A Clarion Call for the Implementation of the National Cybersecurity Policy and Strategy

Introduction[1]

In 2004, a framework for cyber security was developed on the recommendations of the Presidential Committee on Illegal Online Activities. It was the first attempt at having an agenda for cyber security in Nigeria.

The framework was for the purpose of setting a clear direction for the coordination of Nigeria’s activities in the cyberspace, and to defend the national interests and sovereignty of Nigeria. This culminated into the establishment of the Cyber Security Focal Point under the Office of the National Security Adviser (“NSA”).

Sequel to the above, the Office of the NSA headed by M. S. Dasuki CFR in 2014, formulated the Cybersecurity Strategy (“Strategy”) and Cybersecurity Policy (“Policy”) for Nigeria.

A perusal of the Policy showed that 5 cyber threats were identified which are; cybercrime, cyber espionage, cyber conflict, cyber terrorism, Child online abuse and exploitation.

The Policy stipulated that measures will be taken to improve Nigeria’s cybersecurity posture and ensure that it is adaptable to the dynamism of cyber threats. The Policy also noted that to improve cybersecurity in Nigeria, it must be anchored on stakeholder’s coordination, cooperation and international collaboration.

The Strategy on its part provides for mitigation strategies covering all national priorities, and addressing the nation’s cyber risk exposure. The Strategy identified capacity building, public awareness, and technical skills to ensure that the country respond promptly and effectively to cyber attacks.

Post 2014 Strategy and Policy

In 2015, the erstwhile President of Nigeria, Dr. Goodluck Ebele Jonathan assented to the Cybercrimes (Prohibition, Prevention, etc.) Act (“Cybercrimes Act”).

Section 41(1) (b) Cybercrimes Act stipulates that the office of the NSA shall “ensure formulation and effective implementation of a comprehensive cybersecurity strategy and a National cyber security policy for Nigeria”.

Since 2015 when the Cybercrimes Act became effective, the Office of the NSA has neither formulated nor issued any comprehensive cybersecurity strategy and cyber security policy for Nigeria. Hence, Nigeria still rely on the 2014 Strategy and Policy.

Assuming that the Strategy and Policy is still viable though ought to have been reviewed due to the changing trends of cyber attacks, there is no indication that the 2014 Strategy and Policy has been effectively implemented.

Indicators of Non-implementation of the 2014 Strategy and Policy

Cyber attacks are increasing as internet penetration and dependence continues in Nigeria.

According to the 2016 Serianu African Cybersecurity Report, African countries lost the sum of $2 billion to cybercrimes in 2016 while Nigeria lost $550 million to cybercrimes.

Nigeria’s Minister of Communications, Mr. Adebayo Shittu at the 8th Cybersecurity, Technology Optimisation and National Development, organised by Information System Audit and Control Association (ISACA) stated that 70 percent of cyber attacks targeted at Nigeria were successful. He also stated that 3,500 cyber attacks carried out in Nigeria resulted in loss of $450 million[2].

The federal government of Nigeria in 2016 stated that the estimated annual cost of cybercrime to Nigeria is 0.08 per cent of the country’s Gross Domestic Products (GDP), which represents about N127 billion.[3]

On April 7, 2017, there was a published report in the Punch Newspaper that North Korea was hacking Nigerian banks for the purpose of stealing funds to finance her nuclear weapon programme.

Recently a cyber attack called wannacry affected over 150 countries; fortunately, Nigeria was not a victim of the attack.

It is obvious that despite having a Policy and Strategy for cybersecurity in Nigeria, the country has not started winning the war against cyber attacks.

Nigeria is Prone to Cyber attacks

The 70 percent success rate of cyber attacks is an indication that Nigeria is feeble and prone to cyber attacks. Thus, the country may not be far from experiencing a massive cyber attack like Bangladesh which resulted in the loss of $81 million.

As Nigerians, we may say “God forbid” and wish it away. However, such prayers may not work when it comes to cyber attacks. This is because cyber attack is not a question of “if it will happen” but “when it will happen”.

In 2015, the global cost of cyber attacks was estimated at $500 billion, it is expected to rise to $2 trillion by 2019,[4] with a further prediction that it would cost in excess of $6 trillion annually by 2021[5].

Until concrete steps are taken to ensure the implementation of the 2014 Strategy and Policy, cyber threat may remain dominant in Nigeria.

Cybersecurity Emergency in Nigeria

On Tuesday, May 23, 2017 the Nigerian Senate enjoined the NSA to alert all security agencies and financial institutions on the increase of cyber attacks in the country. It also passed a resolution mandating the Senate Committee on ICT and cybercrime to immediately convoke a national stakeholder conference with a view to stimulating a collective reflection among relevant stakeholders and articulating a national and broad based approach to keep the country ahead of the challenge.

The resolution of the Nigerian Senate is an indication that there is an urgent need to for cybersecurity in Nigeria.

The current cyber quagmire in the country is a corollary of the reluctance or inefficient performance of statutory obligations by those saddled with ensuring protection of Nigeria from cyber attacks.

As noted above, the Office of the NSA has neither formulated nor effectively implemented a comprehensive Strategy and Policy for Nigeria as stipulated in Section 41(1) (b) Cybercrimes Act.

Conclusion and Recommendation

Our financial institutions and data infrastructures are susceptible to cyber attacks. The Office of the NSA and other security agencies need to take the bull by the horn.

We need to admit that we cannot wish away cyber attacks. We need to build systems that will ensure we are able to prevent cyber attacks through capacity building, detect cyber attacks swiftly, and respond to the cyber attacks appropriately.

In order to achieve these, the starting point will be to review the country’s 2014 Policy and Strategy, score the performance of the Office of the NSA on its implementation, and revise our Strategy and Policy to combat cyber threats that face the country.

It is my sincere desire that when the Senate Committee on ICT and cybercrime finally converge the national stakeholder conference on cybersecurity, Nigeria’s Policy and Strategy would be discussed and that the conference will cumulate to concrete measures to save the country from future cyber attacks.

[1] Akinkunmi Akinwunmi Esq. LLM in Business and Technology Law (UC, Berkeley). Follow on Twitter @Akin_TechLawyer

[2] https://economicconfidential.com/news/national-news/cyber-attacks-nigeria-successful/

[3]Nigeria Loses over N127bn Annually through Cybercrime, published April 19, 2016, retrieved on May 8, 2017 from https://www.thisdaylive.com/index.php/2016/04/19/nigeria-loses-over-n127bn-annually-through-cybercrime/

[4] Junipter research titled “The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation”

[5] Cybersecurity Ventures, 2016 Report, page 3

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s