By Dr. Katherine W. Getao, EBS, CEO, ICT Authority Kenya
In March 2020, the World Health Organization declared a global pandemic in response to the rapid spread of the new virus COVID-19. Since then countries around the world have struggled with hundreds of millions of infections, hospitalizations that have stretched health systems, and 1.65 million deaths by the end of 2020. The pandemic came as a shock for almost all countries. This is a shock that could be felt in a similar way by a computer virus, or a cyber attack. These are the lessons learned from the pandemic for the cyber security and cyber diplomacy community.
Protocols have been designed to foster global cooperation and good practice in the arena of cybercrime, cybersecurity and state-to-state conflicts involving ICTs. These come in response to the rise of crime and wrongful actions stemming from the misuse of information technology and the internet.
In Africa, the African Union developed a Convention of Cybersecurity drafted in 2011, and African members of the Commonwealth unanimously agreed to take action on cybersecurity through the text of the Commonwealth Cyber Declaration at the 2018 Commonwealth Heads of Government Meeting. Furthermore, since 2014 several African countries including Ghana, Kenya, Mauritius, and South Africa have participated in the United Nations Group of Governmental Experts on advancing responsible state behaviour in cyberspace in the context of international security.
At the national level Kenya has passed laws on computer and cybercrime as well as data protection and privacy. There are draft laws on critical infrastructure protection and ICT practitioners which are in the process of stakeholder engagement. There is a vibrant and effective Computer Emergency Response Team (Ke-CERT), a National Cyber Command Centre designed to coordinate cybersecurity response, and an Information Security Team at the ICT Authority that delivers cyber-hygiene interventions including implementing the national public key infrastructure; development of a model Information Security policy for the public sector; and engaging in awareness creation, capacity building and incident analysis.
The African continent has made strides in addressing cybersecurity issues and cybercrime risks at both the national and international level. Yet in light of observing the global response to the COVID-19 pandemic, what are the lessons learned that could be applied in cybersecurity? What more must we do?
Lessons from the Pandemic
Lesson 1: It Will Happen
A pandemic appeared to be the stuff of fiction, but it has happened. There are many opinions about the level of maturity of emerging technologies, the capacity of non state actors to access and competently use the type of ICTs that can cause a serious incident, the proportion of countries that have implemented technologies that expose them to serious risks and so on… The conclusion sometimes drawn is that there is very little risk of a serious global incident in the near future. Personally, I now believe that it will happen, and soon.
The role of information technology in every level of public and private life combined with the growing number of ICT threat actors and threats (see, for example, NS Nappinai’s ‘Technology Laws Decoded’) makes a serious global incident increasingly likely.
Lesson 2: Leadership is essential.
Having observed successful and not-so-successful management of the COVID-19 pandemic in different countries it has become obvious that leadership is a critical element in the management of crises. The public and corporates have depended on regular, clear and consistent messages from trusted political leaders as well as trusted technical leaders. The simple, practical measures which were promoted by the World Health Organization early in the Pandemic, repeated by local leaders, have saved many lives in developing countries that did not have ready access to other interventions. Policy recommendations that promote a competent governance and leadership structure and the design of clear messages for consumption by the public during cybersecurity incidents are important.
The imperative to respect national sovereignty adds complexity to the debate on cybersecurity leadership. The security concerns of integrated regions (e.g. Europe,) global superpowers (e.g. USA and China,) and the more fragmented, developing countries may differ (see Fierke, p.38). Developing countries are always at risk of becoming ideological as well as technological proxies unless the capacity and confidence to develop effective strategic and technological interests in the cyber domain are fostered; enabling genuine leadership in cyber issues.
Lesson 3: There is no worse time to discover the weaknesses in your system than in a crisis
COVID-19 was sudden and aggressive. Life-saving equipment, critical care beds and medical personnel were in short supply and countries had varying degrees of success in quickly scaling up. Part of any policy involves not only being encouraged to know what you have in place, but also how additional capacity could be accessed in the event of a major incident.
One of the revelations of the COVID-19 pandemic, is the critical importance of the financial and health sectors to national security. This revelation must influence the definition of “Critical Infrastructure” by states; criminals have already recognized the value of health systems and health intellectual property. The role of states in crisis management (see Galloway p. 160) has also become clear and reaffirms the need to keep states active in global cybersecurity policy recommendation bodies such as the United Nations Group of Governmental Experts in Information and Communication Technology (UNGGE).
Lesson 4: Trust is key
Incident response requires cooperation, and cooperation works best when the parties concerned trust each other. Trust between countries, and trust between leaders and people will be the point where cybersecurity policies succeed or fail. While we laud the innovators who have quickly developed vaccines for COVID-19, it is clear that vaccination programs will only succeed if the compact of trust between leaders and citizens is restored and maintained.
Clarifying the rights, duties and even cultural expectations (norms) of states (the UNGGE and OEWG processes at the United Nations are active in this area) is an important step towards building a safer cyberspace.
Greater fairness in distributing the benefits of technology will also foster better relations and more trust. The COVAX initiative in the health sector, for example, has been a demonstration that some actors are concerned about the fair distribution of Vaccines to all parts of the world. The Global Forum for Cyber Expertise (GFCE) is a forum that promotes cost effective delivery of expertise in the cyber domain to all countries. Capacity-building, sharing of technology and technological information and willingness to help and share the burden when a damaging incident occurs, will build more trust in international fora.
