www.cyberinafrica.com
The Africa's "Cyberscape"
perspectives from those leading the way
Issue 1
1
PERSPECTIVES from those leading the way
2
CYBER INSURANCE Sure way to cover your 6!
The new
3
DATA WAVE in Africa: privacy & Security
4
CLOUD SECURITY
Cyber Scape Africa
bringing Africa's cybersecurity to the fore
Cyber In Africa P. O. BOX 62371 - 00200 Uganda House, Kenyatta Avenue
M: +254 710 573 580 E: editor@cyberinafrica.com @CyberInAfrica
People are talking about cyber security in Africa. Africa has undergone through economic transformation in last few years. Recent economic reports release attribute the exponential growth to investment into ICT by both public and private sector. The East Africa for instance, has set already set pace as the tech hub in Africa with several flagship projects- Konza Tech City in Nairobi while investments in Mobile payment platforms has been on the rise.
The conversation on cyber security is taking place at the right time. The continents cyber security maturity is still wanting but more can be done.
This first issue of CyberScape Africa magazine is inspired by specific need to foster the conversation on cybersecurity in the continent- in print. It will be released on a quarterly basis and will embody subject matter, the industry scene, research and more. This magazine supplements works of CyberInAfrica.Com and Africa Cybersecurity Forum.
Cyber Security plays a critical role as Africa tech disruption. This is already evident from the recent Africa Cyber Security Report released by Serianu. Africa lost over $ 2 billion to cyber related crimes. This has a direct impact to the GDP of the countries as well profitability of businesses. Cyber crime is a silent killer to SME's in Africa as majority of the SME'S are unable to recover after a cyber attack.
Opportunities to get involved in this project include content contributions, sponsorships, marketing and more in line. Get your bran out and build your thought and opinion leadership with us. Send us an email or call us for a detailed talk.
The Cyber threat has been unforgiving to business operating in the continent. From the Ransomware havoc in 2017, DDOS attacks to online presence and BEC atrcaks targeting corporates. Government and organizations need to put more control measures to defend themselves from cyber threat epidemic.
We are eager to have you take a good look at and read this issue. More importantly, your feedback would be a gem to us. Share your thoughts with us via: editor@cyberinafrica.com
Cyber Security is a topic that has to be discussed in Africa. Africa business are operating on an international space where one regions regulations affects how business is to be conducted in Africacase in point GDPR. Organizations in Africa have to develop cyber security strategies so as they serve an international community. In addition local governments and regulatory bodies are demanding more from organizations in the quest of guranteering data privacy.
Editorial Team
04 04
THE PRIVACY TUSSLE
can there be a win-win?
It was a quarter to the hour of eight when I got home with weary and tired legs, surely I was famished and it was kenkey from my favorite vendor, hot pepper and fried eggs on the menu; just when I stuck my thumb into the kenkey Ga-man-style, a notification came through my phone and honestly I thought it’s payment hitting the account (man is hot); but no, it wasn’t in fact it was just a news item, citinewsroom.com has reported a story captioned “Communications Ministry fights BoG over mobile money data” well I chuckled, in my mind I retorted -what’s wrong with my “Ghana people“ again? I continued with the supper whilst I read the article in full, it caught my eye because it does contain a subject am passionate about, yes! data protection it is, the article stated in part “The Communications Ministry in a series of letters had asked the Bank of Ghana to release the data to a private contractor, Kelni GVG, which has been tasked to verify the amount of revenue generated by telcos. The Ministry specifically requested for disclosure of customer balances, transaction amounts, date and time of the transactions. However, the Bank of Ghana declined to grant the Communication Ministry’s request, arguing in a letter signed by its Secretary, Frances Van-Hein that disclosing such an information will breach the guidelines of Electronic Money Issuers and Data Protection Act.” So without wasting much time I decide to make a point or two after the food settles my unintended self-imposed fasting. So here we go, it is true that per section 91 of the Data Protection Act 2012, Act
05
843, the three (3) organs of State are bound by the provisions of the Act, more so when it comes to disclosure. Let just say quickly before I proceed that this is not meant to be a comprehensive lecture on data protection, on the contrary its just a brief touching on key issue I gathered, which is the outright rejection to disclose. As a practitioner, I will proceed to ask why the data is needed in the first place. Regulatory activities or? Well let me just presume and move on, having said that, section 63 of Act 843 should suffice for regulatory activities in so long as the reason fall under the exemptions provided, let’s assume again that it is for taxation or related purposes, then Section 61(1)(c) of Act 843 further allows for exemption for the purposes of the assessment or collection of a tax or duty or of an imposition of a similar nature. Generally, and as a rule of principle, the provisions of the law do not apply to data in so long as the data subjects cannot be identified from the set of attributes, which calls for anonymization or pseudo-anonymization. Well primarily once you properly anonymized data, then data subjects behind the attributes cannot be identified and that means the issues of privacy do not arise. This also means the systems disclosing and receiving the information respectively should envisage this in their technology; either as an added functionality or in-built with something called “privacy-by-design”, but then like I keep saying in various forums; if we build systems that are not resilient to the inherent risk and how to manage same; then due diligence can be
construed as negligible if not nonexistent. As I doze off now, and hoping am not missing the point, the exemptions under Act 843 are not blank cheques, it is exemption to disclose the information therefore all other principles under the law applies with full-force, i.e. accountability, lawfulness of processing, specification of purpose, compatibility with further processing, quality of the data, openness, security safeguards and data subject participation.
potential of appreciating the currency of the digital consumer; this currency is “trust” and therefore further providing competitive business edge, and in as much as one party as a regulator has the right of refusal over the other it is also the case that this refusal cannot be absolute in the face of lawfully justified exemptions. Let the parties re-look their positions.
The provisions of the Act 843 will override the Electronic Money Issuers (2015) Guidelines to the extent that the latter is a substantive law. It can also be a matter of regulator-to-regulator mutual understanding and of course measures of alternative effect under the context of the laws to create a controller-controller or controller-processor relationship and capture the lawful terms of use in a data transfer or exchange agreement as envisioned under the Act 843.
Desmond Israel, Founder - Information Security Architects (ISA) Ltd, Ghana
Permit me to leave you with some thoughts:
Privacy
If the truce won’t work, well I will just sleep soundly by recommending that under section 66, of Act 843 one can coerce the other with a court order to do the needful; but rightly so with lawful justification lest the court throws you out for want of lawful justification.
- like eating and breathing is one of life's basic requirements.”
As the night settles into its late hours may we be reminded that data protection however is a fundamental human right, it's regulations governing data processing is not an outright show-stopper but a business enabler with the
Katherine Neville
06
CYBER SCAPE AFRICA | Q1
2019
CYBER SECURITY LANDSCAPE IN 2018 South Africa suffered tremendously with a mountain of Data Breaches, and cyberattacks in 2018. According to a Trend Labs report, over 133 million incidents of malicious code were detected in South Africa which led to the Information Regulator concern about the increasing number of cyber attacks affecting personal data. Under South Africa’s Protection of Personal Information Act (POPI), companies or their directors that neglect their cybersecurity could face up to an R10 million fine or 10 years imprisonment.
