Not much happens in Runda. A plush suburb of Nairobi, it is separated from the Kenyan capital by the leafy Karura Forest. So when a fire broke out in a house in Runda last December, nobody could have guessed what would happen next. As flames licked the side of the building, neighbours ran out to help – only to find themselves being shepherded away by dozens of Chinese nationals who suddenly emerged from adjacent houses.

When police entered the six-bedroom mansion, they found windows boarded up with mattresses to keep the noise in and the neighbours out. They found sophisticated radio equipment, banks of computers linked to high-speed internet connections, complex software capable of infiltrating bank accounts, M-Pesa (mobile money transfer) accounts and ATMs. They found servers with online transactions adding up to billions of shillings. And they found the body of a man who had died in the fire.

Within hours, 77 foreign nationals – most of them from China and Taiwan – had been arrested on suspicion of cybercriminal activity. They were all in Kenya on 30-day tourist visas – most had been in the country for over a year.

‘I don’t know what the Chinese were doing,’ a flabbergasted Amina Mohamed, Kenya’s Foreign Affairs Cabinet Secretary, told the National Assembly Defence and Foreign Relations Committee. ‘I was among the top government officials who visited the crime scene soon after the discovery. I am still traumatised.’

Mohamed stopped short of saying what cyber-crime experts across Africa must have been thinking: we’ve just been caught with our pants down.

The Kenyans, however, were not the only ones. In mid-February, the Dutch government confirmed that it had fallen victim to a large distributed denial of service (DDoS) attack in which their servers were flooded with traffic, in turn causing their sites to fail to load. Most of the government’s websites were hit.

Ironically, that attack came on the very same day the US government announced the launch of an intelligence unit to co-ordinate analysis of cyberthreats.

The announcement came, of course, in the wake of the embarrassing Sony Pictures Entertainment hack, which saw the leak of private email exchanges between senior executives. (In one of them, Oscar-winning actress Angelina Jolie was, memorably, dismissed as a ‘minimally talented spoiled brat’.) Sony’s reputation took a huge knock and its co-chair, Amy Pascal, was forced to resign.

Hackers had siphoned hundreds of millions of dollars from more than 100 banks in 30 countries

Within a week of the US government announce-ment, word got out that hackers had siphoned hundreds of millions of dollars from more than 100 banks in 30 countries, in what experts were calling one of the biggest bank heists in history. According to early analysis from global cybersecurity firm Kaspersky Lab, it began over a year ago with a rogue, cash-spewing ATM in Ukraine.

Kaspersky Lab believes that the bank’s internal computers – used by employees to process transfers and conduct day-to-day bookkeeping – were penetrated by malware that allowed cybercriminals to monitor the bank’s daily routines. This enabled the hackers to impersonate bank officials, leaving them free to transfer money out of banks across the world – from the US and Switzerland to Russia and Japan – and into various international dummy accounts. Early estimates claimed that the cyber-criminals got away with at least $300 million. Kaspersky Lab says the final score could be three times that.

The global cybersecurity threat has been growing steadily over the past couple of years. As long ago as June 2013, South African Centre for Information Security CEO and chief information security officer Beza Belayneh warned that SA was vulnerable to attack. ‘Cybercrime is no longer a criminality,’ he said at the time. ‘It is a national crisis.’

Belayneh was speaking shortly after the SAPS’ website had been infiltrated by hacktivist group Anonymous, leaking the names, telephone numbers, email addresses and ID numbers of over 15 700 people who had – anonymously – reported crimes to the police.

‘Governments are hacked, police websites are hacked, banks are losing millions,’ he said. ‘South Africa loses R1 billion a year, and it now threatens human life.’ Belayneh equated the scale of the cyber-crime risk to that of the HIV/Aids pandemic.

It was hard to disagree and, in the months that have followed, it has become impossible to ignore SA’s growing cybersecurity risk.

‘Cybercrime is a global concern and one that we as South Africans need to prioritise,’ says Riaan van Wamelen, Chief Information Officer (CIO) at the JSE. ‘The threat is as serious in South Africa as it is for all other countries, although it is generally accepted that activity in developing countries differs slightly from that seen in developed countries such as the US, United Kingdom, etc.

‘These threats apply equally to the JSE, and may well be more pronounced compared to other South African institutions due to the prominence of the JSE within the South African economy. Global examples bear this out with stock exchanges around the world being in the line of fire.’

