by Gulraiz Iqbal
Throughout history, the survival of states has hinged on their ability to anticipate and adapt to emerging threats. Just as industrialization reshaped the nature of conflict in the 19th century and nuclear weapons redefined power in the 20th, cybersecurity now determines the resilience of nations in the digital era. For Pakistan, which is constantly navigating shifting geopolitical currents by virtue of its strategic geography, regulating this front presents a dual-premised dilemma; how to ensure that its digital safeguards are in harmony with its posture on state sovereignty, while also aligning with international legal frameworks. While the state ensures its full commitment to the former, the latter may find itself caught in a feud of dueling priorities, where each thrust of regulatory assertion meets a parry of global legal expectations.
This dynamic is strategic in nature. The state’s cybersecurity instincts are shaped by a historical impulse to protect sovereignty first and foremost. Yet, in an age where critical infrastructure is woven into global digital systems, Pakistan also recognizes that resilience cannot be purely insular. Its official communications, including a 2023 submission to the United Nations, reflect this evolving outlook: a reaffirmation that principles such as sovereignty, non-intervention, and peaceful dispute resolution remain vital in cyberspace, but must now be interpreted within the unique architecture of the digital domain.
The tension, therefore, is not whether to accept or reject international law, but between the traditional constructs of control and the fluidity of cyberspace. In this landscape, where attribution is elusive and intent is often obscured, Pakistan has begun to argue for more structured mechanisms of global cooperation—ones that avoid domination by a few but still offer pathways to responsible state behavior online. These impulses are also shaping Pakistan’s approach to regional engagement: as cyber threats transcend borders, regional cooperation—rooted in mutual benefit, not hierarchy—may offer a viable model for resilience.
However, Pakistan’s approach to cybersecurity remains shaped by a delicate balancing act—one that prioritizes sovereignty and national security while selectively engaging with global cyber governance frameworks. Its reluctance to accede to multilateral treaties like the Budapest Convention underscores concerns over external oversight, even as regional collaborations and bilateral agreements offer alternative avenues for cyber cooperation. Instead, Pakistan aligns with United Nations-led processes like the Open-Ended Working Group (OEWG) and the Group of Governmental Experts (GGE), which affirm the applicability of the UN Charter in cyberspace while preserving state autonomy.
This selective engagement reflects its broader geopolitical alignments and institutional constraints, positioning Pakistan at a crossroads where strategic autonomy must be reconciled with the imperative of strengthening its cyber defenses.
Pakistan’s approach to cybersecurity remains shaped by a delicate balancing act—one that prioritizes sovereignty and national security while selectively engaging with global cyber governance frameworks.
Pakistan’s Cybersecurity Governance and International Engagement
Pakistan’s cybersecurity framework reflects the broader complexity of its governance—driven by security imperatives, institutional overlap, and cautious international engagement. Domestically, the Prevention of Electronic Crimes Act (PECA) 2016 forms the legal base for tackling cybercrime, but its uneven enforcement and civil liberties concerns highlight regulatory friction. The National Cyber Security Policy 2021 aimed to secure critical systems, yet fragmentation of this issue set across multiple agencies—Pakistan Telecommunication Authority, NR3C, Ministry of Information Technology and Telecommunication—continues to undercut coherence. This institutional dispersion mirrors a deeper dilemma: the need to modernize defenses without diluting state control.
Pakistan’s engagement with international law also reflects this tension and it navigates the evolving cyber governance landscape with deliberate caution. Pakistan has affirmed the applicability of the UN Charter and International Humanitarian Law to cyberspace, but also flagged the challenges of applying these principles amid attribution complexities and dual-use infrastructures. It has refrained from acceding to the Budapest Convention on Cybercrime, citing concerns over external jurisdiction and data sovereignty—an argument reaffirmed in a 2020 Lahore High Court hearing by the Ministry of Foreign Affairs. In doing so, Pakistan aligns itself with states such as China, Russia, Indonesia, and Singapore, which reject legal frameworks that could subject domestic digital infrastructure to foreign oversight. Pakistan aligns with the UN GGE, which emphasizes voluntary state cooperation through a set of eleven norms and the applicability of international law, while preserving national sovereignty in cyberspace.
