Cybersecurity in the Age of Artificial Intelligence: Strategic Implications for Pakistan's National Security in 2026

Abstract 

By 2026, global cybercrime costs had reached over USD 13.8 trillion per year, more than the GDP of any country except the United States and China. Artificial intelligence now plays a major role in cyber attacks. AI systems can identify security weaknesses on their own, create social-engineering attacks in multiple languages, and rapidly evolve malware. Pakistan is ranked 79th on the ITU Global Cybersecurity Index 2024 and faced more than 22,000 cyber incidents in 2025. The country is at a key turning point. This article examines the 2026 AI-driven cyber threat landscape, reviews Pakistan's evolving cybersecurity landscape, identifies key gaps, and proposes a policy framework to strengthen national cyber resilience.

1. Introduction

By 2026, cyberspace has become the main stage for geopolitical competition, moving far beyond its earlier, secondary role. The World Economic Forum's Global Risks Report 2026 lists AI-powered cyber threats as the second most serious global risk for the next two years, just after extreme weather events. For the first time, the report highlights 'autonomous AI-driven cyber attacks on critical infrastructure' as a distinct risk category, signaling a major shift in the threat landscape.

Pakistan's digital presence has grown quickly. As of early 2026, there are 114 million internet users (47.3% penetration), 190 million active SIM connections, and a fintech sector handling PKR 127 trillion in annual transactions through platforms like Raast, Easypaisa, and JazzCash. The State Bank of Pakistan's digital payment system now reaches over 52 million previously unbanked people. While these achievements have boosted financial inclusion and economic growth, they have also increased the potential targets for cyber attackers.

Key Context (2026): Pakistan's National Telecommunication & Information Security Board (NTISB) recorded 22,400 confirmed cyber incidents in 2025, a 60% increase over 2023 figures. Sector distribution: government networks (34%), financial services (28%), telecommunications (19%), energy (11%), other (8%). Source: NTISB Annual Threat Report, 2025.

This article is organized into five sections. First, it assesses the 2026 AI-cyber threat landscape. Next, it evaluates Pakistan's current cybersecurity architecture, identifies strategic gaps, offers evidence-based policy recommendations, and concludes.

2. The 2026 AI-Driven Cyber Threat Landscape

2.1 Agentic AI: The New Frontier of Offensive Cyber Operations

The biggest change in cyber warfare for 2025-26 is the rise of agentic AI. These are autonomous AI systems that can plan and execute complex, multi-stage cyber attacks independently, without human guidance at each step. In contrast, the AI-assisted attacks observed in 2023-24 still required significant human oversight. Agentic AI can take a broad goal, like 'compromise the target's operational technology network,' and handle everything itself: reconnaissance, vulnerability identification, exploit selection and use, network traversal, and data theft, all in just a few hours.

CrowdStrike's Global Threat Report 2026 highlights a major change: the average time it takes for an intruder to move through a network after breaking in has dropped from 62 minutes in 2023 to just 47 seconds in 2025. This huge increase in speed is due to AI-driven tools that automate lateral movement. The result is clear: responding at human speed is no longer enough. Only AI-powered defense systems can keep up with these AI-powered attacks.

2.2 The South Asia Cyber Threat Matrix

Pakistan’s geopolitical situation creates a unique regional cyber threat landscape. Indian state-linked APT groups, mainly SideWinder (APT-C-17) and Transparent Tribe (APT36), have significantly improved their tactics since 2024. They now use AI-generated spear-phishing in Urdu, AI-assisted vulnerability exploitation, and mobile malware aimed at Android devices used by Pakistani government and military staff. According to Recorded Future’s 2026 Nation-State Threat Intelligence Report, APT36 activity targeting Pakistan’s defense, energy, and government networks rose by 220% between 2024 and 2025.

In November 2025, a spear-phishing attack linked to SideWinder compromised email accounts at three Pakistani federal ministries. The attackers used AI-generated emails that closely matched official inter-ministry messages, achieving 96% stylistic accuracy and evading standard spam filters. Source: CERT-Pakistan Advisory CA-2025-047.

In addition to state actors, Pakistan faces cyber threats from criminal groups seeking financial gain, hacktivist groups, and terrorist organizations developing cyber skills. In 2025, the National Counter Terrorism Authority (NACTA) reported that at least four banned organizations have active cyber units engaged in propaganda, fundraising scams, and the collection of information on government targets.

