Recent press reports indicate that Kenya’s progress in ICT has now matured, to a point where we are a target of interest for both global and local cybercriminals.
Banks, the Kenya Revenue Authority (KRA), the National Transport and Safety Authority (NTSA), mobile operators and the Independent Electoral and Boundaries Commission (IEBC) are included in a list of major organisations cited as being recent victims of an elaborate cybercrime syndicate.
It is, indeed, a wake-up call for organisations, both in the private and public sector, to set up, fund and operationalise their information security departments.
Many organisations jump onto the computerisation bandwagon with little or no regard for how they will secure their ICT investments against cyber attacks. Information security tends to be secondary, or an afterthought that comes to mind only after being hit hard by cyber-criminals. How did we get so exposed?
POMP AND COLOUR
Several years ago, in 2009, Kenya launched TEAMS the first submarine cable to connect the East African coast to the global internet.
For the first time in the history of communications, all East African countries could now enjoy high-speed communications that were 100 or more times faster than the satellite links that previously connected us to the internet. There was pomp and colour as President Kibaki commissioned and celebrated the project.
A few analysts noted that global cybercriminals would be amongst those celebrating the feat in great interest. They could now remotely deploy their hacking tools on a state that was previously protected from attacks by its very poor international connectivity.
A high-speed link to the global Internet is good for the country, but also for highly-skilled cyber criminals seated comfortably abroad, collaborating with their local counterparts to mount attacks on critical infrastructure.
Are we prepared to deal with these attacks? Unfortunately not.
SPLIT THE LOOT
Yes, we have made tremendous progress in terms of instituting and equipping national cyber-security teams, both in national security agencies and the private sector. However, we have failed to address the weakest link in the security chain.
The weakest link in security matters generally, and information security in particular, is the human element. It does not matter how expensive and comprehensive your firewall infrastructure is if hackers can simply break in by sending an enticing email to all or some of your employees.
A few of them are likely to open the attachment, and in so doing, introduce some surveillance or sniffing software into the network. Such software will then sit quietly within the network infrastructure, listening in and communicating key passwords that would subsequently be used to infiltrate your system.
What’s worse is that there appears to be a relatively low ethical threshold in our newly minted ICT graduates. Hackers therefore need not look for ways to install surveillance software to get that important super user password. In all probability, they simply need to state how they will split the loot once the illegal entry has borne some economic fruit.
So unless and until this human weakness is addressed, Kenya should be prepared to read about about its next cyber-attack sooner rather than later.
Another weakness is the fact that our judicial arm of government seems not to have made strides as far as dealing with cybercrime is concerned.
Whereas the Kenya Information and Communications Act has provisions for dealing with hacking, Kenya needs other complementary laws to address the investigative, prosecution and judicial aspects of cybercrime.
It is one thing to round up cybercrime suspects, but it is quite an uphill task to successfully sustain and prosecute a digital case in court. This is made worse when the magistrates trying the case may have no clue about what the defence and prosecution counsel are arguing about.
At the end of the day, cybercrime suspects may be acquitted due to inadequate investigation, poor prosecution, judicial ignorance or all of the above.
The war against cybercriminals will not be won until and unless all these sectors move in tandem and read from the same page.
More importantly, lack of regular training for employees to apprise them of emerging cybercrime trends will continue to present the weakest point of entry, which hackers are likely to exploit for a long time to come.
Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @jwalu