Island Nation Tackles Cyber Security
Mauritius emerges as a global leader in computer security innovation
For nearly two decades, the island country of Mauritius has aspired to be a technical and financial force on the world stage.
The country’s ambition to become an “information society” dates to 2001, when it established the Business Parks of Mauritius Ltd as a government-owned company to develop information and communications technology. That led to the Cyber City Project in 2003. The goal of the project was to make Mauritius a preferred destination for business and professionals and “to create wealth and employment through the use of information technology,” reported The New Economy of the United Kingdom. Today, the project takes up 62 hectares with five distinct zones: Cyber and Multimedia, Business and Finance, Knowledge, Commercial, and Residential.
Mauritius is now viewed as the country most committed to cyber security in Africa and is ranked sixth in the world by the Global Cybersecurity Index. It is no coincidence that Mauritius is considered Africa’s most successful democracy and one of only 20 countries worldwide to be classified as a “full democracy.”
Grove Applied Intelligence of South Africa says that Mauritius’ standing as an information and communications technology (ICT) leader comes as a result of the country’s “good policymaking and foresight on behalf of the business sector.”
In May 2018, the European Union enacted the General Data Protection Regulation, which affects every organization and country doing business with the EU. The regulation requires wide-ranging cyber security and privacy practices. In anticipation of the EU regulations, Mauritius adopted the Data Protection Act of 2017.
In announcing the act, Mauritian officials said it was the “right balance” between privacy rights and government and business security concerns.
“The key principle underpinning data protection is to ensure that people know to control how personal information about them is used or, at the very least, to know how others use that information,” the Mauritius Data Protection Office noted. “Data controllers are people or organizations holding information about individuals, and they must comply with the data protection principles in handling personal data, and ‘data subjects’ are individuals who have corresponding rights.
“The object of the act is to provide for the protection of the privacy rights of individuals in view of the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals.”
Kaleem Ahmed Usmani heads the Computer Emergency Response Team (CERT) of Mauritius and is the current Mauritian representative to the United Nations Group of Governmental Experts on Cyber. In an email interview with ADF, Kaleem said his country felt it had to keep up with the times in addressing cyber security.
“The rapid expansion of ICT across the African continent over the past decade has led to increased reliance on internet and mobile technology,” he wrote. “The increase in the internet penetration has also made the countries vulnerable to cyber attacks. Legislations, policies and capacity building regarding cyber security have not been the main focus for many countries due to lack of awareness and political will.”
Kaleem said that from the start, the Mauritian government’s vision “was to make the country a ‘cyber island’ in which ICT would become the fifth pillar of the economy after sugar, textiles, tourism and financial services.”
Emergency Response Team
A major aspect of the country’s cyber security is the CERT of Mauritius, a division of the National Computer Board. The response team operates a national computer portal aimed at educating the public on the technical and social issues facing internet users, particularly online dangers. Response team members say the goal is to provide information for targeted groups as they “continuously study, analyze, research and innovate to stay ahead and maintain a technological edge over cybercrime actors.”
The portal team’s responsibilities include:
- Encouraging organizations and individuals to report cyber security incidents.
- Advising internet users on how to cope with cyber threats.
- Assessing the security of organizations’ information technology (IT) infrastructure.
- Conducting third-party information security audits for organizations.
- Helping organizations set up security management best practices.
- Educating and training in cyber security.
- Organizing training for cyber security professionals.
Sylvain Martinez, founder of ElysiumSecurity, told the Mauritian news site Defimedia that as Mauritian homes and businesses continue to rely on technology and connect to the internet, the country is as vulnerable to cyber attacks as any other developed country.
“As the modern world is becoming more and more digitalized, it will also increasingly rely on IT systems, which means the cyber attack surface is growing,” he said. “In parallel, there is more and more money for cyber criminals to gain from cyber attacks as well as an increasingly high potential geopolitical impact, which means the hackers are becoming more and more sophisticated professionals and with more resources.”
