Pakistan’s Cyber Sovereignty and the SACRON

A new attack roughly every 39 seconds. Yet no bullets, bombs, or smoke. This is the paradox of a modern conflict: a silent war that is fought in the cyber domain and turns chaotic when systems crash. In this digital era, where survival belongs to the state that is the most adaptive and builds true cyber resilience. Global cyber governance has become a battleground for sovereignty and influence. For a state like Pakistan, which is facing fierce challenges to its security and sovereignty from the cyber domain, the question is how to fit itself into a fragmented digital global order.  Pakistan must take a systemic and proactive role in shaping global cyber norms, and one possible avenue is the South Asian Cyber Resilience and Operations Network (SACRON) framework.

As the digital world continues to develop at an unimaginable pace, states are facing the dilemma of balancing their sovereignty and security concerns with the digital liberty of their citizens. Due to the unique nature of the security environment in which they operate, some states are wary of the Western-led initiatives for global digital governance. This apprehension is manifested in the fact that Pakistan, China, Russia and Singapore are reluctant to sign the Budapest Convention, a Western framework aimed at preventing cybercrimes. These states are concerned about foreign oversight and data sovereignty. Pakistan has alternatively signed the UN Open-Ended Working Group and the Group of Governmental Experts which promote voluntary cooperation between states and recognise the principles of state sovereignty, non-intervention, peaceful resolution of disputes, and non-use of force. Pakistan is also a proponent of the UN Convention against Cybercrime which was launched by Russia and is supported by China.

An outright opposition to these Western initiatives can create quite a problematic situation for a state, given the highly interdependent global digital market. Pakistan’s economic and IT sectors are highly dependent on trade and investment, especially with the EU and the US, both of which emphasise transparent and safe digital systems. Thus, in an era where critical infrastructure is becoming more and more integrated with global digital systems, Pakistan must sharpen the strategic insight on cybersecurity. The country needs to comprehend that resilience is not a solitary pursuit, the new digital landscape necessitates a paradigm shift, interweaving sovereign priorities into a broader global cooperative fabric and long-term economic leverage.

Sovereign priorities require institutional capacity and policies. Ironically, Pakistan has no dedicated national cybercrime law. The 2016 Prevention of Electronic Crimes Act (PECA) drafted the legal basis to tackle cybercrime in the country. However, in the longer run, it will require some changes to prevent its misuse for curtailing freedom of speech and breaching privacy. The Pakistan Telecommunication Authority (PTA) is also limited in its mandate and focused on regulating and monitoring online content. It does not encompass the technical aspects of cybersecurity and tackle cross-border cooperation. In other words, it is neither structurally equipped nor sufficiently empowered. Yet in pursuit of embedding itself in the global system and cementing cyber capacity-building, Pakistan acceded to the Global Forum on Cyber Expertise in May 2023. Pakistan’s cybersecurity coordination body, the National Computer Emergency Response Team (NCERT), has also faced delays in its operationalisation. Pakistan’s National Cyber Security Policy of 2021 is also undermined by the overlapping mandates of the PTA, the National Response Center for Cyber Crimes, and the Ministry of IT and Telecom.

Against this backdrop, SACRON offers Pakistan an opportunity to play a central role in the design and development of a regional framework on cybersecurity collaboration. This cyber tiered and mutually beneficial model is indicative of the Montreal Protocol that demands more from the advanced states and buys time for the developing states. This project may provide a middle path and ensure equitable participation from all members. Under this initiative, Pakistan can initiate bilateral cyber CBMs with regional powers such as Sri Lanka and Bangladesh. This may include creating cyber hotlines or intelligence sharing systems to prevent miscalculations. The SACRON initiative could also connect NCERTs and automate threat information sharing. Moreover, the project could be patterned after the NATO Locked Shields, that conducts periodic cybersecurity drills to simulate resilience and improve common response strategies.

Nevertheless, the success of SACRON depends on addressing certain concerns. One of the weaknesses of the framework is its potential politicisation. In order to prevent this, the framework may utilise a Cybersecurity Credits Model, which is an incentive-driven system of rewarding states in terms of knowledge sharing, training, better cyber defences and regional support in the application of cyber laws. Moreover, to ensure accountability and transparency, an oversight committee of cybersecurity experts can be formed with the mandate to monitor each state’s progress.

All in all, this framework, if implemented successfully, would not only enable Pakistan to engage regionally but also influence global cyber treaties without succumbing to the domination of powerful states and compromising its digital sovereignty. This is the ideal time for Pakistan to lead from the forefront because this era of cyberspace is the new battlefield where digital resilience is the strategic asset. Pakistan, with SACRON, can transform its cyber loopholes into strengths and prudence into a strategy bilaterally, regionally, and ultimately globally.