Islamabad, November 24, 2025: In response to escalating digital and cyber threats, the federal government has decided to establish a National Cybersecurity Authority to oversee and strengthen the country’s cyber defences.
The proposed authority will be responsible for recommending cybersecurity protocols for critical national infrastructure and implementing cybersecurity initiatives across Pakistan. The Ministry of Information Technology and Telecommunications has already drafted the initial Cybersecurity Act and circulated it among stakeholders for consultation.
According to officials, the new authority will operate under the policy direction of the National Cybersecurity Policy, which outlines a nationwide framework for digital protection and is currently being implemented under the Digital Economy Enhancement Programme.
The move comes after the IT Ministry acknowledged in September that Pakistan has suffered a series of significant cyberattacks and data breaches in recent years. In a report submitted to the National Assembly, the ministry stated that detailed information could not be shared publicly due to the sensitivity of the matter but could be provided in an in-camera briefing.
The report highlighted severe vulnerabilities, noting:
- A shortage of dedicated cybersecurity personnel
- Limited technical expertise
- Weak monitoring mechanisms
- A generally inadequate security posture
As a result, many cyber incidents either go undetected or are never formally reported at the institutional level.
One of the most damaging breaches involved the Oil and Gas Development Company Limited (OGDCL), where attackers gained unauthorised access to its core data centre, deleting 21 virtual servers. The system was restored only after a major three-day recovery effort using the organisation’s disaster recovery site.
The ministry’s report attributed the recurring cyber incidents to several systemic deficiencies, including:
- Insufficient resource allocation and funding
- Lack of dedicated cybersecurity teams
- Weak oversight and commitment from senior management
- Absence of a uniform governance structure
- Outdated or incomplete cybersecurity policies
Meanwhile, official documents show progress on projects related to the Secure Data Exchange Layer and digital identity systems. Key national institutions — including the National Database and Registration Authority (Nadra), the Federal Board of Revenue (FBR) and major telecom operators — have been classified as critical digital infrastructure.
The process to designate the Immigration and Passports system as critical infrastructure is also underway, signalling the government’s intent to prioritise cybersecurity for high-value digital systems.
Until the new authority is formally established, the CERT Council — comprising 14 public and private sector organisations — continues to function as the primary body for coordinating cyberattack responses and improving national readiness.
Additionally, work is in progress on the Pakistan Information Security Framework 2025, which aims to standardise cybersecurity practices across government and key sectors.
