Zimbabwe: Cybercrime and Cybersecurity

The appointment of a fully-fledged Minister of Cyber Security, Threat Detection and Mitigation has been met with a lot of scepticism. This has been mainly driven by the perceived duplication of responsibilities among ministries, and also by the lack of public understanding of the real threat cybercrime poses. Such a perception threatens to downplay one of the fastest growing threats to technological development, not only affecting Zimbabwe but globally.

This has not been helped by the fact that this appointment was made following the tabling of the Cybercrime and Cybersecurity Bill (2017) which addresses the associated issues whilst allocating the responsibilities to the already existing Ministry of ICT. Several announcements by senior government officials relating to the use and perceived abuse of social media have also raised fears about what the new ministry will mean for civil liberties; especially those related to freedom of speech but most crucially, also adversely masking the real threat posed by cybercrime. It is indeed unfortunate that the general message coming from the government and the minister himself has an over-emphasis on stopping social media political activism at the expense of real cybercrime. Issues surrounding cybercrime and cybersecurity should not be trivialised by the government’s perceived motive or the reaction of the media and social commentators.

Cybercrime includes a broad range of illegal activities committed by means of a computer system or network. Unfortunately, most cybercrime exploits the poor knowledge and lax security habits of the general public. Cybercrime is no longer confined to fake e-mails “from the son of a dead African King”, but has become much more sophisticated and threatens to derail the economic benefits being achieved through technological advancements. It is the duty of the government to dispel the public perception, and convince the populace that this ministry was not created to instil fear on social media users, but rather to deal with the ever-growing threat from cybercrime. For the country to be adequately protected there needs to be more public sensitisation, education and training to increase awareness of the threats.

The general public is familiar with the usual physical burglary and theft, but the nature of cybercrime is such that the majority of people and businesses will not necessarily realise when digital burglary has taken place. Even though cyber-crime comes in different forms; it can be categorised into attacks against individuals, companies/organisations or other countries.

Personal crimes mainly involve identity-theft related scams in which personal details are stolen. A number of illegal/criminal activities can be perpetrated by an individual using the stolen identity. Besides financial fraud (for example using your ID to obtain a loan in your name), identity thieves commit crimes, such as drug-trafficking, smuggling and terrorism, among many other criminal activities whilst posing as other people.

A range of scams targeting individuals have been identified, with Zimbabwe having its fair share. A

number of people can testify to being lured online into depositing money to buy goods such as cars, clothing, groceries or services such as shipping, with companies and individuals disappearing from the cyber-world after collecting the money. There have also been reports of individuals lured into depositing money to secure non-existent job opportunities among other scams.

Attacks against organisations are becoming common and have recently manifested themselves in the form of Ransomware. This is comparable to real life kidnapping experiences, whereby criminals demand money for the return of kidnapped persons or seized precious items. In the cybercrime world the criminals use a malware or a “dangerous” computer programme to prevent or limit the usage of company services, stopping users from accessing the system/services unless a ransom is paid. Imagine an attack on the EcoCash mobile banking system which disables all associated services such as mobile money transfers even just for a day or disrupts/cuts off Econet, Telecel or TelOne mobile communication! The disruption that can occur and the damage to the economy could be quite substantial! The outcry that accompanied the disruption of WhatsApp services for a few hours last year around the world is a taster of the potential effect of cybercrime on everyday life.

In Zimbabwe, there have been reports of malware attacks on educational institutions and companies’ websites; with the Herald, the government, NUST and the Harare Institute of Technology reportedly affected, reflecting the reality of the threat on Zimbabwe’s doorstep. Companies and banking systems have also been subject to hacking (illegal penetration and use of computer systems) thus being defrauded by individuals of large amounts of money. The case of a Chitungwiza man who hacked OK Zimbabwe’s Money Wave System before stealing $70 000 reported widely, is a typical example of such cybercrime activities.

Another form of attack is one organised by a state against another state's institutions or infrastructure; a form of cyber-warfare. This involves one nation penetrating another nation's computers or networks for the purposes of causing damage, disruption or to obtain sensitive security information. In these types of attacks, one nation attempts to disrupt the activities of organizations or other nations for strategic or military purposes and cyber-espionage. Attacks may also be carried out by terrorist groups. Increasingly, cybercriminals are attacking governments through their critical infrastructure, including transportation systems, banking systems, power grids, hospitals and critical manufacturing.

Numerous incidents of cyber-warfare have been reported, for example, in March 2014; the Russian government allegedly disrupted the internet in Ukraine, enabling pro-Russian rebels to take control of Crimea. North Korea was blamed for the 2014 cyberattack on Sony Pictures after they released the film “The Interview”, which depicted the North Korean leader Kim Jong-un in what the country regarded as negative light. In December 2016, Ukraine experienced a blackout as a result of cyber-attacks on electric power distribution companies. Most recently, and still ongoing are allegations of Russian interference in the USA elections through cyber activities. The WikiLeaks case which also affected Zimbabwe is a typical highlight of another form of cyber-espionage. These incidents have brought into light, situations which used to be viewed as science fiction!

