The Next Big Threat — Is Nigeria ready?

If you have been paying attention, then you know cyberattack is among the significant threat in the world. Disrupting nuclear programs (Stuxnet), attacking financial services (Epsilon), allegedly influencing elections (US elections), activism (Anonymous), car hack/hijack (Jeep cars), the list goes on and on. DDoS attacks, disruption, hacking, phishing, cyber this, cyber that; hearing these words have become part of us. We hear them during an election, protest, in our offices, pretty much everywhere. You can’t turn on the news without hearing these words. Some of the stories are straightforward; some are so convoluted that even professionals find it hard to digest.

Because of how humanity continues to rely on technology, it makes technological safety of paramount importance. Any threat to the technology that revolves around us becomes a threat to whichever part of us depends on that technology. The media and every major country are paranoid when it comes to cybersecurity. Why? — Because they are paying attention. For Nigeria, if we are okay today, what happens if the next Boko Haram comes in the form of technology? I mean, cyberterrorism is a thing — Imagine someone hacking into a hospital database, just to alter a patient’s diagnosis, or, worse, intentionally prescribe the wrong medication to a patient. Before you bury me for wishing ill towards our dear nation. Ask yourself, is it possible, and is Nigeria ready for these kinds of threats?

Let us use Boko Haram as an example of our readiness capability. We all know the way the Boko Haram situation was handled at the early stage could be better — the situation should never have gotten this worse. Within a short period, Boko Haram proved to be uncontrollable with initial attacks in Bauchi. In 2010, I think everyone within the Bauchi metropolis heard the sounds of machine guns when Boko Haram went on a rampage to free their fellow members from Prison. This happened right in front of Bauchi Emirs Palace in the month of Ramadan, few days to Eid al-Fitr celebrations. I’ll never forget that day. The following year, Boko Haram attacked the UN headquarters in Abuja. That attack and other major ones immediately brought Boko Haram to the global spotlight. After that, Boko Haram went haywire.

One doesn’t need to be a counter-terrorism expert to see the signs if we were paying attention. The signs were all there. Nigeria was frowned upon and considered a failed state, not because we were victims of terrorist attacks. No, not all, but because we failed to/couldn’t contain Boko Haram on time. Our sloppiness resulted in Boko Haram growing far beyond control and establishing dominance. It is good that things are getting better, but no doubt, Nigeria has failed the actual victims of Boko Haram.

What are we doing to ensure that such a scenario never happens again? Nothing (or at least, not in the public view). We all know that Nigeria is not a proactive nation. We handle issues poorly before and after it happens. If we inadequately address current issues, then what plans do we have for what is bound to happen? — If one says cyberattacks don’t pose a threat that could result in loss of life, sure I agree to some extend. It doesn’t directly. But it doesn’t mean cyberattacks are not capable of putting a nation in a miserable condition.

Nigeria is the biggest country in Africa by GDP and population. Gradually, we are seeing signs, which, if left unattended, might lead us to another disaster. Looking at some few cases; In 2013, some foreign LGBT activist(s) hacked Nigeria’s Federal Government website because Nigeria(ns) decided the oppose LGBT rights. In 2015, INEC’s website got hacked on the day of the presidential elections. NITDA estimated that Nigeria(ns) lost approx $450 million to digital fraud. The following year, it was $550 million. In the same year, Nigeria saw a thousandfold increase in cybercrime. I am not only talking about the 419 scammers, defrauders, and social engineers. But also real hackers who hijack infrastructure, hack emails, or worse influence Nigeria’s policy and economy.

Internet usage in Nigeria is increasing (which is good), but with that increase comes more threats. If the signs mentioned above are not good enough, then Nigeria can learn from what is going on around the world. Cyberattacks allegedly influenced the 2016 US election, the election campaign. With Nigeria moving towards digital voting. It is only a matter of time before the electronic voting devices becomes the target. (Ignore the fact that Nigeria outsource the electronic voting systems we use — which definitely have a tendency to be altered since we don’t even know the architecture behind the devices).

