Here is how to implement a national cyber defence system
It was reported earlier today that USAhas accused China of Cyber Stalking, something which China has refuted in the strongest terms. How can countries avoid such in future?
The extent of cyber challenges are rising every day. The use of cyber intelligence, cyber weaponry and cyber tactics in national security management are top agenda for any government. This is the future of national security. Sophisticated weaponry and defence systems are taking the largest share of the R&D budgets. The battlefield is no longer geographical. It is cyber or cloud based. As such, it causes insecurity to everyone globally. Is Uganda prepared to prevent any cyber attack? As a country, you can ignore this new reality at your own peril.
The Internet is very difficult place to manage. It is easy for any one with Internet access and basic IT skills to acquire special skills in the creation, deployment and use of cyber weapons. The Internet itself has lots of resources to enable anyone develop high level skills in the area of programming and hacking, as long as they have the interest and time.
Developing countries are at a greater risk of cyber attack.
There is a person I know living in Kampala, Uganda. According to his internet bill, he uses about twenty gigabytes of data every month on his private machine. I was made to understand; over 70% of his traffic is outbound. How sure is such a person not stealing valuable data from several local business or government unsecured databases?
Critical national infrastructure like banking, intelligence, military operations, payment processing, financial management and communication are automated. It is reported that many government ministries in developing countries are victims of cyber attacks on a daily basis. Executives are just investing in automating their processes with little consideration in securing their infrastructure. In any company, investment in countermeasures in terms of tools and staff training is not more than 20% of their total IT budget. That is how they are getting it wrong. Cyber fraud incidents are on the rise.
No one wants to admit it. That is another big challenge. When a company is hit, they rather keep quiet about it and instead transfer the cost to the customer instead of investing in experts to investigate and bring the culprits to book. This approach of ‘saving face’ is escalating the scale of the problem.
Little knowledge is a bad thing!
As a CEO of Summit Consulting, a local company that trains ethical hackers and digital forensic specialists, majority of senior executives, ministers and senior law enforcement officers concern is “how sure you are not training terrorists? How do you ensure people you don’t train as someone as an ethical hacker only to turnout as a cyber crime and start terrorising our computer systems?
This is a good concern. However, I think it is a result of lack of knowledge about how the Internet works.
My experience and knowledge is that, once you connect to the Internet, you get exposed to hackers regardless of their physical location globally. If they have not attacked you [yet], it is because you are not a valuable target. There is no value or motivation for them to attack you. Cyber crime comes in many forms the common being denial of service, theft of data or modification of your data. If you have to delete more than say 20 spam emails daily, you are probably a victim of cyber criminals. That time you spend in reviewing or deleting the unwanted mails, is a huge cost to you in the long-run.
The best defence against cyber crime is not stopping local people from studying. That is foolish. The best strategy is to identify young people and giving them the tools, skills and all support they need to learn and re-invent new tools and strategies to protect the country. That is what developed countries have done: to empower all young minds to be better than the rest in the world. It is no wonder that China and USA are accusing one another for cyber spying. They have the best of the best among them.
How big is the risk?
At national security level, the game plan is different.
Many of the computers, vehicles, and a plethora of electronic gadgets used in Africa are manufactured as well as assembled in Asia, particularly in China. How would majority of developing countries independently review the imported gadgets and equipment into their countries to ascertain whether there are no key loggers or hardware based spyware in the new gadgets?
How many countries can avoid such a kind of attack vector? Which international body ensures that it is not done to unsuspecting victims?
Your security is your responsibility
Every country has the responsibility for implementing a robust cyber defence and response system that has been set up by the specially developed national cyber management team. For better results, nationals must be entrusted with such a system. The challenge has always been how can a developing country, without a special team of experts develop their own special cyber defence team without assistance from external expertise? How do you ensure that external experts do not leak your skills, tools, techniques to another client (country)?
Any country feels secure when the most trusted folks are in control of the key national defence systems. This feeling of securityis most assured when the specifically groomed citizens are in the driving seat. In the physical defence, it is easier to train such local people and put them in charge. In the cyber defence arena, it is difficult. It takes over 10-30 years to train some of the best cyber experts. It means the best first year computer/ science graduates must be specifically groomed for the next 20 years. They must study at some of the best global universities. Then come back in a specially set up local facility and be allowed to be creative so that they devise their own ‘cyber’ technologies and defence systems beyond anything seen before.
At one of our clients we were engaged to implement a cyber management strategy, the government made it clear that they did not want us to set a system that can be replicated. As a project manager, my recommendations were simple: implement ‘Chinese walls’ in the implementation of the national cyber management strategy.
How did we achieve this?
We first administered an assessment test to over 100 brilliant nationals. These people included university students, law enforcement, public servants and other specially nominated individuals identified as brilliant and enthusiastic about technology. You had to be 20 years or less to qualify to sit for the admission exam. We trained all these in basic computer skills. They were then subjected to another practical exam to create a Trojan in their local languages. About 30 students passed this and progressed to the next level. Our target was to develop at least 10 top experts.
We then invited special cyber experts from US, China, Europe and India to train them. Each of these experts taught a different skill to our experts. They were exposed to the best in that area. If it was using backtrack for example, a special master did the training. Another would cover a different area altogether without any idea of what his/ her colleague had covered.
In the end, we had experts with skills no one else had. We had created our own cyber crime specialist team. And that client is sure that they are themselves to blame in case anything went wrong.
The lesson is don’t trust your total technology and cyber defence system to a single expert. I am happy to have been the team leader on this fantastic project.
Mustapha B Mugisa, CFE, CHFI is founder and CEO of Summit Consulting Ltd, a firm that specialises forensic, security and fraud management.