As the continent improves its communications infrastructure, it becomes a bigger target for cyber criminals
Separated by cultures, religions, languages and 8,458 kilometers, Morocco and India appear to have little in common. And yet, in late 2018, the two countries signed a memorandum of understanding (MoU) to work together on several fronts.
One of the problems the two countries share is cyber crime. According to India’s Policy Commission, India ranks third in the world in terms of internet users, after the United States and China. India’s internet use grew sixfold between 2012 and 2017, with an annual growth rate of 44 percent. With that growth has come cyber crime: The country ranks seventh in the world in sending out spam and ranks among the top five countries afflicted by online crimes.
Morocco’s judicial police recorded 1,091 cyber crime cases in 2018, compared with 765 cases the previous year — a 33 percent increase. Moroccan police recorded 435 victims of online sexual blackmail, including 125 non-Moroccans, with 267 arrests.
The MoU means the two countries will work together on cyber security. “The MoU aims to promote closer cooperation for the exchange of knowledge and experience in detection, resolution and the prevention of security-related incidents for both sides,” a news release said. “The implementation of the MoU will result in significant mutual benefits in India’s cyber security sector, through institutional and capacity-building with Morocco.”
Morocco has been among Africa’s leaders in trying to address cyber crime. It requires companies to comply with laws on cyber crime, the protection of personal data and electronic exchanges.
The United States-based Brookings Institution says the average cost of cyber crime for businesses throughout the world has increased 22.7 percent since 2016. Data leaks have increased 27 percent. A single attack of the WannaCry ransomware in May 2017 hit more than 400,000 computers in 150 countries in a matter of days. As of early 2019, intelligence officials said, the WannaCry ransomware was still on hundreds of thousands of computers, albeit in a dormant state.
In a 2018 report, Brookings wrote, “As cybercrimes are threatening companies all over the world, the risk is even higher for African businesses.” Although Africa is comparatively limited in its communications infrastructure, its low level of cyber security has made it a prime target of cyber criminals.
Computer security is not a new problem for Africa. In a 2016 study, the Business Software Alliance said that 57 percent of software installed in Africa and the Middle East was pirated, promoting cyber attacks and causing a potential loss of $3.7 billion. Computer scientist Tariq Khokhar said, “It wouldn’t be unreasonable to say that 80 percent of all computers you find in Africa will have some nastiness on them.”
The nations of Africa will not thrive without addressing cyber security. The European Union’s General Data Protection Regulation, which the EU describes as “the most important change in data privacy regulation in 20 years,” went into effect in May 2018, and African countries wanting to maintain commercial relations with Europe will have to comply with the union’s rules.
Cyber crime affects every facet of life in Africa. The “Africa Cyber Security Report 2017” said Africa’s banks and financial services account for nearly one-fourth of the continent’s cyber crime losses, followed by governments, e-commerce, mobile-based transactions and telecommunications.
NIGERIA’S PARTICULAR CHALLENGE
Even before the internet, Nigeria was infamous for its scams, such as the “Nigerian prince” who has inherited wealth but needs someone’s bank account number in which to deposit the money. As a result, Nigeria has had a head start in addressing cyber security. In a June 2013 study by the International Journal of Cognitive Research in Science, Engineering and Education, researchers laid out the basic steps for any system to address cyber crime:
- Educate citizens to continually maintain and update their computer security systems. Corporations and organizations must also be required to learn best practices for effective computer management.
- Establish programs and information technology forums for young people, which not only equips a new generation to deal with cyber crime, but provides new jobs for a class of people that has been underemployed.
- Use address verification systems to ensure that the address on product order forms matches the address of a buyer’s billing statement.
- Employ interactive voice response terminals, a type of technology that collects a “voice stamp” or voice authorization and verification from customers before orders are shipped.
- IP address tracking makes sure that the IP address on a customer’s order is from the same country included in the order’s billing and shipping addresses.
- Use video surveillance systems.
- Anti-virus and anti-spyware software prevent and stop computer viruses and restrict “back-door” intrusions into computer systems.
- Firewalls protect computer networks from unauthorized entry.
- Cryptography codes information so that it can be decoded only by the sender and the intended recipient.
- Cyber ethics and cyber legislation require internet service providers and their customers to take measures to protect themselves from cyber crimes.
DEFENDING AGAINST CYBER CRIME
Landry Signé and Kevin Signé, writing for the Brookings Institution, say there are four steps that African businesses must take to deal with cyber crime. Although the steps are aimed at the business sector, they also are good practices for other sectors.
1. Design and deploy cyber resilience: In its “State of Cybersecurity 2018” report, ISACA, formerly known as the Information Systems Audit and Control Association, said that four out of five security professionals worldwide believe that their enterprises were likely or very likely to experience a cyber attack during the year. Half of the respondents indicated that their organizations already had experienced an increase in attacks over the past year. Preventing or stopping cyber attacks begins at the executive level “by prioritizing and enacting procedures that will protect valuable assets and by integrating them as requirements into all business processes,” the Brookings report said. A company should raise its security measures by:
- Building its employees’ skills in information security.
