
Monday 26 July 2021

Protection of Ghana’s Critical Information Infrastructure in the Cyber Security Act


Critical Information Infrastructure (CII), also referred to in some jurisdictions as critical national infrastructure or critical infrastructure, comprises the institutions of a country whose disruption would disturb the economy, livelihood, and security of that country's citizens. These infrastructures are at the heart of every state, so any disruption to them jeopardizes the smooth running of the state.

Due to their importance, they have become a major target for terrorists, hackers and other states, as witnessed globally in recent times. According to Jackpotting & Muncaster (2018), of the over 200 responses received from CII organizations in the UK, 70% had experienced service outages in the past two years, and 35% of these outages were due to cyber-attacks.

According to the World Economic Forum’s 2020 Global Risks Report, cyberattacks on CII (ranked the 5th top risk in 2020) are now “the new normal” in the health, energy, and transportation industries.

Ghana’s Cybersecurity Act, 2020 (Act 1038) spells out a number of controls (provisions) for protecting Ghana’s CII. Sections 35 to 40 of the Act are dedicated to protecting these infrastructures. In my view, the Act itself and the inclusion of these provisions are largely influenced by the Ghana National Cyber Security Policy & Strategy document dated March 2014.

In his presentation at the 17th Knowledge Forum of the Ghana Chamber of Telecommunications (7th July 2021), the National Cyber Security Advisor named the following 13 sectors as Ghana’s CII: education, finance, defence & security, ICT, transportation, health, government, mining, manufacturing, energy, water, emergency, and food & agriculture.

The following sections of this article discuss provisions of the Act related to protecting Ghana’s CII.

Designation and withdrawal of CII

The Minister may, upon the advice of the Cyber Security Authority (CSA), designate a computer system or network as a CII if this is deemed necessary for national security, or for the economic and social well-being of Ghanaians.

The determination of a CII should consider whether the infrastructure is necessary for the security, defence, or international relations of Ghana, or whether it relates to communications and telecommunications, financial services, public utilities, public transportation, public key infrastructure, public safety, public health, international business or communication affecting Ghanaians, the legislature, the executive, the judiciary, public services or the security agencies.

Designated CII shall be gazetted, and a procedure for regulating them shall be established by the Minister.

The Minister may also, upon the advice of the CSA and by a gazette publication, withdraw the designation of a CII at any time if the infrastructure no longer meets the defined criteria of a CII.

Registration of CII

The CSA is mandated to register all CII. It shall determine the registration requirements, the procedure and any other matter relating to registration.

Duties of owners of CII

Owners of registered CII shall, within seven (7) days after a change of ownership, inform the CSA of the change. Contravention of this clause shall result in the payment of an administrative penalty of between GH¢6,000 and GH¢120,000.

Owners of CII shall report cybersecurity incidents within 24 hours of detection to the relevant sectoral computer emergency response team or to the national computer emergency response team. They shall also cause an audit to be performed on their infrastructure and submit a copy of the report to the CSA. Contravention of this clause shall result in the payment of an administrative penalty of between GH¢3,000 and GH¢120,000.

Management and compliance audit of CII

The Minister shall recommend minimum standards for prohibitions regarding the general management of CII, as considered necessary for protecting national security.

The CSA shall conduct periodic audits and inspections on CII to ensure their compliance with the provisions of the Act.

Unauthorized access to CII

A person shall not access or attempt to access a CII without authorisation. Anyone who contravenes this clause is liable on conviction to a fine of between GH¢30,000 and GH¢180,000, or to imprisonment of between 2 and 5 years, or to both.

If unauthorized access to a CII results in serious bodily injury, financial loss or damage to the infrastructure, the perpetrator is liable on conviction to a fine of between GH¢60,000 and GH¢600,000, or to imprisonment of between 5 and 15 years, or to both. However, if the unauthorized access is considered a terrorist act, the perpetrator is liable to imprisonment of between 7 and 25 years.

If the unauthorized access is attributable to an organization, the organization is liable on conviction to a fine of between GH¢300,000 and GH¢600,000. In addition, every director, officer or member of management of the organization shall be deemed to have committed the offence and is liable on conviction to a fine of between GH¢60,000 and GH¢600,000. However, a person cannot be convicted under this clause if it is proven that he/she exercised due diligence in preventing the commission of the offence, and that the offence was committed without his/her knowledge or involvement.

