How to Cite
A clear lack of Civil-Military Cooperation is evident in the field of national cybersecurity policy. For a country such as Pakistan with fractious political, cultural, and diverse ethnic identities and ideological characteristics, an unguarded cyber domain can add to the existing rifts. In light of these challenges, Pakistan needs to create a national cybersecurity policy and strategy incorporating both civil and military concerns. The aim of this research paper is to find out a conceptual framework of Civil-Military Cooperation (CIMIC) in the realm of cybersecurity. This study has used open-ended semi-structured interviews to find out the way forward and the hindrances in civil-military cooperation to create a robust national cybersecurity regime. For an effective national cybersecurity policy, synergy has to be created between the civil and military sectors. The military should not only have the necessary cybersecurity expertise, but it should also organize cyber-drills incorporating all stakeholders.
CIMIC, Cybersecurity, Cyberwarfare, Synergy, Trust
Technological advances in cyberspace have redefined relations among states and institutions within the state. It has resulted in unprecedented security challenges. Globally, the importance of resilience in cybersecurity cannot be overemphasized (Lipton, 2020). Technologically advanced countries have taken due cognizance of it to ensure the safety and security of their economies, health services, and internal and external defense.
For a country such as Pakistan, with fractious political, culture, diverse ethnic identities, and ideological characteristics, an unguarded cyber domain can add to the existing rifts that can impact civil-military cooperation (CIMIC). In a report released by Comparitech (2019), a UK based pro-consumer website, Pakistan is ranked 7th worst in terms of cybersecurity. This assessment is based on seven indicators:
· Percentage of mobiles infected by malware;
· Financial malware attacks;
· Percentage of computers infected with malware;
· Percentage of telnet attacks by originating country;
· Percentage of crypto miners (software developed for the purpose of taking over a user’s computer and using it without the user’s knowledge or permission to mine currency);
· Best prepared for cyberattacks and most up-to-date legislation.
Pakistan’s adoption of cybersecurity practices requires the implementation of a national cybersecurity policy to help create an environment of cooperation between the military and civil leadership in the cyber domain. It will direct both institutions to carefully deal with the vulnerabilities created in the social media domain and deal with each other in a friction-free environment.
In this paper, an effort has been made to examine the applicability of the conceptual framework of Civil-Military Cooperation (CIMIC) in the national cybersecurity domain. Pakistan lacks a cybersecurity strategy; therefore, any cooperation with regional or international actors in the domain lacks the vision of operational and tactical level implementation. This paper addresses the hurdles in creating a common national cybersecurity strategy incorporating both civil and military concerns; the vulnerabilities that lead to unsafe national cybersecurity domains in Pakistan. The paper also analyses the prospective areas of cooperation between both actors. The Prevention of Electronic Crime Act (2016) set out provision for international cooperation in Chapter IV, section 39 on International Cooperation. However, due to the lack of a national CERT, National Cyber Security Strategy and implementation of cybersecurity policy, Pakistan has not been able to secure its own cyberspace.
This means, among other things, that Pakistan needs a national cybersecurity strategy to develop a framework that encourages cybersecurity cooperation among state organs and other states. A CIMIC architecture in cybersecurity based on multi-stakeholder engagement could provide a better understanding of the vulnerabilities in cyberspace. This paper shall make an attempt to highlight and analyze major hindrances in policy-making related to cybersecurity, key areas of collaboration between civil-military organizations and a prospective roadmap to meet international standards.
Existing secondary sources such as books, newspaper articles, national and international policy documents, working papers, research articles, Tallinn Manual 2.0, Prevention of Electronic Manual (2016) have been consulted as part of the research. To address the issues discussed in this paper and formulate a way forward, semi-structured interviews were conducted with ten cybersecurity experts, four from the military sector and six from the civil sector. Most of the interviews were conducted via zoom, given the current pandemic. The respondents were selected on the basis of their years of experience in Pakistan’s cybersecurity domain, their cross-sectoral experience, and exposure to the civil-military sector simultaneously. Empirical data has been collected via field research to better formulate a coordinated responses to the rising cybersecurity issues in the country and Pakistan’s role in Cyber Security CIMIC.