It is already a common trend in Nigerian elections to have allegations of voting/election hacking. The common trend is multiple registrations by voters. How easier would it be to manipulate elections by the time we become dependent on just the electronic voting devices? Do you now agree that cyberattack is capable of altering a nation’s decision — The signs are all here, we are just not paying attention.

There is no humiliation in being a victim of a cyberattack, but there is something wrong in not addressing the problem. These problems won’t go away. On the contrary, they will become more severe. It is not that easy; remember, the adversary only needs to discover one attack surface, but the defenders must defend most (if not all known) and, in some cases, counterattack. Because it is not that easy, that is why developed nations are steady fighting what is happening, ensuring it never happens again, and investing for what is going to happen next. Nigeria should learn from that. I believe there are some forms of cyber-defense currently in place within the NSA, DIA, or NIA. But the truth is, it is not enough for what is about to come. We need more cybersecurity professionals ready to fight the next battle.

According to Serianu (an IT company), Nigeria has approx 1500 number of certified cybersecurity professionals. Even though certifications are not benchmarks, and one does not need a certification to be a cybersecurity professional, the figure indicates Nigeria lacks enough cybersecurity professionals. Especially in a country where competence is often measured based on one’s credentials and not capabilities.

Most IT professionals in Nigeria lack adequate technical training, and the truth is, it is not because they are not talented, but because they require the necessary tools, environment, support, and education. Our curriculums are outdated, and our employers don’t provide adequate training/support. Unless one can afford (or lucky enough) to study out of the country, one will be technically disadvantaged, this is a common experience among Nigerian IT/CS graduates in the diaspora. Ask anyone that studied in Nigeria and later find himself elsewhere to advance his/her study. We have all experienced that. You come out of Nigeria, just to realize you don’t even know 10% of what you are supposed to know as an IT/CS graduate. If we think it will not catch up with us, then obviously we haven’t learned anything. How long do we have before Nigeria faces a national cybersecurity threat? Imagine China, Russia, or even some random activist organization focusing on Nigeria. We can’t defend ourselves, and if we can’t protect ourselves today, are we for tomorrow? What happens if some cyber-terrorist decide to hijack Nigeria’s infrastructure? What would happen when the next election comes? Do we have enough workforce to ensure Nigeria is safe? The truth is, we don’t. And the worst part is we are not preparing for it.

Consider Boko Haram vs. Nigerian Military. The military lacks the resources required to fight Boko Haram. Cyberwarfare is the new battlefield. Now is the right time to start focusing on cybersecurity in Nigeria. But to get ahead of the curve before it gets worst, we need to invest in our cybersecurity sector. In Nigeria, we have the ngCERT, which operates under the Office of the Nigerian Security Advisor (NSA). But Nigeria also needs a dedicated Cybersecurity unit or command with a primary goal of combating cyber threats. And not just a group under a non-IT security-focused agency like NITDA (NITDA focuses on IT development) or a National defense-intel agency like NSA, NIA, EFCC or DIA but rather a dedicated IT defense unit with 24/7/365 CSOCs (Cybersecurity Operations Centers) across the nation dedicated to monitoring, detection, analysis, and response. This will help with cybersecurity readiness and also create thousands of jobs across the country.

Nigeria also needs to support in house IT SMEs by leveraging them as cyber defense contractors (not outsourcing everything like we do, which always results in giving too much access to foreign nations). These SMEs can focus on research and analysis of tools and infrastructure Nigeria can use.

Above everything else, Nigeria needs to prep enough professionals. Not only from a technical viewpoint for IT/CS students but also Lawyers who can handle cybersecurity policies, Law Enforcement Agents that can handle forensics, etc. There is no better way to achieve readiness than to invest in students, employ professionals, offer cybersecurity scholarships, etc. If we don’t tackle these problems soon, we are surely going to cry tomorrow. It takes time to become ready, hence why most nations are continuously investing in cybersecurity scholarships. It is only logical we do the same.

Cyber risk is real, and the earlier we understand that, the better.