A Deliberate Distinction and Strategic Cyber Alignment
Pakistan’s cyber policy deliberately maintains a clear distinction between cybersecurity and cybercrime, aligning with common international practices. While cybersecurity primarily concerns state behavior—such as cyber warfare, espionage, and protecting critical digital infrastructure—cybercrime focuses on criminal activities by non-state actors, whether individuals or groups, including hacking, financial fraud, and cyberterrorism. This differentiation is embedded in domestic Pakistani legislation, particularly the PECA. Complementing its domestic focus, Pakistan presented its “Position on the Application of International Law to Cyberspace” to the UN in March 2023, affirming that the UN Charter’s principles—sovereign equality, nonintervention and the peaceful settlement of disputes—apply online. By publishing this note verbale, Islamabad signaled a willingness to engage in the evolving body of global cyber norms while continuing to rely on PECA for internal enforcement.
Pakistan supports the recently adopted UN Convention against Cybercrime, initiated by Russia and backed by China. Negotiated over several years and formally adopted in late 2024, the treaty establishes a global framework to combat cybercrime while reinforcing state control over internet governance. It is now open for signature through 2026. While proponents highlight its security benefits, critics warn it may enable government overreach and restrict digital freedoms.
Western trade and investment increasingly hinge on open and secure digital frameworks. Thus, Pakistan’s cyber governance posture could influence its future digital trade negotiations and investor confidence. Regulatory misalignment, especially with European data standards, may limit market access. Similarly, Western investors in Pakistan’s information technology sector prioritize open digital policies, and any shift towards restrictive cyber regulations could raise concerns about market accessibility and regulatory predictability. A rigid stance may constrain opportunities in sectors where cybersecurity standards are not just technical benchmarks but preconditions for economic participation. The path forward will likely demand a recalibration—a policy posture that balances strategic autonomy with regulatory predictability, especially in dealings with the West. Pakistan’s ability to signal credible alignment without compromising sovereignty will shape its long-term economic leverage.
Addressing Domestic Legal and Normative Gaps
Pakistan’s domestic cybersecurity governance is in an evolving phase, facing challenges in legal frameworks, institutional capacity, and alignment with international norms. Despite efforts to strengthen regulations, gaps in enforcement and coordination expose Pakistan to increasing cyber threats. Addressing these issues is crucial for enhancing national resilience and ensuring strategic alignment with international best practices.
A key legal challenge is the absence of a dedicated national cybercrime law. The Federal Investigation Agency’s NR3C enforces PECA, but the law lacks provisions for critical infrastructure protection, mandatory security standards, and effective cross-border cooperation. While it addresses access and data theft, PECA’s scope remains limited. No independent cybersecurity authority exists, and PTA’s limited mandate—focused more on content than infrastructure—adds to the enforcement gap.
Capacity constraints remain another critical challenge. Institutions such as the NR3C play a key role in cybersecurity enforcement, yet they face resource limitations in technology, personnel, and financial investment. Cybersecurity expertise within Pakistan’s judicial system remains limited, leading to delays in cybercrime investigations and low conviction rates. Structured collaboration between law enforcement agencies and the private sector also remains weak, slowing response times to cyber incidents.
Pakistan can enhance institutional capacity through targeted investments in training and technology while its recent accession to the Global Forum on Cyber Expertise (GFCE) in May 2023 reflects a commitment to international collaboration on cyber capacity-building. Domestically, the government has announced that Pakistan’s National Computer Emergency Response Team (NCERT) will be fully operational in 2025, which is expected to help address these challenges. The specific rules governing its operation, known as the CERT Rules, were only notified in September 2023, contributing to delays in full operationalization. This move will enhance institutional capacity by providing a more coordinated, agile, and resource-rich response framework, aligning Pakistan’s cybersecurity infrastructure with global best practices.
Pakistan must prioritize institutional strengthening, adopt a phased approach to international engagement, and develop a cybersecurity framework that balances sovereignty with global best practices. Investing in cyber capacity-building, cross-sector collaboration, and proactive legal reforms will ensure that Pakistan is not only resilient against cyber threats but also positioned as a key player in shaping regional and global cybersecurity governance.
