23 Lantana Road, Nairobi, Kenya.

Post- Sony Pictures & Pentagon Cyberattacks Landscape

In the aftermath of the massive attack on Sony Pictures and the Pentagon’s social media accounts in 2014, discussions on the preparedness to safeguard critical infrastructure have escalated, for example, Microsoft’s proposed Geneva Convention to protect cyberspace.  In 2014, the Institute for Security Studies in South Africa led the way in Africa by holding a seminar titled, “Is South Africa geared up for new cyberspace challenges”? It explored whether South Africa was balancing the opportunities and threats that cyberspace presents and how its police and corporates would respond to incidents such as those in the U.S. It underlined that “States actors, the private sector and civil society all have a stake in this dynamic cyber environment. While there is a consensus about the enormous potential for advancing development, the control of cyberspace and management of crime and terrorism is still being debated.”

The workshop took place on the back foot the visit to the region by Frank Larue, the then UN Special Rapporteur on free expression to explore the state of play on the protection of privacy and FOE in the digital age.

Ever since the workshops, a number of key developments have occurred:

1.1 Further attacks and emerging norms

  • At the international level, there were further massive attacks including the WannaCry and Petya virus cyber-attacks. The impact on Africa’s critical financial services hasn’t been fully documented.
  • At the regional level, the African Union has been making efforts, though not as encouraging as expected, towards the Convention on Cyber Security and Personal Data Protection. By 20 October 2018, there were 11 signatures, 3 ratifications, and deposits with the AU Commission. Influential African states, such as South Africa, Kenya, and Nigeria, played little role in the Convention’s development and have therefore been showing little appetite for it.
  • At national levels, a number of countries have adopted cybercrime model laws in the context of the only existing and effective global treaty on cybercrime, the Budapest Convention (the “Convention”).

1.2 Cybercrime laws and policy dissonance

  • However, normative developments are not matching up with wider policy developments as sometimes the laws are emerging in the absence of policies and clear policy goals but are driven by fear or investors’ needs, for example, the model laws are being driven by international actors who are keen on closing the gap in Africa that is potentially exposing them.
  • This has led to a conceptual mix up of Internet Governance (IG), cybercrime and cyber security which may be reflected in the draft laws. In the paper, Is cybersecurity eating internet governance? Causes and consequences of alternative framings”, through the use of alternative conceptual frames to explore the relationship between cybersecurity governance and internet governance, professor Milton Mueller highlights that major structural features of the governance problem in cybersecurity and internet governance are analogous.
  • Similarly, through the use of a case study, Privacy International gives a distinction between cybersecurity and cybercrime: Cybersecurity is ultimately about protecting government and corporate networks, seeking to make it difficult for hackers to find and exploit vulnerabilities. Cybercrime, on the other hand, tends to focus more on protecting individuals and families as they navigate online life.

 

1.3. A shift towards Digital society and digital economy issues

  • Sensing African governments’ reluctance to engage in deep cybersecurity issues on the ground of information security doctrine, international and domestic actors in internet governance multistakeholder discussion have been moving towards the digital economy and political economy of the internet. Some of Africa’s Internet rights activists have even suggested that the Western IF agenda does not suit Africa and that Africa needs to come up with its own agenda on the Internet. This has left governments’ securosancts taking an exclusive control over the progression of cybercrime laws, for example, Kenya. For instance, the cybercrime law workshops in Mauritius were mostly a government affair. On the other hand, China’s imminent dominance on issues such as artificial intelligence (AI) and decentralized technologies such as blockchain has also contributed to the renewed attention of the digital economy and society issues. However, the shift from internet freedom is not well informed since freedom of expression is essential to tolerant, self-governing societies, to good governance in general, and to the ability of governments to implement good policies.
  • There has been a convergence of the digital economy and digital society approaches as seen through UNCTAD and UNESCO’s focus on the creation of knowledge economies, AI etc.
  • The next generation internet offers both opportunities and threats for collaboration, for example, despite the social progress promised by AI and digital identities, such systems are prone to abuse if deployed in already opaque government structures. More cities across the globe are implementing such technologies in urban settings with the intention of monitoring citizens and collecting data about them. If managed well, digital identifiers, AI and data analytics can lead to efficient smart cities and government. For instance, in sub-Saharan Africa, Rwanda’s Indangamundu is one of the most advanced integrated multipurpose eID cards and South Africa’s GovChat, which is now being rolled to other regional countries like the DRC and Zimbabwe. South Africa’s Govchat is another good example.

