When a private hospital in Ghana contracted a cybersecurity expert to fortify its online presence against data breaches, little did it know it was rather opening itself to future hacks that nearly compromise its client-doctor confidentiality.
A month after the hospital paid thousands of cedis to hackproof its online infrastructure, hackers took over its website and internal database for clients.
A pornography site lorded over its website while nurses, doctors and lab technicians struggled to access clients’ database.
The hackers demanded a payoff or have patients’ health records leaked.
The cyber security expert the hospital contracted insisted he had nothing to do with the cybercrime. An audit later showed the system had malware infestation which made it easy to spy and steal data.
However, the cybersecurity expert denied knowledge. Eventually, another company was hired to fix the problem.
Cybersecurity threats including malware infestations an everyday occurrence in Ghana with some practitioners said to be operating without ethics because their victims (individuals and institutions) for the fear of losing their clients keep mute.
But the Cyber Security Authority (CSA) says it would soon throw such service providers out of business. Starting from January 2023, all cybersecurity service providers would have to register to practice.
This would make Ghana the only country in Africa and second in the world after Singapore to require the licensing of cybersecurity service providers.
High levels of compliance
The Deputy Manager in charge of International Cooperation at the Authority, Emmanuella Darkwah, revealed this at the opening of a national roundtable on addressing Ghana’s cyber security capacity needs in Accra.
In a speech she read on behalf of the Director General of the Authority, Dr Albert Antwi-Bosiako, she said the move was meant to “attain a higher level of compliance and ensure industry standards, in line with international best practices.”
“If you are a business, a firm or an individual, you will not be able to offer cybersecurity service to anyone unless you’re licensed or accredited by the authority,” she stated.
The event, which was organised by the Media Foundation for West Africa with support from the UK-based Global Partners Digital Ltd, was meant track the progress the country had made in building its cybersecurity capacity and its challenges.
With an increasing reliance on information communication technology and digitization, Ms Darkwa said there was the need to ensure that country’s ICT investments were well protected.
“This is to ensure that different individuals who are using these platforms are able to safeguard their experiences. Due to COVID and reliance on ICT, a lot of people are transacting online.”
But with the opportunities come vulnerabilities, she pointed out.
“In spite of the potentials we can gain from it[digitization] there is a lot of opportunity for cyber criminals to utilize as well, and intercept peoples’ experiences. They take advantage of reliance on these platforms for malicious purposes,” she said.
It was in response to these threats that the government passed the Cybersecurity law.
The implementation of the law, she said had yielded dividends, and pointed to Ghana’s position on the Global Cybersecurity Index.
Ms Darkwa said as part of the implementation of the law, the Authority had embarked on major campaigns nationwide to draw the attention of the public to be conscious about online hazards and the need to protect themselves in addition to the launch of a cybercrime incident point of contact.
“This provides the platform which allows citizens to reach computer emergency response team (CERT) in the authority. If you have any issue, you’re able to call the CERT team. This bridges the gap between the authority and the citizenry.”
The team, she said had received more than 13,000 calls in 2022. However, only 559 of the complaints were related to cybersecurity.
In another presentation that touched on how Ghana is ensuring a human-rights respecting implementation of international cybersecurity capacity and security initiatives such as UN-Open-Ended Working Group on ICT, she said the country is guided by the global cyber norms. The norms focus on cybersecurity in the context of international peace and security.
They are hinged on 11 pillars: interstate cooperation on security, consider all relevant information, prevent misuse of information communication technologies (ICTs), cooperate to stop crime and terrorism, respect human rights and privacy, no damage to infrastructure, protect critical infrastructure, response to request for assistance, ensure supply chain security, Report ICT vulnerabilities and Do no harm to emergency response teams.
Ghana passed the Cybersecurity Act, 2020 (Act 1038) to help in cybersecurity development and in response to cybersecurity challenges.
As a build-up to the implementation of the law, the Cyber Security Authority (CSA) was set up in October 2021 to implement the law and regulate the cybersecurity ecosystem in the country.
Delivering the welcome address, the Executive Director of the MFWA, Sulemana Braimah, noted that it was one thing having the Cybersecurity law and another thing people taking advantage of it and using it to empower themselves.
He said it was important to educate and empower the citizenry to understand the law and also use it to assert their rights as they engaged in the cyber and digital space.
While pledging the MFWA’s commitment to champion digital literacy in Ghana, he also rallied key stakeholders including the Cyber Security Authority and the Data Protection Commission to create awareness among the populace the reduce their level of vulnerability in the cyber and digital space.
The participants made the following suggestions and recommendations to help build a more robust cybersecurity capacity in the country:
- There is the need for the CSA to share feedback on complaints and actions taken to improve trust and confidence in its work.
- The CSA needs to provide a balance of engagement on awareness creation both on social media and mainstream media.
- The need to highlight human right issues in the cybersecurity space.
- The CSA needs to increase its awareness creation in markets and other informal business settings to rope in more segments of the population who are more vulnerable to cyber-attacks.
- There is the need for regular capacity building in Cybersecurity for ICT teachers to keep them updated with the evolving cybersecurity world.
- Civil Society Organisations and the CSA should focus more on community level interventions and design awareness programmes that take into consideration local languages.
- The CSA needs to engage academia and religious organisations, particularly churches and mosques to increase its reach.
- The Ghana Investment Fund for Electronic Communications (GIFEC) needs to be more proactive and live its mandate of empowering the vulnerable and under-served communities throughout Ghana.
- The Girls in ICT project by the Ministry of Communication and Digitalisation needs to revised and modelled to benefit more girls across the country.
- The CSA needs to engage more in the internet governance space.
- The CSA needs to be consistent with its awareness creation in schools because in behaviour change communication and cybersecurity, one off interventions do not make much impact.
- The CSA and the Ministry of Communications and Digitalisation must be concerned about the safety-by-design standards of the apps approved for public use.
- Stakeholders must engage the telecommunication companies on the increasing cost of data which could leave millions of people behind in the digital space.