Over three billion users access the internet today, compared to a measly 400 million in 2000. As the internet creates new opportunities for countries across the world, it also creates a whole host of challenges in the cyber realm. The anonymity offered by the internet and its disregard for national boundaries, a revolutionary trait, are now becoming a military challenge. To ensure long-term security of its military and civilian infrastructure, Pakistan must implement a forward-looking strategy to deal with these cyber threats.
When the US Director of National Intelligence, James Clapper, was asked about the threats faced by the United States, he placed cyber at the top. “Cyber threats,” he said, “to US national and economic security are increasing in frequency, scale, sophistication and severity of impact; [and] the ranges of cyber threat actors, methods of attack, targeted systems and victims are also expanding.” The United States is not the only country facing this challenge; all leading economies of the world are wary of the real danger they face in cyberspace.
Starting with the Stuxnet attack on Iran in January 2009, the scale of cyberattacks and the damage they cause have grown tremendously. Russia, China, North Korea, Iran, the United States and Israel all have robust and indigenous cyber warfare capabilities. Under the Modi government, India has also started work on developing its own cyber capabilities. Pakistan has been lagging behind and has so far failed to develop and implement any robust policy framework directed at emerging cyber challenges.
Cyberterrorism poses an immediate and short-term threat to the country’s national security. This could consist of cyberattacks and the use of the internet by terrorists to plan, recruit, and communicate with other terrorists inside and outside the country. While terrorists probably do not have the sophisticated skills to target critical infrastructure, they have used the dark corners of the internet to communicate, recruit, and plan terrorist attacks. As ongoing counterterrorism operations squeeze the physical space for militants in Pakistan, they will increasingly withdraw deep into the internet to plan and communicate with each other. Unable to carry out large terrorist attacks in public, they could also begin to learn new and more dangerous cyber warfare capabilities.
A more serious and long-term threat emanates from cyber warfare carried out by other nation states, in particular India. After the Mumbai terrorist attacks of November 2008, plans to carry out quick military strikes against Pakistan were developed. Future terrorist attacks, like Mumbai, could lead to a quick military response from India to punish Pakistan for its alleged involvement in terrorist strikes on Indian soil. In response, Pakistan began developing tactical nuclear weapons at a rapid pace. These weapons have lowered the nuclear threshold and act as a deterrent against such measures.
The introduction of offensive cyber capabilities, however, would upend this strategic balance. Armed with offensive cyber weapons, and confident that Pakistan does not have similar capabilities, India could wreck Pakistan’s critical military infrastructure. It could then conduct quick offensive strikes against Pakistan, or be satisfied with the damaging effect of cyberattacks. The development of such weapons would undermine the balance of power in the region and allow India to conduct punitive strikes against Pakistan with relative ease.
A three-pronged approach is needed to deal with cyber threats emanating from state and non-state actors.
Firstly, the government must pass well-articulated legislation that provides a legal framework for law enforcement and intelligence agencies to operate under. The draft cybercrime bill developed by the government has raised a number of issues. This bill needs a lot more work and must be amended before being passed as law. Furthermore, a transparent process, with input from the private sector, needs to be developed for accessing communications data when national security is at risk. Such regulatory measures should not trample on freedom of speech and the user’s right to privacy, and should have oversight measures to ensure that the powers granted to the intelligence agencies are not abused.
Secondly, Pakistan must develop a centralised command that serves as the central organisation responsible for the development of military capabilities in the cyber realm. This cyber command should be tasked with modernising Pakistan’s cyber defences, in both the military and civilian domains, and with developing and demonstrating offensive cyber capabilities. The goal of the cyber command must be to ensure that Pakistan achieves and maintains a strategic cyber deterrent. China’s People’s Liberation Army (PLA) is beginning to develop a similar cyber command, and Pakistan can leverage its deep defensive ties with China to collaborate with the PLA in this domain.
Finally, the government, military, and the private sector must come together to develop a framework for securing the country’s critical infrastructure from cyberattacks. Financial markets, the electric grid, nuclear weapons, and other physical assets must be secured in a consistent manner. Scenario planning and war games must be conducted to harden critical assets, and exercises must be carried out to simulate cyberattacks and flesh out measures that must be taken during such events.
Cyber threats will continue to grow exponentially in the coming years and the costs of not investing in a full spectrum of cyber capabilities will continue to escalate. While the Senate Committee on Defence and Defence Production, along with other experts, has raised this issue, no significant headway has yet been made. Emerging cyber threats can no longer be ignored, and a continued failure to plan and execute today will cause long-term damage to the security of the country.