Is Ethiopia Ready for Cyber Warfare?
With the growing use of information communication technologies, more and more organizations are increasingly becoming efficient. Business, education, even health care services are also getting more accessible. However, the battle between online protagonists and antagonists is at its highest point now than before. Ethiopia is no exception. EBR’s Ashenafi Endale consulted with technologists, government officials and research to explore the extent of the problem that the country could face and analyses its readiness to avert the challenges.
May 12, 2017 was no ordinary day in cyberspace. It saw the quick spread of WannaCry ransomware, a computer virus which instantly affected hundreds of thousands of computers worldwide. From individuals to corporations and multiple government and non government organisations, cyber criminals targeted computer systems by blocking access and demanding ransom to restore control over files to the victims.
For staffers at Ethio-CERT – Ethiopian Cyber Emergency Readiness & Response Team, a division of Ethiopia’s National Cyber Defense Force, that fateful day in May proved the critical need to stay vigilant at all times. “Ethio-CERT is active around the clock and it immediately detected the ransomware. The Team was responsible for detecting and countering over 380 cyber attacks that targeted Ethiopia between July 2016 and March 2017,” according to Mohammed Idris, special advisor to the Director-General of the Information Network Security Agency (INSA).
CNN reported quoting a research by the Russian based cyber security firm Kaspersky that Ethiopia’s financial institutions were targeted with other countries by a hackers group called ‘Lazarus’ based in North Korea.
Barely a year after the nation grappled to conduct its annual national school leaving examination following an unprecedented leak from the government agency that administers national examinations and the subsequent blanket shutdown of internet services, questions remain wide and far about the country’s capabilities to ward off any cyber security threats from within and outside of a given institution.
Just over a decade since its inception, INSA is mandated with securing Ethiopia’s cyberspace and bears the sole dominion in the country’s cyber governance. Re-established in 2011, the Agency has far-reaching power in providing protection from cyber and electromagnetic technologies used to attack the country’s interests.
With the availability of a widely accessible internet connectivity and an ever rising number of people connected to the internet, cybercrime – “an act that covers the entire range of crimes which involves computers, computer networks or other digital technologies either as its target or as an instrument,” according to Halefom Hailu, a legal expert, is very real in Ethiopia.
We live in the digital era where people are virtually connected through various networks of computers and mobile devices practically interacting in almost all aspects of conventional life. Ethiopia is far from reaching the phenomenon known as the ‘Internet of Things,’ but Mohammed believes that “we live in the era of electromagnetic warfare,” where data is the most precious resource. “The country faced 353 major cyber attacks between July 2016 and February 2017,”he added.
Nerved by the recent WannaCry ransomware attacks, various institutions in Ethiopia are taking measures, under the guidance of INSA, which oversees the security of the country’s key infrastructures, national data center, and important institutions. But as we embrace more of what the digital connectivity has to offer, how secure is Ethiopia’s cyberspace?
A study by the Chatham House, a London based think tank covering international issues, found that Ethiopia, despite having a small connectivity rate, “has developed increasingly advanced legal and technical means to ensure greater control over the information transiting over communication networks and to defend the country from cyber attacks.”
This shows that ensuring cyber security is not only a technological undertaking; it involves framing clear policy and legal instruments. To this end, Ethiopia has put in place a national information security policy, complemented with various legal instruments and procedural standards.
Just a few months ago, the Agency rolled out the Critical Mass Cyber Security Requirement Standard, which is aimed at implementing cyber security frameworks at national level and creating alignment with cyber security practices at key institutional levels, including financial organizations, officials at the Agency noted.
Despite the country’s apparent institutionalization of cyber security, some experts are skeptical about its actual capabilities to guard against an increasingly sophisticated and evolving cyber threat against certain industries. Gezahegn Mesfin, Information Security Director at Awash Bank, has concerns about the state of cyber security in Ethiopia’s nascent digital financial service provision. “IT capacity of private banks is very weak, due partly to low attention given,” argues Gezahegn. He says, the databases of core banking, ATMs, and the currently taking off mobile and internet banking services are highly exposed to cyber-attacks.
Painting a rather dark picture, Gezahegn notes “the various applications in the industry have coding errors, operating and design gaps considering they are designed by humans and highlighting for institutions to continually undertake functionality and security assessments on the apps.”
While there is a big shift regarding the priority banks give to cyber security, recently pledging to allocate 0.5Pct of their annual budget, other experts remain unmoved with the current level of awareness to protect data. “Purchasing the technology alone cannot ensure security,” argues Abrham Gulilat, Chief of Operations at BelCash Ethiopia, a mobile banking technology platform provider for HelloCash. He remains dismayed “with no bank in the country having a ‘Chief Security Officer’ yet.”
He is not a single voice in the industry who hold that the country has never experienced any major security breach, not because of the strength of its cyber security, but because the Birr is not yet digitally convertible to other currencies. This view is in sharp contrast to what officials at INSA underscore, Mohammed claims “Ethio-CERT is the strongest of its kind in Africa.”
While the debate as to the country’s preparedness rages on, given the quickly moving dynamism in cyberspace, there remains a wide consensus about the presence of various vulnerability spots for Ethiopia’s institutions especially in finance, energy, health, education and telecom. The level of awareness and availability of skilled manpower remains a challenge. “Institutions purchase CISCO routers and leave the admin as it is. They do not understand that they have to configure it by themselves, create new passwords, and build firewalls. This single mistake means many open backdoors,” states Abrham. He encourages service providers to utilize multiple data backup systems and real-time identification and notification mechanisms to curb the impacts of cybercrime.
Gezahegn also shares this point, claiming “it takes at least a whole year to find a decent IT security expert in the current jobs market.”
