TheCable

In February 2021, President Muhammadu Buhari launched the National Cybersecurity Policy and Strategy (NCPS). While unveiling the document, the president said he was delivering on his promise to tackle insecurity, strengthen the economy, and fight corruption. 

The president also stated that part of the objectives of the NCPS is to leverage the benefits of the digital revolution, while also dealing with cybercrime.

“In a bid to ensure that we effectively embrace and harness the benefits of [the] digital revolution, while effectively combating rising cyber threats, the Federal Government has been proactive in ensuring progressive use of the Internet and cyberspace,” President Buhari had said.

TheCable takes a closer look at the policy document, undresses the key takeaways, and brings you all you need to know about Nigeria’s latest cybersecurity policy and strategy.

DASUKI’S BRAINCHILD

Dasuki and Jonathan

Sambo Dasuki is so popular for Dasukigate that many Nigerians often forget he made some major moves as the National Security Adviser under the leadership of former president Goodluck Jonathan.  Dasuki is said to have received an extra-budgetary allocation of $2.1 billion from the Nigerian National Petroleum Corporation (NNPC) which was used to fund Jonathan’s presidential bid in 2014/2015.

Asides from the $2.1 billion, scandal, one of those things Dasuki carried out, was the development of the first National Cybersecurity Policy and Strategy in 2014. The 61-paged document put together by the Dasuki-led office of the National Security Adviser (ONSA) formed the basis for the new policy and strategy document released in February.

According to the Dasuki document, cyberspace has become an indispensable global domain coming after Land, Sea, Air, and Space as number five. Unlike the other four, this space has no boundaries, hence, its administration has to be unique. This necessitated a set of rules which has made both policy documents.

The new policy document, however, improves on Dasuki’s brainchild — avoiding the mistakes and covering all criticised loopholes.

TO BE REVIEWED EVERY FIVE YEARS

The National Cybersecurity Policy and Strategy is to be reviewed every five years to meet up with the ever-changing cyberspace.

This means the 2021 NCPS was supposed to be launched in 2019 (five years after the 2014 policy document), but due to the challenges of the times had to be delayed till 2021. The next review is due by 2026.

Every year, from 2021 to 2026, there shall be an annual performance report to show how much of the policy and strategy has been implemented in the year. The Dasuki document was criticised for not having a monitoring and evaluation plan. This was fixed by the NCPS 2021.

CHARGING THE BANK CHARGES (N5 on N1,000)

You would be contributing to the implementation of this policy via your banks

NCPS is heavily reliant on funds for its execution. In line with this, the policy comes with a funding strategy, which involves government, the private sector, and citizens like you.

One of the funding paths, which may affect you is that a portion of your bank charges will be taken off the banks to fund the country’s cybersecurity plan. According to the document, there will be a 0.005 levy on charges taken for every electronic transaction within the country.

In essence, when you carry out a bank transaction or buy an item online, you pay charges to your bank, and your bank pays charges for cybersecurity. For instance, when you transfer N10,000 and your bank takes N25 as charges, 0.005 of that N25 should go to the National Cybersecurity Coordination Center (NCCC). For now, it is unclear if those charges have been included in your bank charges or if they’d be newly introduced.

However, for every N1 billion your bank makes in charges for various electronic transactions, N5 million is expected to go to the nation’s cybersecurity team coordinated by the NCCC.

The joke, however, is that the NCCC does not exist.

ESTABLISH NCCC, APPOINT COORDINATOR

One of the major objectives of the Dasuki document was “to develop a national mechanism for the establishment of National Cybersecurity Coordination Center (NCCC) to serve as the focal point for cybersecurity incident monitoring and response”.

Seven years down the line, NCPS 2020 repeats almost the same objectives, clearly showing that the NCCC was not established as stipulated in the 2014 document, and as mandated by section 41 of the Cybercrimes Act 2015.

Based on the new policy document, the office of the National Security Adviser plans to finally establish the NCCC and appoint a national coordinator for the day-to-day running of the country’s cybersecurity team across all sectors.

PROTECT POWER GRID, CRITICAL INFRASTRUCTURE

Imagine a scenario where your bank account is hacked and your monies moved to an offshore account in the Maldives. When you complain to the bank, you’re told that the bank CEO just suffered a heart attack following the theft of N500 billion from the bank — through various customers’ accounts.  That was not hard to imagine, was it?

Paint this picture with us; someone hacks the Transmission Company of Nigeria (TCN) and ensures no power in every part of the country. When the ‘someone’ decides to give power, they send heavy power to a small section of the country, which destroys lives and property. The possibilities are endless.

To avoid this, the document identifies 13 critical national infrastructure which must be protected at all times to keep the country working for the wellbeing of Nigerians.

In addition to protecting the critical infrastructure, ONSA and other stakeholders shall conduct cyber drills to re-evaluate the National Vulnerability Assessment (NVA) from time to time.

AMEND CYBERCRIME ACT, PROTECT WOMEN

One of the major steps to be taken to implement the NCPS is to amend the Cybercrime Prohibition and Prevention Act 2015 to cover new areas such as child and gender rights online.

The policy document recommends a synergy between internet service providers, owners of online platforms and the NCCC to keep women safe online. “Combating online violence against women is a crucial priority for the Nigerian government,” the document reads.

Still, on protecting children online, the policy paper recommends that the National Orientation Agency (NOA) works with other agencies to drive online safety awareness for children. Platforms shall also be created to allow children to report any sexual molestation or exploitation online.

What cannot be done to children offline are also not permitted to be done to children online.

CREATE NATIONAL FORENSIC LAB & OFFENDERS REGISTER

The policy and strategy paper also seeks to establish a National Digital Forensics Laboratory (NDFL) and a National Offenders Register. The forensic lab will be under the NCCC and shall have facilities for digital forensics investigation and intelligence gathering.

As of 2019, the Nigerian government had only three forensic labs; two in Lagos and one in Abuja. The lack of digital foresics labs across the country has made some investigations and data gathering on key national security issues impossible.

The establishment of the NDFL is expected to drive the development of digital forensics labs across Nigeria. This would create jobs, increase expertise in academia and the security space, while also opening new possibilities for the country.

NCCC alongside the federal ministry of justice are also expected to create offenders register for convicted child online abuse offenders. This register is to name and shame those abusing children on the internet.

CONCLUSION

The document also recommends training members of the Nigerian armed forces to help them develop a cyber defence plan to protect the country from cyber-attacks. The Defence Space Administration (DSA) is also recommended to work with the NCCC to create a National Cyber Defence Plan (NCDP).

The 107-paged document makes numerous ambitious recommendations, which are reminiscent of the 2014 document. But if the implementation is not carried out speedily, and funding is not made available immediately, its objectives would not be achieved at the expiration of the life of the policy paper in 2026.