Pakistan plans new federal authority to strengthen Cyber security

In response to growing threats in the digital sphere, the federal government has initiated steps to set up a Cybersecurity Authority.

According to a news article, the proposed authority will be responsible for recommending security protocols for the country’s critical digital infrastructure and overseeing the rollout of cybersecurity initiatives nationwide.

According to officials, the Ministry of Information Technology and Telecommunications has drafted the preliminary version of the Cybersecurity Act and circulated it among relevant stakeholders for review. The upcoming legislation aligns with the National Cybersecurity Policy, which lays out a nationwide framework for digital protection and is currently being implemented as part of the Digital Economy Enhancement Programme.

The move comes after the MoIT acknowledged in September that Pakistan has suffered multiple significant cyberattacks and data breaches in recent years. In a submission to the National Assembly, the ministry declined to share full details due to the sensitive nature of the incidents but offered to provide a complete briefing behind closed doors.

The ministry noted that inadequate staffing, limited technical expertise, weak monitoring mechanisms, and an overall fragile cybersecurity posture have allowed many cyber incidents to go unnoticed or unreported within institutions.

One of the major breaches cited involved the Oil and Gas Development Company Limited (OGDCL), where attackers infiltrated the organization’s core data centre, wiping out 21 virtual servers. Operations were restored only after a three-day recovery effort from the disaster recovery site.

The report identified several systemic issues behind such incidents, including insufficient funding for cybersecurity, the absence of trained personnel, weak governance structures, and gaps in comprehensive security policies.

Meanwhile, ministry documents indicate progress on the Secure Data Exchange Layer and digital identity initiatives. Data belonging to Nadra, the Federal Board of Revenue, and the telecom sector has already been categorised as critical digital infrastructure, with the government prioritising the protection of these systems. Efforts are also underway to classify the Immigration and Passports Directorate’s systems as critical.

Until the National Cybersecurity Authority is formally established, the CERT Council, a body comprising 14 public and private sector organisations, continues to coordinate and enhance the country’s cyberattack response capacity. Work on the Pakistan Information Security Framework 2025 is also in progress, the ministry added.