A Framework for an African Policy Towards Creating
Cyber Security Awareness
IST-Africa 2011, Gaborone, Botswana
11-13 May 2011
Zama Dlamini - CSIR
Barend Taute - CSIR
Jabu Radebe – Dept. of Communications,
South Africa
Imagine
Sipho, a small business owner from Mussina, wants to register his business (selling
goods to Zimbabwean visitors on behalf of Makro SA) with Revenue Service and the
Department of Labour using the newly available online system.
 A friend of a friend encouraged Sipho to use the online system in order to
avoid the queues and delays.
 As a first time internet user (now that broadband internet is available 24h a
day) he goes to the Revenue Service website on his mobile phone and
enters all his personal information as asked (not realising that it was a
phishing website and not aware of the potential risks).
 He even enters his bank account number and PIN to pay his value added
tax.
× He pays VAT for a year, at the end of which he submits his Tax Return,
only to discover that he was never registered and that his money is lost.
× Not knowing who to ask for help, Sipho eventually loses his business 
Purpose and Approach
• Purpose
― To highlight the importance of an African Cyber Security Strategy
that will specifically increase Cyber Security Awareness
• Approach
1.
Review of the cyber security landscape in Africa
2. Review of Cyber Security Policies from developed countries
(USA, UK, Estonia, Korea)
3. Conceptual framework for an African Cyber Security Strategy
4. Framework for Cyber Security Awareness
Outline
•
•
•
•
•
•
•
•
•
Introduction and Background
Cyber Security Landscape in Africa
Cyber Security Policies in Africa
Examples of Implementation in Africa
Cyber Security Policies from the
Developed Countries
Learning from Developed Countries
Framework for African Cyber Security
Policy
African Cyber Security Awareness
Recommendations & Conclusion
Introduction and background…
• Global concern on Cyber Security
• Cyber security has become a GLOBAL issue of concern, judging
from the increase in importance in the developed world (USA,
UK, EU, Estonia, Korea, etc.)
• Unique Challenges in African continent
– The digital divide
– Dealing with low levels of IT literacy
– Dominant use of mobile devices and wireless networks (security
solutions less advanced or not used)
– Roll-out of broadband internet access in Africa (vulnerable and
open to exploitation)
– African Cyber Security policy lacking at this stage
• How do we address the challenges to get to the desired
future?
Cyber Security Landscape in Africa:
 Key player organizations on African cyber security
• United Nations Economic Commission for Africa (UNECA)
— addresses CS as African Information Society Initiative (AISI)
• International Telecommunication Union (ITU)
— builds confidence and security in the use of ICTs internationally
• International Criminal Police Organization (Interpol)
— has its ISRT, recommends IS awareness at ALL levels
• African Network Information Centre (AfriNIC)
— has AfWG-tasked with raising Cyber Security awareness in Africa
• Information Security Group of Africa (ISG-Africa)
— Wide membership, partnered with different companies, eCrime Portal
• Others that we have not identified?
Cyber Security Policies in Africa…
• Draft South African National Cyber Security Policy
―
―
―
―
―
―
Legislative Framework
Policy Objectives
Creating Institutional Capacity to Respond to Cyber Crime and Threats
Reducing Cyber Security Threats and Vulnerabilities (CSIRT)
Coordinate Local and International Partnerships
Continuous Innovation, Skills Development and Compliance
• Mauritius National Cyber Security Policy
― National Awareness Programs and Tools
― Good Governance of Cyber Security & Privacy
― Harnessing the Future to Secure the Present
― Personal Cyber Security
― A holistic approach integrates many elements
CSIRT/CERT = Computer Security Incident Response Team/
Computer Emergency Response Team
…Cyber Security Policies in Africa
• Kenyan National Cyber Security Policy
―
―
―
―
―
―
―
Collaboration between stakeholders
Develop relevant Policies, Legal and Regulatory frameworks
Establish national CERT thus providing a Trusted Point of Contact
Build Capacity: technical, legal and policy
Awareness creation is key
Research and development
Harmonization of Cyber Security management frameworks at the regional level
• Tunisian National Cyber Security Policy
―
―
―
―
―
―
―
Defining Legal Cyber security Framework
Cyberspace protection
Training and Education
Research and Development
Raising Awareness
International Cooperation
Creating Execution and Implementation mechanisms
Some Examples of Implementation in Africa
CSIRTs provide a means for detecting and responding to cyber security
incidents and collaboration on issues such as cyber security awareness –
locally, continentally and internationally
• Mauritius: Emergency Response Team (CERT-MU)
― Computer Incident Response Team (CIRT)
― Cyber Security Awareness Portal
― National Cybercrime Prevention Committee (NCPC)
• Tunisia: Tunisian Computer Emergency Response Team (tunCERT)
― Computer Emergency Response Team – Tunisian Coordination Center
(CERT-TCC).