Master Deed’s data breach “biggest” digital security threat in SA
Ster-Kinekor’s database compromised A flaw in Movie theatre chain Ster-Kinekor booking site was found that consisted between 6 and 7 million users in the database. Of those, 1.6 million people had email addresses linked to them on the movie theatre chain’s database.
According to iAfrikan CEO Tefo Mohapi who revealed that over 60 million South Africans’ personal data, from ID numbers to company directorships, was believed to have been affected. The information was traced to Jigsaw Holdings, a holding company for several real estate firms including Realty1, ERA and Aida. The information reportedly came from credit bureau agencies and was used to vet potential clients. The information was stored in an easily accessible manner on an open web server.
Presidency Website Hack The site thepresidency.gov.za came under attack after it was hacked and defaced by a group of ‘hackivist’ Users trying to access the site where statements from the South African presidency can be found were greeted by a notice saying: "Hacked by Black Team. Sahara is Moroccan. And Morocco is ur Lord! (sic)"
Liberty Life Attack Liberty Life had its data breached and potentially exposed the personal details of millions of clients. Liberty Life alerted its customers by sending out a text message warning them that it had "been subjected to unauthorized access to its IT infrastructure, by an external party".
Doreen Mokoena
01
THE 2019 CYBERSECURITY FORECAST As cryptojacking, supply chain attacks, and mobile malware raise the innovation bar in the threat landscape: there are foreseeable drivers of significant change in cybersecurity practices for the coming year.
It is Going to Be Very Cloudy In a recent report, Gartner shows that the cloud market is projected to reach a staggering $206 billion in 2019, from $175 billion in 2018 and $145 billion in 2017. It’s the simplicity and flexibility that will make cloud services more popular and their adoption to keep growing significantly. With the cloud being embraced at unprecedented rates, organizations will have to manage more and more applications and data in the cloud, turning system administrator jobs into real time-consuming and repetitive tasks. Companies of all sizes will be looking to manage their cloud architecture with tools that can automate different processes. Automation will simplify cloud administrators’ jobs by saving costs and time and eliminating manual processes such as sizing, provisioning or backup jobs.
Data Protection Legislation Gaining Ground in Africa In Africa, the number of data protection laws are increasing. More cooperation with cybersecurity initiatives, the move towards formalising data protection frameworks will continue to increase. Many countries including Angola, Botswana, Ghana, Kenya, Malawi, Mozambique, Mauritius, Namibia, Rwanda, Tanzania, Zambia, and Zimbabwe have taken the plunge, and others in the region will soon follow as they wake up to the urgency of national security and data protection for their citizens. As digital maturity varies across the continent, the framework for these countries to roll out their own version of GDPR could take some time to develop, and the path ahead is not straightforward. However, 2019 could be the year many countries take the first steps towards protecting their citizens’ data.
Although cloud computing helps simplify a few areas of security and digital transformation, it also presents newfound challenges such as backup and disaster recovery (DR). Going forward, enterprises must ultimately have the processes, technology and – most importantly – people in place to keep systems adequately secured.
It may take several years before a similar region-wide framework emerges in Africa, but businesses can use the European GDPR’s policies as a framework to start minimising unnecessary personal data collection, which could help minimise risks and exposure in the process.
The Weakest Link: Supply Chain
Nasty Attachments on Business Emails
Digital technology has helped break down barriers to globalization and sharing of data and networks have empowered organisations to embrace new efficiencies through connectivity and analytics. However, there is a downside as vulnerabilities of sensitive data being exposed to opportunistic attackers who prey on weaknesses in existing security in the supply chain. These cybersecurity risks have become more apparent in the vertical industries and will be nearly impossible to avoid as the global supply chain becomes increasingly complex.
In Africa, the number of data protection laws are increasing. More cooperation with cybersecurity initiatives, the move towards formalising data protection frameworks will continue to increase. Many countries including Angola, Botswana, Ghana, Kenya, Malawi, Mozambique, Mauritius, Namibia, Rwanda, Tanzania, Zambia, and Zimbabwe have taken the plunge, and others in the region will soon follow as they wake up to the urgency of national security and data protection for their citizens.
To reduce this kind of risk firstly, identify what information is being shared with which vendors to understand who has access to your data. Next, develop a policy that your vendors must adhere to in order to access and protect your data and determine what cyber insurance policies vendors have in place should an issue arise. Then, set up an ongoing real-time monitoring tool which can flag problems experienced by particular vendors, such as active malware or bots coming from their networks. CSOs will need to conduct deeper assessments of their current vendor relationships and look carefully at traffic within the network (especially third parties) to ensure sensitive information is kept separate and secure. Critical infrastructures and applications must always be up to date.
As digital maturity varies across the continent, the framework for these countries to roll out their own version of GDPR could take some time to develop, and the path ahead is not straightforward. However, 2019 could be the year many countries take the first steps towards protecting their citizens’ data. It may take several years before a similar region-wide framework emerges in Africa, but businesses can use the European GDPR’s policies as a framework to start minimising unnecessary personal data collection, which could help minimise risks and exposure in the process.
Article by Frampol Africa
CYBER SCAPE AFRICA
2019
PRIVACY OUTLOOK FOR AFRICA IN 2019 The past year has been an interesting one on the continent for privacy. The coming into effect of the European Union General Data Protection Regulation (GDPR) birth a new level of consciousness for privacy on the continent. The year also witnessed the publishing of a guideline on data protection by the Internet Society. In addition the year witnessed a country like Uganda enacted its own Data Protection law, some African countries signing the Council of Europe Modernised Convention 108 and the Paris Agreement on responsible use of internet. Africa is not left out of the global conversation on privacy.
Trend in 2019 •
More regulations
•
More African countries will ebb towards enacting a data protection legal framework. Different African countries are currently at different legislative phases for a data protection legal framework.
•
ACFTA and Cross border data transfer
The signing of the African Continental Free Trade Agreement has been touted to steer a new economic direction for the continent. Beyond the issues of trade, there are imminent privacy concerns that stems from cross border data transfer. I expect as the full implementation of the trade agreement comes to life, the concern around misuse and security of data moving across border and whether protection is offered in such jurisdictions will be of concern.
•
Increase in data collection
The continent is witnessing rise of technology startups. Typically, their business model relies on the use of data generated by the interaction of users. The more startups, the more data collection. The point of concern is if these startups consider privacy by design or have privacy immersed in their operations. The lack of data protection laws in most African counties is another cause of concern. However, I expect to see more startups who are looking at global competitive advantage to build a privacy conscious business model.
•
Surveillance
Major reports on the state of digital rights in Africa in the past year has shown increasing surveillance capability by governments. Internet shutdowns and censorship is not unknown to the continent. We are seeing more laws inclined more towards using national security to invoke “lawful interception” of communication, and in most cases no transparency mechanism to review such use of power. The arbitral use of government power has privacy implications on the lives of Africans and I do not expect to see it slow down significantly.
Privacy at the centre of it all
There is wider conversation around the ethics and misuse of personal data. The Cambridge Analytica showed the continent is not immune to such abuse. I expect to see increased conversation around privacy and the intersection of privacy and increasingly ubiqutous technologies. Data subjects are becoming more aware of rights and risk from misuse of personal data. Data subjects in the continent will demand more control over their personal data.
