• Monday, May 06, 2024

BusinessDay

About 50% organisations unaware of internal cyber security breaches

Olabode Olaoke, Senior Manager, Risk Assurance Services, PricewaterhouseCoopers (PwC), spoke to FRANK ELEANYA on the recent developments in global cyber security, the implication for Nigeria, the need to implement the legislation for cyber crimes in the country and what inaction in harmonising biometrics portends for Nigeria.

In light of recent developments in cyber security, what is the level of threats we are facing?

I think it is a very serious one. We are in a situation where as a country the level of awareness and competence is relatively low compared to the rest of the world. We are not fully prepared for what is to come. Back in the day when countries talked about territory, about areas of possession, you will hear things of defence around land, sea, air and space. There is a fifth dimension today – the cyberspace. It is more real than blood. It has come to stay. In 1939 warfare was physical; it was fought on land, sea and air; today it is in cyberspace. People do not step out of countries, yet they wage war capable of destroying infrastructure, killing and doing things you cannot imagine.

Unfortunately for us we are late to the party; we are not prepared and we are not catching up fast enough. What that tells us is that we are at risk. It was better back in the day, when, if there was war, you did not participate because geographically you were separate from it. Today there are no geographical boundaries; there are no limitations; there are no exclusions – so we are really not protected. If you are not protected and you are not prepared, how do you respond to what you do not understand fully? The sooner we get on to being serious about cyber security, the better for us.

Some commentators commend the Buhari administration for the attention it is giving to ICT, are you satisfied with the efforts?

I would not say this government alone; rather, I will say recent governments. To be fair to the previous administrations, we have seen a Nigeria where until very recently we did not even have ICT as a ministry, meaning we did not understand the importance of ICT and the accompanying cyber security challenges. Now we have come to the point where we came up with a broadband plan showing some level of awareness on the need and the importance of internet. The United Nations in one of its gazettes describes access to internet as a fundamental human right. It is not just access to education or food, but access to internet. I think recent governments generally have come to an awareness of this need. But, as you may know, awareness is not sufficient. You need to go beyond awareness to active direction setting and championing of whatever is critical for your development. There are many countries that do not depend primarily on raw materials, agriculture and so on for their sustainability. A key example is India. India’s largest export today is technology. The West wants to outsource all technology to India. The European Union the same and you see that India is actually moving into that space. Their biggest companies today are technology driven. It tells you that some countries realised very early the importance of internet, cyber security, information technology and all that it takes to protect and operate in that space and are leveraging it very quickly. It will become in the near future more valuable than any natural resource.

Let me give you an example: if I were to cross a border today and I had a huge bag or a small bag, regardless of the size of my bag, working through customs in any country they will search my bag. But nobody ever searches what is in my head. It tells you that with all my ICT-related knowledge, I can cross all the borders around the world and smuggle that knowledge or skill without being stopped. It means cyber criminals can do damage across all borders without being checked because there is really no way to tell what skills a person has until you are able to identify that person correctly and link him with the capabilities. In the US today, there are very many people that are wanted for cyber crimes against the state. In Nigeria we do not even know the individuals that have taken adversarial positions against us from a cyber security perspective. We do not know those individuals that are penetrating our government information systems, business information systems, and financial information systems. What that means is that these people can enrich themselves on our information resources, increase proximity, come to our country, take advantage of our information system and probably export all of it. Really we are at the point where our level of preparedness is at best aspiring.

A cybercrime prohibition Act was passed into law in 2015, to what extent do you think we have benefited from this bill?

I took part in the process that led to the development of that initiative. You must give it to the key actors that saw a need for a cyber security strategy. Cyber security is important and we need to have strategy to address it. Until recent times it was impossible to actually prosecute a cyber criminal properly in Nigerian courts because our judicial system did not have a fundamental requirement to handle such cases. There was a lot of extensive work done around setting up a strategy, then the policy and putting together a bill to parliament which eventually was assented to by the President, culminating in what you call the Nigeria Cyber Crime Prohibition Act 2015. What that does really is, it focuses primarily on legalisation of the entire process or managing cyber crime. It also means there is now a method, laid down laws around prosecuting cyber criminal cases in Nigerian courts, which was not possible before.

Where it is at today is what I will call ‘intent’. If I decide today I am going to acquire a land and build a house. I go to an architect and share my ideas and he comes back with designs. We review it and eventually I get a version that I approve and I select the house. All of that at best is called ‘intent’. With information systems security and cyber crime basically there are three levels of any control you put in. The first and the lowest level is called ‘intent’, what you intend to do – put in a policy, put the laws in place. The next step is “implementation”. Here, you have gone beyond what you say you intend to do into doing something. So you go and acquire the land, get the right approvals from the government, you start to dig the soil and put a foundation. That comes with implementation.

The question is “what have we implemented after putting all of these strategies?” There is something in the bill about Nigeria Cyber Emergency Response Team that should be set up; there is also an advisory council which was set up April this year by the National Security Adviser. You start to see some levels of implementation but do we have full implementation? We do not. There is content in that cyber crime bill that talks about reporting and mandates every organisation registered in Nigeria that has a cyber/information security breach with a responsibility to report it to a certain emergency monitoring team. Does that happen today? As we speak, organisations in Nigeria are being breached. Is the information about those breaches being reported to the right authorities? This is considering that the Act actually says that those events should be reported within seven days.

