guest column:Bibi Khofi-Phiri

CYBER attacks are increasingly threatening the integrity, privacy and security of individuals and organisations in Zimbabwe, with irreparable damages to their reputation and financial standing. According to the Reserve Bank of Zimbabwe (RBZ) (2015) and the Zimbabwe’s National Risk Assessment (NRA) report, of 2015, cybercrime has contributed to the US$1, 8 billion proceeds generated from criminal activity annually in Zimbabwe.

Attackers are not merely interested in stealing funds or holding companies’ information hostage. They now wish to infiltrate and manipulate the entire ecosystem it belongs to.

Subsequently, cyber attackers exploit these gaps in systems and functions. This article aims to highlight the necessity of a cyber-security framework that needs to be implemented in Zimbabwe to minimise cyber risk and exposure. Investment in cyber security systems is required to raise awareness and train professionals on the relevance of cyber security.

Security features and regulatory enactments are required to serve as a guideline to identify and sanction cyber crime. Support must be given to cyber security strategies that detect and respond to cyber threats.

Innovations in cyber security need support from all stakeholders including civil society, organisations, businesses and the government of Zimbabwe. Cyber risk management must be made mandatory and implemented in all organisations. Efficient rapid response is required in the face of threats or attacks in order to mitigate and minimise the exposure and impact of cyber attacks.

Investment in cyber security structures and policies need be prioritised and implemented in Zimbabwe to minimise the risk and loss caused by cyber crime. Investment must be done in securing the internal, online and digital frameworks. The framework suggested by the National Institute of Standards and Technology (2018) is a foundational map that is meant to assist in identifying actions to minimise cyber security risk in business.

The current framework that governs cyber crime in Zimbabwe is the Constitution of Zimbabwe (Amendment Number 20 of 2013) being the supreme law of the land enshrining all fundamental rights relevant to cyber security such as the right to human dignity (section 51); the right to personal security (section 52); the right to privacy (section 57); the right to freedom of expression and the freedom of the media (section 61); the freedom of artistic creativity, academic freedom (section 61 (1)(d) and freedom of scientific research and creativity (section 61(1)(b)); the access to information (section 62); the right to administrative justice (section 68); the right to a fair hearing (section 69); the right of accused persons (section 70).

The Criminal Law Codification Reform Act (Chapter 9:23), the Interception of Communications Act (Chapter 11:20), and the provisions of the Income Tax Act (Chapter 23: 06) and the Postal and Telecommunications Act (Chapter 12:05) remain the backbone of all telecommunications, internet, and electronic based communications are the main legislations governing cyber crime.

According to the Misa, (2015) the Criminal Procedure and Evidence Act (Chapter 9:07), the Civil Evidence Act (Chapter 8:01) all relate to adducing of evidence in criminal and civil matters, however they have noticeable shortcomings on how computer related evidence or a crime committed through a computer or against a computer can be adduced in the courts.

In the process of enacting the Cyber Bill, consideration needs to be given to the National Institute of Standards and Technology (NIST) (2018) framework, which can be used as a guideline in identifying and developing a customised cyber security framework with the mandatory security features required from each business and support for critical functions in line with a risk management strategy.

The broad categories of the first function known as the identification function of the framework are: asset management; business environment; governance; risk assessment; and risk management strategy. Cyber security threats attack the connectivity of critical infrastructure systems, the country’s security, the economy and public safety at large.

There are various risks which affect companies’ bottom line which include financial, reputational and cyber security risks. These risks increase the operational costs and place a dent in the revenue of organisations and businesses. The ability to innovate, gain and maintain customers is severely compromised when a company’s security system has been breached. Cyber security can be an important tool for protecting and preserving a company’s reputation and financial profile.

It is unfortunate that cyber security is not prioritised in Zimbabwe by individuals, businesses and the government, and this leaves them vulnerable to cyber-attacks. The RBZ reported over 140 cases of cyber crimes between 2011-2015 which consisted of: phishing (20); credit card fraud (13); identity theft (10); unauthorised access (24); hacking (72); and telecommunications piracy (1).

To avoid further cyber-crime, Zimbabwe needs to take a holistic approach in tackling cyber-crime and staying abreast with the advances in technology. It needs to align its national laws with international cyber security frameworks in order to be adequately prepared for any breaches in security systems. The problem Zimbabwe faces is overreliance on one service provider such as Econet and EcoCash.

Should Econet experience an attack on their system the whole nation will be affected, financial transactions will be adversely disrupted and the public’s private information and data will be highly compromised. Cyber criminals take advantage of this anomaly and capitalise on the shortfall of services and illiteracy levels in society.

Zimbabweans are still a long way from having access to exposure and education on cyber security. Only 3% of the Zimbabwean population has access to or can afford electricity and only 47% of the population has access to the internet. This can be used as a leverage to easily infiltrate and hack systems that have little to no protection by cyber criminals. Therefore, data security and protection is of paramount importance. The NIST framework (2018) advises companies and governments to implement the protection function which is an arm that deals with: identity management and access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology.

Awareness training programmes and regulatory frameworks are also needed at grass root levels in Zimbabwe. The skills gap and competency levels need to be addressed in Zimbabwe.

Unfortunately, the qualified professionals have left the country in search of better paying jobs outside the country also known as a brain drain and this has made the awareness levels on cyber security laws and legal frameworks be recorded to almost zero. — African Thinker
It is advised that the Zimbabwean cyber laws and regulations will need to be developed by qualified and certified professionals who can align the cyber laws with the NIST framework in order to tackle the challenges currently faced in cyber security.

Immediate detection and response to any threat is crucial in combating cyber security attacks, and the minimisation of the impact of cyber security breaches needs to be prioritised.
The NIST Framework (2018) advises that the detection function of the framework needs to be developed and implemented in each country to discover cyber security threats. This involves looking at: anomalies and events; security continuous monitoring; and detection processes.

The response function delves into developing and implementing rapid response and action against all detected cyber security infiltrations. This assists in containing the impact of potential cyber security breaches and includes: response planning; communications; analysis; mitigation; and improvements.

The recovery function of the framework helps in maintaining plans to minimise the impact of any disruptions faced in any organisation. It supports the resilience of the business and the continuity of its growth; it protects the brand and trust of the business and restores any services that were impaired due to a cyber-security breach.

This arm looks at: recovery planning; improvements; and communications. It is critical that these three functions are developed and implemented in Zimbabwe by trained professionals who can promptly respond to threats and cyber-attacks as well as mitigate all risks involved with security breaches.

To prevent further cyber-attacks and security breaches in Zimbabwe, the government needs to take a collective approach in aligning the cyber laws with international standards. Global regulation advises the harmonisation of national laws with global conventions and declarations. This is necessary to avoid jurisdiction issues where legal disputes arise.

Further financial loss to Zimbabwean institutions and organisations need to be minimised by a framework that can identify security breaches and threats. Awareness training programmes need to be increased across all professions and begin at grass root levels.

Zimbabwe needs all stakeholders to be involved in being capable to detect and respond rapidly to all attacks and quickly recover from any security breaches. A framework that caters for these functions will be definitely creating a human firewall against cyber crime in a world that is evidently becoming reliant on cyber space.

Do you have a coronavirus story? You can email us on: news@alphamedia.co.zw