Conclusion 2019 will be a significant year for increased awareness about data protection in Africa. My expectation is seeing more African countries ratify the African Union Convention on Cybersecurity and Personal Data Protection, sign the Council of Europe Modernised Convention and commit to the Paris Agreement. I would like to see African counties develop their privacy framework with attention to peculiarity of their society. Lastly, I would like to see a continent-wide privacy framework for the online protection of the African child.
Ridwan Oloyede Famsville Solicitors ridwanyomi@gmail.com
01 09
BEHIND THE BRAND
NEIL’S INTERVIEW So, who is Neil Padmore in the world of cybersecurity? I have been in the technology sector for just over 20 years. I originally started in the banking sector in the late ‘90s. Started by working in the banking sector in the EFT section. Shortly afterwards got involved heavily in IT support for a couple of organizations. Then in 2004 we started Frampol which has now grown into Southern Africa’s largest managed services provider for turnkey cybersecurity solutions and communication connections. We are an internet services provider offering internet solutions to our customers. Am passionate about customer care and the customer experiences. We really are trying to bring customer amazement to Africa. We don’t like that our customers are saying thank you to service providers. We really feel service providers should be saying thank you to our customers. So customer care is at the heart of our business model.
You have been in the technology industry for two decades now. How was it starting out and how have things changed? It is interesting you have mentioned that. I have never been an entrepreneur with big visions. I have never wanted to be an entrepreneur of a big company. I’ve always thought bigger in business is not always better. I believe honestly, and this will fall in the face of what many entrepreneurs will say or do or put forward. The reason is that one has to know their limits and the limiting factors of their environment. I believe strongly that things that grow slowly, grow very strong. So Frampol when I look back at the last 14-15 years, am grateful for our slow but steady growth. It means that the whole team can grow with the organization and that our growth has real substantive foundation which is very vital.
A lot has changed. We started internet service providing 11 years ago in 2007. Our first internet link was 62Kb/s – now we are delivering 70-80Mb/s. A lot has changed and with it the cybersecurity landscape and the threats to network, etc. It is also important to mention that our primary revenue practice and services have changed seven times in 14 years. That is because we are a rapidly evolving sector. If we did not change, we’d have closed by now because we’d not have been relevant.
And what do you think of the wave of venture investments, accelerations and the like. We are living in a microwave society with remote controls, electric gates, auto-driving vehicles. We are a generation of quick fixers, wanting everything in quick fix. As a result that is also into the VC market-where organizations with a lot of money are wanting quick returns almost at any cost. My world-view is that real growth and real returns take time. So, yes am a huge supporter of startups, innovation and creativity being stimulated especially in our mother continent Africa, where we have got so much human potential with so much creativity coming out of the human resource. We should not spread the gospel of quick fix but that of hard work backed-up by honesty and integrity, over a period of time offers the best basis.
What are some of the dramatic or scary risks you have ever taken in the journey of Frampol and serving cybersecurity to the market. By virtue of the fact that I live and work in Zimbabwe, I think I can appreciate that am not that risk averse. Zimbabwe to a foreign investor appears like a high risk, high volatile, loose-your-shirt type of location. Truth is I believe honestly in the Chinese proverb that says: “In the midst of difficulties, there are a lot of opportunities”. Know what we are all Africans, we were born into risk. Risk for us is something we face everyday. I thrive on it and as a result this question is difficult to answer – because we are so used to risk. I don’t see Africa as a risky continent, I see it as a continent of opportunities. The sanitized business environments of US, Europe or Australia unfortunately has caused them to be risk averse. The biggest risk is an entrepreneur with an idea going to company registry and registering his business. For everyone reading this interview, my biggest encouragement is – go out there, register that company and start trading on day one.
Of Businesses following problems Exactly. One of the difficult many people have is that they can’t identify problems with ease. That probably is a result of our schooling system which has taught us to not think outside the box. We need to be a people that ask “why”. The folk in Israel – the startup nation – have no hesitation questioning authority. If a superior says do this, it is not disrespectful for them to ask why. In fact, it is encouraged.
What is your view of cybersecurity in the southern Africa? There is a lot of naivety about cybersecurity. It is really being ignored to a great extent and a lot of organizations are putting their heads into the sand – not facing the cyber risks that there organizations are susceptible to. So for us and our customer base, it’s a constant raising of awareness to bring their attention to the matter. Even when we do, there is a huge amount of skepticism that we are trying to sell irrelevant products for a problem that don’t exist.
What do you think is the most pressing need that need to be dealt with first in cybersecurity in the region? Number one, user education. The biggest risk in organizations are users clicking links in untrusted email and divulge usernames and password.
Having started and grown Frampol Africa to what it is – what would you tell folks who want to establish start-ups especially in cybersecurity? The right products and services and the right team members. We at Frampol have created a team of similar-minded people with a common vision so far as right products and services goes - with passion for customer care and service. In short, the right tool for the right people and vice versa.
What would be your top three cybersecurity business opportunities in Africa. Some of the areas we are operating in and we are looking for partners across Africa to deploy them in reselling basically include: first, firewall deployment. Secondly, cybersecurity education and training for users. And thirdly, hands down, appropriate anti-virus solutions that are cloud-based light on resources and that can be centrally monitored and managed. Also, we have automated penetration testing and vulnerability assessment. These have upward potential for revenue generation.
What are the fears of top level management regarding cybersecurity and how they can be helped. Right. The only way to engage these top-level management guys is with private, one-on-one engagement in my experience. Because many of them do not appreciate to understand the cutting edge technology, so they therefore shy away. The natural approach is first denial. Second, they start resisting change or threat to their business. So, one-on-one engagement- getting them privately, letting them ask what they think are silly or simple questions – giving them the freedom to express their insecurity in a private setting. Many executives know they don’t know the risks. They don’t want to publicly show their lack of knowledge and understanding.
Do you think CISOs should be part of the “big boys” – the board? Absolutely. Critically important. Cybersecurity needs board representation. Herein lies the opportunity for virtual CISOs – one skilled person who can be on the board of multiple companies.
Now, you are down to and keen on customers and people. Tell us about the Helping Zimbabwe project you and Frampol run. Key, when engaging with the customers, ask questions; about their challenges, expectations, budget – this way you are able to understand the customer needs deeply. Helping Zimbabwe is a private voluntary organization – a branch of Frampol- through which we pour some resources back to the community. With started with planting indigenous fruit trees in and around industrial areas in town. Also, litter collection and recycling. We feel as a tech company we should put back to the community, helping Zimbabwe.
BUG BOUNTY HUNTING In this article,I shall focus on one of the ways you can ďŹ nd bugs - a question that I get asked ever so often by people who want to join bug Bounty hunting. We shall be guided by Owasp Top 10-2017 A9- Using Components with Known Vulnerabilities (https://www.owasp.org/index.php/Top_10-2017_A9-Usi ng_Components_with_Known_Vulnerabilities.).