 

  1. Examples, Enablers, and inhibitors to multistakeholdersim

 

Introduction

The author has been involved in cybersecurity issues and processes in Zimbabwe, Swaziland, Lesotho, Kenya, Djibouti, and the USA. I shall discuss concrete case studies at the end, but in summary, I have seen the good, bad and the ugly including:

  • Seen local IGF chapters emerge, mutating and dying or operating parallel to government security discussions
  • Lack of trust leading to different threat models, for instance, I have attended the meeting where state agents are reluctant to discuss spyware attacks, government professes ignorance, and instead focus on issues around the protection of children and critical infrastructure or even access and connectivity
  • A lack of knowledge in local civil society on tech issues since most ICT professionals choose to work in commercial settings
  • However, a good example in Lesotho, the discussion between the regulator, government and Facebook which averted the threatened Internet shutdown in 2016.

 

From the above, it is clear that any stakeholders’ discussions at national levels should sit and find strength in regional frameworks and also largely depended on how international model laws are domesticated. Two challenges are clear:

Four years after the heads of state signed the convention, a regional or continental talk of multi-stakeholder should perhaps reflect on why African countries have stalled on this process. The African Union is a major stakeholder in cybersecurity processes (Karanja, M, 2018). Article 35 of the AUC CyPDP says: “The Convention shall enter into force thirty (30) days after the date of the receipt by the Chairperson of the Commission of the African Union of the fifteenth (15th) instrument of ratification.”

On the cybercrime laws, there has been a lack of a bottom-up approach whereby laws are generated from within while benefiting from multi-stakeholders input. Being a treaty instrument the Budapest Convention does not provide specific legislative language for implementation of the principles outlined by its provisions, although the language of the Convention has been used by a number of countries to draft domestic legislation. It thus leaves the precise language for implementation of the principles enshrined in treaty obligations to the discretion of each sovereign member state (Council of Europe, 2014.) A number of governments have therefore cherry picked the language and provisions that suits them within those provisions.

The issues that arise from the above are:

2.1 Different approaches to security and threat models

State focuses on sovereignty, cybercrime and perceived threats to national security which may result to disproportionate responses that breach fundamental rights (criminalization and militarization of cyberspace). This also limits the instances the state consults other stakeholders as they do not wish to disclose their technical capabilities, where they are etc. There are also fissures in governments. Examples include the securitization of the cybercrime law process in Kenya and of the intelligence clusters in Zimbabwe and  South Africa.

Civil society including international civil society focus on the personal dimension of security: “The right of the people to be secure [including on the internet]” is the heartbeat of cybersecurity.  Thus, the conceptualization of cybersecurity in Africa must encompass the broad areas such as privacy, security, freedom of expression and equal treatment of data traffic on the internet. Civil society has thus far focussed on how to use free open source software to resist government censorship. Yet, organizations like the French Linagora use the same software for development.

On the other hand, the corporates focus on cybercrime and protection of their assets with a major emphasis on the fintech. See Liquid reports, Symantec report. However, all the above objectives can be mutually inclusive.

2.2. Different threats models lead to dissonance in technical capabilities

A different context to security, which leads to different threat models, also leads to different approaches to how different stakeholders view technology and its application. For the government, technology is inherently political.  This has manifested in some of the examples given below:

  • Military-Industrial complex

The distinction between military and civilian has also become less clear, now that states are using the same communications devices, software, and networks which are used in war, for example, the use of sting rays to spy on protesters.

  • Attitudes on encryption, circumvention and obfuscation technologies

 

Governments and the internet freedom community are playing a cat and mouse game, for instance, one developer recently noted, “Government censorship may have evolved elsewhere, as yet unknowable, but evolution is nothing to be afraid of. As censorship technology evolves, so do we. Building a community that includes developers is part of the plan, and such a community allows our technology to evolve as censorship technology evolves.”

Yet an employee at Psiphon noted, “We use political skills and technology to pursue a greater good of internet and democratic freedom”.

There is no agreement on encryption standards leading to compromise of commercial encryption, for instance, anti-encryption attitudes in Zimbabwe and Uganda and elsewhere across Africa.

Governments across the world are increasingly demanding access to encrypted messages, including democratic ones and sometimes for good reasons, for instance, the revelations by the Dutch police that they were able to spy on criminals by cracking the encrypted messages were sent using IronChat, a supposedly secure encrypted messaging service available on BlackBox IronPhones. Another less relevant example is the use of Google dorking by the Iranians to identify U.S. spies.

●       Internet shutdowns. 

In a documentary called Blacked Out Africa, Cameroonian authorities profess the threats and harm posed by the internet: how president Paul Biya’s government came to view the internet and social media as a “new form of terrorism.” On the other hand, the citizens in the two regions reaffirm its importance not just for economic growth but also help plug the information void during turbulent times.

We also see the policy contradictions when Liquid Telecoms was castigated for saying African governments guilty of an Internet shutdown should be denied resources

2.3   Need for a more comprehensive threat model

 

National levels

 

In matters of national security, it is unrealistic to think there will ever be an ideal multistakeholder approach, save on soft issues and may be at a normative level at best. This cooperation may grow to the extent that it focuses on protecting commercial interests. Governments are likely to cherry pick pro-government technologies they trust.