Social media remains a favoured target of scammers, as criminals seek to leverage the trust people have in their own social circles. Social media is quickly becoming a daily part of life in Zimbabwe; following a global trend. In social media generated cyber-crimes, criminals take advantage of the sharing facilities and present fake products, video links and “like” buttons which they use to spread their scams. Users are also lured into clicking fake website buttons that install malware with some posting updates on a user’s newsfeed, spreading the attack.

Terror groups have also been taking advantage of social media to further their goals and spread their message presenting governments with another frontier for cybersecurity. Investigations into attacks such as that of the Kenya Westgate Mall have revealed the use of social media and computer networks in planning and co-ordinating the attacks.

Cyber criminals continue to take advantage of vulnerabilities in poorly secured legitimate websites to infect users. Cyber criminals exploit the design weakness to gain access and manipulate these sites for their own purposes. For instance, cyber criminals can penetrate websites and acquire user data, compromising visitors to the affected websites. Attacks on websites and replacing contents are also common, with some websites content replaced by for example, extremist material or pornography.

To safeguard the country against cyber-crime, it is vital to promote the culture of cybersecurity among stakeholders, notably government, companies and cooperatives, civil society organisations and international organisations operating in the country to develop, manage and use information systems. It is important to engage industry, the civil society, and academia in the promotion and enhancement of a culture of cybersecurity. The government must also, on its part, mobilise resources to develop cyber security skills.

The government has to sensitise and provide education and training to the public. Law enforcement powers must be trained so that they execute their cybersecurity duties whilst maintaining the rule of law and meeting human rights requirements. Conditions and safeguards limiting law enforcement powers should be established. Since cybercrime is borderless; the Zimbabwe laws must be compatible with the laws of other countries to permit international cooperation. It should avoid over-criminalisation of social media-content, if it is to stop the stigmatisation associated with the newly created ministry.  

The government must ensure that critical information infrastructure is protected, to safeguard data and sensitive information. Data protection legislation should be put in place to safeguard the general public (critical with the ongoing biometric electoral registration which acquires sensitive individual data such as fingerprints; taking place).

Zimbabwe like other nations has been experiencing various types of cybercrimes including credit card theft, hacking, identity theft, phishing, unauthorised access according to police reports, but these have not received publicity in contrast with social media activism. One of the biggest impediments in advancing cyber security readiness is changing of mindsets to raise awareness about the potential risks of cybercrime; and publicity of ongoing cyber-crimes can go a long way in achieving this. All national stakeholders and citizens must work together in order to change the mindset and public perception of matters relating to cybersecurity.

Cybercrime not only derails the technological advancements but is an attack on economic, social and political advancement of societies.  It is therefore important for the new ministry to create greater awareness and capacity building programs to facilitate cyber resilience in the future whilst ensuring good governance and respect of human rights.

Note: Cybersecurity was rightly incorporated into the Ministry of ICT (and Cybersecurity) - After this article was written ...not because of this article.

BVR in Zimbabwe Elections : Going Forward

 

The arrival of the first batch of Biometric Voter Registration (BVR) kits is a landmark occasion and very significant to the voter registration process in Zimbabwe. It officially marks the shift to a technology-based voter registration system for the first time in Zimbabwe.  Credit should go to the Zimbabwe Electoral Commission (ZEC) and the government of Zimbabwe, for embracing biometrics technology in order to enhance the registration and voting process. Handled in the right way, the introduction of this technology to elections in Zimbabwe will go a long way in eliminating one of the major causes of controversy which has accompanied previous elections.

To carry out a credible election, we have to start with credible voter registration.  Issues surrounding the state of the voters roll have been at the heart of most election disputes in Zimbabwe. The main benefit which will be derived from the use of biometrics for voter registration will be the production of a new clean voters’ roll which contains unique individual information based on the physical characteristic (face image and fingerprints) of each voter.  It is important to emphasise this point as there have been a lot of misconception regarding the usage of biometrics in the upcoming elections.  In the planned BVR process, a voter’s details (name date of birth, address etc.) will be digitally captured and stored alongside their biometric features (face and fingerprints) on a computer.  This is very similar to the process we go through when we apply for National IDs (zvitupa) and passports. These will then be input into a single database where software will be used to clean up the voters roll by eliminating voters who would have registered multiple times.  This is because the software will not only compare names but will also compare the fingerprints. So a person who registers multiple times under different names will be picked out by the system.

