Cybersecurity: Experts Question Nigeria’s Readiness Under NSA-Led Council

TECHDIGEST – Cybersecurity experts have raised concerns over Nigeria’s ability to respond to possible cyberthreats, questioning the efficiency of the country’s lead advisory team and the management of its dedicated fund.

The Cybercrime Advisory Council, led by the National Security Adviser, Babagana Monguno, was set up in 2016 and was tasked with checking rising cybercrimes and formulating the modalities for implementing the Cybercrime (Prohibition Prevention) Act 2015.

While Nigeria is yet to face a significant cyber attack, experts say the country does not need to wait until that happens before it takes action. They argue that with growing incidents of cybercrimes globally, structures put in place to address such threats need to be functional and funds judiciously used.

Nigeria lost about N250 billion in 2017 and N288 billion in 2018 to cybercrime, a Proshare report said.

Aligning with global trend, Nigeria enacted the Cybercrimes Act in May 2015, its first law to deal with cyber crimes.

The law gave strength to a 2011 ECOWAS protocol on fighting cybercrime, and to the National Cyber Security Policy and Strategy adopted on February 5 of same year.

The legislation empowered the National Security Adviser (NSA) and the Attorney General of the Federation to enforce its provisions, and mandated the establishment of a fund for its operations. It also made it mandatory for the government to set up a multi-agency Cybercrime Advisory Council and the National Cyber Security Fund maintained with the CBN and administered by the NSA.

The fund is funded by a 0.005 per cent levy on all transactions by GSM service providers, telecommunication companies, internet service providers, banks and other financial institutions, insurance companies, and the Nigerian stock exchange.

On April 19, 2016, the Buhari government set up a 31-member council made up of representatives of various establishments and civil society.

With that decision, Nigeria became the fifth African country and the first in West Africa to enact the cybercrime law and set in motion strategies for its implementation.

The inaugurated council was tasked with formulating the modalities for implementing the Cybercrime (Prohibition Prevention) Act 2015.

The CBN on July 4, 2018, set up the cyber-security fund after instructing the relevant organisations to set aside required levies from online transactions made by Nigerians.

However, there are concerns over the efficiency of the council and the management of the multibillion naira fund.

For instance, while the legislation mandates the council to meet four times a year, PREMIUM TIMES learnt that the council has only met six times since they were constituted in 2016.

The last time the council meeting was on July 20, 2020. By the provisions of the law, the council should have met about 20 times at the time. There are also questions surrounding the lack of transparency in the management of the funds.

A member of the council, who asked not to be named due to the sensitivity of the issue, said the council has not been serving the purpose for which it had been set up. The source said since the council has only been able to meet about six times since it was set up in 2016, its efficiency has been called to question “and members are not happy’’.

“We should have met at least 20 times if we are to go by the stipulations of the Act but the NSA rarely calls for meetings. His excuse is that he is always busy. But we know that with the emerging cyber threats world over, this is the right time for the council to be fully functional and discharge its roles but this is not so,’’ the source said.

The source also said there needs to be more openness in the management of the funds and its disbursement should be “for only projects approved by the council’’ and not ‘unilaterally’ approved by the NSA.

The mechanism through which the fund is to be disbursed is not clearly defined in the law and this has made its management at the discretion of the NSA, sources within the council argued.

Section 44(5) merely says up to 40 per cent of the fund “may be allocated for programmes countering violent extremism”. It is not clear if the funds have been deployed in dealing with the violence in the North-east and other parts of the country.

Section 43 also says the fund will be applied “toward the functions of the Council” as well as “establishing an enabling environment and formulating general policy, which includes awarding research and graduate training grants in the cybersecurity field”.

One source said members were stunned recently when, after months of inactivity amid the COVID crisis, the NSA launched a National Cyber-security Policy and Strategy document “which had minimal input from the council members’’.

The source said the NSA also early this year, perhaps in reaction to the unease among members of the council over his handling of its activities, replaced some members.

The source, who was particularly concerned about the lack of transparency in the management of the fund, said “there is no accountability as per the resources that should have been utilised to meet specific timelines and projects specified in the National Cyber Security Policy and Strategy adopted in 2015’’.

‘’For now, the NSA runs a ‘one-man show’ in which council members are now mere onlookers,” the source said. “The main reason why these members were selected from various establishments was to help the NSA implement the strategy as clearly spelt out in the act and the relevant projects to help Nigeria address cyberthreats and related crimes. But now, the council is dormant and has failed to serve the purpose for which it was set up. We don’t meet regularly to agree on anything.’’

Efforts to get a reaction from the NSA on the report were not successful as his known phone line was switched off despite several attempts to connect.

