Is the Cloud First Policy a step towards digitising the country?

There has for the longest time been a lot of noise around ‘Digital Pakistan.’ The idea that a big part of Pakistan turning into a developed nation is making sure that we adopt technology early and choose digitisation both in governance and everyday life. 

A ‘Digital Pakistan’ is supposed to create a digital ecosystem with infrastructure and institutional frameworks for the rapid delivery of innovative digital services, applications and content. Essentially, making sure everything is online, accessible, operable, and convenient. To this end, one of the most recent developments has been a draft of Pakistan’s first ever cloud policy on 15 February, 2022. The IT ministry’s draft has already been approved by the cabinet, and is being claimed by the government as a game changer in digitising the country’s economic as well as administrative infrastructure.

Essentially, it is exactly what it sounds like. The government is preparing to shift all of its data from hard memory disks to a cloud based system – much like you might have on your phone with iCloud or Google Storage. However, when data is being put up onto a cloud in such large quantities, matters are a little more complicated. 

The most essential part of this effort will be pushing to make sure that all new data entries are made directly to the cloud after it is thoroughly tested to make sure there are no glitches or mishaps, and then forming a team dedicated to categorising and uploading old data to this cloud as well. And of course, before all of those making sure this cloud is encrypted from multiple ends and completely safe will be of the utmost importance given how sensitive the information being uploaded will be. The only question is, how convincing is this Cloud First Policy? 

What’s a cloud? 

It’s pretty obvious by now we’re not talking about the fluffy white things in the sky that sometimes turn grey and shower rain upon us. What we’re referring to is a wireless ‘cloud’ system of data storage. Cloud Computing is based on the infrastructure that facilitates the delivery of multiple services and applications directly through the internet. These services include networking, database, softwares and data storage.

Basically, it provides an infrastructure that can replace local storage (computer hard drives in most cases). But, why can’t we just carry on with the local storage?

Well, local storage has served us well over the years, but cloud changes the game. It is more efficient, offers huge cost savings, arguably better data management and protection and the processing capacity is higher than that what most local storage systems can offer. Furthermore, it facilitates user mobility as data is accessible from anywhere in the world. 

What progress has been made?

Pakistan, as per World Bank, is the fifth largest country around the globe in terms of population.  Furthermore, with 40 divisions and more than 600 affiliated departments of its Federal government, Pakistan has a massive utility of cloud computing both in Public as well as Private sector.

Unfortunately, as of now, the country has not been able to fully tap into the potential of this technology. Apparent from the fact that Pakistan failed to make into Association of Cloud Computing Asia’s cloud readiness index while countries like India, Indonesia and Vietnam all were present in the rankings.

The use of cloud services in the public sector is comparatively low, and the bulk of data centres are designed to serve the needs of a single enterprise. The lack of centralised cloud infrastructure remains a major impediment for the country in tapping into the perks of cloud computing.

Furthermore, Telecommunications Advisory Assistance, 5G Readiness Plan for Pakistan, a report issued by the World Bank also emphasised on the need for the country to build the local Cloud infrastructure to facilitate domestic entities and deployment of related services like IoT.       

Public sector data needs to be on the cloud

Integration of all government databases to cloud platforms will enable the government to better analyse the data which will ultimately lead to quality enhancement of E-Government services. Additionally, a cloud infrastructure will help reduce the burden on the national treasury of operating separate data centres for federal entities and departments.

Moreover, it will prove to be a step towards removing administrative and legal barriers in data exchange between government departments. This is important for departments like Nadra and FBR that possess valuable data which can be of utility to other government departments and agencies. 

As per the Principles for Adopting Cloud Computing in the Public Sector, issued by Association of Cloud Computing Asia, “The protections offered by the technical architecture of the cloud and the efficiencies associated with cloud services are only the beginning of the benefits that governments and society can realise by deploying cloud-based technologies.” 

The report further added, “The transformational technologies of today are largely powered by cloud solutions. Policymakers and procurement officers should not limit themselves to thinking about the change cloud computing enables within IT departments or the budgetary savings that can result from migrating to the cloud, but should expect cloud-based technologies to offer solutions that enable governments to achieve their broader objectives as well. Agencies that focus only on migrating existing workloads to the cloud or take too narrow a view of cost savings will miss these transformational benefits.”

Will the policy achieve its goals? 

One of the IT ministry’s biggest talking points has been their goals towards achieving digitisation in three things –  E-Governance, E-Commerce and E-Banking. These are also the three elements the government is hoping to achieve 

“It aims to contribute to the Government of Pakistan’s (GoP) goal to promote E-Governance through IT enablement at all levels. MoITT also aims to reduce the burden of import bills of Pakistan by discouraging investments in organisation specific data centres in Public Sector Entities (PSE) and taking advantage of the economies of scale offered by the cloud,” reads one section of the policy draft. 