• South Africa : Electronic Communications Security - Computer Security
Incident Response Team (SA- ECS-CSIRT)
• Kenya: Kenya Computer Security Incidence Response Team (KE-CSIRT)
Learning from Developed Countries…
• UK National Cyber Security Policy
―
―
―
―
―
―
―
―
Safe, Secure and Resilient System
Policy, Doctrine, Legal and Regulatory issue
Awareness and Culture Change
Skills and Education
Technical Capabilities and Research and Development
Exploitation
International Engagement
Governance, Roles and Responsibilities
• USA National Cyber Security Policy
―
―
―
―
―
―
Leading from the Top
Building Capacity for a Digital Nation
Sharing Responsibility for Cybersecurity
Creating Effective Information Sharing and Incident Response
Encouraging Innovation
Action Plans
Learning from Developed Countries…
• Estonian Cyber Security Policy
―
―
―
―
Threats in cyberspace
Fields of activity supporting cyber security: Description and analysis
Enhancing cyber security in Estonia
Implementation of the Strategy
• Malaysian Cyber Security Policy
―
―
―
―
―
―
―
―
Effective Governance
Legislative and Regulatory Framework
Cyber Security Technology Framework
Culture of security and Capacity Building
Research and Development Towards Self-Reliance
Compliance and Enforcement
Cyber Security Emergency Readiness
International Cooperation
Framework for African Cyber Security Policy…
• The goal for cyber security in Africa should be to enable the full
benefits of cyber space to all African countries
• The proposed framework (combining key points from other
strategies) includes:
1.
2.
3.
4.
5.
6.
7.
Improved and Effective ICT Governance
Cyber Security Awareness
Formal Training
Improve and Maintain Response to Crime and Security Incidents
Technological Governance
Research, Development and Innovation on Cyber Security
Globalisation
…Framework for African Cyber Security Policy ...
1. Improved and Effective ICT Governance
― Leadership, laws and policies, partnerships (EU Convention on Cyber
Crime), cyber security standards and best practices
2. Cyber Security Awareness
― support public, business and government cyber security awareness
programs
3. Formal Training
― cyber security skills training at universities with African cooperation
4. Improve and Maintain Response to Crime and Security Incidents
― National and sector-based CSIRTs/CERTs, crime intelligence, crime
investigation and forensics, international cooperation
…Framework for African Cyber Security Policy ...
5. Technological Governance
― digital device use, exploitation and cyber space
6. Research, Development and Innovation on Cyber Security
― Grow R&D capability for reactive and proactive security
― Promote growth in the ICT security industry
7. Globalisation
― Participation continentally and globally on cyber security initiatives
African Cyber Security Awareness
• Awareness is used to stimulate, motivate, and remind the
audience what is expected of them. Needed in Africa.
• Components for a Cyber Security Awareness Programmes
(according to Peltier):
―
―
―
―
―
―
―
―
―
―
―
Security Awareness Goals and Objectives
Identify Current Training Needs
Obtain Support
Identify Intended Audience
Define Topics to be covered
Establish Security Policy
Define Delivery Methods to be used
Develop a Strategy for Implementation
Design Awareness Strategy
Design Training Strategy
Develop Evaluation Methods
Recommendations & Conclusion
• Awareness campaigns should not wait for continental
strategies
• Cyber Security awareness should reach and inform all internet
users
• Collaborate with existing initiatives- the proverbial weakest link
can affect all countries.
• Coordinate better across Africa to learn / support each other
• This will enhance resilience against cyber crimes and attacks
and inform African policy development
---- and now back to Sipho, the small business owner in Mussina ...
The Future – our small business owner is now fully aware of
cyber security risks and has access to good advice:
 Sipho uses his smart ID card to access e-Government
services via his cellphone.
 The certificate on his ID card is issued and recognised by
the South African Government.
 He completes the transaction in 5 minutes
 This includes confirmation of the company name and
verification of his data already on record (address and tax
status).
 In order to protect his private information, he knows that the
interaction with the back-end system is encrypted.
 He receives a signed certificate for his business registration
and uses this to open a business bank account.
 After 5 years Sipho changes his company into a listed
company and then retired a wealthy man in 30 years later
...Thank You??
Other Cyber Security Structures from
Developed Countries
International CERTs
• Global- CERT
—
—
—
—
—
—
US- USCERT
Australia- AusCERT
UK- UKCERT
Canada- CanCERT
Japan- JPCERT
Hong Kong- HKCERT
• Sector specific UK CERTs
— Academic
— Military
— Governmental
• Sector specific US CERTs
— Energy
— NASA
— Military
• Other CERTs
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
—
CERT-China
CERT-Croatia
CERT-France
CERT-Germany
CERT-Italy
CERT-Denmark
CERT-Finland
CERT-Korea
CERT-Lithuania
CERT-Mexico
CERT-Netherland
CERT-Norway
CERT-Poland
CERT-Russia
CERT-Slovenia
CERT-Spain
CERT-Sweden
CERT-Switzerland