes Act, 2016. 12 Section 49 of the Prevention of Electronic Crimes Act, 2016. 13 The Computer Emergency Response Team Rules, 2023. 14 Rule 3 of the Computer Emergency Response Team Rules, 2023. 15 Rule 4(3) of the Computer Emergency Response Team Rules, 2023. 16 Rule 11 of the Computer Emergency Response Team Rules, 2023. 17 Rule 13(1) of the Computer Emergency Response Team Rules, 2023. 18 Rule 13(4) of the Computer Emergency Response Team Rules, 2023. 19 Rule 26 of the Computer Emergency Response Team Rules, 2023. 20 Rule 12 of the Computer Emergency Response Team Rules, 2023.