Most of the work is done during recon and this is probably the most important step. I like using Shodan, Google dorks and zoomeye to narrow down to assets of interest. Be on the lookout for advisories especially from the most commonly used softwares; in this article I shall show redacted demos of bugs that I have got bounty from by using Owasp Top 10-2017 A9.
Examples:*
1. Vulnerable Jenkins without authentication: Recon: I used Shodan to search for Jenkin instances and narrowed down the assets that had a bug bounty program (it is important to stick to programs that allow for vulnerability disclosure, otherwise it is criminal)
https://www.shodan.io/search?query=x-jenkins+200 From this, I got a couple that had no authentication and over and above saving several credentials in the code, they allowed me to install a terminal and could have execute code as a jenkins user or root. Full write-up is at https://the-infosec.com/.../from-shodan-to-remote-code-execution-1-hacking-jenkins/
13
2. Unpatched Oracle E-Business suite instances: Recon: I used a combination of google dorks and shodan to identify Oracle EBS instances for my targets. Google dork: inurl:/OA_HTML/
You could use the same for Shodan. https://www.shodan.io/search?query=OA_HTML
Narrow down to your target and try to discover vulnerabilities. Common vulnerabilities I get bounty for include: default credentials, XSS, open redirect (https://www.exploit-db.com/exploits/43592). The writeup for the XSS and default credentials is here: https://the-infosec.com/2018/11/06/oracle-ebs-security-auditing/
3. Vulnerable Kubernetes instances without authentication: K8s use the etcd as the database and commonly runs on port 2379.
Over and above the common vulnerabilities on Kubernetes information disclosure is common - API keys and other credentials can be leaked without authentication by requesting http://example.com:2379/v2/keys/?recursive=true
14
4. Vulnerable Jira instances Following this advisory CVE-2017-9506, attackers were able to exploit the open redirect, chain it to an SSRF and reected XSS. To get Jira instances one can use the google dork below. Other Atlassian products were also aected.
5. Vulnerable Apache struts which allows for RCE This list would not be complete without mentioning one of the biggest bugs in 2017 and early 2018. Surprisingly, not all companies have this patched! Google dorks FTW!
Using commonly available tools, and the vulnerable version of Apache Struts leads you straight to a nice shell - a P1 vulnerability.
15
The above are just examples of how to find bugs for the bug bounty hunters and most importantly for blue teamers on how they can identify what is being exposed on the internet and how they can remediate before the black hats exploit the vulnerabilities. *The examples are for bugs that have been reported and closed. Public disclosure has been discussed with programs. The examples are also to help the Blue teams to understand the vulnerabilities and remediate. Takeaways: • Be on the lookout for advisories - this is especially important for hunters and blue teams • Learn to use google dorks, shodan, zoomeye etc. Also, contribute to these forums #PayForward; don’t be a leech! • Script for efficiencies - remember bug bounty is a competition among hackers; the faster you can complete a task, the better. The author has been acknowledged and rewarded by multiple companies globally and regularly blogs at https://the-infosec.com and regularly contributes to exploit-db. He can be reached on twitter @emenalf.
16
THE C-SEAT Interview with Steve Mambo, COO Yelbridges.
3. Anything super interesting or dramatic you have done in your career or say you have seen in your time Dramatic? We once gave a client recommendation to improve their security posture. They ignored, a few months after they were compromised with the attacker leveraging on the same vulnerabilities we mentioned to the client. You can imagine me telling the client – You know I told you these things.
4. Now, cyber insurance - you are among only a few folk dealing in it in Africa. What is it about & how does it work in brie? Tell us, what made you get into it considering its not a well understood area around. Really!! Cyber insurance is new frontier in Africa and globally its less than 20 years old. I agree cyber insurance is unchartered water but as a captain leads ship there is an opportunity to craft out a new route for cyber risk transfer. The idea behind cyber insurance is transferring the risk and protection from financial losses from cyber crime. Cyber insurance policies cover an organization from both direct and indirect losses that emanate from a cyber crime. The losses here range from funds lost, incident management costs, and forensic investigation costs, regulatory fines, communication costs, just to name a few. Organizations that are victims of cyber crime have to deal with those costs which have a negative impact on the financial performance of the organization. In Africa, cyber crime is a silent killer to SME’s as majority are unable to recover after an incident. Cyber insurance comes in handy to address the financial loss from such incidents. An organization that is covered on cyber crime is highly likely to survive and attain cyber resilience in the long run.
1. So, tell us who Steve is & what you currently do in cyber security Am a cyber security consultant, spending most of my time advising organizations on how to best secure their enterprises. Am also involved in other initiatives that promote growth of the cyber security industry in Africa.
2. You have been in the field for a while now, how was it starting out and your journe till thus far I gained interest in cyber security in 2009(back then we still referred to it at Information Security). Around that time digitization was starting to gain speed and I realized a gap in security – few organizations understood the real impact of cyber security on their operations.
5. You consult in cybersecurity testing and audit too. Any thoughts on the business outlook and marketplace for these information security services. I usually recommend security audits (VAPT) as the end result gives a clear picture of the organizations security posture.
8. A quote by you: "Three things are inevitable in life: taxes, death and cyber attack." What's this about?
You get an answer - How secure are we? Secondly, of which I believe is important to the board/senior management is how to budget for cyber security. Cyber security MUST be incorporated in organizations strategy as failing to do so is preparing for failure. Cyber attacks will occur at some point and its important to organizations to accept that fact and prepare themselves to deal with that situation.
Its sad but true, the three are inevitable in life. The point here is to be prepared as at one point you have to deal with all. It’s just stressing the point that cyber attacks do threaten the existence of an organization.
There are quarters that argue that a pentest/security audit is dead. I disagree with them. Organizations still need security audits for the reasons mentioned above. Financial institutions were a lead for those offering the services but the importance of cyber security is now appreciated by almost all industries. The space is growing hence more players who can offer quality audits are needed in the space especially in Africa. Despite the importance of security audits organizations must plan for cyber resilience – the ability to sustain operations despite an adverse cyber attack. That’s what sets apart successful enterprises.
8 Cyber4Growth and YelBridge are your new projects. Tell us about these and what we should expect from them in 2019. Cyber4Growth is a project funded by German government and a no. of private corporate to promote growth of cyber security which a recipe for fair trade between East Africa and Europe. Europe is advanced in cyber security know-how while in E.Africa we are leaders in tech innovations e.g. MPESA, AfyaPoa etc. Europe is interested in doing business with E.African however they are concerned on our cyber security posture and secondly there are regulations (Security & Data Privacy) that must be adhered to before they do business with us. Cyber4Growth main mission is to provide hands-on training on cyber defense in a simulated environment. The participants will gain skills that will help them defend their organizations better building that bridge between the two regions. The project runs from Jan 2019, with participants from Uganda, Tanzania, Rwanda joining us in Nairobi. This is just a beginning of a bigger project that is expected to spread across the entire Africa.
6. Lets consider the cybersecurity environment in the region - your 2018 observations What should Africa anticipate in 2019 I call 2018 the year of regulations thanks to GDPR. Cyber security is dynamic and every year the industry is shaped by new threats, actors, innovations and of course new regulations. We are in post GDPR era where Data Privacy and Protection has gained ground globally. In Kenya, a number of cyber fraud cases that are in public domain have shaped how organizations handle their security. There also have been laws/regulations passed and regulatory bodies that contribute to growth of the industry. It’s a clear manifestation that cyber security is a corner stone to the growth of our economy.