Cybersecurity in Pakistan
Cyber threat intelligence requires broad-based collaboration, where no institution works in a standalone mode. Pakistan’s National Internal Security Policy (NISP) has addressed the issue of cyber threats and underscored the need for a civil-military command for inter and intra agency coordination (NISP, 2018). To date, neither a civil-military command nor a common national cybersecurity strategy has been implemented. Additionally, the policy paper does not discuss the international cooperation to adopt best practices and secure Pakistan’s cyberspace. A policy gap remains that needs to be addressed by the Pakistani academia, political leadership, bureaucratic leadership and the military for a holistic and air-tight national cyber policy. This gap has been identified by Rubab Syed et al (2019). The need for interagency contingency plans, according to Jensen and Work (2018), cannot be ignored. Therefore, Pakistan should not only prepare itself against physical external and internal attacks, but it should also have robust cyber defences against virtual attacks on its critical infrastructure (ibid).
Neighboring countries such as India and Bangladesh have been allocating budget and manpower to the IT sector, including collaboration between the civil and military sectors in cyberspace for a coordinated response (Policy, 2013). Understanding the cyber posture of both states and non-state actors has become a prerequisite for all foreign and domestic policy standings (Salmaan, 2018). This assumes importance as society shifts to cyberspace to conduct all sorts of businesses (Firdous, 2018).
A comprehensive response plan (CRP), as recommended in the NISP (2014-18), requires a strong CIMIC framework (NISP, 2014). The security of national cyberspace needs prompt preemptive joint civil and military measures. Hassan (2019) mentioned the ITU wellness report to improve cybersecurity health and Pakistan lack of certified national Cyber Emergency Response Team (CERT) hindering development and increasing insecurity vis-a-vis cyberspace.
Yamin (2014) recommends confidence-building measures (CBM) in cybersecurity between Pakistan and India to build robust cybersecurity at the bilateral level. Such practices can be extended to include other regional and extra-regional actors through CIMIC. Yamin (2018) proposed raising the issue of regional cooperation in cybersecurity on the forum of the Shanghai Cooperation Organization (SCO) by Pakistan’s foreign office.
Syed et al. (2018) emphasize inter-sectorial coordination between different public-private and military institutions. Writing further, that the public sector vulnerability to cyber-attacks in the form of credit card frauds, phishing, spamming and extraction of other financial information can bring the economy of a country down to its knees.
Therefore, it cannot be ignored that the military sector faces security challenges in case the critical public infrastructure of the country is targeted. According to an article published in Express Tribune (2016), referring to the Intercept, National Security Agency (NSA) reportedly spied on Pakistan’s civil and military leadership using an NSA software called ‘SECONDATE’. Pakistan Navy (PN) was targeted using the ‘target collision hijacking method’ through malware ‘rattlesnake’, specifically targeting the PN’s Public Relations Bureau (Khalil, 2020). Vombatkere (2018), in the context of India, mentioned the implications of hardware and software as they are foreign technologies bought in foreign markets. The hardware and software ‘target the defense, home, finance and banking operations, energy including oil …. Electric power, nuclear power…air traffic control...’, ‘public or private sector industry including Unique Identification Authority of India’s (UIDAI) Central ID Repository (CIDR)’, (ibid). This presents a unique question for militaries and civilian leaderships of any country as they adopt policies on cyberspace in standalone capacity minimizing the role of a collaborative effort.
The Niche of CIMIC in Cybersecurity in Pakistan
Cybersecurity and CIMIC
Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks (Kaspersky, 2020). ITU (2020) defines cybersecurity as:
The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.
