Does Pakistan’s Cyber Security Policy Provide Effective Defence Against Cyber-Attacks?

Complete article at https://thefridaytimes.com/.

2022-03-30T13:38:35+05:00 Ayaz Hussain Abbasi
Deterrence is the process of persuading someone to refrain from doing something by convincing them that the costs will outweigh the expected benefits. Understanding deterrence in cyberspace is often challenging because our brains are still influenced by a Cold War-era notion of deterrence: a threat of devastating nuclear reprisal via nuclear means. The comparison to nuclear deterrence, however, is deceptive because the goal of nuclear weapons is ultimate prevention. Deterrence in cyberspace is more similar to crime prevention: governments can only do it imperfectly.

The threat of punishment, denial through the defense, entanglement, and normative taboos are four primary techniques for reducing and preventing bad behaviour in cyberspace. None of the four are ideal, but when taken together, they show the breadth of options available for reducing the possibility of harmful acts. Despite the challenge of attribution, these approaches can complement one another in influencing players' views of the costs and rewards of specific acts. While attribution is necessary for punishment, it is not necessary for deterrence through denial or entanglement.

The United States and other countries have claimed that armed conflict laws apply in cyberspace. The effects of a cyber-operation, not the instruments utilized, determine whether it is classified as an armed attack. As a result, attacks that do not achieve the equivalency of an armed attack are more difficult to deter. As US Special Counsel Robert Mueller's report revealed, Russia's hybrid warfare in Ukraine, as well as its interference in the US presidential election, fell into such a grey area.

Although attribution problems for cyber-attacks and the multiplicity of enemies in cyberspace do not rule out deterrence and dissuasion, they do suggest that punishment must play a smaller role than it does in nuclear deterrence. Both states and criminals can be punished, but the deterrent effect is reduced and dulled when an assailant cannot be detected quickly.

As per the report of the Identity Theft Resource Centre (2021), the total number of data breaches in 2021 was 1,291 compared to 1,108 breaches in 2020. Cyber security experts predict that global cyber-crime will cost $10.5 trillion per year by 2025. To minimize cyber threats, states must establish efficient and robust procedures to maintain effective deterrence.

The threat of a Cyber Pearl Harbor can be directly traced to the development of the World Wide Web (WWW) in the 1990s. Cyber Pearl Harbor is described by Sean Lawson and Michael K. Middleton (2019) as "catastrophic physical repercussions from cyber-attacks on key infrastructure." As governments are threatened with innovative dimensions of warfare, terms like "cyber wars," "cyber-attacks," and "cyber-intrusions" have spread into the state security discourse.

On the other hand, Cyber Pearl Harbor is still a farfetched possibility. Low-stakes cyber-operations by states and non-state actors and high-stakes cyber-operations involving major countries are, however, commonplace.

As a subject of national security, cyber-attacks are at the center of high-level diplomatic debates. At a meeting in Geneva on June 16, 2021, President Biden presented President Putin with a list of sixteen US vital infrastructure targets that need to be protected from cyber-attacks. Energy, nuclear power, healthcare, chemicals, information technology, and the defense industrial sector were among the industries on the list.

The conference reflected the United States' national security worries as well as its vulnerability, as it occurred shortly after a large cyber-attack on the Colonial Pipeline in May 2021.

Deterrence in cyberspace is a challenging task. In his article "Deterrence and Dissuasion in Cyberspace," Joseph Nye explains that deterrence by denial will be more successful than deterrence by punishment because both governments and non-state actors have access to cyber-weapons. To prove it, he cited a cyber-attack on the JPMorgan Chase bank in 2012, which led to the compromise of Personally Identifiable Information (PII) from 76 million households and seven million organizations.

Russia was heavily blamed for the incident. The attackers, however, were recognized by the US Justice Department in 2015 as a sophisticated criminal ring headed by two Israelis and a US citizen.

Furthermore, the issue of attribution in cyberspace leads to a blame game between governments. For example, in 2021, the United States accused China of being "the world's leading source of cyber-attacks," and China responded by accusing the United States of being "the world's largest source of cyber-attacks." Similarly, Western governments use terms like "very likely" to blame their rivals for cyber-attacks without presenting solid proof.

As a result of the ambiguity surrounding attribution, nations resort to deterrence through denial. The effectiveness of deterrence through denial on its own is a key question for policymakers. Maintaining excellent cyber health and a strong cyber infrastructure can help shield against cyber-attacks from both states and non-state entities. However, it cannot eliminate the complete possibility of cyber-attacks.

In the Global Cybersecurity Index, Pakistan is ranked 79th. Pakistan, however, is not exempt from the global trend of cyber-attacks. Some recent large cyber-assaults in Pakistan, for example, have targeted financial and energy systems, including K-Electric, the Federal Board of Revenue (FBR), and the National Bank of Pakistan (NBP).

There have also been reports of foreign security agencies indulging in cyber-warfare. In 2020, the ISPR alleged that Indian intelligence agencies were involved in cyber-crime against Pakistani government officials and military members.

In the same line, Amnesty International reported in 2021 that India had employed Pegasus spyware against Pakistan. In November of last year, the Global Times published an article about how an Indian hacker group waged cyber-attacks on government and security departments in Pakistan and China.

In the event of an attack on Pakistan's critical infrastructure, retaliatory actions are mentioned in Pakistan's National Cyber Security Policy 2021: "[it] will regard a cyber-attack on Pakistan CI/CII as an act of aggression against national sovereignty and will defend itself with appropriate response measures." Hence, the policy's primary deterrence strategy is the denial of benefits to the attacker. This is inadequate in the face of total cyber-warfare.

An effective defense may be required for an asymmetric cyber-attack, but to discourage a large-scale symmetric cyber-attack, cyber defense combined with non-cyber means of retribution would provide an effective deterrent. As a result, states' cyber-security strategies and nuclear doctrines include retaliation measures.

The 2018 Cyber Strategy of the United States Department of Defense is offensive and calls for the creation of a deadly joint force to combat malevolent cyber attackers.

Pakistan's IT exports are likely to exceed $50 billion within the next few years, which is undoubtedly a route to a robust digital infrastructure.

To protect the cyber frontiers, however, diligent application of the cyber-security policy will aid in the prevention of cyber-attacks.

It's difficult, but not impossible, to maintain deterrence in cyberspace. To reduce cyber vulnerabilities, you need a strong cyber security infrastructure. Along with policy implementation and regulatory system strengthening, more investments in emerging technologies are needed. This will aid in bolstering cyber defenses, developing an effective deterrent posture, and improving Pakistan's indigenous cyber capacity.