The Ukraine crisis has revealed how geopolitical conflict can quickly spill over into cyberspace and bring in an assortment of other state and nonstate actors. Geopolitics has always been a powerful motivator in catalyzing aggressive and even hostile activity. Pakistan has been watching the crisis closely, purposefully remaining neutral as to avoid any unwanted attention from cyber forces supporting both sides and who have targeted those perceived sympathetic to the adversary. Two primary reasons have driven this stance. First, Pakistan’s cyber security posture is not where it wants to be with the government knowing that its critical infrastructures such as its national power grid are vulnerable to exploitation. The second is that Islamabad, like the rest of the world, is carefully observing how civilians, private sector companies, and state actors have gotten into the fray, and using their capabilities to support an array of offensive and defensive actions.

Understandably, the developments on the cyber front during periods of geopolitical tension is not lost on Pakistan, who, since 1947, has been embroiled in its own territorial conflict since with neighbor India over the disputed Kashmir region.  As has been observed with Ukraine, physical clashes between Pakistan and India has traversed into cyberspace where patriotic hacktivists from both sides have attacked the websites of public and private sector organizations in defense of their respective country’s interests.  But for the most part, these nonstate elements have been more nuisances than serious players, conducting low-level attacks that have made minimal impact.  The Ukraine conflict has shown that not only can these elements be harnessed into a more effective cyber presence, but sympathetic cybercriminal communities can also be leveraged as well.  While Pakistan may not have a robust, indigenous cybercrime ecosystem, the Middle East with pro-Islam hackers could certainly be a resource for recruitment and use.

But cybersecurity is a concern.  According to Pakistan’s Federal Minster for Information Technology, more than 900,000 hacking incidents target Pakistan daily, coming from a variety of criminal, hacktivist, and state actors.  As per one report, Pakistan ranked 79^th in the world in cybersecurity capability, an inauspicious placement for a nuclear capable country embroiled in its own geopolitical conflicts.  Between 2018 and 2020, cybercrime targeting Pakistan increased by 83% over the three-year period. Therefore, it is little surprise that like many other countries, Pakistan has made cybersecurity a governmental priority.  It established its National Center for Cyber Security in 2018, and publishing its National Cybersecurity Strategy in 2021. The Center’s mission is to build national capabilities to produce indigenous cybersecurity solutions through national labs and develop professional expertise to bolster Pakistan’s cyber defense posture.  The Strategy presents a vision that not only includes securing assets such as critical infrastructure, but also on creating cyber resilience via a robust and improving digital ecosystem, as the National Center promotes.

As any practitioner knows, cybersecurity is a nonstop work-in-progress where failure garners attention and successes are rarely publicized.  In 2022, a Pakistani parliamentary committee addressing information technology and telecommunications labeled the country’s cybersecurity efforts as “incompetent,” a damning assessment after the country was unable to restore services after disruptive cyber attacks against energy, military, government, and financial networks.  A January 2023 blackout in Pakistan underscored such vulnerabilities especially when speculations over the cause of the outage shifted from “technical” glitches to a malicious cyber attack, especially as it wasn’t the first time this happened.  In 2022, Pakistan suffered another blackout as a result of a suspected cyber attack, calling into question if Pakistan’s cybersecurity efforts are being implemented efficiently.  A recent article in a foreign policy journal underscored these sentiments in which it advocated the government investing in cyber defense capabilities to protect its critical infrastructure via technology solutions, bolstering public-private partnerships, and building a security minded culture via training, and ongoing security education.

But cybersecurity is not just about protecting against current threats; it also needs to be forward-looking and preparing for the future battlespace.  The Ukraine conflict has made Pakistan take stock of how future battles can be fought and has seen the emergence of hybrid warfare and how its multi-dimensional approach across physical, cognitive, and cyber domains can be deployed to achieve results.  This has created a complex operating environment that requires the agility, adaptability, and capability to address threats.  There is a sense that Pakistan is not yet able to be caught in a hybrid war, with one article suggesting that the government is mired in “a pernicious state of affairs” with respect to internal and external security considerations.  Another piece

 criticizes Pakistan’s inability to respond to the evolving nature of cyberspace and the activities that transpire within citing lack of political will, as well as lack failure to understand the soft power tactics (e.g., the role of social media and influence operations) that have proven critical in recent years.

Given how governments have implemented cyber operations into their military and statecraft arsenals, Pakistan appears to be well behind the curve.  This is important given that Pakistan is believed to have some level of offensive capability that it uses against its primary adversary India, as well as in cyber espionage activities in the region.  Furthermore, there is some evidence suggesting that Pakistan acts as China’s proxy against India as well, collecting information on a mutual target of interest.  However, where Pakistan failed to make a 2022 list of global cyber powers, India did, putting Pakistan further in jeopardy should India or any other country decide to target it via hybrid warfare.  India’s advanced persistent threat groups have targeted Pakistan and are believed in at least one incident to be responsible for attacks on its energy infrastructure. 

What’s more, there is a belief that India may already be engaging in its own form of hybrid warfare against Pakistan, making Pakistan’s need to speed up its ability to confront this new threat an imperative.  This is largely due to the fact that hybrid warfare’s multi-pronged engagements can prove troublesome to the stability of states and regions, with cyber attacks being especially effective in disrupting the day-to-day functions of civilians and government alike. One Pakistan think tank’s issue paper addressed this concern citing how India has already executed information warfare, cyber attacks, propaganda, and influence operations, among other offensive actions against Pakistan, as well as the broader international community. The longer Pakistan continues to lack a comprehensive security strategy and policy formulation addressing this threat, the more it’s in peril of being victimized by the dynamism of hybrid warfare directed against it.

What makes Pakistan-India situation so compelling is that it is a potential geopolitical hotspot whose animosities can quickly flare up and bring in sympathizers and adversaries alike.  What’s more, Pakistan’s primary nemesis appears ahead of it when it comes to implementing irregular hybrid warfare tactics to support its national objectives.  As such, Pakistan knows it needs to do more, and acknowledges that a robust cyber defense is essential to mitigating the effects of the myriad hostile activities conducted via the Internet via India’s hybrid warfare efforts.  The anecdotal history of state cyber actors breaching hard targets such as centrifuges in an enrichment facility and other industrial control systems should be a serious concern for a nuclear-capable nation like Pakistan. Any deteriorating geopolitical situation could expose the country’s vulnerabilities to debilitating cyber attacks, neutralizing its ability to effectively respond.  Right now, it appears that Pakistan has a long way to go before it can compete with India or any other burgeoning regional cyber power, and the longer more strides aren’t made in its cyber apparatus and policy frameworks, the more ground Pakistan will have to make up in the strategic competition in cyberspace.