CIMIC and Cybersecurity: Case of Pakistan
A cyberattack could ‘contribute towards a state collapse, in case of initiating or prolonging failure of critical national infrastructure’ (Robinson et al., 2018). Pakistan’s military intelligence has a sophisticated cybersecurity architecture and cyber-surveillance system (International, 2015); however, a broad-spectrum cybersecurity policy covering health, economics, critical infrastructure and counter-terrorism aspects is also needed. According to Information Telecommunication Union (ITU) (2018) report, 103 countries in the world have National Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRT). The functions of these teams are to provide aid to corporations, enterprises and nations in case of cybersecurity incidents. Making them an important component of cybersecurity defense where civil and military sectors can cooperate (access, 2020). In Pakistan, there are some organizations where civil-military information security experts are working together, such as Special Communication Organization (SCO). Pakistan’s National Response Center for Cybercrime (NR3C) mixes CERTs from both the civil and military sector for a more holistic response. The concentration, however, is more in the security sector.
Pakistan has established the National Center for Cyber Security (NCCS, 2018), but this lacks the capacity for emergency planning and execution of a plan during a crisis. The Center has the representation of both civil and military but has yet not been fully operational.
According to digital Pakistan (2020), the
total number of internet users in January of 2020 was recorded at 76.38 million, which makes it a 35percent of the population. As the number of users increase, so does the vulnerability and cyber insecurity. In 2016 Pakistan’s Parliament passed Prevention Electronic Crime Acts (PECA); however, the bill faced resistance from private and digital activists for the ‘impact of legitimate business and citizens rights’ (Bolobhi, 2015). In 2019, law enforcement agencies surveilled the footage of the student solidarity march and registered cases against the participants (The News, 2019). The country’s intelligence agency had been carrying mass network surveillance since 2005 of apex court judges, politicians’ activists, lawyers and journalists (Dawn, 2017). Such practices by the state agencies have created mutual distrust, and private actors and the civilian sector show reservations in cooperation.
Considering such reservations by private and public sectors, a council for mutual participation needs to be formulated. One such council in dealing with multi-stakeholders was the National Security Council (NSC). NSC Pakistan consisted of multiple stakeholders to help the country deal with different policy issues (Ali, 2015). In the case of cybersecurity, such a council does not exist.
In 2018, former National Security Advisor (NSA) Lt Gen Nasser Khan Janjua (retd) emphasized the need to focus on non-traditional threats to hitherto unexplored areas such as cybersecurity (Jabri, 2018). The multifaceted cybersecurity threats include malware attacks, cyberespionage, cyber theft, identity theft and Distributed Denial of Service (DDoS) (Rafiq, 2019). These threats are to both civil and military sectors. Even though the nature of the attacks and policy gaps are identified, and institutions such as NR3C deal with cybercrimes under FIA, the concentration is on resolving the crimes that are reported, not broader aspects of cooperation and securing the country’s cyber gateways.
Asia Center note (2018) coined the term ‘cyber-enabled information conflict’ that can cause equally grave consequences as a physical conflict in a borderland. According to the note (2018), ‘cyber-enabled information conflicts are increasingly shaping the character of regional security flashpoints…’ resultantly tensions can escalate between adversaries. According to Fravel (2015), who quoted from China’s Defense White Paper, 2015 ‘the form of war is accelerating its transformation to informatization.’ It could also escalate the internal threat vector of a state, as there exists resentment between different institutions and the public. According to the 2013 Wikileaks, the boundless informant heatmap (Greenwald and MacAskill, (2013) showed Pakistan as one of the most surveilled countries by NSA. Both civil-military actors were targeted. The attacks and practices in cyberspace do not end only with surveillance. Countries collect the data for information purposes and generating 5th generation warfare. Pakistan, due to multiple threats of sectarian violence, terrorism, ethnic and religious divisions and poor economic development, is more vulnerable.
According to the Global Security Index report, Pakistan has shown a commitment to cybersecurity programs and initiatives (GCSI, 2018). However, Pakistan needs to develop step by step approach to making its neighborhood safe from cyberattacks while formulating interregional cooperation. This can also help in better CIMIC policies in cybersecurity as Pakistan is one of the most surveilled countries in the world (International, 2015). In 2019, senior official cellphones were hacked via Whatsapp for ‘covert surveillance (Qadeer, 2020). Pakistan, by developing a national cybersecurity strategy, can be better prepared in the future to deal with increasing cyberattacks.