9. On initiative you are already involved in is CyberSpeak LC - a homegrown cybersecurity events & meetup effort to prom infosec in Africa. Can you share more on this.
7 From a CEO perspective, what is your approach to cybersecurity especally when dealing with organizations.
CyberSpeakLC is yet another great innovation from the Savannah Silicon Valley –Nairobi. It’s an event & meet-up series that provides an opportunity to learn and connect with fellow professionals, thought leaders, actors and enthusiasts in the CyberSpace in Africa. Feedback from over 20 series (Online & In-person) clearly shows its something the continent was yearning for. Great strides have been achieved and lots of lessons. 2019 will be an exciting time for CyberSpeakLC and its followers.
Cyber security conversation has to start from the top. The board/senior management must give direction on how the organization is to deal with business risk – its no longer a IT problem, it’s a business problem. We always engage the boards of organization to create awareness which enables them appreciate what cyber crime can do to their business. That drives the conversation of how can you help us deal with this menace. It’s paramount to ensure that IT/cyber security teams are on your side as majority of the times they usually have brought the idea up but it was given the seriousness it deserved. Gaining trust from the two quarters is crucial to building a lasting relationship with your clients.
10. Any parting shots. In the near future successful companies will not just be defined by their financial performance but we also expect to see cyber resilience as critical factor in the equation.
19
Social Cybersecurity The growth of social media has changed the way cybersecurity works, we have been so fixated on the physical and networking side of cybersecurity. There is an emerging field on cybersecurity called social cybersecurity which tries to examine cyber security from a social side.
Social Cyber Security is defined as an emerging scientific area focused on the science to characterize, understand, and forecast cyber-mediated changes in human behaviour, social, cultural and political outcomes, and to build the cyber-infrastructure needed for society to persist in its essential character in a cyber-mediated information environment under changing conditions, actual or imminent social cyber-threats
Attacks are changing shape as witnessed in the Blue Whale challenge with has so far claimed more than 150 lives. The Blue Whale Challenge was a series of self-harm causing tasks that are propagated via online social media under the disguise of a “game.” The list of tasks must be completed in a duration of 50 days and they cause both physical and mental harm to the player. The final task is to commit suicide. The game is supposed to be administered by people called “curators ”who incite others to cause self-mutilation and commit suicide. The curators and potential players are known to contact each other on social networking websites and the conversations. between them are suspected to take place mainly via direct messages which are difficult to track. Another example is the use of fake news to confuse and misinform as well as the increased use of social media in terrorism recruitment. Cyber Threats in the social space could lead to the next world war due to misinformation. The question most raise is whether these social cyber threats are truly a cybersecurity issue or more of a governance issue. I strongly believe that within the few coming years the danger posed by a malicious tweet with outweigh those of a data breach. Social media has the power to connect millions if not billions of people immediately, and that can be abused by malicious actors. Tendai Marengereke, Harare Institute of Technology, Zimbabwe.
Cyber Insurance Threat Landscape is ever evolving
Technology has changed the world we live in – 50% of world population online who contribute to billions of interactions over internet on a daily basis. Business of the day is interwoven with technology – they are inseparable. Despite the opportunity harnessed from adoption of technologies in business there is need to address the risk of cyber attacks. Cyber attacks are inevitable; they have devastating effects on business and are getting more sophisticated day by day. Cyber resilience refers to the ability of an enterprise to run its operations despite an adverse cyber attack or data breach.
Security experts agree that there are no silver bullets in cyber security. No one solution can protect your organization from cyber attacks. In addition, despite the best solutions & controls in place an organization can’t completely secure its information due to the fact the threat landscape keeps on evolving. There too many unknown unknown’s (Threats you don’t know and you don’t know that they exist) which pose a greater risk due to the fact you can’t anticipate for them based on past experiences. Organizations are putting an emphasis on cyber defense as they set up blue-teams to be on the lookout of the attacks targeting the organization and working tirelessly to defend the organization from those attacks. The defense strategy has even enhanced with breakthrough technologies that enable automated defense. Artificial Intelligence (AI) & machine learning are enhancing the security posture of organizations by enabling quick learning and identification of outliers which could be indicators of compromise. Automation in defense promotes prompt detection enabling organization to proactively respond to the attack.
Cyber resilience aims to defend the organization against potential cyber attacks and ensure the organizations survival following an attack including minimizing customer harm, reputation damage and financial loss. Sophistication of the threat landscape can lead to catastrophic events to organizations – some may even go out of business. Organizations MUST accept that the inevitable will occur. Once that fact is accepted then focus should shift to how to reduce impact after a cyber attack/data breach.
Is Cyber Resilience necessary for a business?
It will happen Today economy and business environment runs on an interconnected world. The reliance of technology creates efficiency and effectiveness in delivering organizations mission however the same technology can be compromised rendering the usefulness of the technology. Acknowledging that cyber attacks are part of the game is an important realization. Once that has been accepted an organization will stop jumping like a headless chicken whenever there is a data breach reported in the media. Secondly, the organization becomes laser focus on – Response & Recovery. Two elements that are critical survival trait during and after a successful cyber attack.
21
GDPR is here
Cyber resilience is a structured journey not a random walk.
Regulators are putting pressure on organizations to protect customer data and ensure business continuity during & after a data breach. Article 32 says that personal data must be processed in such a way that ensures the security of data, including protection from unauthorized/unlawful processing, against accidental loss, destruction or damage by implementing appropriate technical and organizational measures. The article goes further to provide the security measures expected of the entities that are in scope of the regulation. The regulator expects the entities to cyber resilience in order to;
The journey starts off by understanding the business, its operations and strategy. What the marketing team is doing is important to the CISO who is developing a resilience strategy. A good understanding of the business gives a clear picture of the main functions that keep the business going and what are the main cyber risks that could potentially hurt the business. A good foundation is great, but organizations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cyber security incident. Beyond business and IT controls, it’s of paramount important for an organization to implement continuous monitoring to detect anomalies and potential cyber security incidents before they can cause any significant damage. Next phase is on building capacity on incident response measures which help the organization take necessary steps to minimize the impact of the attack. The essence of cyber resilience is to survive an incident and be able to return to return to business as usual following an attack.
• Provide ongoing confidentiality, integrity, availability and resilience of processing system & services. • Restore the availability and access to personal data in a timely manner in the event of physical or technical incident(which includes cyber attacks). The hefty penalty (4% of annual turnover) does promote security of organizations. Organizations will have a hard time explaining to their shareholders why they had to pay such penalties which would have been dividends paid out. The management will focus on cyber security to avoid penalties as well as the tough questions from their shareholders – either way it’s a win for the organization.
Building a strong foundation For Burj Khalifa to stand tall at 829.8M a strong foundation of over 45,000 m3 of concrete was used to construct the foundation. Structural engineers tell us that the strength of any building is based on the foundation. The same concept is applicable in cyber resilience – the ability to continually provide services to clients despite an adverse cyber attack is based on the organization cyber security programme.
