INTO THE BREACH - JSE MAGAZINE

INTO THE BREACH

Africa needs to do more to prevent becoming the weak link in global supply chain cybersecurity

INTO THE BREACH

Billionaire Eugene Kaspersky was warming to his theme as his doomsday slides flashed across the screen. Aircraft falling out of the sky. Utility grids going dark. Nation states firing nukes. Nothing but doom, defeat and despair across the board. This was his prediction: globalised cybercrime will disrupt life as we know it, and not in a positive, creative way either.

I was bemused on meeting him to find he was actually a jovial, friendly sort, and into fast cars and adventure. It turns out that, as the founder of the Kaspersky security software business, international cybercrime is just a trigger issue for him. He came up through the finest cryptography schools of the Soviet Union and today has legions of crack hackers at his disposal. He likely knows a whole lot more than we would ever want to know.

So I checked some of Kaspersky’s claims with other cybercrime experts probing for what Africa’s exposure would be in all this. It became clear that cybercrime would exploit the so-called digital divide in Africa. The continent may have leapfrogged fixed-line telephony to go mobile, but a lot of digital infrastructure has not kept pace. In a global supply chain where local small businesses supply local branches of multinational companies, the former become the weak link in the IT security chain. Is all its software legitimate and updated? Does the SME have a smartphone security policy? Already we have seen small businesses in SA shut down by ransomware.

Right now, there are programmers in Cape Town writing code for Amazon.com. And there are local animators uploading code to Hollywood studios. But who is servicing their PCs? So it becomes a David and Goliath scenario where Acme Computers in Alberton is unwittingly fighting off the virtual might of the North Korean government.

Also, experts agree that all but the most sophisticated attacks could be stopped by applying the so-called hygiene factors. By simply maintaining equipment, updating software and introducing a basic code of digital practice for small businesses (strong passwords and smartphone rules, for example) only the most determined and well-funded attacks would succeed. This would leave government, state-owned utilities and companies operating critical infrastructure free to focus all their resources on a much smaller attack surface area. Known as advanced persistent threats, these attacks are the most sophisticated and require the kind of financial resources and expertise only nation states can muster. Few African countries have a digital network infrastructure as complex as SA’s, so there is ample opportunity to easily harden cybersecurity in these countries. On the issue of cost, one African ICT minister smiled wryly and muttered: ‘Maybe about the same price as one military helicopter.’

Disturbingly, Kaspersky makes little distinction between cybercrime and cyberwarfare. He maintains the business concerns of companies have become almost indivisible from the broader economic concerns of the countries themselves. Donald Trump even claims his sanctions against Chinese tech products are in retaliation for hackers stealing intellectual property (IP) of US businesses.

High-level cybercrime might entail, for example, the theft of business IP, ransomware and extortion, or a staged public relations disaster to weaken the target company’s share price. Cyberwarfare, which happens silently, would most likely target critical national infrastructure, from power grids to water supply and, of course, telecoms – failure of which interrupts business and brings economic activity to a grinding halt.

Ominously, the end goal of international cybercriminals is not to extort five figures from (very) small SA businesses. Their goal is to find a back way into the listed entities for which a public data breach will have far more serious consequences.

Today, the country is looking like a victim of its own success. While PCs per capita remain very low in SA, the growing penetration of smartphones dramatically increases the surface area for cyberattacks. And while HR slowly figures out phone usage policy, SA’s IT professionals are racing to close the holes opening in our firewalls.

By Gavin Dudley
Image: Wilnicque Rall