Keeping Cybersecurity at the Forefront of Digital Business

Being an Opening Address

By

Isa Ali Ibrahim (Pantami), PhD, FNCS, FBCS, FIIM

Minister, Federal Ministry of Communications and Digital Economy, Nigeria

&

Professor of Cybersecurity at the Federal University of Technology Owerri, Nigeria

at the

GISEC Global Africa Program

on

Wednesday, 23^rd March, 2022

All protocols observed.

May Peace, Mercy and Blessings be upon you!

Introduction

I am delighted to give this Opening Address at the auspicious occasion of the Africa Program of the Gulf Information Security Expo & Conference (GISEC). As the leading cybersecurity event in the Middle-East and Africa region, this conference affords Africa a unique opportunity to analyse the cyberthreats on the continent with a view to proposing solutions that will help us to create a secure cyberspace.

There is an ongoing datafication of society, with many services migrating to digital platforms , resulting in the generation of data anytime such services are used.  This transition has made it easier for users to go online and has also made it easier to make informed decisions on the best methods for increasing system efficiency and improving user experience online.  Unfortunately, datafication of society also makes it easier for cybercrimes to occur, at a scale much larger than physical crime.

Comparing Cybercrime and Physical Crime

In the case of physical crime, criminals need to gain physical access and this usually provides a clear evidence of its impact.  Such evidence can be broken doors, as well as forensic evidence like fingerprints and fibres.  Physical proximity is not required in cybercrime and attackers may be thousands of kilometers away, not even requiring a visa to travel to the location where they cause harm.  The detection of cybercrime is usually less conspicuous than physical crime.  Table 1 includes other attributes for comparing cyber and physical crime.

Table 1: Physical Crime vs. Cybercrime

According to a crime index survey by a crowd-sourced global database called Numbeo, the average crime index of top 9 African countries with the highest crime index comes to 63.75.  This crime index is 61% more than the average crime index of 9 of the countries with top economies, the average for these countries is 38.93. The values used in the survey varied from a minimum of 0 to a maximum of 100.  The crime index comparison indicates that there can be potentially more physical crimes in a number of countries on the African continent, when compared to the index of some other countries around the world.  This trend may also be reflective of our vulnerability to cybercrime as a continent and makes it imperative for us to be proactive in the area of cybersecurity.

For example, COVID-19 inspired a global adoption of digital platforms and this has led to an upsurge in cybercrimes around the world. The Executive Director of the European Union Agency for Law Enforcement Cooperation (Europol) captured it well in the 2020 Internet Organised Crime Threat Assessment.  She said “The pandemic prompted significant change and criminal innovation in the area of cybercrime."

The pace of innovation, the growing level of interconnectivity in the digital environment, as well as our “new normal” of high dependence on technologies has created a society that is exposed to security threats which are more numerous,  highly networked, more widely distributed, very adaptive, and can be quite difficult to isolate and deal with.

According to the 2021 Microsoft Digital Defense Report, there is a growing trend of cybercriminals for hire, much like physical criminals have also been hired for their services.  Figure 1 shows some of services offered by cybercriminals and the fees.

Figure 1: Cybercrime Services and Fees

According to Statistica, the average period between intrusion, discovery and containment of some of these cyberattacks can be up to 49 days as shown in Figure 2.  The trend shows that there is a reduction in the period taken to address cyberthreats, nonetheless any downtime can be costly to the institution and the economy.

Figure 2: Median time period between intrusion, detection, and containment of industrial cyberattacks worldwide from 2014 to 2019 (in days)

Impact of Cybercrime on Economic Growth

Cyber-attacks are growing at a rapid rate with more malware being launched than ever before.  According to the Chief Technologist – Security and Privacy for Personal Systems for HP, “A new piece of malware is released every day within 4.2 seconds. One of the problems that Chief Information Security Officers (CISOs) face is how to combat the sheer volume of malware bombarding us.”

The resulting damages of cyberattacks are not only increasing, but are unfortunately projected to cost the loss of approximately $5.2 trillion across the globe by 2023, according to Accenture. This is over 35% of the GDP of China, 137% the GDP of Germany or over 173% to GDP of the entire African continent. By all standards, this is a huge and expensive global threat. 

Cybercrime is one of the challenges resulting from the internet and is a great threat to the global economy. Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. This represents the greatest transfer of economic wealth in history and is one of the greatest risks against the drive for innovation and investment.  It is exponentially larger than the damage inflicted from natural disasters in a year, and more profitable than the most traded commodities across the globe.