The second part of the process, if it was to be implemented, would be biometrics-based voter verification or authentication which happens on voting day. This is whereby a person appears on voting day, presents an ID or provides a name. The person’s biometrics face and/or fingerprints are then captured and compared to those in the database.  If there is a match, the person would be verified, gets a ballot paper and continues to vote (manually) in the normal way! The person’s details are then digitally marked as having voted and cannot be used for repeat voting. This is NOT electronic or biometric voting, but manual voting as we are used to! 

However it is important to emphasise that ZEC has clearly indicated that biometrics are going to be used for voter registration ONLY. However with the biometric register in place; in future elections, ZEC can take the next step of using biometrics for voter verification on polling day. It is therefore important to recognise that biometrics are not going to be used on polling day and identification documents will remain critical for identifying voters. On polling day; voters will still be required to present identification documents which will then be cross-checked manually with information in the system before one is allowed to vote. Therefore the current exercise by the Registrar General’s office of issuing IDs should be viewed and judged with this in perspective.

The availability of the BVR kits means the BVR registration exercise can now be kick-started.  However, there are a number of issues that ZEC should now be diligently looking into in order to ensure that this process is a success.

It is essential that ZEC ensures that staff who are going to be handling these kits are adequately trained and skilled. It is unfortunate that the training of the “BVR Master Trainers and Technicians” could not be started earlier; the 5 days allocated for the training may not be adequate. Technology is only as good as the way it is deployed. In order to identify multiple registrations; which is the main benefit of the system, clean data must be submitted. Finger prints and photographs must be clearly captured in the right way, which requires trained and capable staff. Essential skills for staff operating biometric voter registration (BVR) include basic computer skills, with an emphasis on data capture, processing and administration on top of planning and logistical skills. Staff should also be trained to repair and maintain the equipment, so that they do not rely solely on the supplier for maintenance and support issues. The timelines are tight, but the preparedness of the registration team is crucial to the success of the process.

Since election technology has the potential to directly affect the political process, it is important to engender a sense of ownership in its users.  In order to achieve this, ZEC should provide sufficient information to the public to enable them to feel included in the process.  In addition, accessibility, versatility and equality considerations are to be taken into account when deploying these kits to ensure that people with special needs (the old, and disabled for example) are included.  Challenges that may occur during data capture include unreadable prints of old people and physical workers (for example miners), people with missing fingers and software bugs.  Contingency measures should be in place to make sure that none of the affected people are disenfranchised.

There are a number of technical issues associated with the use of BVR which ZEC must be aware of and mitigate against.  The use of technology has associated data security risks which occur as data is collected from individual registration centres to the central registry. Safeguards should be in place to prevent corruption or manipulation of the data. Corrupted data may result in “false rejection” of valid voters. It is therefore important that data security gaps are eliminated from this process.

ZEC has to ensure that there are measures in place for the biometric data collected to be securely transported from registration centres to data centres. There must be mitigating control measures to protect the mobile registration kits and data storage devices from theft, manipulation or destruction during storage and transportation from registration centres.

ZEC must also clarify the issue of the Data Centre (Central Server) which will host the AFIS software (de-duplication software), the centralised biometric data and related systems. There have been conflicting reports emerging from ZEC which ranged from a separate tender process for the central system, provision from existing facilities and recently UN sponsored upgrading of an existing system. Such conflicting statements emanating from ZEC are not helpful. It should be noted that the Central Server will only be required once all the data from the various registration centres has been gathered; so ZEC has got time to resolve this issue.

Once the Central Server is in place, adequate security measures must be put in place; with defined data access privileges (who has permission to access and make amendments to the database?), recovery and back-up procedures. The processes to identify any security breaches and the audit to track any changes to the database to the satisfaction of all stakeholders should be outlined. These security issues are crucial and must be addressed in a transparent manner to avoid post-registration or post-election disputes.

The challenges to ZEC are not only restricted to technology and procurement. Advanced technology alone cannot guarantee the integrity of elections without corresponding legal and administrative protective mechanisms. It is therefore important for ZEC to ensure that the legal framework is compatible with the introduction and use of BVR technology. With all due respect to the legal expertise of  Justice Rita Makarau (the ZEC Chairperson), the Kenyan electoral dispute has highlighted that failures to adhere to constitutional and other legal requirements can occur and may be challenged.

Associated with acquisition of biometric data is the issue of data protection and right to privacy. While there is a need for electoral data to be in the public domain, the balance between, on one hand, the reasonable demands for transparency in electoral processes and the right to privacy of the citizen on the other is a delicate exercise which requires careful handling.

In spite of all the challenges, the introduction of biometrics in the compilation of voter registers should improve the accuracy of the voter registers and provide the foundation for clean, violence-free, fair and credible elections. The biggest benefit of BVR ; as has already been stated is the production of a clean, credible and reliable voters’ register which is at the heart of conducting a fair and credible election. The integrity of the voters’ roll is one of the basic principles on which the legitimacy of an election is founded; and BVR implemented in the right way is a giant step forward.