The cyber security bill has been the talk of the nation for a while now. People are already misinterpreting several parts of it, as is common with legislation. Our focus today is not on the bill and its contents but rather the doomed nature of it all in the global scope of information technology and the corresponding efforts of our local government.
Teaching the police to police
A friend recently had a cyber harassment challenge due to a work dispute. The criminal was almost clever, but not clever enough. She used a South African sim card (roaming) to create a throw-away WhatsApp account and sent several messages with the intent to cause harm to my friend’s marriage. It worked, until I was called in (you can imagine me doing a Matrix style, Neo entrance here complete with trench coat and shades in slow motion).
To catch the culprit, we had to instruct the police on how to write requests for data to mobile network operators. They had no idea that catching a criminal this way was possible, using IMEI logs. Now remove an individual who is tech-savvy from that equation and you have criminals getting away with all sorts of shenanigans. No one in the police force is remotely aware that this is even possible and there are no training courses provided by the government.
The issue of training on how technology works should be a priority for the government. To take a cybersecurity course right now, your best bet is to have United States Dollars to pay for an online course. This immediately rules out more than 60% of the national populace given the current state of economic affairs. The lack of training is doubly true for the police who do not seem to be able to appropriately charge non-cyber-crimes in the first place.
The government is also not equipped with any infrastructure to deal with any real cybersecurity threats. Several government departments have gone digital (registry, health, V.I.D) but all they have are software to perform their tasks easier and no protective infrastructure in place.
I know Excel and Word, let me handle security
When the government introduces software into its service stack, there are generally no dedicated and trained personnel who are employed. The existing employees are simply asked if there are any among them who can use a computer. There is always a one-eyed-man (or woman) among the blind and that individual, without any additional training, becomes the head of that particular new department. The state of affairs is so terrible that you can get reprimanded for reporting bugs within internally developed software.
The government then purchases laptops and phones to be used by civil servants to execute their duties. These gadgets are then treated like cars, for work use between 8am and 5pm, becoming personal gadgets afterwards. You end up with government employees carrying around mobile devices that have direct access to national health, birth/death and Zimra records. The same gadgets are also used to browse the internet at home, for social media and to watch movies. A hacker who gains access to any one of these gadgets will own the data of the whole country. Civil servants, due to low salaries are at an even greater risk to fall for security breaches that originate from scams promising easy money.
Have some free money
There has been a fake USAID advert circulating on social media, promising covid-19 relief from a partnership between the government and the USAID. For me, that was the first red flag, USAID does not work with the government of Zimbabwe or any other government, they work with non-governmental organizations. The second red flag was the website that was linked to the advert. The web address contained www.usaid-zw.stuff.com (I altered the actual link, replacing some of it with stuff to protect Techzim readers). To an individual with basic knowledge of how the internet is organized, the link can easily be identified as a fake website but I am willing to bet thousands have fallen for this scam.
Even specialized ICT courses offered in Zimbabwean colleges do not teach how to spot potentially fake and scam websites from the real deal. This lack of information security awareness is a nationwide problem that needs to be addressed for successful cybersecurity. A man from Bulawayo lost his $26,000 pension to a similar, poorly organized scam that worked effectively. Wait, before I go on, let me tell you a story that happened at NUST Zimbabwe during a lecture! This is a true story.
A student got hold of his friend’s phone and changed the name he was saved under in the phonebook to Econet. During a lecture, he sent a text message with the contents, “Congratulations, you are one of 10 Econet subscribers to win a Range Rover!” This was cruel, but the student brought the entire lecture to a stop in celebration. A keen-eyed student then noticed the Econet sender had a phone number you could call and that was how it was dismissed as a fake. Had both our student and the unfortunate pensioner known how to identify real and fake messages, both the practical joke and the scam would not have worked.
The cheap Huawei devices
Huawei devices were found making web-based call to servers linked to the Chinese ministries of defense and information. I have since then distanced myself from any Huawei gadgets but the issue was not related to mobile phones only but also to network devices used in cellphone towers and also computer modems. Econet still uses Huawei devices in its cell towers as well as other MNOs which means we are effectively handing over data to the Chinese.
As long as not just Zimbabwe but other developing nations continue to use imported devices, we will always be at risk and have limited control over our cyber security. The few close friends I told about this did not seem to care either. IT security education and awareness are not included in the academic curriculum of Zimbabwe leading to citizens who do not appreciate the value of information.
The unprotected child
Our children are also not protected against several forms of cyber-crime. We have unaware parents giving their children free rein on social media, leaving them vulnerable to child pornography, sexual predators and financial scams. A form two schoolgirl on social media stands no chance against the charms of a sex predator/paedophile with a few dollars to spare.
The core focus of the cybersecurity bill seems to be preventing citizens from organising protests against the government instead of actual information security. The majority of the bill covers so-called crimes committed against the government and some financial scams but it neglects the more harmful threats. As economies shift from traditional to tech-based, the cybersecurity bill and its supporting infrastructure and government effort will not be protecting anyone from the real threats.