Let’s take it back; do organisations have capability to detect cyber security breaches within seven days? Most organisations in Nigeria – about 50%, being overly modest, do not even know when a breach has occurred. Hence somebody breaks into your systems meaning there is now compromise on your information, he takes that information, he leaves malware within your systems for days, weeks, and months and people have absolutely no idea that there is something in the system. What you find is that people do not even have the capability to detect when incidents or breaches occur and we expect them to report in seven days? The level of implementation is actually very low.

Second, is there regulation in each of the industries? You may not be able to enforce that across all industries but there are major industries in Nigeria like oil and gas, telecommunications, insurance and financial services. Are there regulations from any of the regulators in those industries for monitoring as empowered by the Act? There isn’t. There is a lot of intent; and implementation that is beginning to trickle down but it is still a fancy one – just to show we are doing something.

The third level of any control is effectiveness. You have a plan; you implement it, how effective is it? We have seen houses that even before they are finished with the construction, they start to collapse. If you take a look at developed nations people are required and mandated to disclose whenever breaches occur, the severity of the breach and what has been compromised.

How do we enforce the provisions in the Act?

There are statements in the Act about what should be done, when and how it should be done. Get the right individuals, take it piecemeal, and say for example, for this part we will implement this much at least to kick off the implementation. Ensure that it is implemented in the next six months. Get the right stakeholders to implement it. Fortunately Nigeria is blessed with talents and PwC as an organisation is one of the big five. An organisation like this has talents, knowledge and network globally. You can easily leverage competencies, capabilities and experience from our entire network and localise them. We are available to private as well as government institutions. There is no reason to reinvent the wheel.

In PwC we have seen that most times when an incident occurs it takes about over forty days before organisations actually detect it. We have put together a service that helps to detect when incidents occur and the impact of the incidents/breaches. It is called a breach indicator assessment. If there is a regulation that mandates organisations to periodically run through their system and see if there are cyber security breaches, determine when they occurred and the impact of those breaches, then you can have a system that actually matures from the ground up due to the regulation to check. If we had not been checking before, now we must check.

What is the implication of delay in harmonising the biometrics as directed by the Presidency?

The Vice President issued an order – statement of intent. Why should it be done? If we understand why it should be done it will make it easier for us to think of how it should be done. Should we harmonise identity information? I think we should – everybody should think we should. The reason is this: in the past ages if you had an apple and I had an apple and we exchange the apples you will still have one apple and I will have one apple. Today, if you had one information resource and I had one and we exchange we will both have two. It means that if we have information in multiple places, then it can be compromised without depriving the original owner of that information. What that means is keeping our information resources, our databases in multiple disparate databases creates a huge loss of efficiency and difficulty in managing the confidentiality. How do you protect it? If you go to organisations that have critical hardcopy information, they take their information and put it in a safe. They need to manage that safe. It is probably locked up in a secure room. But if you have it in every room, how do you effectively protect every room? The resource requirement will be too much. The compromise is that the level of protection will be watered down. Instead of consolidating your protection initiatives you now have to spread it out thinly and instead of having one guard at a door you now have a need for ten guards at ten doors. So what you find is that you will really never be able to effectively protect that information efficiently. Also in terms of value, if you do not harmonise it, then as an example, I can be Olabode Olaoke in one database, I can be Olabode Adelowo Olaoke in another database, and how do we tell that it is the same individual? Go to the north, for example; a lot of people can bear the same name, Adamu Ibrahim – in fact within the same community. How do you differentiate?

If you do not harmonise that information then it becomes easy for an identity thief to assume the identity of either one of those individuals and use that maliciously. Because it is not correlated, you will have a lot of identity theft and you will have information that is not giving you value.

How important is cyber insurance?

Cyber insurance is important and it is not important. Let us bring it home to Nigeria because a lot of things that happen in developed nations are different from the way they happen in Nigeria. With cyber insurance what you are trying to do is insure organisations against cyber breaches. Let us take insurance on your information systems such that if you are breached and you lose XYZ then the insurance can compensate you. Are we able to correctly and adequately value information? If you have an information resource, really what is the value? Is it how much time and effort it took you to put together the information or how much it cost you to buy infrastructure to put it on or both? Or how much it will cost you to replace it if you were to lose it? Or how much will a competitor be willing to pay for it? Or how much will someone that wants to embarrass your organisation be willing to pay? If you cannot correctly value something, how then do you insure it? The other thing is how do we even conclude correctly that an organisation has been breached and determine the extent of loss? Many organisations do not even know where their information systems are and they do not know how they are protected. They cannot tell correctly that they have been breached. Our insurance companies are not enabled or capable to look into organisations and estimate the extent of loss. So if I take insurance how do we determine the insurance premium based on this value we don’t understand? How do we determine what the loss is? Are they going to pay for loss or breach? Also loss could be in terms of reputation which is not tangible in financial terms. In more developed nations you can actually quantify the value of information correctly. If you look at the PCI DSS standards for example which are targeted at credit card based financial services, there are amounts that you are liable for if you get breached and are non-compliant with the standard. Elsewhere, there are no such things.

Organisations in the insurance services will require partnering with professional services firms that can actually help estimate correctly the level of protection put in place so that we can determine how risky the information systems of an organisation are. Based on that, we can start to put a value on the information systems because insurance is compensation of loss considering risk of loss.

So cyber insurance is extremely important, it is useful and it can drive a lot of things but we are not ready yet as a country. What I will expect in that space is for regulators like NAICOM to come out with guidelines for cyber insurance.