Preparing Africa to Deal with Cybercrimes

African Statistics on Cybercrime

As Africa’s gross domestic product (GDP) reached $3.3 trillion in 2017, the cost of cybercrimes for the same year also grew significantly with Nigeria, Kenya and South Africa, recording the largest losses. According to a report by Serianu, a Kenya-based cybersecurity IT firm, cybercrimes cost African economies $3.5 billion in 2017 . In that year, annual losses to cybercrimes were estimated for Nigeria at $649 million, and Kenya at $210 million. Likewise, according to the South African Banking Risk Information Centre (SABRIC), South Africa loses approximately $157 million annually to cyberattacks.

For most African countries, unsecured telecommunication infrastructure has created an enabling environment for cybercrimes to thrive; a situation which partly accounts for the decline in productivity across several sectors. It is quite surprising to note that approximately more than 90 percent of African businesses are operating without the required cybersecurity apparatus.

Furthermore, the Africa Center for Strategies, in a 2021 Report, stated that Africa faces a growing 100,000-person shortfall in certified cybersecurity professionals. This is one of the reasons why I have been advocating for the grooming of cybersecurity professionals in Nigeria and Africa.

Africa as the Next Epicentre of the Global Tech Ecosystem

There is growing global interest in the African tech space and for good reason.  Africa is the fastest growing continent, with the youngest population, largest single free trade zone valued at about $3 Trillion, through the African Continental Free Trade Area (AfCFTA).

In addition to this, there is a rapid growth in the tech ecosystem; prior to 2015, there was very little Venture Capital flowing into the continent but, according to Techcrunch, since 2015, there has been a 40% average growth rate of Venture Capital funds into the continent.  This is remarkable and points to the fact that the world sees great potential in the tech sector of Africa. 

In addition to this, leading tech companies are paying greater attention to Africa than they have paid since they were established.  In fact, the CEO of Microsoft recently referred to Africa as Tech’s Investment Destination.  As such, there is an urgent need to fortify our cyberdefence if we do not want our digital transformation efforts to accelerate the breaching of our cyberspace. Indeed, we have to keep cybersecurity at the forefront of digital business on the continent.

A Framework for Securing Africa’s Cyberspace

In one of my recent books, “Cybersecurity Initiatives for Securing a Country", I dwelt extensively on ways through which countries can keep cybersecurity at the forefront of digital business.

In a chapter of the book, I presented a framework on how cybersecurity can be used to secure a country.  The framework can be expanded and adapted to address the cybersecurity needs of our continent.  This framework is shown in Figure 3 and will be discussed briefly.

Figure 3: A Framework on the use of Cybersecurity to Secure a Nation

The main action points are listed below:

1. develop a National Digital Economy Policy to serve as the overarching policy for issues relating to cybersecurity;
2. conduct a baseline study to identify the main cyberthreats and the key elements of the cybersecurity ecosystem;
3. develop a National Cybersecurity Policy/Law;
4. establish a National Cybersecurity Centre, to include a Shield to Scan and provide a Safety Score for Government and Critical Private Websites;
5. enhance Data Protection and Privacy and support for the accelerated implementation of a Digital Identity Programme;
6. make NIN mandatory for all citizens and legal residents;
7. establish and utilize Internet Exchange Points;
8. establish cybersecurity departments/units in key public and private institutions;
9. establish national and sectoral Computer Emergency Readiness and Response Teams (CERRTs);
10. enhance and protect Critical ICT National Infrastructure;
11. build capacity in cybersecurity and support advocacy and innovation;
12. introduce Elementary Cybersecurity Courses for students from the primary to the tertiary education levels; and
13. prioritise collaboration.

More on Digital Identity as an Enabler for Cybersecurity

The importance of legal identity has been acknowledged by the international community through agreement of target 16.9 of the Sustainable Development Goals, which calls for all UN member States to “provide legal identity for all, including birth registration” by 2030. This is in recognition of the role of digital ID systems in supporting multiple development goals.

The McKinsey Digital Identification Report of 2019 states that digital ID has the potential to unlock economic value equivalent to 3-13% of GDP in 2030. It estimates that emerging economies could achieve economic value equivalent to 13% of GDP in 2030, while in mature economies, the average country could achieve economic value equivalent to roughly 4%, with 65% of potential value accrued to individuals on average in emerging economies, making it a powerful tool for inclusive growth.