‘Rather than paying the consequences, it makes more sense to take care of your security beforehand’

ELENA KHARCHENKO, CONSUMER PRODUCT MANAGEMENT HEAD, KASPERSKY LAB

High-profile attacks on bourses – or, at least, the ones that we know about – include the Hong Kong Stock Exchange, Nasdaq OMX Group, Bursa Malaysia, the Tel Aviv Stock Exchange and BATS Global Markets. 

The issue loomed like a shadow over the WEF in Davos, Switzerland, in January. Speaking at this year’s annual meeting, Accenture CEO Pierre Nanterme said that the ‘four biggest challenges the tech industry faces in coming years are security, security, security and security’.

In early February, US President Barack Obama described cyberspace as ‘the new Wild West’. Addressing a cybersecurity summit at Stanford University, which was attended by many of the leaders of Silicon Valley, he said: ‘Everybody is online, and everybody is vulnerable. The business leaders here want their privacy and their children protected, just like the consumer and privacy advocates here want America to keep leading the world in technology and be safe from attacks.’

The summit was part of the Obama admini-stration’s attempts to tighten up cyberlaws and prevent attacks. In particular, it wants closer co-operation between private companies and the government. This followed the White House announcement that a Cyber Threat Intelligence Integration Centre would be formed to gather information across all US government agencies in an effort to streamline knowledge of existing hacker outfits and help pinpoint possible future attacks.

As Lisa Monaco, Obama’s homeland security adviser, explained at the Stanford summit: ‘Cyber-security, like terrorism, requires a sustained effort to meet what is a constantly changing, a constantly evolving enemy.’ Everybody, everywhere, is at risk.

Addressing a cyber-security summit, US President Barack Obama described cyberspace as ‘the new Wild West’

Cisco’s 2015 Annual Security Report, released in late January, paints a frightening picture. ‘Attackers have become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity,’ it states.

‘Defenders, namely security teams, must be constantly improving their approach to protect their organisations from these increasingly sophisticated cyber campaigns.’ And while cybercriminals are getting better by the day, users – that’s you and anybody else in your organisation who has access to the internet or email – are being dragged in as unwitting accomplices.

Users are caught in the middle, claims Cisco. ‘Not only are they the targets, but end-users are unknowingly aiding cyberattacks. Cisco’s threat intelligence research revealed that throughout 2014, attackers increasingly shifted their focus from servers and operating systems as more users are downloading from compromised sites – leading to a 280% increase in Silverlight [a Microsoft plug-in] attacks along with a 250% increase in spam and malvertising exploits.’

So what is an organisation – large or small – to do about it? As one would expect, Kaspersky Lab advocates a proactive approach to security threats. ‘Some users regard cyberthreats as some sort of remote entities that can only do damage in cyberspace,’ says Elena Kharchenko, the company’s consumer product management head. ‘However, many online threats have clear implications in the real world – be it lost data or stolen money. Rather than paying the consequences, it makes more sense to take care of your security beforehand.’

Van Wamelen’s response to the threat is clear: ‘Companies and organisations in South Africa should protect themselves and their clients by establishing an information security programme that considers all aspects thereof, including governance, risk, compliance, people, process and technology.

‘This programme should be championed and sponsored at executive level with alignment to business objectives. Such an information security programme should leverage global best practice standards as applicable to each organisation.’

Sabrina Dar, Cisco East Africa GM, points to the internal threat – or what IT staff have for years been referring to as ‘picnic’: problem in chair, not in computer.

Commenting on the release of the Cisco report, she said: ‘To protect organisations against attacks across the attack continuum, CIOs need to ensure that their teams have the right tools and visibility to create a strategic security posture, as well as educate users to aid in their own safety and the safety of the business.’

Whatever they do, they’ll have to do it well – and quickly. While official numbers are impossible to come by, security consultants Wolfpack Information Risk estimated that cybercrime cost SA businesses about R2.5 billion in the 2012/13 financial year. Other estimates put that number at as high as R5 billion per annum. Last year, a WEF/McKinsey report pegged the potential global cost of cyber-crime at $3 trillion, should the current approaches to cybersecurity not be changed.

Meanwhile, SA is still waiting for the release of the National Cybersecurity Policy Framework – passed by Cabinet almost three years ago – to give strategic direction to the country’s approach to cybersecurity. And as it waits, cybercriminals continue to go on the offensive.

By Will Sinclair