Tackling the Growing Concerns Over Cybersecurity in Africa
Looking at Africa’s largest economy, the Africa Centre for Strategic Studies article, Nigeria’s Diverse Security Threats, explores Nigeria’s growing state of emergency as a result of the continuously poor efforts in cybersecurity.
Many have perceived Nigeria’s main threat to peace and security to be centred on the terrorist organisation, Boko Haram, positioned in the north east. Through bombings, attacks and the spread of fear and violence over social media and cyberspace, the terrorists are fighting to overthrow the government and create an Islamic state. The group, together with the Islamic State in West Africa (ISWA), has caused mass disorder in Africa's most populous country. However, it is important not to be blindsided. The widespread nature of Nigeria’s security challenges affects all the country’s regions, and a deeper look into the state of cyber in Africa is needed.
However, when the powers that are in place to protect and serve are actually part of the problem, where are the means for research, regulation and change? Nigeria’s corrupt State Security Service (SSS), who are directly overseen by the president, together with the Presidential Guard Brigade, demonstrate a clear and often violent line between themselves and civilians. Corroding trust in the police and security forces accentuates the growing instability in Nigeria. Remedying this broken trust must be the top priority of any national security strategy. However, the terror inflicted by Boko Haram proved to be the perfect distraction, as cyber-terrorism to Nigerian infrastructure became the new and evolving weapon of destruction.
An article in This Day, Addressing Emerging Security Threats of Cyberattacks, takes a closer look at cyberthreats such as cyber terrorism, cyber espionage, cyber theft and Distributed Denial of Service (DDoS) against individuals, businesses and critical national infrastructure. Examining the response from nations across the globe in addressing these vulnerabilities through both defensive and offensive actions was a theme of the workshop held to address the issue at the Army Officers Mess, Outer Marina, Lagos. The field commanders of the army, Nigerian Navy (NN), Nigerian Air Force (NAF), Nigerian Police, Department of State Services, Nigerian Security and Civil Defence Corps (NSCDC), together with other Nigerian state departments, were brought together to address the increasing threat to Nigeria’s security. Dubbed ‘Exercise Crocodile Smile VI’, it was the first-ever cyber warfare exercise to be conducted in the history of the African armed forces.
Operation Crocodile Smile VI was set to look at armed robbery and other crimes. However, cyberattacks were named as the most pressing issue - an emerging security threat in Nigeria. The workshop sought to identify Boko Haram terrorists and to reassure law-abiding citizens who have been left fearful of their safety after the violent manifestation of the #ENDSARS protest and the political use of cyberspace.
The Commander, 55 Signal Brigade, Brigadier General Henry Yanet, expressed concerns that the army and other government establishments may be vulnerable to cyberattacks from non-state actors such as Boko Haram, ‘Anonymous’, and other hacktivist groups that exploit the dark web, as was seen during the #ENDSARS protests. The demonstrations led to a wave of attacks on governments, together with private and public web infrastructure. The fear is that the spotlight may now shift to Nigerian companies as they are perceived to be easier targets.
According to an article by Deloitte, the maritime, telecommunications, consumer goods and energy sectors risk falling victim to cyberattacks and data leaks. However, the Financial Services Industry (FSI) has made better progress with employee awareness, anti-phishing campaigns, email and web security solutions, next-generation antivirus solutions and overall technology hardening. With the inevitability of more sophisticated attacks, it is important the FSI does not become complacent.
Over the past two years, businesses in Nigeria have implemented the Nigerian Data Privacy Regulation (NDPR). However, attackers are not idly sitting in the shadows; they continually work to find new loopholes, vulnerabilities, and flaws to exploit.
A January 2020 report by PwC, Cybersecurity & Privacy in Nigeria, outlined some simple measures that can be adopted for better preparation and protection:
• Use strong authentication – Longer and stronger passwords, biometric authentication, and multi-factor authentication.
• Use email and social media with care – If it looks too good to be true, it probably is. If an email or post looks suspicious, ignore or delete it, or verify its authenticity through separate means of communication (a phone call, for example). Do not open an email or its attachments if you do not recognise the sender. If you think you have been compromised, contact your IT team immediately: a few seconds can make a big difference when trying to contain a breach.
• Install updates – Updates often patch vulnerabilities, giving users protection from attacks.
• Stay cyber aware and informed – Remember, an organisation is as strong as its weakest link.
• Comply with applicable laws and regulations – These are in place to protect against information being misused.
However, the National Information Technology Development Agency's (NITDA) 2019 introduction of the NDPR failed to address one vital element in its regulation. It does not mandate that companies report data breaches. When a company is required by law to report the loss of data, it allows the person(s) whose data has been stolen to protect themselves by changing passwords and alerting relevant people to the potential for fraudulent activity or impersonation.
