In what seemed like a terrible week for the good guys campaigning against the perils of cybercrime, Colonial Pipeline made a $5 million ransom payment to an organised criminal gang to recover data held hostage in a ransomware attack. Separately, Ireland’s health care system was brought down, also by a ransomware attack. The Colonial Pipeline, (owned by Colonial Group, a gas company in the US) which acts as a critical artery for delivering gasoline and aeroplane fuel across the U.S. Eastern Seaboard, was shut down on May 7, following a ransomware attack by a criminal hacking group named DarkSide. The shutdown resulted in gasoline prices spiking amid panic buying. In some locations, there were even reports of shortages of oil and gasoline.
Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to said data unless a ransom is paid, usually in cryptocurrency.
This is a stuff of nightmares for not just private businesses but also for many governments around the world and their military. The attack, fuelled by Darkside’s claim of just wanting to make money, not causing disruption or harming anyone, caused President Joe Biden to release one of the longest Executive Orders this week to combat the threat that cybercriminals pose, especially to critical infrastructure such as public health facilities.
There are lots of takeaways for us in Nigeria. Cybersecurity has been an important lexicon in social communications since the age of the internet. In the same vein, the menace of internet fraud, known in Nigerian parlance as “Yahoo” has gained a significant foothold among the country’s teeming unemployed youth population. The stereotyping of Nigerians across the globe as fraudsters has roots in this.
However, the theory that poverty is the cause of the glorification of the crime and the practice thereof was tested this week when Abidemi Rufai, an aide to the Ogun State governor, Dapo Abiodun, was arrested by the FBI in the United States for stealing COVID-19 relief packages from the US government after gaining access to the social security numbers of thousands of Americans. It is an established fact that a number of wealthy Nigerians are also involved in this “hustle” for a couple of motivating factors aside from poverty.
The attack on Colonial Pipeline portends a dilemma that should never have been. Nigeria’s public hospitals (I can only speak for Lagos and Abuja from my own personal experience) only found the importance of computerised health records very recently. This writer visited Maitama General Hospital in Abuja two weeks ago and found the attendant using an old version of the Microsoft Windows operating system to log a patient’s file. Although it was not exactly clear what version of Microsoft desktop the attendant used, it was very evident that the model was way older than Windows 7, an OS which Microsoft ceased to support in 2015, six years ago!
At the core of this slow arrival into the 21st century is the problem of leadership. Exactly a year ago, Nigeria’s Minister of Communications and Digital Economy, Dr Isa Pantami, supervised Windows 7 (the same unsupported OS) to be used by government officials for video conferencing In 2020 despite a ₦17 billion budget for his ministry in 2019. It is clear that the government does not understand the threat cybercrime poses. The dilemma here is this: for much of our filing system in public institutions yet to embrace technology, the threat that an attack like the one on Colonial Pipeline gives them that relative security provided by what a tech person like my boss, Cheta Nwanze, calls an air gap. But that feeling of security is fleeting because of our disregard for data gathering and data protection which not only makes obtaining information tedious, but opens up avenues to mindless corruption. The question from here is: are we willing to upgrade to the 21st century with all the baggage of cybersecurity or remain in the stone age that makes data difficult to collate?
From Pantami’s actions, forgetting that Microsoft no longer offers support for Windows 7, it is clear that the government is not willing to lead the fight against cybercrime as it is quite content with leaving the EFCC to focus on internet fraudsters. One of the lessons of the #EndSARS’ protests last year is that we cannot rely on the government to lead that fight, especially seeing how easy it was for Anonymous Central–an ethical hacking group with global acclaim–to release sensitive data on police officers across the country. It has been about ten months since that data breach, but unlike the US where President Biden swung into action by introducing an Executive Order which sets ambitious targets and strategies as a means of an extraordinary consolidation of the various responses to cyberattacks that have hit the United States particularly hard over the past few months, as well as deploying the Deputy national security adviser, Anne Neuberger, to lead the government’s response to the ransomware attack on Colonial, we are yet to see similar actions from the Buhari administration.
As a result, the charge–sensitisation and awareness–is being led by the private sector. The importance of the government’s aloofness is that going forward with the influx of new technologies by the minute, in this current decade, Anonymous Central or Yahoo Boys with dyed hair and iPhones would be the least of its problems. The time to innovate is now.
McHarry is an analyst with SBM Intelligence