Mauritius’ national cyber security portal is intended to be user-friendly and valuable to almost anyone who goes online. It includes an explanation and video about phishing scams; a video about protecting children from cyber bullying; information and a video on how to keep children safe online; tips on protecting yourself, your family and your devices; and information on the country’s computer security hotline for reporting dangerous websites. The website is useful even to those not in Mauritius.
The portal has eight web links just for children. The “parents” section of the portal includes information on gambling, indecent content, social networking, online safety, internet addiction, junk email, chatting online safely, online predators and a separate section dealing with Facebook use.
The “home users” section offers information on smartphones, malware, online shopping and investing, hate speech, wireless access, spam and scams, your digital footprint, and safe computing.
The portal offers organizations and businesses information on backing up data, fighting threats, access controls, dealing with malware, identifying theft and privacy, wireless access, and security policies.
Free tools available for download include antivirus programs, a website-blocking tool, spam filters and blockers, and a program to block phishing websites.
“The Mauritian Cybercrime Online Reporting System (MAUCORS) was also set up as an online platform for reporting cyber crimes,” noted Kaleem. “MAUCORS also provides information with regards to various forms of cyber crimes and how can citizens better protect themselves.”
Smart Countries Still At Risk
Kaleem said that the lessons learned in his country can be applied elsewhere.
“Other countries, especially in Africa, can follow the steps of Mauritius to strengthen their cyber resilience,” he said. “These include measures such as the development of national cyber security legislation, strategy, setting up of CERTs and technical systems, cyber security capacity building, and promotion of international cooperation. Mauritius will be very much willing to share the expertise within the region.”
Security experts say that even cyber-savvy countries such as Mauritius face security risks, and as the country moves more public and private business online, the risks will continue to grow. The most common types include phishing, malware and threats to infrastructure, Loganaden Velvindron of the African Peering & Interconnection Forum told Defimedia.
“Phishing is common in emails that claim to be someone different,” he said. “Many people are unable to identify phishing attacks against them. Malware is common on smartphones, tablets and also PCs that have been infected. Lastly, vulnerable infrastructure which is exploited is quite common: Servers are often left running for years without provision for security updates. Many websites have been defaced due to lack of security audits to identify vulnerable code running.”
Mauritius also has taken steps to stop fake news, Kaleem said, with a penalty of up to 10 years in prison for those who knowingly post false information. He added that his country had dedicated portals and websites on which citizens can find “authentic information.”
Kaleem said the stakes in cyber security are higher than ever.
“The increasing reliance on the cyberspace brings new opportunities, but at the same time new threats,” he said. “As new crimes are developing at an exponential rate, the government recognizes the serious threats posed by cyber criminals and the impacts on the critical infrastructure of the country.”
Kaleem and other experts say that there are some basic security controls that all organizations should have, including up-to-date antivirus software, a firewall and strong application-specific passwords. Then there is the matter of using common sense: Think before you click.
The ongoing COVID-19 crisis has caused an increase in cyber crimes, experts said.
“During this crisis, which prompted more reliance on computer systems, mobile devices and the internet to work, communicate, shop, share and receive information, a sudden surge in cyber incidents was noted,” Kaleem said. “A change in the cyber threat landscape in Mauritius was observed. Phishing campaigns, online scams, including extortion, posting of offensive content, were the ongoing trend, compared to other traditional types of incidents such as identity theft, cyber bullying, hacking, amongst others.”
As digitalization advances, so do the risks, experts say. Subheer Ramnoruth, director of the Whitefield Business School in Curepipe, Mauritius, said people are “vaguely aware” of cyber security risks, which only makes them more prone to online threats.
“For instance, when one downloads a mobile phone app, have we ever questioned ourselves why does the app ask us for permission to view our pictures or call logs?” he told Defimedia. “Or do we venture to see if these are genuine apps or fraudulent ones? Why would a company invest hundreds of thousands of [Mauritian] rupees in developing an app and then give it online for free to everyone? Surely there is another motive.”