22
Cloud Security How does one secure a cloud? With all the jargon, threats and ever-changing technology, securely tying down your digital assets may appear to be almost as impossible as trying to secure the real thing… I mean an actual cloud that floats in the sky, rains and shoots out the occasional lightning bolt. As convenient and “virtual” as the concept of a digital cloud in 2018 sounds, your precious data still needs to reside somewhere, and that somewhere like anything in life is still prone to theft, loss or attack. So, how does one secure a cloud?
Cloud security is basically a broad set of policies, technologies, and controls used to protect your data, applications, and the connected infrastructure of cloud computing. It is a sub-domain of computer security, network security, and more broadly, information security. It’s certainly possible to keep your personal and company’s data on cloud servers secure but cyber threats are evolving and cloud servers are a becoming a major target. Organisations and individuals are increasingly migrating to the cloud to process their IT resources. Gartner predicts that cloud data centres will process 92 percent of workloads by 2020.
Goldphish Cyber, SA
1. Data Breaches
4. Denial of Service attacks
A data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices. It might involve any kind of information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property. The risk of a data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers. 2017 for example was a huge year for data breaches. 143 million ordinary people were affected by the September’s Equifax breach, and in May 2017, OneLogin who provides identity management and single sign-on capabilities for the cloud services of over 2,000 companies worldwide discovered a major data breach. Over 1.4 billion records were lost to data breaches in March 2017 alone, many of which involved cloud servers.
Denial of Service (DoS) attacks are pretty simple for cyber attackers to execute, especially if they have control of a botnet. DoS attacks are designed to prevent users of a service from being able to access their data or applications. By forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space, or network bandwidth, attackers can cause a system slowdown and leave all legitimate service users without access to services. DDoS-as-a-service (Distributed Denial of Service) is also growing in popularity on the Dark Web. Now attackers don’t need know-how or their own bots; all they have to do is transfer some of their cryptocurrency in order to buy a Dark Web service. An effective DDoS attack on a cloud service gives a cyber attacker the time they need to execute other types of cyber attacks without getting caught.
2. Data Loss
5. Account Hijacking
Data stored in the cloud can be lost for reasons other than malicious attacks. An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire, flood or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data. Threats to your cloud data don’t always look like malicious characters in the shadows wearing hoodies. It’s easy to underestimate the risk of something bad happening to your data due to an innocent mistake and because it’s so “virtual”, so keep multiple backups at physical sites at different geographic locations.
Account or service hijacking is not new, but cloud services add a new threat to the landscape. Masquerading as legitimate users, operators, or developers attackers can read, modify, and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source.
3. Insider Threats Insider threats to cloud security are also underestimated. Most employees are trustworthy, but a rogue cloud service employee has a lot of access that an outside cyber attacker would have to work much harder to acquire. When an organisation elects to store data or host applications on the public cloud, it loses its ability to have physical access to the servers hosting its information. As a result, potentially sensitive data is at risk from insider attacks. According to a recent CSA report, insider attacks are the sixth biggest threat in cloud computing. Therefore, cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data centre.
24
6. Spectre, Meltdown and others – device and cloud vulnerabilities. Intel processors are having a Meltdown while AMD and ARM are being attacked by a Spectre. Is a James Bond villain making our computers freak out? No, it’s a new vulnerability found within these processors that affects Windows PCs, Linux, Mac, and even Android phones. System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a system to steal data, taking control of the system or disrupting service operations. At the beginning of the year (2018), everyone was talking about “Meltdown” and “Spectre” that potentially exposed data in everything from servers and desktops to tablets and smartphones. The flaws, which impacted the chips in many popular devices, allowed hackers to inconspicuously manipulate a common efficiency technique used to speed data processing. As a result, chip manufacturers and software makers scrambled to issue patches and work out the performance sluggishness that came along with blocking the risky optimisations. At the same time, though, a larger concern was also looming: Spectre and Meltdown represented a whole new class of attack, and researchers anticipated they would eventually discover other, similar flaws. In May this year (2018) researchers from Microsoft and Google’s Project Zero disclosed a new, related vulnerability known as Speculative Store Bypass Variant 4 (Meltdown and Spectre collectively make up variants 1-3) that impacts Intel, AMD, and ARM processors. If exploited, an attacker could abuse the bug to access data that is meant to be stored out of reach. Microsoft says that the risk to users from this bug is “low,” and Intel notes that there is no evidence that the flaw is being used by hackers. But it is a major cause for concern – what other “bugs” or “backdoors” into our devices and cloud-stored data might there be? Time will only tell.
For now though, prevent hackers from taking advantage of Meltdown, Spectre and others yet to be named: •
• •
Make sure to keep all the software on your computer updated, including web browsers. Keep Flash updated as well. Then run security software to be sure you don’t have any unwanted or malicious software on your system. Finally, be on the lookout for phishing emails. A hacker could use this to trick you into letting their malicious code onto your system.
THE NEW DATA WAVE IN AFRICA
BAN
KC ARD
569 J A C K S 2 3 MITH 985 147 9
APP PLE
ROV
ASE
598
8
ED
SIG
NH
ERE
:
Privacy and Security
The advancement in technology and proliferation of internet enabled devices has given birth to both security and privacy challenges globally. These technologies are increasing the generation, collection, processing, sharing and the use of data. The increase in internet penetration means more Africans and businesses are connected to the grid. A cyber-attack or privacy breach could have effect on productivity, impact on revenue and financial loss, erosion of trust, dent to brand reputation, risk of sanction and fines and risk to personal security. Africa is not left behind in the spreading wind of change.
26
Data fuels the commercial activity of our digital world. The privacy and safety of personal data are vital for the actualization of a digital economy. This requires balancing the comfort of technology, usability, the interest of commerce, privacy rights, and security concerns. Major events globally like the Facebook – Cambridge Analytica, Wannacry ransomeware, Arik Air data breach shows Africa is not immune from the growing phenomenon. According to a report, cybercrime cost the continent $3.5 billion USD in 2017.
The Wave
The way forward
Globally, the past year has been a remarkable one from both privacy and security point of view. The year witnessed more regulation and scrutiny around the subjects. The European Union General Data Protection birth a new wave of legislations across the globe including Africa. The increase in the cost and sophistication of cybercrime has drawn attention to the risk. According to a Symantec report on cybercrime and cybersecurity trend in Africa, there is rise of ransomware and cryptolocker, social media scams, and email threat, business email scams and vulnerabilities.
Building a stronger security and privacy framework will require a deliberate multi-stakeholder approach. The government, policy or laws, tools alone cannot curb the wave of security and privacy risk. Institutions need to regularly train their staff. Individuals will need to use more privacy friendly tools and other strategies to ensure safety online. Corporations processing and controlling personal data need to be transparent and accountable with dealing with personal data. Corporations need to build strong security culture into their ecosystem. There should be stronger case for privacy and security by design.
Regulating the wave
For African companies to build a global competitive brand, they need to take privacy and security compliance serious. Lastly, there is a growing need to make regulations to regulate emerging technologies that has privacy and security concern – but first, we need to understand these technologies.
