It has been a slow process, but the world is finally waking up to the reality of cyber-security in Africa.
The International Cyber Security Protection Alliance (ICSPA) has identified Africa as a problem area in its eight-year evaluation of the modern threats to the world’s internet security. The most serious issue is the large gap between the scale of the continent’s security capability and the volume of internet-enabled devices now in the hands of ordinary Africans.
Africa is a hotbed of cyber-crime activity
The problem isn’t necessarily one of education, however. Both the criminals and the security forces already have a wealth of skills gained from direct experience on their home turf.
The Duqu malware, successor to the infamous Stuxnet, was first reported in Sudan. South Africa is home to the malware Dexter, perpetrating credit card fraud every bit as sophisticated as those you would find in Europe, Brazil and the US, and Nigeria has even provided the name for the “419” scam, after section 419 of its criminal code which the trick violates.
In response, governments across Africa have been setting up computer security incident response teams (CSIRTs) designed to counter the threat. These provide both a practical defence against on-going attacks, and a knowledge-base for the government of each country when passing laws regulating the internet. Some have even grouped together in regional initiatives, such as AfricaCERT, offering advice and expertise across the region.
The major problem, though, is that these promising ventures are by no means the norm across the continent. Just as the problems that each country faces are often very different, so too are the methods used to combat them and the laws that are in place. For example, with a higher proportion of higher wealth individuals, credit card fraud is the hot-button issue in South Africa. In North African Morocco, with greater links to Europe, network security is a priority.
Governments must come together
This inconsistency makes it difficult for Africa as a whole to present a united front against cyber-crime, which can cost the economy millions of dollars. It is estimated that ordinary Kenyans lost £14 million last year as a result of fraud, but the knock-on effects of an ongoing crime problem can have a deeper impact on the economy. It is impossible to calculate the damage to Nigerian businesses, who have been virtually blacklisted by retailers around the world that refuse to ship to the country that has become a byword for online scams in recent years.
In order to provide a lasting defence for the whole continent, much more cooperation is needed between governments, security agencies and IT professionals to align their laws, training and policies and make sure there is nowhere for criminals to hide amongst the patchy legal and security systems.
It is pointless eliminating high tech crime from Egypt if the perpetrators can cross the border to Sudan and carry on undeterred. And improving network security in Senegal is only a partial solution when the vast majority of internet use is on mobile devices.
FIRST is looking to Africa, offering training and networking between agencies, because of the threat that cyber-crime in Africa poses to the rest of the world. If Africa continues to be a weak link, criminals won’t need to fear even the most sophisticated European security, because they already have a softer entrance into the global network through Africa.
When we help develop the same terminology, similar approaches, and get innovative CSIRTs to share their technologies and experiences, that’s when we can make meaningful change.