Lesson 5: Capacity building is a two-way street
When the pandemic began, there were dire predictions about its impact on the African continent. While there has been death and suffering on this continent, it has not happened at the predicted scale. Perhaps it was forgotten that Africa is one of the continents with extensive experience in dealing with health emergencies. Whether in health or cybersecurity, we can all learn from one another. The global nature of the cyberspace is an excellent opportunity for states from all parts of the world to learn from one another.
Lesson 6: Rapid innovation and rapid implementation is possible with collaboration and political will
It has been impressive to observe how quickly scientists, working collaboratively, have developed complex vaccines in a fraction of the usual time. Even in the less-technologically advanced countries innovators, working together, have succeeded in rapidly producing critical technology, such as ventilators and tracing applications. When rapid innovation is combined with the political will to cut red tape and enable quick technology adoption, wonders can be achieved. Cyber incidents develop in seconds rather than weeks, so it will need even greater collaboration between technical experts and greater and faster political intervention.
International policy recommendations for collaborative research in the realm of cybersecurity and cyber diplomacy (UNIDIR, ITU and others have already been active in this area) are important for setting up the networks and methodologies that will become necessary when quick action is needed.
Lesson 7: Data-deficiency is dangerous
It is clear that the successful implementation of a vaccination program in a country, for example, will require a lot of data: who needs the vaccine most? Where are they? Where is their nearest viable delivery point? Which health providers have been trained to deliver the vaccine? Who has received the first dose? The countries with effective health information systems will have the easiest task in delivering a vaccine. Similarly, the issue of cybersecurity data- its collection, management and use will be vital in successful responses to cybersecurity incidents. International policy norms must continue to promote data recording in coherent formats and data sharing across geographies.
Conclusion
Unlike the pandemic, the major impacts of a global cyber incident may not be illness and death. However, they may be social inconvenience, economic damage through financial and operational disruption and losses to individuals and enterprises. Cybercriminals, activists, terrorists and even states are exploiting vulnerabilities in ICT infrastructure and systems to further their aims.
Developments in the digitalization of Government (eGovernment) must be matched by developments in cybersecurity technology and policy. eGovernment enables the integration of Government functions for greater efficiency, adoption of rational, holistic approaches for complex, public-sector problem-solving, automated recording and instant access to public data and information. All of these can lead to greater public sector transparency which can help to build trust between governments and citizens. It is perhaps no accident that the countries with a good penetration of eGovernment are also the countries with good relations between Government and citizens. However, cyber-insecurity can erode such trust by enabling data breaches, significant damage to national critical infrastructure and system malware that causes operational malfunction.
It is imperative that the global community collaborate to develop binding policies as well as cultural norms to guide the behavior of states during such an incident as well as making the necessary preparations. The pandemic has taught us that it will happen and we need to be ready.
References
Adams J.; The Next World War; 1998; Arrow; ISBN 0-09-922542-5.
Agade K.M. (ed.); Security Governance in East Africa: Pictures of Policing from the Ground; 2018; Lexington Books; ISBN 978-1-4985-5365-0.
Chinkin C., Kaldor M.; International Law and New Wards; 2017; Cambridge University Press; ISBN 978-1-107-17121-3.
Fierke K.M.; Critical Approaches to International Security; 2nd Edition, 2015; Polity Books; ISBN 978-0-7456-7053-9.
Flynn N., Asquer A.; Public Sector Management; 7th Edition, 2017; Sage; ISBN 978-1-4739-2517-5.
Fukuyama F.; Trust: The Social Virtues and the Creation of Prosperity;n1995; Free Press Paperbacks; ISBN 978-0-6848-2525-0.
Galloway S.; Post Corona: from Crisis to Opportunity; 2020; Bantam Press; ISBN 978-1-7876-3480-0.
GFCE Meridian Good Practice Guide on Critical Infrastructure Protection for Governmental Policy-makers; 2016; Meridian.
Hough P.; Understanding Global Security; 3rd Edition, 2013; Routledge; ISBN 978-0-415-68840-6.
Loo B.; Military Transformation and Strategy: Revolutions in Military Affairs and Small States; Routledge; ISBN 978-1-138-01058-1.
Luiijf E.; Understanding Cyber hreats and Vulnerabilities; p.52 in Lopez J. et al; Critical Infrastructure Protection: Information Infrastructure Models, Analysis and Defence; 2012; Springer Verlag; ISBN 978-3-642-28919-4.
Mambi A. J.; ICT Law Book: A Source Book for Information and Communication Technologies and Cyber Law; 2nd Edition, 2014; Mkuke wa Nyota Publishers; ISBN 978-9987-08-074-8.
Nappinai N.S.; Technology Laws Decoded; 2017; LexisNexis. ISBN 978-9-3503-5972-3.
Rutenberg I.; Cyber Law in Kenya; 2nd Edition, 2019; Wolters Kluwer; ISBN 978-94-035-1241-9.
Trott P.; Innovation Management and New Product Development; 6th Edition, 2017; Pearson; ISBN 978-1-292-13342-3.
Tucker D.; The End of Intelligence: Espionage and State Power in the Information Age; 2014; Stanford Security Studies; ISBN 978-0-8047-9042-0.
Von Glahn G., Taulbee J.L.; Law Among Nations: An Introduction to Public International Law; 10th Edition, 2016; Routledge. ISBN 978-1-138-69172-8.
Comments