The African Union Convention on Cyber Security and Personal Data Protection sets a strong intention for the continent. However, only 11 countries have signed the convention. “Currently, only 23 out of 55 African nations have passed or drafted personal privacy laws, and only nine of them have data protection authorities.” Uganda, been the most recent with her enacted data protection law. A good number of African countries do not have specific legislation on cybersecurity. A number of African countries have acceded to the Budapest Cybercrime Convention, the Council of Europe Modernized Convention 108+, and some are at different legislative phases like Kenya and Nigeria. Regulations will guarantee the rights of data subjects and right to seek remedy when there is breach, it also makes organisations more responsible.
Defending the continent’s Cyberspace Some African countries now have a Cybercrime law designating certain sectors of the economy as critical national infrastructure (CNI) which has led to the establishment of a National Computer Emergency Response Team (CERT). The core mandate of CERTs is to ensure the protection of a nation’s CNI’s. Egypt, Tunisia, Nigeria, Uganda and Morocco are example of countries with CERT. The Nigerian Army recently established its cyber warfare command with the responsibility of protecting the country’s cyberspace against aggression.
The Challenge The challenge plaguing the continent includes lack of legislations and harmonised framework, low number of data protection authorities (DPA) – only 10 African countries has a DPA, lack of investment in building strong resilience, inadequate skillset and capacity development, low awareness and understanding of privacy and security risk, lack or low reporting and notification, lack of framework for protection and security of cross border transfer of data. Lack of home-grown technology and inadequate framework for cyber insurance is also a problem
BSIDES IN A NUTSHELL Security BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional conďŹ nes of space and time.
Bsides Cairo is an information security conference which will host information security professionals, security researchers, academics, undergrads, graduate students, corporations and any person who wants to share knowledge and learn from others. We look forward to bring together experts, researchers and students to share their thoughts, projects, experiences to face together the current information security challenges of our days and to come up with new ideas and collaborations.
Our mission is to create a more knowledge-based event regardless of age, academic title or industrial position, and to provide the egyptian community with an alternative event by removing the current common industrial and marketing-driven conferences barriers and providing a more technical approach regarding all the organization aspects of an information security conference, from the speakers, to the target audience.
Responding to Risk in an Evolving Threat Landscape
Steps for Responding to Heightened Risk Step 1: Understand Risk You should understand that there will always be some level of risk in today’s cyber landscape. Working to define a businesses’ acceptable risk, and to determine what it will take to maintain an acceptable risk level, this will solidify your partnership if using an MSP. Keep in mind that security needs to be both proactive and reactive in its capabilities for risk levels to remain in check.
There’s a reason major industry players have been discussing cybersecurity more and more: the stakes are at an all-time high for virtually every business today. Cybersecurity is not a matter businesses can afford to push off or misunderstand—especially small and medium-sized businesses (SMBs), which have emerged as prime targets for cyberattacks. The risk level for this group in particular has increased exponentially, with 57% of SMBs reporting an increase in attack volume over the past 12 months, and the current reality:
Step 2: Establish Your Security Strategy
• • •
Step 3: Prepare for the Worst
Once you’ve identified where the gaps in your protection lie, map them to the type of security services that will keep those risks constantly managed. Providing regular visibility into security gaps, offering cybersecurity training and leveraging more advanced and comprehensive security tools will ultimately provide you with the desired state of protection.
Your SMB clients will be attacked. Basic security will not stop an attack. The MSP will be held accountable.
At this point, it’s not a question of if your business will experience a cyberattack, but when. That’s why it’s important to establish ongoing, communicative relationships with your MSP to improve risk level over time..
While MSPs may have historically set up clients with “effective” security measures, the threat landscape is changing and the evolution of risk needs to be properly, and immediately, addressed. This means redefining how your clients think about risk and encouraging them to respond to the significant increase in attack volume with security measures that will actually prove effective in today’s threat environment. Even if the security tools you’ve been leveraging are 99.99% effective, risk has evolved from minimal to material due simply to the fact that there are far more security events per year than ever before. Again, the state of cybersecurity today is pretty straightforward: with advanced threats like rapidly evolving and hyper-targeted malware, ransomware, and user-enabled breaches, foundational security tools aren’t enough to keep SMB clients secure. Their data is valuable, and there is real risk of a breach if they remain vulnerable. Additional layers of security need to be added to the equation to provide holistic protection. Otherwise, your opportunity to fulfill the role as your clients’ managed security services providerwill be missed, and your SMB clients could be exposed to existential risk.
Step 4: Get it Right with People, Processes, and Technology Keep your security goals well-defined and internal communication with your staff clear. Through a combination of advanced software and services, you can build a framework that maps to your specific security needs. Once you understand how to effectively respond to new and shifting risks, you’ll be in the best possible position to keep your clients secure and avoid potentially debilitating breaches.
Article by Webroot Blog
29
What's in store for cybersecurity in 2019? I've never been the one to give out predictions living in a world of technology and being a security knowledgeable person. This year has been a broadening scope of offensive and defensive moves, like chess pieces on a board, on such a wide playing field, your abilities were pushed to the limit daily. What I will say in 2018, it was a year of many succinct changes in Cyber Security. No longer are we seeing just targeted attacks from specific groups. But, largely organized attacks from Nation States, ( Russia, N. Korea, Germany, and China ), which leads me to believe in 2019 those attacks will become more focused and concentrated.
Privacy Protection
Voters Rights
This leads us into Personal and Protected Privacy of individuals. Just a few days before this writing. Australia, passed a law allowing the government to access encrypted data on devices, a “backdoor” of sorts of their citizens. Seeing as they do not have constitutional amendments and right privileges as we do in the states.
In the United States, this action leads us into voter fraud, and protecting of right of individual voters. Protecting the integrity of the system to make sure all those who can vote are allowed through opportunity to do without it being tampered with as we saw in 2016, and within the midterm elections of 2018. The voter system may need to go to 2FA, ( two-factor authentication ). Where you are identified by a government issued ID, and then a pin is sent to your phone for further verification. Simply, a password can not do anymore, two factor authentication will become the Industry standard from here on out for validation of identity.
The government can now go to Facebook and WhatsApp to remove encryption data features for its citizens devices. How do they now go about protecting data, that in a sense their government says, they have no right to their own privacy? Who's governing the people with the access, and with it what could they be doing with it? Imagine the amount of information that could be attained. ( Financials, photos, contacts, emails, and SMS text ), the list goes on. What a huge change in policy all under the guise of, “National Security”.
Ellington Shane, Ellington Consulting, USA.
“Train, Learn and Practice, what you “Train, Learn and Practice, what you know today is know today ischange obsolete and what comes tomorrow will everything.” obsolete and what comes tomorrow will change everything.”
DATA PRIVACY AFRICA SUMMIT
Experts drawn from regulatory authorities, government representatives, advocacy groups, the private sector, multinational companies and industry associations shared their desire for a continent-wide data protection/privacy framework and recognition by African governments of the critical role of data protection in the digitalization agenda.