Looking at Africa as a whole
The Global Cybersecurity Index (GCI) Framework measures the commitment of countries to cybersecurity, looking at each country’s level of development and engagement. In the interests of this article and its objective to shed light on the state of cyber risk management in Africa, this framework and its comparisons give a clear insight into just that. The UK was ranked as the most committed to cybersecurity, followed by the USA, then France. However, in Africa, Mauritius was the top ranked member state (globally 14th), followed by Egypt (23rd globally), then Kenya (44th globally), and Rwanda (49th globally). The final African member state ranking is Ghana, which is 89th in the world. On reflection, this demonstrates a low commitment to cybersecurity in Africa, and therefore a higher cyber risk exposure.
Serianu is a Kenya-based firm which gathers intelligence released by the Africa Cyber Immersion Centre (ACIC). Their 2019/2020 Africa Cybersecurity Report highlights significant investigative research and trends in threat statistics. It highlighted the rise in regionally coordinated attacks in East Africa, the 50% rise in insecure remote connections in Kenya, and the rise of ATM malware attacks.
Key cyberattack vectors were indicated as:
• Malware (including Ransomware) - increased from 4,146,435 threats detected in 2016/17 to 40,893,141 in 2018/19.
• Web application attacks – rose from 2,656,675 threats detected in 2016/17 to 6,109,184 in 2018/19.
• Botnet/DDoS – grew from 952,327 in 2016/17 to 4,852,022 in 2018/19.
In fact, the total number of cyberthreats rose from 7,755,498 in 2016/17 to an eye-watering 51,903,286 in 2018/19.
The previous 2018 report demonstrated a clear cyber skills gap in African organisations, estimating that 90% of SMEs and large organisations will face a talent shortage of cybersecurity professionals in 2019. A disturbing figure which illustrates this concern is Botswana’s meagre 200 certified security professionals. Two challenges faced by African organisations in patching the skills gap are a lack of sufficient IT security budgets and keeping abreast of cyberthreats.
Returning to Serianu’s 2017 report, Demystifying Africa’s Cybersecurity Poverty Line, of the organisations asked, 90% had been impacted by cybercrime, yet only 28% reported these crimes to the authorities. In June of that year, Uganda ranked 7th highest risk country globally. In fact, 95% of African organisations in private and public sectors were found to be operating on or below the Cybersecurity Poverty Line.
Looking specifically at South Africa, the latest report by Accenture illustrates that SA has the third highest number of cyberattacks in the world, losing R2.2 billion a year. It claims:
As an increasing proportion of the population begins connecting to the Internet for the first time, this inexperience paired with increased exposure is a potent combination that cyber criminals try to exploit.
To translate the scale of the problem, some of the major incidents in 2019 are outlined below:
• February 2019: A South African energy supplier suffered two security breaches in quick succession.
• July 2019: Ransomware infected a provider of pre-paid electric power, leaving customers without access to power.
• September 2019: One of South Africa’s largest ISPs suffered a Distributed Denial of Service (DDoS) attack lasting two days.
• October 2019: Several South African banks, as well as financial institutions in Singapore and Scandinavia, suffered DDoS attacks resulting in a loss of service.
It is thought that cybercriminals perceive South Africa as an easy target, and as having lower defensive barriers than perhaps more developed economies. With South Africa’s low investment in cybersecurity and cybercrime legislation, it may be that threat actors believe they are at a lower risk of being traced and of facing consequences.
South Africa is beginning to tackle the issue with the introduction of the Protection of Personal Information Act (POPI), which was enacted in July 2020. It requires that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing, and sharing another entity’s personal information. The act holds institutions accountable should they abuse or compromise personal information. However, in terms of cybercrime accountability, while civil and criminal charges can be brought against people or organisations under Section 87 of the Electronic Communications and Transaction Act (ECTA), there is still a profound amount of work needed to bring South African legislation in line with international principles and standards, and South Africa has yet to introduce a specific Cybercrime Act.
Looking for a solution
Cyber insurance provides a positive step in the effective management of cyber risk in Africa. However, in the earlier cited 2020 Serianu report, a disappointing 76% of organisations surveyed did not have cyber insurance. 25% said they did not have extensive cybersecurity controls and a mere 17% said they did have cyber insurance. African organisations must address this chasm of insecurity and ensure the proper economic quantification of their cyber exposure in order to address their cyber value at risk. They can achieve measurable outcomes with cyber risk management programs.
As part of a long-term strategy, African governments must work with their education ministers to develop curricula that will create future cyber experts, inspiring students to pursue the profession.
The role of governments cannot be overemphasized in tackling cyberthreats. It should no longer be a backburner idea handled only by the Ministry of Science and Technology, or the office of the National Security Adviser. It is a frontline issue that could result in cascading economic catastrophes.
(Deloitte - ‘Cyberharam’: can Nigeria prepare for the next generation of terrorists?)