In these days of the ever-changing digital landscape, there is no doubt that artificial intelligence has opened new doors in the technological age, and while these doors offer great benefits, there can also be no argument that these advancements also pose serious threats to the already lackluster cybersecurity laws of Pakistan.
While AI has undeniably the potential to fortify our security defenses as well as open our economy to newer horizons, however, it has also unfurled a new dimension of challenges in the form of AI-generated cyber threats, and these threats have serious criminal implications for individuals, organizations, governments and the state itself across the globe.
AI powered cyber threats are a dangerous adversary in the digital world as they utilize the massive power of a sophisticated and efficient AI algorithm and in addition to this efficiency, the algorithm has a defining trait of adaptability and improvement. Through this adaptability, it can repeatedly improve failing attack patterns and reshape its approach and tactics to penetrate the responsive defense. Yet cyber-penetration is only a single aspect of the broad range of cyber threats that AI can wield.
For instance, AI can generate realistic and humanlike phishing emails that cater to the idiosyncrasies of individual recipients. In fact, there has been a growing increase in AI-generated phishing emails and messages that cater to the personalized data obtained through clandestine means to defraud individuals and these attacks arrive at an extraordinary pace as automated attacks zero in on multiple vulnerabilities that go beyond the capacity of an individual to match. These attacks pose a considerable challenge to cybersecurity.
Another aspect to consider is AI's capacity to generate deepfake images, videos and messages to deceive their targets. These deepfakes generated content is difficult to determine as forgeries without a proper investigation into said content, and this could be used to commit various criminal activities against individuals especially if there are grave vulnerabilities to the legal jurisdiction regarding the matter.
Just like cryptocurrency, the Government of Pakistan has been ignorant of the vast magnitude that AI offers to the country as well as the threat it poses to cybersecurity.
Pakistan’s cyber laws are centered on the obsolete Prevention of Electronic Crimes Ordinance 2007, which is often read with the even more obsolete Payments & Electronic Fund Transfer Act 2007 and Electronic Transaction Ordinance 2002. Most of Pakistan’s cyberlaws focus on hate speech and terrorism with some focus on child pornography and security. It speaks volumes on the obsolete nature of Pakistan’s cyberlaws that the term cryptocurrency is not legally defined in the cyberlaws of Pakistan, and there is no concept of its recognition as a financial tender.
Ironically, there has been little parliamentary discussion despite the fact that in 2021, it was reported that Pakistanis held nearly $20 billion in crypto assets, yet rather than regulating such a vast wealth or creating a digital currency bank, the country decided to use the FATF as an excuse, and declared a ban on all cryptocurrency, which means that any individual holding any digitized currency will not only be unprotected against AI generated cyberattacks to their digital wallets, but will also face prosecution by the state. Just like cryptocurrency, the Government of Pakistan has been ignorant of the vast magnitude that AI offers to the country as well as the threat it poses to cybersecurity.
The State of Pakistan has looked to form a bureaucratic entity under the national AI policy, which in itself was below subpar, however the formation of the entity remained unexplained with its duties, powers and authority just as undefined as the AI within the policy itself. One of the most important things that Pakistan fails to consider is that its cyberlaws nor policy fail to define what AI even is and what form of conceptual understanding the state wishes to follow which is the first essential step towards implementing protection against AI-generated attacks. For instance, the debates around the actual limits of ‘intelligentization,’ aka AI improvements are ongoing where one school of thought such as presented by the Swedish-American physicist Mex Tegmark submits that the AI intelligence growth has no limits and eventually these machines will not only come to par with the human intellect, but will outgrow the latter’s potential where on the other hand the German psychologist Gerd Gigrenzer argues through compelling evidence that human intelligence is not merely limited to calculative growth, but comprises common sense, intuition, consciousness and these aspects of the human minds will most likely remain outside the scope of complex algorithms.
The importance of Pakistan’s policy to understand and partake with these schools of thought will help it determine proper legal safeguards against AI-generated cyberattacks allowing for not only a secure digital environment but will also help secure the digital economic landscape allowing for greater economic growth. Considering the obsolete nature of Pakistan’s cyber laws, the incoming government of Pakistan needs to immediately declare a proper policy concerning AI wherein it needs to define artificial intelligence, and the nature of the intelligence itself, after which it must pass extensive legislation which shall acknowledge the significant role of AI and this legislation must include provisions making it mandatory for organizations to report cyber skirmishes and establish stringent data protection policies with penalties for non-compliance.
Copyright law must also protect the intellectual property of individuals who may witness their works being copyrighted by AI.
These reports must be sent to a cybersecurity institution which shall examine these attacks and be dynamic and flexible to determine the changing patterns of these attacks. To protect against AI processing voluminous private data, the law must make it mandatory for organizations to maintain transparency in their data handling policies, seek explicit consent of data holders and provide individuals to wield their rights over personal data.
In addition to this legislation, patent and intellectual property laws must be amended as well, since AI technology is vastly growing and these obsolete laws must be updated to accommodate the nascent innovations brought forth by AI. Additionally, copyright law must also protect the intellectual property of individuals who may witness their works being copyrighted by AI. State policy must be formed regarding the exporting and importing of AI tools that could be harnessed for malevolent cyber pursuits which will not only help internal digital security but also help bolster international cybersecurity endeavors. Furthermore, the formation of ethical boundaries, and asking organizations to fashion ethical frameworks as mandatory for company registrations could go a long way in not only securing the workplace environment but also the digital environment of said workplace. Lastly, these legal frameworks should not be rigid but chameleonic in nature so that the framework can adapt to the dynamic nature of AI-powered threats to cybersecurity.
Pakistan’s state policy has always played catch-up with the world and often in a panic the government has passed policies that not only fed insecurity, but also promised long-term harm to the capacity of the state and its economy, as we witnessed with cryptocurrency recently. AI promises to revolutionize the world and Pakistan cannot be blind to the advantages and threats that this revolution promises to bring. For once, Pakistan must take the initiative.