Lack of indigenization of technology creates vulnerability for cybersecurity in Pakistan. Lack of information sharing between government sectors and the military sectors can lead to future security breaches and disinformation between the two sides. All these issues arise from poor governance of cybersecurity. The dual-use technology leaves civilian institutions more vulnerable; at the same time make them the last line of defence in the domain of cybersecurity.
Lack of policy also results in a lack of an overarching body, where CIMIC can take place in a cordial atmosphere. Yamin (2018) pointed towards the absence of a central body that could coordinate the cybersecurity ecosystem, provide advice to the Prime Minister on Cyber threats. There is also private actors’ reluctance to cooperate with the civil-military sector due to breach of basic human rights—a consequence of weak good governance practices of the country and lack of institutional response. Throughout the globe, civic societies, military and government sectors are realizing the impact of cybersecurity on national security; however, Pakistan has a long way to go. In the next section of data analyses, the gaps in Pakistan’s cybersecurity has been analyzed. This provides us lead on how these gaps can be mitigated.
Pakistan has been unable to bring together its military and civilian stakeholders when the National Cybersecurity council Bill (NCSC) was proposed in the senate in 2014. This has enhanced the cybersecurity vulnerability of the country.
CIMIC in Correlation with Policy in Pakistan
Interviews from local cybersecurity experts have resulted in some interesting insights (all interviews were held in confidentiality, names have been withheld). Respondents generally agreed that the dependency of a state on technology had elevated the vulnerability of cyberspace. Additionally, the lack of cybersecurity surpasses the threat of weapons of mass destruction. Experts unanimously agreed that policy holds utmost significance in defining the role of a nation and where it stands. In 2014, all stakeholders came together to formulate National Cybersecurity Council Bill (2014); however, the bill is still pending in the senate. Lack of CSITRT and a national CERT, along with disintegrated military and civilian sectors responses, hinders progress in the domain (Expert G, 22 August 2020). The military preparedness for any unprecedented cyber event within Pakistan does exist, but the civil side remains vulnerable. The hindrance that exists in Pakistan’s cybersecurity is that our cybercrime bill does not have any provisions of cybersecurity even though both are interlinked.
On the military side, there are reservations in cooperating with the civil side. As one respondent argued, ‘that the sectors are isolated’. While another respondent stated
‘CIMIC is not possible in the near future due to trust deficit. The military is an isolated network. The military has its own setup in place, which is based on an ‘airgap’ network’’. Another factor for the military’s reluctance for cooperation is the lack of expertise in the civil side. ‘A lack of balance in capabilities between the civil and military hinders chances for cooperation. The civilians have traditional networks, where the knowledge is public domain’ (Expert I, 19 August 2020). However, the challenge is that cyberspace is for operational purposes in the civil infrastructure, such as dams, water, roads, power grids, power plants and airways. As the fifth domain of warfare and a global common, the military cannot work in isolation despite a separate secure network. The lack of CIMIC in cybersecurity also results in economic hindrances. One of the experts mentioned that ‘our poor cyber defences in the banking sector has resulted in the loss of USD 6 billion dollars in 2018 alone.’ Due to weak data protection and lack of capabilities, we are unable to bring stakeholders, resultantly affecting our knowledge economy.
Experts were of the opinion that Pakistan neither has a well-developed cybersecurity policy nor cyber diplomacy. On research, through different platforms, it was found that it is due to the power struggle between the stakeholders in the domain. The military considers cybersecurity in the perspective of warfare alone. While the civil perspective revolves around particular strands of cybercrime, including harassment, hacking, cyberbullying. The consideration for the connection of cybercrimes to greater threats such as malware attacks, ransomware attacks or attacks on critical infrastructure is not covered under the anti-cybercrime practices. According to one expert, ‘on the importance of cybersecurity experts in post-conflict scenario: ‘military considers cybersecurity to be a military domain’ (Expert I, 19 August 2020). Another expert emphasized that ‘the military should let the civilian side work (Expert D, 22 August 2020). Most of the experts almost shared the view that the domain of cybersecurity needs ‘well-developed infrastructure.’ To strengthen this area, civil-military cooperation is required that needs a good policy in order to handle security, enhanced and implemented at a higher level.