Two officials in the Office of the NSA initially agreed to speak on the matter on the condition of anonymity, but later failed to send a response days after an email was sent to them as requested.

A subsequent reminder sent to one of the officers asked to give an official response was not responded to.

Also, the director, Corporate Communications of the CBN, Osita Nwanisobi, did not respond to enquiries from PREMIUM TIMES on the status of the fund, days after he also asked that the questions are sent to him via his phone.

Separately, PREMIUM TIMES confirmed that banks and related financial outfits have been remitting fees from customers’ online transactions into the fund, as directed by the law.

A member of the council who represents the Association of Telecommunication Companies of Nigeria (ATCON), Olusola Teniola, told PREMIUM TIMES the council convenes whenever pertinent issues that the NSA needs assessing are brought to its (his) attention.

“The most recent one to my knowledge was the updating of the National Cybersecurity Policy and Strategy that was concluded efficiently and on time and approved by Mr President Buhari GCFR earlier this year,” he said.

He said the policy and strategy document released is relevant “and all the focus should be on implementation and execution of the numerous recommendations already laid out. This is still work in progress and engagements with critical stakeholders will begin in earnest.’’

He added that “all cyber threats are actively being monitored by all stakeholders in a collaborative manner. Cyberspace is vast and the most critical stakeholders are you and I. There is a need to raise public awareness programmes across all communities and of course, distil digital literacy to encourage safe internet usage.’’

Mr Teniola’s optimism is not shared by some industry experts who want Nigerians to take more than a cursory interest in the nation’s preparedness for cyber threats and how the funds are being managed.

The Executive Director of the Centre for Cyberspace Studies, Nasarawa State University, Uche Mbanaso, said Nigeria is ill-prepared to handle cyber-threats, arguing that the NSA-led council is not enough.

“The fund is a good initiative. This is what almost every other country does to be able to appropriately fund such a complex security terrain in cyberspace,’’ he told PREMIUM TIMES. “However, the cybersecurity sector in Nigeria has really suffered a lot of setbacks simply because there is really no agency mapped out to take the responsibility of cybersecurity.’’

“Cybersecurity is very vast and complex. In many instances, it is not something you can subsume under ONSA (Office of the NSA) because ONSA, for instance, doesn’t have its own staff. It takes staff from security and intelligence agencies. You cannot enhance cybersecurity by ad-hoc staff. You need a consistent and sustainable workforce that can champion cybersecurity,’’ he notes.

He also said policing the cyberspace is not as easy as policing the physical space.

‘’Before someone gets into our physical space in Nigeria, he (or she) must obtain a visa. Someone coming into your cyberspace does not need a visa. Someone coming into Nigeria also has to pass through immigration. Not so for cyberspace. These are some of the factors that make policing cyberspace a very complex and sophisticated venture.’’

He said Nigeria is not yet serious about securing its cyberspace.

“UK has nothing less than six agencies that work on cybersecurity. There are different aspects of cybersecurity. Look at our critical infrastructure, for instance, it is very huge. Many countries have agencies just for the protection of critical infrastructure. They also have agencies that are dedicated to responding to threats. They have agencies that deal with research and development.”

The scholar, who said it was time for the nation to take practical steps to secure its cyber assets, then took a swipe at the council.

“Who are those in the advisory council? How many experts are in that council? People cannot give what they don’t have. The council is made up of mostly civil servants. Most of them don’t have anything to offer as per knowledge in cybersecurity. This is an area that needs expertise. In years to come, our military may be procuring cyberweapons with millions of U.S. dollars and even exporting it from Nigeria will be a tug of war. Cyberweapon is more lethal than a nuclear weapon. Why not start now by creating centres of excellence? We don’t want to invest….’’

Uche Mbanaso The Executive Director, the Centre for Cyberspace Studies, Nasarawa State University
Ayoola Falola, a cybersecurity expert based in Abuja said the NSA-led team appears set up for failure.

“Just like many other ‘advisory’ councils set-up in Nigeria – the law mandates ministries and MDAs to ‘donate’ members. There is no care if such government establishments have the right staffing and framework to support such membership,” he said.

‘’Cybersecurity is a fast-paced industry; but based on the membership representation from government agencies, the council doesn’t seem to have enough theoretical and technical knowledge to support the mandate they are given.

‘’To help make the council effective, I recommend they elect permanent members (based strictly on merit) and invest in a programme that would keep the council busy and engage the ‘stakeholders’ to ensure that the goals of the act are established and fulfilled.’’

He also called for more transparency in the management of the cybersecurity funds and called for more companies to be made to contribute to it.