Security holes created by human error are also a big concern for cyber security at the Ministry of Finance and Economic Cooperation (MoFEC) according to experts. “We cannot say we are secure,” Kedir Ali, System Security & Audit Team leader at the Ministry’s Integrated Financial Information System (IFMIS) project told EBR. Cyber security for Kedir starts with human beings. “Creating awareness among people, setting clear strategies and policies to guide the use of technology followed by a systemic auditing and updating the service are key factors to cyber security,” he stressed.
Enhancing cyber security at the Ministry comes at a time when the government body is stepping up its efforts to partially roll out an automated workflow involving various ministries and budgetary institutions during budget proposals and purchasing of certain items like fuel. “An Oracle App has been customized for these functions and was on trial for the past three years,” Kedir noted.
INSA’s Critical Mass Cyber Security Requirement Standard aims to provide the procedural measures that institutions like MoFEC need to take when going digital. Accordingly, IFMIS has acquired genuine computer products and applications directly from Microsoft. “We also patch our Microsoft Office operating system immediately after the company posts an update,” Kedir said.
In line with the Standard, users are forbidden from using pirated software or loading unauthorized apps or programmes. “Antiviruses are updated on a weekly basis and each user has a dedicated email account which is licensed on our server,” Samuel Birhanu, the Ministry’s data center Wide Area Network Administrator told EBR.
Samuel is confident that they have made significant progress in patching up security holes at the Ministry. Work is still ongoing to “deploy auditing tools in collaboration with INSA that can trace and counter attacks in real time, all the time.” But he is weary-eyed when it comes to other network infrastructures IFMIS depends on.
The project is set to incorporate over 600 users with INSA and Ethio Telecom playing important roles during online transactions. “MoFEC cannot protect the data alone, whatever our efforts,” argues Samuel.
Collaborating with INSA, MoFEC is developing localized Security Operation Centers (SOC along with the Commercial Bank of Ethiopia (CBE)). Though extremely expensive, the center can prove instrumental in monitoring and sending out alarms whenever there is a security breach in the data network.
Though some institutions are taking strides in beefing up their cyber security apparatus, the same cannot be said about some public institutions in the country. The Central Statistics Agency (CSA) administers a huge amount of data in the country. It is currently preparing to conduct the fourth national census and plans to go digital with data encoding to be carried out using “tablets which will send their inputs to a central data pool through various mobile networks,” Kifle Gebre, Information System Technology Director at the Agency said.
A 75 million Birr MoU has been signed between the Agency and INSA to ensure the census goes without any digital hiccups. Despite these efforts, however, the Agency does not have its own large-scale data center to back up its data. “We’re planning to use the Data Center at the Prime Minister’s Office,” he said. “Though an offsite back up is badly needed, security concerns have ruled out using a cloud service, and the fact that there is only one telecom provider in the country has made using different network infrastructures to store data impossible.”
The official also revealed that the Agency is in the process of purchasing genuine computer and IT products to ensure cyber security, though “purchasing technologies was not the real problem in Ethiopia but the lack of skilled expertise to make full use of it.”
Kifle also points the intricate link that exists between other critical infrastructures such as electricity to prevent loss of data and promote digital security. “All our activities are dependent on an uninterrupted provision of telecom networks and power,” he noted.
As businesses, households, public institutions and related infrastructures continue to suffer from unpredictable power outages, it is worthwhile to consider how secure the country’s power grid is from cyber threats.
Two companies are tasked with the provision of electric services in Ethiopia – Ethiopian Electric Utility (EEU) and Ethiopian Electric Power (EEP).
“EEU has launched a 61 million dollars project to deploy SCADA operating system and to automate the power grid system,” Birhanu Kebede, IT Department Head at the Utility told EBR. The operating system is also designed to protect the billing system of all its 15 districts which run on a network connection. “We also run intensive training drills to protect the automated system and sustain flawless power service to bridge the gap on awareness and technology skills,” he added.
Ethiopian Electric Power, the institution in charge of generating and delivering power to the country, currently uses an isolated fiber optic transmission based network for the grid system, separate from the main telecom network, according to officials at the organization.
“Though external threats are highly unlikely to target the national grid system, if there is a considerable vulnerability, it remains to be from the inside,” the official speaking on conditions of anonymity noted.
“Someone within could infect the grid system or some key line of power plants by infecting the system using a USB flash,” the official underscores It is not hard to imagine the impact on the day to day activities of individuals, organizations and businesses if such an attack was to happen.
EEP controls lines over 132MW, while lines with less power are under the supervision of EEU. Both companies use standards on using flash disks to avoid risk of infection. They work closely with INSA and the latter has recently made some security recommendations for EEP.
Though EEP’s security structure is based on US and Italian frameworks, it is not fully implemented because “it focuses on high-tech, huge investment, skilled manpower on IT and cyber security,” the official said. “No school in the country provides training on cyber security in the sector.” he said. This for him is one of the basic challenges facing the promotion of internet security in Ethiopia.
This sentiment is also shared by experts in a variety of fields. For Abrham, the critical recommendation for Ethiopia is investing in universities to provide quality education and undertake research and development. To bridge the shortage of skilled manpower in the sector, INSA recently signed memorandum of understanding with Mekelle Institute of Technology and Addis Ababa Institute of Technology for the launch of a Master’s programme in cyber security management.
“Ethiopia needs to develop real time alerting and countering systems of cyber-attacks at every vulnerable institution.” Gezahegn stresses.
The country may experience relatively less severe cybercrimes now, but as the economy and way of communication evolve and better and faster internet connectivity becomes the norm, the threat is set to rise. This calls for a need to invest more in education, research and development to bolster Ethiopia’s cyber security. EBR
5th Year • August 2017 • No. 53