2.4 The Deepfake Threat in Pakistan's Political Landscape

Pakistan saw a sharp rise in politically motivated deepfake content during 2024 and 2025. The Digital Rights Foundation recorded 340 verified deepfake incidents in 2025, a 480% increase from 2023. These included fake video statements linked to current ministers and senior military officers. By 2026, Pakistan had 72 million Facebook users, 41 million YouTube users, and 38 million TikTok users. This large social media presence allows synthetic disinformation to spread across the country within minutes.

The risks go beyond reputational harm. Nuclear-armed neighbors, who often have to make decisions quickly and have seen crises escalate within hours in the past, could face situations where AI-generated fakes lead to mistaken military actions. The 2019 Balakot crisis showed how fast tensions between India and Pakistan can rise. Adding AI-generated disinformation to a future crisis could make dangerous mistakes more likely.

3. Pakistan's Cybersecurity Architecture in 2026

3.1 Institutional Developments Since 2021

Since the 2021 National Cyber Security Policy, Pakistan has made clear progress. By April 2026, the country launched the National Computer Emergency Response Team (NCERT) with round-the-clock monitoring. Sector-specific CERTs were set up for banking (FS-CERT under SBP) and telecommunications (T-CERT under PTA). The Personal Data Protection Act 2023 (PDPA) was passed, although its implementation rules are still pending. The FIA Cybercrime Wing also doubled its investigative staff to about 600 officers.

3.2 The Budgetary Gap

Even with some progress at the institutional level, Pakistan still invests far too little in cybersecurity. For FY2025-26, the federal IT ministry’s total budget is about PKR 52 billion (USD 186 million). Out of this, only an estimated PKR 4-6 billion (USD 14-21 million) is set aside for cybersecurity. That is just 0.015% of GDP, well below the 0.1-0.2% recommended by the ITU and NATO.

Cost-Benefit Reality: Pakistan's entire estimated annual cybersecurity budget (USD 14-21M) is less than the average cost of a single significant data breach (USD 5.17M, IBM 2025). The 14 confirmed bank fraud events linked to AI phishing in 2025 alone cost PKR 47 billion, more than twice the annual cybersecurity budget.

The shortage of skilled workers has persisted, despite recent efforts to address it. According to ISC2's 2025 Cybersecurity Workforce Study, there is a global gap of 4.8 million professionals. In Pakistan, there is about one certified cybersecurity expert for every 17,500 internet users, which is much lower than India (1:2,800), Singapore (1:180), and the global best-practice goal of 1:500. The Higher Education Commission's 2025 audit also found that only 14 out of 212 public universities in Pakistan offer a dedicated cybersecurity degree program, and less than 30% of those include AI security modules.

The transition to post-quantum cryptography addresses a serious new risk. In 2024, NIST released the first post-quantum cryptographic standards (FIPS 203, 204, 205). Some adversaries are already collecting encrypted Pakistani government communications now, planning to decrypt them in the future when quantum computers become powerful enough, which some experts expect could happen as soon as 2028 to 2032. Pakistan has not yet shared its timeline for making this transition.

5. Policy Recommendations for 2026-2031

5.1 Establish a National Cyber Command (NCC) by 2027

Pakistan should bring together the cyber functions of NCERT, NTISB, and the military under a statutory National Cyber Command. This new body would have a five-year budget of PKR 120 billion (about USD 430 million), equivalent to 0.06% of the projected GDP. This would triple the current effective spending but still keep it below the international benchmark. The NCC should be required to respond to national-level incidents within 15 minutes, release public threat reports every quarter, and deliver Pakistan's first National Cyber Threat Assessment by the end of 2026.

5.3 Enact a Critical Infrastructure Protection Act

The National Assembly should pass the Critical Infrastructure Protection Act by December 2026. This law would be based on the EU NIS2 Directive (2023) and include parts of the US CIRCIA (2022). It should identify 18 critical sectors, set minimum cybersecurity standards enforced by the NCC, and require incident reporting within 24 hours. The Act should also require AI security audits for OT/ICS systems in energy, water, and telecommunications, starting with the 10 highest-risk DISCO substations identified in WAPDA's 2025 vulnerability assessment.

