Hacked again - why the government's cybersecurity must be questioned

What you need to know:

  • We need a national audit of our information assets before determining the best way to protect them.
  • Without an up-to-date judicial system, enacting the pending Data Protection and Cybercrime Acts would be futile.
  • It does not matter how sophisticated or expensive your security system is if your staff keep falling for common and emerging social engineering tricks.

So the government was hacked last week – yet again. The Ministry of Foreign Affairs experienced what is known as a ‘social-engineering’ attack.

Social engineering is a pretty common attack that plays on the victim’s psychology by deceiving them into divulging confidential information.

In this case, staff at the ministry were tricked into sharing their email passwords with the hackers. Using these passwords, the hackers managed to log into the staff email and harvest some not-too-sensitive data.

This followed an attack in 2012 by an Indonesian hacker that took down 103 government websites.

Although the ICT Cabinet Secretary Joe Mucheru has downplayed the impact of the attack, it does raise some pertinent questions.

How prepared are we as a country to deal with cybercrime? ‘Country’ should refer to the government, the private sector and non-governmental organisations.

As a matter of fact, most of the country’s digital data sits outside, rather than inside, government data centres.

Banks, hospitals, supermarkets, mobile operators, and universities are some of the data repositories outside government, and one can only speculate on the level of data security employed in each of their data centres.

Worse still, data breaches in these organisations never get publicly reported, leading to a false sense of security, and complacency.

This leads us to the next question. What, as a country, are our overall data security requirements? One cannot secure that which they don't know about.

We need a national audit of our information assets before determining the best way to protect them. Critical information infrastructure, as mentioned before, exists both in the public and private sector.

One must take stock and classify each data repository in terms of socio-economic impact in the event of a security breach. Such a breach includes not only data leaks, but also attacks aimed at bringing down services or illegally modifying existing data in order to falsify it.

The ongoing turbulence in our banking sector is a case in point. The fact that banks were able to consistently alter data to reflect better results in their financial statements without appropriate action from the regulator reflects poorly on our capacities to deal with information security.

What should be done to correct this state of affairs? We have to start at the top. Policy, legislation and the tone on regulation of information security must be set at national level.

The Kenya Bureau of Standards has published several information security standards for enterprises, but these remain optional.

Cybersecurity or information security will not be effective, however, if it is left to individual organisations to determine what to secure and how to secure it.

All entities within the country must adopt similar standards and procedures for protecting data that has national or public-good implications. Security, after all, is only as strong as the weakest link in the security chain.

As an example, most multinationals may boast of robust information security practices as dictated by their headquarters in developed economies. However, such secure operations, surrounded by insecure neighbouring networks and environments, amount to little.

Indeed, most international hackers are known to launch attacks from ‘safe-havens’ where they know that nothing will happen to them legally in the event that they are caught in acts of cybercrime.

Additionally, security training, and more training, is necessary. It does not matter how sophisticated or expensive your security system is if your staff keep falling for common and emerging social engineering tricks.

Training should also be extended to the Judiciary and law enforcement. Without an up-to-date judicial system, enacting the pending Data Protection and Cybercrime Acts would be futile, since most hackers would be acquitted for ‘lack of digital evidence’.

Finally, there is a need to increase the number of information and cybersecurity professionals, to match the increasing automation within both the public and private sectors.

Such professionals would undertake regular internal and external security audits, set up incident response teams and liaise with law enforcement where necessary.

As a country, are we ready to deal with cybercrime? Not quite. Even if we are ahead of our neighbours, we still have a lot of catching up to do to guarantee the security of our digital environment.