Nevertheless, different stakeholders need to keep building trust and shared knowledge, e.g. Facebook’s partnerships of trust, as currently, civil society lacks knowledge. A good example is how NETBLOCKS has utilized commercial remote scanning and probing capabilities to detect internet censorship and measure the social and economic impact of such censorship but also how they are helping in shaping up protocol standards.  Establishing a regulatory framework that both protects citizens and allows for healthy economic development should be the end goal for many African nations. See proposed Microsoft Convention and also the APC-La Rue framework. This is necessary because of the following developments,  facts, and figures:

·         The 2016 WannaCry and the subsequent Petya attacks represented a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today- nation-state action and organized criminal action whereby corporates can no longer rely on government protection.  In Africa, security expert Kaspersky says more than 49 million cyber-attacks took place on the continent in the first quarter of last year, with most occurring in Algeria, ahead of Egypt, South Africa, and Kenya.

·         Cybercrime has been pervasive in South Africa, with security firm Norton saying 70% of South Africans have fallen victim to cybercrime, compared with 50% globally. McAfee, another cybersecurity firm, reported that cybercrime cost South African companies more than $500m (£340m) last year.

·         According to Liquid Telco African businesses finds themselves at a crossroads, where they must balance digital transformation with a greater focus on security policies and how to protect customer data. Cybersecurity isn’t just a technology issue. A recurring theme throughout the report is how vital the human factor is in the fight against cybercrime.

 

Regional Level

 

The AU should rally the support of major influential states towards adoption and ratification. According to Fiddler, “influential African states, such as South Africa, Kenya, and Nigeria, played little role in the Convention’s development”. Yet according to Tom Jackson, South Africa and Kenya lead in the Cyberattacks figures in Sub-Saharan Africa and “cybercrime is actually most pervasive in South Africa, with security firm Norton saying 70% of South Africans have fallen victim to cybercrime, compared with 50% globally.

Case studies

Case study 1: Zimbabwe cyber-crime bill

From 30 May 2017, I supported the legal drafters of Zimbabwe’s cybercrime bill who included a former judge. I crowdsourced resources from colleagues in the Internet Freedom community who gave me material on protecting human rights in particular on the need to balance legitimate crime investigation and civil liberties.

The information addressed: a lack of understanding of the severity of intrusion caused by blanket retention/mass surveillance of data (and the potential cybercrime issues that that raises, beyond the human rights concerns), tending to lead to calls for all electronic data to be stored or monitored.

In response, the judge said, “They would make use of as much of the material as possible and wished I had the opportunity to talk to government officials on these issues. He said, “The problem with me as a legislative draftsman is that I put down on paper what the principal wants. I hope they will take into account some of your observations.”

I was meant to do training with parliamentarians, which is still on the table.

Case study 2: Cyber-attack of Zimbabwe election management body (ZEC) website

 

I supported Qurium who had been monitoring the presidential
elections in Zimbabwe, and on August 1st, we detected a defacement of the Zimbabwe Electoral Commission’s (ZEC) website. As was it is deeply concerning that the official website of an electoral commission could be defaced during an on-going election, they decided to look into the matter closely. Qurium produced a forensics report covering the defacement, focusing on how it was made, by whom and the general (lack of) security
of the ZEC website. The forensics report is titled “The cyber-attack against the Zimbabwe Electoral Commission” and can be found here.

There were quirks and hesitation on whether to share the report with the government/ZEC, for instance, Qurium said, “We are discussing if we should inform ZEC before releasing the report as it is very sensitive.”

One third party who was following and advising said, “My thought would be that ZEC and all parties, and perhaps accredited observers, be given simultaneous notification and access to the findings and that the data then be revealed publicly in whatever form—summary/descriptive and/or at the technical level—you see as appropriate.  Hard to speak to the sensitivities without knowledge of what they are. Bottom line: transparency and data access are crucial in this matter.”

The above demonstrates some of the inhibitors to collaborating with the government, for instance, they may question the motive and the methods the forensic investigators used.

Conclusion

  1. Improvement of collaboration frameworks at international, regional and national levels, e.g. the Budapest Convention
  2. Building trust. This is a gradual process and could start by knowledge sharing
  3. Protecting three types of security: personal, commercial and state but also three dimensions of security: confidentiality, Intergrity and availability.
  4. Clarity to international law on cybersecurity, for example, the fifth-dimension warfare which has many related concepts like information warfare, irregular warfare, cyber warfare, grey war etc, in particular, Cyber-attacks that cause physical consequences are considered to be in violation of the use of force prohibition should the effects reach a certain severity threshold. That premise does not extend to cyber-attacks that cause economic harm due to a dated distinction between kinetic and other effects.

 

 

 

 

 

 

Post Author: Global South

Leave a Reply