- Securing its information systems and regularly updating its infrastructure.
- Using technologies for active surveillance.
- Implementing proactive detection and rapid response systems for security breaches and incidents.
- Performing regular security audits and penetration tests.
2. Develop cyber security skills: A shortage of experienced and skilled cyber security specialists may be the biggest problem facing the continent. Leaders in government and business must attract such specialists or find the means to train them. Keeping such specialists will be difficult. “African organizations must adopt effective strategies to face the brain drain of their most talented cybersecurity profiles,” the authors wrote. “Indeed, as they gain the necessary skills, those specialists become increasingly mobile and may choose to relocate, especially to Europe and North America.” Currently, less than 1 percent of security skill management programs address experimental recruitment and talent retention. By 2020, the authors said, that figure will rise to 20 percent.
3. Protect data integrity: Protecting data may replace confidentiality as the primary goal of cyber security. Many recent cases of ransomware, in which software hijacks a computer system or data until a ransom is paid, have highlighted the importance of data integrity. In cases where ransoms were paid, none of the companies was able to confirm that it ultimately got all of its data back. Companies and other sectors must improve security measures to prevent ransomware attacks and massive data corruption.
In addition to regular data backup, there are new technologies that record transactions across several computers linked in a peer-to-peer network. Some countries, particularly in North Africa, already are exploring new technologies to handle security threats. The Brookings Institution said that information security spending in the Middle East and North Africa grew 11 percent in 2017, to a total of $1.8 billion.
4. Integrate cyber risk awareness into the decision process: An organization’s cyber security goals, systems and assets should go beyond just the top management and the cyber security team. The goal is to “popularize cyber risk-aware culture at all levels.” The organization’s executives also “should be more aware of their accountability in case of a cyberattack and recognize the need for skilled managers to identify and act against potential cyber threats.”
ISACA says that worldwide, only 21 percent of chief information security officers report directly to the head of the company, while 63 percent report to the chief information officer. This structure means that these companies regard cyber security as more of a technical issue than a financial one, which ISACA says is a mistake.
African Countries Lead the Way in Fighting Cyber Crime
In dealing with cyber crime, the nations of Africa are handicapped by a lack of local expertise and a lack of laws addressing the problem. But there are countries that are handling the issue head-on. The “Africa Cyber Security Report 2017” by cyber security firm Serianu said these countries excel in dealing with cyber crime:
The tiny nation of Mauritius, with a population of just 1.2 million, has established itself as the information and communications technology leader in Africa. Government leaders say the country is championing the cause of a common cyber security law for all of Africa. Mauritius was among the first African countries to change privacy laws to comply with the European Union’s General Data Protection Regulation.
In its annual Global Cybersecurity Index for 2017, the International Telecommunication Union said Mauritius’ Botnet Tracking and Detection project allowed the country’s Computer Emergency Response Team to “proactively take measures to curtail threats on different networks within the country.”
“Capacity building is another area where Mauritius does well,” the index reported. “The government IT Security Unit has conducted 180 awareness sessions for some 2,000 civil servants in 32 government ministries and 20 years.”
The index ranked Rwanda second in cyber security in Africa. Like Mauritius, Rwanda is pushing for continentwide security protocols. Rwandan officials say their own protocols and laws stopped 8 million cyber attacks in 2017.
The index said that Rwanda “has a standalone cybersecurity policy addressing both the public and private sector” and is “committed to develop a stronger cybersecurity industry to ensure a resilient cyber space.”
The index ranked Kenya third on the continent, noting that the National Kenya Computer Incident Response Team Coordination Centre was coordinating cyber security at national, regional and global levels. As the mobile money capital of Africa, Kenya enacted its Computer Misuse and Cybercrime law in May 2018.
On December 19, 2018, the Communications Authority of Kenya said that the number of cyber attacks detected in the country grew to 3.8 million between July and September 2018, an increase of 400,000 threats from the previous quarter. In early 2019, the center warned the public that it had detected “Emotet,” a malware program that was targeting network systems worldwide.
Nigeria ranks fourth in Africa in terms of cyber crime defense, despite having a worldwide reputation for cyber scams and other cyber crimes. The tech media company IDG said cyber crime has been “an image nightmare for the country.” Even with its security advances, Nigeria lost $649 million in cyber crime-related activities in 2017, the highest amount on the continent.
However, the country is proposing a tax that would help agencies fight cyber crime. The 0.005 percent tax on telecom companies was proposed in the 2015 Cybercrime Act to train cyber security agents. Despite being Africa’s most populous country with nearly 200 million people, it has only 1,800 certified cyber security professionals.