5.5 Cyber Diplomacy: A 2026-2028 Roadmap

Pakistan should follow a clear cyber diplomacy plan based on three main tracks. The first track is multilateral norms, which means taking an active role in the UN Open-Ended Working Group (OEWG) on cybersecurity, the Budapest Convention observer process, and the ITU's AI for Good cybersecurity work stream. The second track is regional cooperation. Pakistan can formalize its current SCO Cybersecurity Agreement commitments with China and look to sign bilateral cyber agreements with Saudi Arabia, UAE, Turkey, and Azerbaijan. These countries have both strong ties with Pakistan and growing cyber capabilities. The third track is information sharing. Pakistan can establish its first Information Sharing and Analysis Center (ISAC) for the financial sector by the second quarter of 2027, using the FS-ISAC model, and expand to energy and telecommunications ISACs by 2028.

Benchmark: The Saudi National Cybersecurity Authority (NCA), established in 2017, achieved a top-15 ITU ranking by 2024 through focused investment and bilateral cooperation. Saudi Arabia now operates 4 bilateral cyber intelligence-sharing agreements with Western partners and 6 with regional states. A comparable Pakistani program is achievable within 5 years, given the right political commitment.

6. Conclusion

The combination of agentic AI and offensive cyber tools in 2026 marks the biggest change in security since South Asia became nuclear. For Pakistan, this is a real and present danger. In 2025 alone, there were 22,400 cyber incidents, PKR 47 billion in financial sector losses, and confirmed APT campaigns targeting government ministries. These numbers show that Pakistan is facing ongoing digital attacks.

Closing Pakistan's cybersecurity gap will require a major investment, but it is within reach. The plan calls for PKR 120 billion for the National Cyber Command, PKR 58 billion for AI defense, and PKR 27 billion for workforce development over five years. Altogether, this is about PKR 205 billion, or roughly 0.04% of the projected total GDP. For comparison, Pakistan lost more than PKR 65 billion to cybercrime in 2025 alone. Investing in prevention clearly pays off.

The Strategic Choice: Every year Pakistan delays establishing a National Cyber Command, enacting Critical Infrastructure Protection legislation, and scaling its cybersecurity workforce, adversaries gain compounding advantages. The asymmetry of AI-enabled cyber offense over under-resourced defense widens not linearly but exponentially. The cost of action in 2026 is a fraction of the cost of catastrophic inaction in 2028.

Pakistan has the key ingredients to become a strong cyber power: 114 million people online, a young and skilled population, a growing tech industry, and adaptable institutions. Now, Pakistan needs to apply the same clear strategy it used for conventional and nuclear deterrence to the digital world, and do so quickly, since digital strength now supports all areas of national power.

References

Buchanan, B. (2020). The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. Harvard University Press.

CERT-Pakistan. (2025). Advisory CA-2025-047: SideWinder APT Campaign Against Pakistani Federal Ministries. Islamabad: NTISB.

CrowdStrike. (2026). Global Threat Report 2026. Austin: CrowdStrike Holdings, Inc.

Cybersecurity Ventures. (2026). Cybercrime Report 2026: The Annual Cost Reaches USD 13.8 Trillion. Sausalito: Cybersecurity Ventures.

Digital Rights Foundation. (2026). Deepfakes and Digital Harms in Pakistan: Annual Report 2025. Lahore: DRF.

Government of Pakistan. (2021). National Cyber Security Policy 2021. Ministry of Information Technology and Telecommunication.

Government of Pakistan. (2023). Personal Data Protection Act 2023. National Assembly of Pakistan.

Higher Education Commission of Pakistan. (2025). Audit of Cybersecurity and IT Degree Programmes in Pakistani Universities 2025. Islamabad: HEC.

IBM Security. (2025). Cost of a Data Breach Report 2025. Armonk: IBM Corporation.

IBM X-Force. (2026). X-Force Threat Intelligence Index 2026. Armonk: IBM Corporation.

International Telecommunication Union (ITU). (2024). Global Cybersecurity Index 2024. Geneva: ITU Publications.

ISC2. (2025). Cybersecurity Workforce Study 2025. Clearwater: ISC2.

National Institute of Standards and Technology (NIST). (2024). Post-Quantum Cryptographic Standards: FIPS 203, 204, 205. Gaithersburg: NIST.

National Telecommunication & Information Security Board 