The importance of civil cyber experts has been emphasized by the experts. According to one expert, ‘more is less.’ In the view of another expert, they ensure the availability of cybersecurity to the masses and the military. One respondent revealed that ‘research and development skills are available and Pakistan’s civilian side is more equipped with cyber capabilities than the military (Expert F, 23 August 2020),’ which could help in sharing knowledge of the civilian environment with the military sector and equipping it for unforeseen scenarios in the cyberspace.
Experts have highlighted the need for the identification of experts within civil and private institutions for preparedness in the cybersecurity domain. There are a number of institutions within civil and military sectors that have representation of cyber-experts in both sectors; however, the forces still need civil-cyber functional experts, who through training and exercises could help in providing the first line of defence for the country.
According to a respondent ‘ the military complex has dependencies from an information highway perspective, including logistics such as water, roads and dams (Expert C, 19 August 2020). Even though the military aims to gain a digital high ground, both military and civil cybersecurity are intertwined. The security of the military cannot be ensured if they do not extend expertise to their civil counterpart in an organizational capacity.
A few experts emphasized the importance of awareness in the domain of cybersecurity. Awareness will be created vis-à-vis the cybersecurity policy devised. This will lead to cooperation between the two sectors.’ Cyberspace intertwines and is an intersection of economies. It is very important for that purpose to manage military and non-military relations.
Along with the military, we need civil professionals who can promptly deliver results. There is a need for a well-devised road map towards cybersecurity. Support for cyber CERTs lacks on both the civil and military side, resulting in the private PAK-CERTs organizations participation in an unofficial capacity in the international cyber drills. In
cyber drills ‘military takes part in an unofficial capacity (Expert G, 21 August 2020), weakening cooperation through shared platforms in an official capacity. Moreover, we ‘lack the indigenization of technology and awareness. There is also a lack of formalized assessment (Expert D, 22 August 2020).
According to a number of respondents, if there is a cyberattack launched from Pakistan’s soil on a third party, Pakistan will be unable to respond to whether Pakistan’s cyberspace was compromised or it was involved in the attacks. Due to a lack of trust on the military side, there could be a delay in information sharing in case of a cyberattack. As one of the respondents elaborated, ‘if there is an incident Pakistan response will suffer, and lack of capability further hinders the response. It springs from a lack of awareness and policy. Resultantly no response to the attack will take place due to lack of detection’ (Expert I, 19 August 2020). The issue also arises in citizen privacy. Some experts deemed it necessary for the law enforcement agencies and the military establishment to monitor cyberspace. On the question of ensuring the human rights of the private actors, how synergy can be created between civil-military and private actors, one respondent emphatically put ‘there is no personal security above Pakistan. Personal information does not matter’ (Expert H, 24 August 2020). Another respondent argued that ‘sometimes people do not understand why interception of data and security is important, but it is definitely important if it is used for the right purposes’ (Expert F, 24 August 2020). Such mindsets detract a country’s path towards growth in the cybersecurity sector.
Joint civil-military exercises are required within a robust cybersecurity plan to bridge the gap between Pakistan and the rest of the world. CERTs are needed to be integrated at all levels, which requires joint exercises. Military needs to take part in cyber drills organized by private actors. Through these exercises, a synergy can be created between civil-military within Pakistan. Further, the indigenization of the country’s firewalls, its technologies in the public sector could boost the confidence of the other sectors. It could help in avoiding any backdoors into our cyberspace and in building trust between the stakeholders.
According to one expert, cybersecurity should be placed under the National Security Division (NSD). Another expert mentioned ‘there is a need for a figurehead that works directly under the President and Prime minister.’ According to some respondents, ‘Federal Investigation Agency (FIA) is mixing CERT from both military and civil’ despite the lack of national CERT. A respondent also informed that in case of a ‘bug, security flaw, or an attack Pakistan Telecommunication Authority (PTA) floats information’ about it that is then shared between different individual setup, stating that ‘cooperation is definitely there’ (Expert F, 24 August 2020).
