By Raza Ruman
“Pakistan’s Cybersecurity Act has been presented as a milestone. The proposed legislation marks a long-awaited attempt to strengthen national defences in an age where the first strike is often digital. Yet ambition alone will not suffice when dealing with the weaknesses that have repeatedly left the country exposed,” Dawn writes in it’s editorial.
As outlined by the IT minister on Friday, the law aims to establish a National Cybersecurity Authority, a beefed-up incident-response system, and a secure digital infrastructure built under the Digital Economy Enhancement Project. These are welcome steps. But a cybersecurity framework cannot be judged by announcements alone. It must also be assessed against Pakistan’s recent record.
Over the past few years, Pakistan has found itself in the headlines not for its cyber readiness but for a series of damaging breaches. Banks, hospitals, government email servers and even tax and identity databases have faced cyber intrusions, some of which brought services to a halt for days. Investigations into major leaks, including those linked to national identity data, have left citizens worried about whether the state can protect even the most sensitive information. Meanwhile, attacks on energy-sector utilities, such as the ransomware strike on K-Electric, have exposed the fragility of Pakistan’s critical infrastructure.
“Compounding these vulnerabilities is the reliance on blanket shutdowns. Internet outages — such as those most recently imposed in Balochistan — often without transparency or due process, have become a default response to security concerns. Such measures not only undermine public trust and damage economic activity, they also reveal the absence of resilient, rights-respecting mechanisms to manage crises. This contradiction is particularly striking given the government’s repeated celebration of Pakistan’s Tier-1 ranking in the ITU Global Cybersecurity Index. Rankings offer little comfort when the public experiences insecurity firsthand,” the paper says.
The Cybersecurity Act will only succeed if implemented with openness, independent oversight and a commitment to protecting fundamental rights. Without this, the law risks amounting to little more than an expanded surveillance tool, adding to concerns raised by civil society in the wake of recent amendments to cybercrime regulations, threats to block VPNs and Pakistan’s latest ‘Not Free’ score in the Freedom House internet freedom report.
“Pakistan has no shortage of talent. Universities like FAST-NU, where the IT minister spoke, and initiatives such as Ignite’s IC design training programme demonstrate technical capacity. Nor is there a dearth of urgency, especially after Marka-i-Haq, which officials have described as a defining moment. What Pakistan does lack is a coherent, civilian-led cybersecurity architecture that prioritises technical excellence over political control.”
The Cybersecurity Act could be the beginning of such a shift — but only if the state confronts the hard truth that national security in the digital era depends as much on rights, transparency and institutional competence as it does on firewalls, Dawn writes.
