Today, many African countries face challenges in protecting their critical infrastructure. These include lack of policy and legislation, lack of an information sharing and coordination framework for government and private sector owned or managed infrastructure, inadequate capacity and resources, acts of terror and vandalism.
Liberia: In 2016, an overzealous hacker employed by one major telecommunications company sabotaged the network of a rival resulting in half the country being cut off from bank transactions. Cut off from internet access, Liberia’s information minister, ostensibly in charge of the country’s response, was left asking for help on French radio. Despite Liberia’s appeals abroad for assistance, authorities did not make arrests until after the software employed in the attack was used to disable Deutsche Telekom.
Nigeria: In August 2012, Boko Haram reportedly hacked the personnel records databases of Nigeria’s secret service, revealing the names, addresses, bank information, and family members of current and former personnel of the spy agency. The breach was executed in the name of Boko Haram as a response to Nigeria’s handling of interactions with the group. The attack was significant as it represented a substantial shift in tactics of the group which has an anti-Western stance.
South Africa: In June 2020, Life Healthcare, the second largest private hospital operator in South Africa was hit by a cyberattack. This attack, which happened during the COVID-19 pandemic, is believed to have cost the organisation more than a month in downtime, affected its admission systems, business processing systems, and email servers, with some systems being forced offline.
The state-owned enterprise Transnet, operating rail, port, and pipeline in South Africa faced a cyberattack in July 2021. The attack caused Transnet to declare force majeure at several key container terminals, including Port of Durban, Ngqura, Port Elizabeth, and Cape Town. The impact of the attack was ‘unprecedented’ according to the Institute for Security Studies (ISS) because it was that the ’operational integrity of the country’s critical maritime infrastructure has suffered a severe disruption’ for the first time, resulting in the shut down of a critical trade route and disruption of vital trade services in the middle of a global pandemic.
The African Union Convention on Cybersecurity and Personal Data Protection requires states to develop a national cybersecurity policy and a strategy that sets out the objectives and timeframes for the successful implementation of the policy. Developed in collaboration with stakeholders and based on an all hazards approach, the policy should identify the risks facing the nation and recognise the importance of Critical Information Infrastructure (CII). The convention requires countries to adopt legislative and/or regulatory measures necessary to identify and protect the sectors and support ICT systems that are critical to national security and the well-being of the economy.
The protection of critical infrastructure requires the national commitment set out in the relevant strategy, policy, and legislation.
Protecting critical infrastructure and critical information infrastructure is like predicting an earthquake. In Geology, we know where an earthquake will strike and at what magnitude, but, what we do not know is when.
Source: Video – Strathmore University Business School Webinar – Kenya’s Critical Information Infrastructure: Exploring the Effectiveness and Impact of Existing Legal and Institutional Framework
Reflection point: Cyberattacks on infrastructure
– Identify cyberattacks on infrastructure that have happened in your country.
– What was the economic and social impact of the disruption caused by the attack?
– What measures have been put in place by the Government to prevent and mitigate similar attacks?