An initiative that is already in place in an unofficial capacity is the Cybersecurity Alliance of Pakistan (CSAP), by formalizing this alliance, Pakistan will have a starting point under which framework could be formalized. Under the framework, policy and strategy could be formulated, and assessments could be made based on certain checks and balances. The assessment will help formulate policies that will also ensure that it caters to the contours of the domestic setup while ‘taking guidelines from the international policies’, (Expert G).
One expert emphasized ‘the need to form a form a National Cybersecurity Taskforce comprising civil and military experts to strengthen the cyberspace without compromising any civil rights.’ EU has put in place the General Data Protection (GDPR) for the protection of individual rights in cyberspace. Similarly, there is California Privacy Act. Pakistan has introduced earlier this year the ‘Citizens Protection against Harm Rule’ and has in draft phase the ‘Personal Data Protection Regulation of Pakistan (PDPR)’. The current laws are for cybercrimes in the country and do not cover cybersecurity. Cybersecurity laws could be an extension of the cybercrime bill. A council for mutual participation needs to be formulated specifically catering to the cybersecurity demands. The functions of this council should be separate from the National Response Center for Cyber Crime (NR3C).
The civil-military actors come together both in an official and unofficial setting, as in the case of the Cybersecurity Alliance of Pakistan (CSAP). Officers from NESCOM, C4I, Airforce are part of Cyber Security Alliance of Pakistan (CSAP) drills, but not in an organizational capacity. The question arises who will lead the domain of cybersecurity in the case of international operation. As one respondent stated, ‘invitations may come to either Ministry of Information Technology or to military, they may or may not share with the other side, as civil and military are not on the same page (Expert D, 22 August 2020). It also shows there is a trust deficit, even though both sides have capabilities. According to Expert A (8 August 2020), ‘the inclination of the military is towards their own assets’. The standalone nature of the military cannot be fruitful when the attack is on the civil infrastructure.
According to Expert G (21 August 2020), heading the Cyber Security Alliance of Pakistan (CSAP), there are more than ‘five hundred’ members in the alliance.’ The group members are from civil, army, CSOs and CISOs; these are also the people that are handling emergencies within Pakistan currently.
Next-generation is likely to see cybersecurity soldiers for that purpose; both civil and military cooperation is required. The state-owned policy is important for national and international alliances. NATO holds regular joint exercises. Therefore, it is an important aspect to collaborate in cybersecurity with the countries with whom Pakistan has friendly ties. The civilian side is more well versed in on-ground day to day cyber realities, while the military’s concentration is more on developing the offensive and defensive capabilities.
Federal Investigation Agency (FIA) coordinates with Interpol. A cyber investigation setup is in place that tracks down the suspects in collaboration with other countries. Pakistan has also taken part in cyber drills for the last twelve years. However, ‘it is only the civilians that take part in these drills from the platform of PISA-CERT’ (Expert G, 21 August 2020).
Needless to say, the overarching hindrance in Pakistan’s cybersecurity is due to the political tug of war between the institutions. Similar to every other domain, cybersecurity in Pakistan has also been subjected to a lack of bureaucratic and political will. Additionally, there is reluctance in implementing a cybersecurity policy, despite the development of a framework for cybersecurity. Pakistan is marred with self-governance in cybersecurity, where, where-withal cybersecurity framework is not being developed.
Through the inclusion of CIMIC, Pakistan can approach the cybersecurity issue in Pakistan and South Asia from a broader perspective. It will also help in creating cyber defences of the country where both actors will be involved. Research needs to be broadened on civil-military cooperation in the components of information technology. Research Gap exist in information security governance in Pakistan. Further research could also be carried out in civil-military cooperation in information security.
Civil and military organizations must realize the importance of civil-military cooperation in cyberspace. The open communication lines could provide for more avenues of cooperation: a platform to resolve the differences and formulate a roadmap for robust cybersecurity. This will help send a positive message of both sectors working together and securing the country’s cyberspace from malicious cyber threats. The cooperation will help in creating a knowledge economy and in boosting the countries e-commerce. Cooperation is needed to help in cyber preparedness for any unknown cyber threat.