Zimbabwe: Cybercrime and Cybersecurity

The appointment of a fully-fledged Minister of Cyber Security, Threat Detection and Mitigation has been met with a lot of scepticism. This has been mainly driven by the perceived duplication of responsibilities among ministries, and also by the lack of public understanding of the real threat cybercrime poses. Such a perception threatens to downplay one of the fastest growing threats to technological development, not only affecting Zimbabwe but globally.

This has not been helped by the fact that this appointment was made following the tabling of the Cybercrime and Cybersecurity Bill (2017) which addresses the associated issues whilst allocating the responsibilities to the already existing Ministry of ICT. Several announcements by senior government officials relating to the use and perceived abuse of social media have also raised fears about what the new ministry will mean for civil liberties; especially those related to freedom of speech but most crucially, also adversely masking the real threat posed by cybercrime. It is indeed unfortunate that the general message coming from the government and the minister himself has an over-emphasis on stopping social media political activism at the expense of real cybercrime. Issues surrounding cybercrime and cybersecurity should not be trivialised by the government’s perceived motive or the reaction of the media and social commentators.

Cybercrime includes a broad range of illegal activities committed by means of a computer system or network. Unfortunately, most cybercrime exploits the poor knowledge and lax security habits of the general public. Cybercrime is no longer confined to fake e-mails “from the son of a dead African King”, but has become much more sophisticated and threatens to derail the economic benefits being achieved through technological advancements. It is the duty of the government to dispel the public perception, and convince the populace that this ministry was not created to instil fear on social media users, but rather to deal with the ever-growing threat from cybercrime. For the country to be adequately protected there needs to be more public sensitisation, education and training to increase awareness of the threats.

The general public is familiar with the usual physical burglary and theft, but the nature of cybercrime is such that the majority of people and businesses will not necessarily realise when digital burglary has taken place. Even though cyber-crime comes in different forms; it can be categorised into attacks against individuals, companies/organisations or other countries.

Personal crimes mainly involve identity-theft related scams in which personal details are stolen. A number of illegal/criminal activities can be perpetrated by an individual using the stolen identity. Besides financial fraud (for example using your ID to obtain a loan in your name), identity thieves commit crimes, such as drug-trafficking, smuggling and terrorism, among many other criminal activities whilst posing as other people.

A range of scams targeting individuals have been identified, with Zimbabwe having its fair share. A

number of people can testify to being lured online into depositing money to buy goods such as cars, clothing, groceries or services such as shipping, with companies and individuals disappearing from the cyber-world after collecting the money. There have also been reports of individuals lured into depositing money to secure non-existent job opportunities among other scams.

Attacks against organisations are becoming common and have recently manifested themselves in the form of Ransomware. This is comparable to real life kidnapping experiences, whereby criminals demand money for the return of kidnapped persons or seized precious items. In the cybercrime world the criminals use a malware or a “dangerous” computer programme to prevent or limit the usage of company services, stopping users from accessing the system/services unless a ransom is paid. Imagine an attack on the EcoCash mobile banking system which disables all associated services such as mobile money transfers even just for a day or disrupts/cuts off Econet, Telecel or TelOne mobile communication! The disruption that can occur and the damage to the economy could be quite substantial! The outcry that accompanied the disruption of WhatsApp services for a few hours last year around the world is a taster of the potential effect of cybercrime on everyday life.

In Zimbabwe, there have been reports of malware attacks on educational institutions and companies’ websites; with the Herald, the government, NUST and the Harare Institute of Technology reportedly affected, reflecting the reality of the threat on Zimbabwe’s doorstep. Companies and banking systems have also been subject to hacking (illegal penetration and use of computer systems) thus being defrauded by individuals of large amounts of money. The case of a Chitungwiza man who hacked OK Zimbabwe’s Money Wave System before stealing $70 000 reported widely, is a typical example of such cybercrime activities.