Regional Solutions: South Asian Cyber Security Framework
In looking for regional solutions to shared challenges, Pakistan should take the lead in establishing a South Asian Cybersecurity Network (SACN)—a structured alliance that facilitates cyber threat intelligence sharing, collective defense mechanisms, and capacity-building initiatives. This network could be institutionalized under a dedicated South Asian Cybersecurity Council (SACC), which would define regional cyber norms, establish best practices, and ensure coordinated responses to cyber threats. Unlike existing multilateral mechanisms that remain ineffective due to political discord, SACN could be structured around pragmatic cooperation, allowing states to engage on common cyber threats while maintaining strategic autonomy. Though its success would depend on a framework of non-dominance, where no single state dictates policy, ensuring equitable participation from all members.
A regional approach to cybersecurity offers Pakistan a chance to lead from a position of principle and necessity. Such a framework aligns with Pakistan’s vision of sovereignty-respecting cooperation, as articulated in its calls for Confidence Building Measures at the UN and its broader reluctance to embrace externally imposed regimes. SACN would offer a middle path: not passive alignment with dominant cyber powers, but proactive shaping of rules among equally situated states.
A regional approach to cybersecurity offers Pakistan a chance to lead from a position of principle and necessity.
Implementation would require a tiered engagement model. At the foundational level, Pakistan could initiate bilateral cybersecurity agreements with India and Bangladesh, establishing direct cyber hotlines and intelligence-sharing mechanisms to prevent escalatory miscalculations. At the regional level, SACN would have to integrate National Computer Emergency Response Teams (NCERTs), creating an automated threat intelligence exchange that enables rapid response to cyber incidents. Regular cybersecurity drills, modelled on NATO’s Locked Shields, could be conducted to test resilience and refine collective response mechanisms. Apart from this, SACN could develop a regional cybercrime task force, enhancing law enforcement cooperation to track and dismantle cross-border cybercriminal networks. Given diplomatic sensitivities, a Track 1.5 cyber diplomacy approach can be undertaken, which would include technical exchanges between national CERTs and independent cybersecurity experts as a way to build trust and common ground. This cooperation could be hosted and facilitated by a neutral third-party country and initially utilize blockchain-based anonymous threat intelligence sharing. Starting specifically with mutual external cyber threats (like ransomware or cyber fraud originating outside the region), the states could gradually build practical trust, demonstrating clear mutual benefits without immediately tackling sensitive diplomatic issues head-on.
A key element of SACN could be a Cybersecurity Credits Model (CCM), ensuring that participation translates into tangible benefits for Pakistan. Under CCM, a regional cyber governance body could define baseline cybersecurity standards, awarding Cybersecurity Credits (CCs) to states that demonstrate leadership in cyber resilience, law enforcement cooperation, and digital hygiene initiatives. Rather than functioning as a punitive system, CCM could be structured as an incentive-based mechanism, allowing states to leverage credits for cyber infrastructure investment, skill-building initiatives, and research collaboration. Pakistan could position itself as a credit-surplus state, earning CCs through leadership in cybersecurity training, CERT coordination, and cyber policy development. Instead of merely offsetting obligations, Pakistan could monetize its cyber expertise, using credits to secure funding for domestic cybersecurity projects and exert influence over regional cyber governance. Like the Montreal Protocol, SACN can adopt a phased approach, assigning differentiated cybersecurity responsibilities based on national capacity. A tiered commitment model—binding yet context-sensitive—would ensure equitable participation across both technologically advanced and developing South Asian states. In fact, Pakistan can leverage this initiative to reinforce its recent advocacy efforts for a dedicated UN-led funding mechanism to support cybersecurity capacity-building in developing countries, positioning SACN as a viable regional pilot for global application.
To ensure accountability and operational effectiveness, SACN would have to have built-in checks and balances. A rotating Cybersecurity Oversight Committee, composed of independent experts and government representatives, could periodically assess compliance with established norms. States that fail to meet security commitments would either have to invest in regional cybersecurity projects or risk losing voting privileges within SACN. Transparency mechanisms, such as regional cyber incident reporting protocols, could prevent unilateral accusations and promote collective security. Additionally, a dispute resolution framework would have to be put in place to mitigate geopolitical frictions that could undermine SACN’s objectives.
Unlike traditional military alliances, this framework would allow Pakistan to engage selectively, maintaining strategic autonomy while benefiting from regional collaboration.
The article appeared in the southasianvoices