One can thus see that the primary aim seems to be increasing efficiency of the government and its department’s digital activities and enhancing data security while simultaneously reducing costs of establishing and maintaining data centres separately for departments. In an ideal world, PSEs will benefit from consolidated cloud services.

But the two most important factors with this will be implementation and trust. The policy and its goals are all well and good. The problem is no government policy claims that it will not be able to solve the problems it has identified and is suggesting solutions to. However, most policies go unnoticed. It is imperative to wait and see what sort of attention the government gives to this policy and whether it is followed through on or not. The second important factor will be how secure this entire operation is. 

The MoITT has claimed that it will actually enhance the security of the government’s data, which over the years has been vulnerable to cyber attacks. This has even been admitted by the government recently in the National Security Policy, which made it a point to mention that the government needs to invest in technology to build its Cyber Security Framework as it stands at risk of cyber attacks from internal and external sources. 

As per the report, Security guidelines for big data infrastructure and platform by International Telecommunication Union, “Technical defects of system virtualization could cause several security risks; in addition, immature operation and maintenance technology could result in risks being more serious. Additionally, large-scale distributed storage and computing models of big data infrastructure and platforms cause higher risks of security configuration parameters to the software used in big data management.”

Therefore, to tackle the issue of data security, the FPCP has laid out five data classifications and the level of security required for them. 

Scope, applicability and policy objectives

The policy, after coming into effect, will be applicable on every PSE under the federal government. Additionally, as per the policy “ It will serve as a guiding framework to regulated sectors and private sector organisations as they continue to undertake digital transformation. PCFP is issued to support the digital transformation of the ICT landscape in Pakistan, improve efficiency, provide quality service delivery, and encourage investments in ICT.”

As stated in the Policy, by the introduction of a Cloud system, GoP aims to; (1) Reduce time to procure and time to launch by maintaining a pre-accredited list of Cloud Service Providers (CSP). The accreditation will be done by benchmarking against international quality standards. (2) Reduce the cost of ICT infrastructure by paying only for the services that are utilised rather than incurring high capital expenditure for dedicated infrastructure. (3) To encourage investment in cloud services by local and International CSP in Pakistan. This will be done by making it mandatory for all PSEs and Public sector projects to prioritise Cloud based solutions when investing in IT infrastructure which will raise demand for CSP’s services. As per the policy, After 1st July 2022, all new ICT investments should adhere to the directions of Cloud Office. 

(4) Facilitate CSP to achieve economies of scale. As demand grows for their service, the providers will need to scale up their bandwidth and ancillary infrastructure which will lead to lower per unit costs. (5) Provide enhanced information security to end-users via cloud offerings. The policy will establish the basis for data classification and respective security criteria for each classification. This will assist in benchmarking against international security standards. (6) Provide transparency to citizens with digital government solutions. The Open data category will consist of structured and readily available data for the public. (7) Increase utilization of cloud solutions by transitioning from local hosting to cloud hosting (8) Foster a digital entrepreneurship ecosystem by providing readily available cloud services. (9) Attain optimization via aggregation of resources. (10) Develop a cloud enabled workforce by upskilling the existing workforce of PSEs.(11) Obtain environmental benefits achieved by optimized use of resources. (12)Put forward a synchronized approach to ICT procurement across the governments/provinces. 

Road map for enabling Cloud Computing 

The implementation of the proposed policy will be carried out through Cloud Office. As per the policy, “Planned governance structure will enable the roadmap for establishing a structured and formal organisational setup for cloud governance in Pakistan.”

Furthermore, to ensure smooth implementation of the policy, the Cloud office(s) will be reportable to a Cloud board.The structure of the Board will consist of Secretary MoITT as the head, alongwith provincial Chief secretaries or their representatives along with two experts from the industry.

The involvement of Chief secretaries will be contingent on the adoption of the policy by respective provincial governments.The Operational Hierarchy of the Cloud office(s) is illustrated by the chart below.

 As per the policy framework, key operational steps will be implemented by cloud offices, these include; Accreditation of Cloud Service Providers for Government Data, Registration of Cloud Service Providers, ICT Audits, Restrictions on Investments in Fragmented ICT infrastructure, Data Classification, Security Framework and PSE ICT procurement checks. 

The Timeline

The drafting of the Policy started after the GoP in its digital Pakistan Policy assigned the task of creating a government cloud for integrated public sector data to the Ministry of Information Technology and Telecommunication. 

As per sources, before presenting it to the cabinet, the policy draft was amended three times, taking into consideration the input of all stakeholders. As of now, the cabinet has approved the policy and it will come into effect once the notification process is completed. The process of implementation will start with the establishment of Cloud Office.