Security Must Remain Open And Accountable
Dr. Nathaniel Allen is an assistant professor for security studies at the Africa Center for Strategic Studies. He is responsible for overseeing the center’s academic programming on cyber security and peace support operations and integrating these considerations into the center’s research and outreach. He spoke by phone with ADF about Mauritius and its work on cyber crime.
ADF: Why is Mauritius one of the world’s leading countries in dealing with cyber attacks?
ALLEN: Mauritius has a couple of advantages that most African countries don’t: It’s a small, well-governed, upper-middle-income country. It is positioning itself as a regional and global business and financial hub, has a high rate of internet penetration, and a robust ICT (information and communications technology) sector. These factors make cyber security a very important issue for Mauritian policymakers and industry stakeholders. They have both invested a lot in making sure that Mauritius has the infrastructure, human resources, legal frameworks, and multistakeholder relationships and institutions needed to effectively prevent and recover from cyber attacks.
ADF: Mauritius has established a way for people — public and private — to go online and report cyber attacks. Is this something new? Are other countries doing it?
ALLEN: It’s a best practice in dealing with cyber attacks. Mauritius’ online reporting system is managed by its national computer emergency response team (CERT). CERTs are becoming increasingly common vehicles for countries and sectors to monitor prevent, respond to and manage cyber attacks. It is not yet a standard practice in Africa, where more than half the region’s countries lack a CERT. The CERT of Mauritius was established in 2008, so it’s been ahead of the pack.
ADF: Could other countries emulate what Mauritius is doing? Should they try?
ALLEN: Absolutely. I think other countries in Africa should take a strong look at how Mauritius is managing its cyber security challenges, and it’s only going to be a matter of time before they have to. Internet penetration across the continent is still relatively low — between about 30% and 40% — but is expected to rise to 75% by the end of the decade. As more countries become connected to the internet, and as more individuals get broadband, vulnerabilities will increase, and so will the importance of cyber security. The countries in Africa that already have a high level of internet penetration tend to have the best cyber security policies. As the number of people with internet access rises, the use of cyber security will have to follow.
ADF: Do you think Mauritius’ status as a well-established democracy has anything to do with its cyber crime efforts?
ALLEN: Yes. Mauritius has found a way to prevent and respond to cyber crime while maintaining its status as a democracy that is respectful of its citizens’ civil and political liberties. I think it is crucially important to give the security sector a role that enables it to effectively address and manage the threat from cyber crime, but also remain committed to open, transparent and accountable security-sector governance principles. This is one of the central challenges many governments across the world — including in Africa — face going forward.
ADF: Mauritius is working closely with banks in dealing with cyber crime. What other aspects of society, or businesses, do you see the country working with to stop cyber crime?
ALLEN: Because it is a nerve center for the rest of the economy, the financial sector has always been a key partner for governments when it comes to responding to cyber crime. Banks tend to devote significant resources to managing threats from things such as illegal wire transfers for credit card fraud. This makes them a natural partner for any government. Given Mauritius’ attempts to position itself as a financial center for much of Africa and Asia, the relationship is all the more crucial. ICT is also increasingly becoming embedded in our daily lives and across many different sectors; most business and sectors are dependent on ICT or ICT infrastructure in some way, which makes cyber security all the more crucial.
ADF: Where does Mauritius go next in fighting cyber crime?
ALLEN: Hopefully, only upward. However, the COVID-19 pandemic is already proving challenging, as cyber threat actors in Mauritius and across the world are increasingly exploiting the pandemic to conduct spam, phishing and other kinds of social engineering. Fake news and disinformation related to the pandemic is also a problem. But I think the biggest danger of the pandemic is that it has already affected the country’s economy. But the pandemic is also in many ways speeding up moves toward ICT-driven development. So we’re in a period of great uncertainty now.