THE cyber security industry is not one suited to people prone to bouts of paranoia.
This point was driven home at the two-day CyberCon Africa conference hosted in Johannesburg on November 11 and 12 at which the overwhelming message was: It’s not a matter of “if”, but “when”. This certainty was stated by IT security experts from across the continent, the UK and US who were unanimous in their view that companies and individuals are increasingly at risk from criminals looking to exploit security lapses.
“Cyber attacks have dramatically increased both in number and severity in recent years, and millions of customers have been compromised,” said David Isiavwe, General Manager for Audit, Control & IT Security at Union Bank of Nigeria. “In Nigeria, a lot of the banks are under attack on a daily basis that typically emanate from the non-EMV* environment.”
This means that these attacks are targeted at systems and loopholes not related directly to a user’s bank card.
Scale is mind-boggling
And the scale of the problem is mind-boggling. According to the Center for Strategic and International Studies, cyber crime costs the global economy US$445 billion annually.
Trevor Coetzee, regional director for South Africa and sub-Saharan Africa at McAfee, said that South Africa’s economy sacrificed 0.14% of its GDP to cyber crime. Nigeria suffers a loss of an estimated 0.08%, Zambia 0.19% and Kenya 0.01%.
These numbers, however, are more estimates than hard and fast numbers. One of the big reasons for this is that not all cyber crime losses are reported - either by banks, companies or individuals.
The US is one of the few countries that legally require forced disclosure on any IT security breaches.
“I think we are not doing a good job of sharing data across the world,” Isiavwe said. “On average it takes 270 days for an attack to be identified, and we know that the quicker we can detect an attack the lower the impact on the victim. So there is a need to improve on that significantly.”
The issue of global co-operation becomes bigger in Africa because multiple jurisdictions tend to delay rapid and efficient responses.
Law enforcement nightmare
Part of this challenge also lies in a lack of appropriate laws to discourage cyber criminals.
Abdulkarim Chukkol, head of Nigeria’s Cyber Crime and Advance Fee Fraud Section that is part of its Economic and Financial Crimes Commission (EFCC), says law enforcement agencies are “having a nightmare”.
“We’ve seen a transition of how crimes are evolving, and I must admit at this point, it is evolving at a greater speed. We have seen the transition to them embracing ICT and going beyond what we could imagine.
“When you arrest these people, what are the legal frameworks we have? In [Nigeria] the cyber crime law has not yet been passed,” he said.
This problem is compounded once the criminals and their activities cut across several countries, raising serious jurisdictional problems. “In that situation we have to exploit some of the bilateral agreements,” he said.
Matters are not helped by the fact that many countries have not signed the Convention on Cybercrime, also known as the Budapest Convention, which is the first international treaty seeking to address Internet and computer crime by harmonising national laws.
Kileo Yusuph, a Tanzanian cyber security and digital forensics investigation expert, said in many cases the criminals count on this lack of co-operation and clear laws to avoid prosecution.
“We have a lot of awareness programmes in the country and three cyber laws that are in the process of being implemented. The problem here is politics as the laws have been discussed repeatedly, and we expect them to come up again in November in parliament. They don’t see the importance of cyber issues in the country,” he said.
The legal and political hurdles aside, one of the biggest challenges that organisations and law enforcement agencies face is the pace at which criminal syndicates can adapt, and their motivation - easy money.
McAfee’s Coetzee summed it poignantly, referring to cyber crime as risk-free financial crime.
“Generally cyber criminals choose where to target based on the value of the target and the ease of entry. The combination of high value, low risk and low work factor are the determinants of saying should or shouldn’t we go down that road,” he said.
“The cyber criminals in Africa are moving far beyond the simple scams; they’re using more intelligent and sophisticated attacks to generate substantial revenues, and I don’t foresee this slowing down. Especially when you start looking at developing countries improving connectivity, broadband and infrastructure.”
Despite calls from the experts to increase consumer awareness and education about the dangers that lurk on the Internet - and these measures would certainly help - one has to wonder what chance authorities stand against concerted, motivated efforts to exploit systems clearly not yet up to the task of securing users and their information.
*EMV chip technology is becoming the global standard for credit card and debit card payments. It’s named after its original developers (Europay, MasterCard, and Visa).
•Johann Barnard is a journalist based in Johannesburg and contributes to Mail & Guardian Africa.