Balaclava, Mauritius, November 23, 2018
A Digital Single Market for Africa
A multi-stakeholder Focus Group at the first ever Data Protection Africa Summit has called for African governments, policy makers and other stakeholders to prioritize privacy and data protection issues as part of digitalization initiatives including the creation of a Single Digital Market for the continent and implementation of national Identity and addressing systems. The African Dialogue meeting on the sidelines of the Summit also called for the harmonization of data protection laws of the various countries in Africa to enhance citizens’ rights and free flow of data within the continent to promote economic prosperity.
The Focus Group on the role of data protection in facilitating the Africa Single Digital market applauded ongoing efforts aimed at creating a Single Digital Market to complement the recently signed AfCFTA. The Group acknowledged the importance of removing barriers that inhibit the free flow of data within the continent to allow for the use of digital tools/services that enable e-commerce and Cloud related services to create and drive economic development and inclusion. They however recognized that Data Protection is crucial to gain the trust of citizens in Africa if African citizens and governments are to fully benefit from this digital transformation and have urged the need for regulatory alignment and interoperability for personal cross-border data to flow, be processed and stored unimpeded across borders within Africa, and between Africa and the rest of the world. The Group was mindful of the need to build capacity and develop policy/guidelines for data protection. In this regard there are plans to develop policy/guidelines and engage strategic stakeholders at different levels to facilitate the cementing of data protection as a cornerstone of the Single Digital Market initiative. The Focus Group would also submit a series of papers to provide expert opinion and guidance to relevant stakeholders.
31
National Identification and Address Systems
African Dialogue on the harmonization of Data Protection Laws
The Focus Group discussed digital identity and addressing, recognizing that national identification (ID) and addressing systems will empower Africans – irrespective of their economic status, ethnicity, location or financial situation – to benefit from the burgeoning digital economy. The Group was also of the conviction that digital identity is crucial for doing business, facilitating inclusion and creating access to social services for all citizens. The Group, aware of the risks associated with such systems, stressed the need for governments and policy makers to ensure that adequate data protection and privacy safeguards are put in place prevent abuse and misuse of personal information. Steps must also be taken to ensure accuracy and reliability of the information collected (data quality), the interoperability of systems and the adherence to other fair information principles and information security measures. The Group recommended that moving forward, information sharing parameters within government must be clearly defined in accordance with applicable laws, data protection frameworks and best practices to regulate information sharing within governments and between governments and the rest of the world. The Group was of the opinion that the interests of individual citizens should at all times be the paramount consideration. To facilitate this objective the Group would in the coming months develop a code of practice on ensuring data protection for the creation, development and use of national IDs and databases, digital identification and national addressing systems.
As the continent strives for economic prosperity, the African Dialogue (comprising regulatory authorities, advocacy groups, multinational companies and industry associations) deems it imperative that data protection laws are harmonized across Africa. The Dialogue were of the view that a harmonized framework must address the peculiar cultural, legal, cultural, political, economic needs of the African landscape, without compromising accepted international standards of data protection. They also emphasized that the approach to achieving harmonization must be driven by consensus that is practical, enforceable and relevant to the continent. The African Dialogue noted that to date only 171 out of 55 African countries have enacted data protection laws, with a few more undergoing the process of legislation. The continent meanwhile continues to miss out on massive investment opportunities for the digital economy, while many citizens’ fundamental rights to privacy are left open because of the lack of comprehensive data protection laws in majority of countries. To this end the African Dialogue would continue to identify and engage relevant stakeholders on the need to harmonize data protection laws on the continent. The Dialogue further called for the resourcing and strengthening of data protection authorities on the continent to enable them to facilitate the process of bringing Africa up to global standards of data protection to benefit from the enormous potential of the global digital economy.
Data Protection Africa Summit
About the Africa Digital Rights’ Hub
The Data Protection Africa Summit aims to build capacity, facilitate collaboration, showcase expertise and explore the issue of data protection/privacy on the African continent by creating an enabling environment for the collection and use of personal data as a strategic and critical resource for socio-economic development in the 4th Industrial Revolution. The summit is organized by the Africa Digital Rights’ Hub.
The Africa Digital Rights’ Hub is a not-for-profit think tank registered in Ghana that advances and promotes research and advocacy on digital rights across the African continent. Interested in the impact of digital technology on people living in the Continent, the Hub brings together academic researchers, stakeholders, policy makers, regional and international bodies to address digital rights issues in Africa.
DATA PROTECTION
Privacy outlook for Africa in 2019 Trend in 2019
The past year has been an interesting one on the continent for privacy. The coming into effect of the European Union General Data Protection Regulation (GDPR) birth a new level of consciousness for privacy on the continent. The year also witnessed the publishing of a guideline on data protection by the Internet Society. In addition the year witnessed a country like Uganda enacted its own Data Protection law, some African countries signing the Council of Europe Modernised Convention 108 and the Paris Agreement on responsible use of internet. Africa is not left out of the global conversation on privacy.
• Increase in data collection The continent is witnessing rise of technology startups. Typically, their business model relies on the use of data generated by the interaction of users. The more startups, the more data collection. The point of concern is if these startups consider privacy by design or have privacy immersed in their operations. The lack of data protection laws in most African counties is another cause of concern. However, I expect to see more startups who are looking at global competitive advantage to build a privacy conscious business model.
• More regulations More African countries will ebb towards enacting a data protection legal framework. Different African countries are currently at different legislative phases for a data protection legal framework.
• Surveillance Major reports on the state of digital rights in Africa in the past year has shown increasing surveillance capability by governments. Internet shutdowns and censorship is not unknown to the continent. We are seeing more laws inclined more towards using national security to invoke “lawful interception” of communication, and in most cases no transparency mechanism to review such use of power. The arbitral use of government power has privacy implications on the lives of Africans and I do not expect to see it slow down significantly.
• ACFTA and Cross border data transfer The signing of the African Continental Free Trade Agreement has been touted to steer a new economic direction for the continent. Beyond the issues of trade, there are imminent privacy concerns that stems from cross border data transfer. I expect as the full implementation of the trade agreement comes to life, the concern around misuse and security of data moving across border and whether protection is offered in such jurisdictions will be of concern. • Privacy at the centre of it all
• Conclusion 2019 will be a significant year for increased awareness about data protection in Africa. My expectation is seeing more African countries ratify the African Union Convention on Cybersecurity and Personal Data Protection, sign the Council of Europe Modernised Convention and commit to the Paris Agreement. I would like to see African counties develop their privacy framework with attention to peculiarity of their society. Lastly, I would like to see a continent-wide privacy framework for the online protection of the African child.
There is wider conversation around the ethics and misuse of personal data. The Cambridge Analytica showed the continent is not immune to such abuse. I expect to see increased conversation around privacy and the intersection of privacy and increasingly ubiqutous technologies. Data subjects are becoming more aware of rights and risk from misuse of personal data. Data subjects in the continent will demand more control over their personal data.
Ridwan Oloyede Famsville Solicitors
33
www.cyberinafrica.com/cyber-scape-africa-magazine
Cyber Scape Africa
bringing Africa's cybersecurity to the fore
Cyber In Africa, P. O. BOX 62371 - 00200, Uganda House, Kenyatta Avenue M: +254 710 573 580, E: editor@cyberinafrica.com @CyberInAfrica
www.scapecyberafrica.com