In Nigeria, to accelerate the implementation of National Digital Identity Programme and enhance security in the Nigeria, President Muhammadu Buhari, GCFR approved the transfer of NIMC to the Ministry in August 2020. This move has helped to align NIMC’s mandate to the vision outlined in the National Digital Economy Policy and Strategy (NDEPS) for a Digital Nigeria.  It has also promoted synergy between the National Identity Management Commission (NIMC) and the other parastatals in the ministry, as well as the other members of the identity ecosystem.

The National Identity Management Commission (NIMC) Act has been in existence since 2007, providing for the mandatory use of National Identity Number for accessing several government services.  The enrolments since then till 2020 stood at just about 42 million records, or an average of about 3.2 million records annually.  After the approval in August 2020, the transfer of  the supervision of NIMC to our Ministry was completed in October 2020.  Since then we have recorded an unprecedented increase in enrolments, with more than 35 million new enrolments!

As we pursue digital transformation and adapt to a world where digital devices, services, and banks interact with customer’s data, it is important to promote digital identity and a stronger user authentication as important parameters towards improving cybersecurity.

Further to this, a Revised National Digital Identity Policy for SIM Card Registration was developed with the objective of making the use of NIN mandatory for all SIM registration in the country. This NIN-SIM verification specifically will help security institutions in checkmating the activities of cybercriminals, fraudsters, kidnappers, bandits, and terrorists.

An integrated NIN-SIM will make it easier for security and intelligence agencies to profile, track and arrest criminals regardless of their location. In addition, the adoption of the national digital identity scheme will make citizens feel safe while interfacing with the digital economy.

Conclusion

In conclusion, I would like to reiterate the importance of ensuring that Africa’s cyberspace is safe and secure for citizens. As we explore implementing the framework presented, capacity building and collaboration are some of the areas that should be prioritized. Together, we can ensure that we enjoy the prospects of digitalising our continent, while limiting the problems that cyberthreats can bring.

Thank you for your kind attention and I wish you all a very successful conference.

REFERENCES

1. Albert, O., Alex, C., Andrew, O. Krishna S. (2016). The Rise of the Data Economy: Driving Value through Internet of Things Data Monetization. https://www.ibm.com/downloads/cas/4JROLDQ7
2. Allen, N. (2021, January 19). Africa’s Evolving Cyber Threats. Retrieved from African Centre for Strategic Studies: https://africacenter.org/spotlight/africa-evolving-cyber-threats/
3. , Cukier. (2007, July 2). Hackers Attack Every 39 Seconds. Retrieved from University of Maryland: https://eng.umd.edu/news/story/study-hackers-attackevery-39-seconds.
4. Kelly Bissell, R. L. (2019). The Cost of Cybercrime: Ninth Annual Cost of Cybercrime Study–Unlocking the Value of Improved Cybersecurity Protection. Michigan, USA: Ponemon Institute Llc.
5. (2019). Digital Identification: A key to inclusive growth. United States: McKinsey & Company.
6. Microsoft Digital Defense Report. https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report
7. NumbeoCrime Index Per Country. https://www.numbeo.com/crime/
8. Ogunjuyigbe, O. (2021, December 20). Policy. Retrieved from Ventures Africa: https://venturesafrica.com/cybercrime-costs-africa-billons-of-dollars-per-year/#:~:text=In%20sub-Sa-haran%20Africa%20alone%2C%20billions%20of%20dollars%20have,at%20%24649%20million%2C%20and%20Kenya%20at%20%24210%20million.
9. Pedroncelli, P. (2020, February 18). Cyberattacks Targetting Africa. Retrieved from Moguldom Nation: https://moguldom.com/257909/10-things-to-know-about-cyberattacks-targeting-afri-ca/#:~:text=The%20South%20African%20Banking%20Risk%20Information%20Centre%20calculated,to%20the%20Africa%20Cyber%20Security%20Report%202017%20pic.twitter.com%2FUyWZbsGbh6
10. Rajan, G. A. (2018). A Comparative Study on the Difference Between Conventional Crime and Cyber Crime. In-ternational Journal of Pure and Applied Mathematics, 119(17), 1451-1464. Retrieved from http://www.acadpubl.eu/hub/
11. Venture capital investment in Africa predicted to reach a record high this year. https://techcrunch.com/2021/05/25/venture-capital-investment-in-africa-predicted-to-reach-a-record-high-this-year/ .