Another form of attack is one organised by a state against another state's institutions or infrastructure; a form of cyber-warfare. This involves one nation penetrating another nation's computers or networks for the purposes of causing damage, disruption or to obtain sensitive security information. In these types of attacks, one nation attempts to disrupt the activities of organizations or other nations for strategic or military purposes and cyber-espionage. Attacks may also be carried out by terrorist groups. Increasingly, cybercriminals are attacking governments through their critical infrastructure, including transportation systems, banking systems, power grids, hospitals and critical manufacturing.

Numerous incidents of cyber-warfare have been reported, for example, in March 2014; the Russian government allegedly disrupted the internet in Ukraine, enabling pro-Russian rebels to take control of Crimea. North Korea was blamed for the 2014 cyberattack on Sony Pictures after they released the film “The Interview”, which depicted the North Korean leader Kim Jong-un in what the country regarded as negative light. In December 2016, Ukraine experienced a blackout as a result of cyber-attacks on electric power distribution companies. Most recently, and still ongoing are allegations of Russian interference in the USA elections through cyber activities. The WikiLeaks case which also affected Zimbabwe is a typical highlight of another form of cyber-espionage. These incidents have brought into light, situations which used to be viewed as science fiction!

Social media remains a favoured target of scammers, as criminals seek to leverage the trust people have in their own social circles. Social media is quickly becoming a daily part of life in Zimbabwe; following a global trend. In social media generated cyber-crimes, criminals take advantage of the sharing facilities and present fake products, video links and “like” buttons which they use to spread their scams. Users are also lured into clicking fake website buttons that install malware with some posting updates on a user’s newsfeed, spreading the attack.

Terror groups have also been taking advantage of social media to further their goals and spread their message presenting governments with another frontier for cybersecurity. Investigations into attacks such as that of the Kenya Westgate Mall have revealed the use of social media and computer networks in planning and co-ordinating the attacks.

Cyber criminals continue to take advantage of vulnerabilities in poorly secured legitimate websites to infect users. Cyber criminals exploit the design weakness to gain access and manipulate these sites for their own purposes. For instance, cyber criminals can penetrate websites and acquire user data, compromising visitors to the affected websites. Attacks on websites and replacing contents are also common, with some websites content replaced by for example, extremist material or pornography.

To safeguard the country against cyber-crime, it is vital to promote the culture of cybersecurity among stakeholders, notably government, companies and cooperatives, civil society organisations and international organisations operating in the country to develop, manage and use information systems. It is important to engage industry, the civil society, and academia in the promotion and enhancement of a culture of cybersecurity. The government must also, on its part, mobilise resources to develop cyber security skills.

The government has to sensitise and provide education and training to the public. Law enforcement powers must be trained so that they execute their cybersecurity duties whilst maintaining the rule of law and meeting human rights requirements. Conditions and safeguards limiting law enforcement powers should be established. Since cybercrime is borderless; the Zimbabwe laws must be compatible with the laws of other countries to permit international cooperation. It should avoid over-criminalisation of social media-content, if it is to stop the stigmatisation associated with the newly created ministry.  

The government must ensure that critical information infrastructure is protected, to safeguard data and sensitive information. Data protection legislation should be put in place to safeguard the general public (critical with the ongoing biometric electoral registration which acquires sensitive individual data such as fingerprints; taking place).

Zimbabwe like other nations has been experiencing various types of cybercrimes including credit card theft, hacking, identity theft, phishing, unauthorised access according to police reports, but these have not received publicity in contrast with social media activism. One of the biggest impediments in advancing cyber security readiness is changing of mindsets to raise awareness about the potential risks of cybercrime; and publicity of ongoing cyber-crimes can go a long way in achieving this. All national stakeholders and citizens must work together in order to change the mindset and public perception of matters relating to cybersecurity.

Cybercrime not only derails the technological advancements but is an attack on economic, social and political advancement of societies.  It is therefore important for the new ministry to create greater awareness and capacity building programs to facilitate cyber resilience in the future whilst ensuring good governance and respect of human rights.

Note: Cybersecurity was rightly incorporated into the Ministry of ICT (and Cybersecurity) - After this article was written ...not because of this article.