Conclusion

The recent wanton cyber-attacks on CII globally give us cause for concern as a nation. It is extremely important for owners of CII to cooperate with the Cyber Security Authority to safeguard the security, economy, and safety of Ghana.

Compliance with the stipulations of Act 1038 ought to be taken seriously, irrespective of sector (private or public) and industry.

The Cyber Security Authority ought to collaborate with key stakeholders to create greater awareness of this Act among the general public, owners of CII, the security agencies, lawyers and the judiciary.

Author

Sherrif Issah (Information Security Governance, Risk & Compliance Professional, and Director of Communications; IIPGH)

For comments, contact the author: mysherrif@gmail.com | Mobile: +233243835912

Source: www.iipgh.org

Monday 19 July 2021

Data Protection in Africa


Data protection is about safeguarding our fundamental right to privacy by regulating the processing of personal data: giving the individual rights over their data, and setting up systems of accountability and clear obligations for those who control or undertake the processing of that data. Digital rights are basic human rights in the internet era. Linked to freedom of expression and privacy, they are the rights that allow people to access, use, create and publish digital media, and to access and use computers, other electronic devices, and communications networks. As a user of digital technology, you also have the right to privacy and the freedom of personal expression.

2020 brought several major developments in the world of data protection legislation. At the same time, the rise of so many digitally enabled markets in Africa means that more consumers are being asked to give access to their personal data, including financial, demographic, and geolocation data. As the 55 African countries of the African Union (AU) move towards greater integration of trade policies through the African Continental Free Trade Agreement (AfCFTA), one area of noted trade policy divergence is the governance of digital trade. African nations have varied rules governing the protection of personal data, with some countries offering little to no protection policy while others have extensive digital governance frameworks. As internet connectivity, broadband access, and digital trade have converged with wider economic development, the extent to which African nations form policies governing the digital landscape can also shape development across the whole continent.

The Internet has introduced new spaces. The online environment has gone mainstream, and there is more democratic participation. As we increasingly conduct our lives online—shopping, socializing, and sharing information—our digital rights, particularly the rights to privacy and freedom of expression, are becoming more important. We need to understand how our data is being used by companies, governments, and internet giants such as Facebook and Google. Is it being handled fairly and carefully, sold, or shared without our consent?

As governments and companies collect our personal data, cybercriminals are also easily collecting our personal data and tracking our movements and activities. It is important to know who has access to the data trail, or footprint, that we create online. Brands want to look at the content that we create and share, such as our social media profiles and location data from mobile phones, because it helps them build a picture of how we spend our time and money. Employee records, customer details, transactions, and data collected through surveys also need to be protected, to prevent that data from being misused by third parties for fraud such as phishing scams and identity theft. Thus, the regulations governing the protection of personal data are becoming increasingly important.

Data privacy is a fundamental right that is yet to be fully established across many countries in Africa. Only 32 countries in Africa have data privacy laws. The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), 2014, sets a strong intention of protecting personal data and ensuring cybersecurity in Africa. The Convention seeks to establish a credible framework for cybersecurity in Africa through the organization of electronic transactions, the protection of personal data, the promotion of cybersecurity and e-governance, and the combating of cybercrime. It also provides a personal data protection framework that African countries may transpose into their national legislation so that it has the full force of law, and it encourages African countries to recognize the need to protect personal data. In doing so, it emphasizes the responsibility of African states to respect, protect and fulfil human rights online for all people.

The continent is divided among countries with a framework, countries with an insufficient framework, and countries with no framework at all. Many countries are also yet to adopt any major data protection regulations. These divergent frameworks create a fractured terrain for data protection and enforcement of the law across the continent, and for establishing a common market for regional trade in digital goods and services.

Despite the gaps, Ghana has made considerable efforts to update and amend laws and regulations to encourage the establishment of a larger digital trade economy. This includes laws that govern the protection and privacy of personal data. Ghana’s Data Protection Act came into force in 2012 to protect the privacy of the individual and of personal data by regulating the processing of personal information. In 2019 Kenya, Nigeria, Togo, and Uganda enacted data protection policies, followed by Egypt, which created a data protection framework with its Personal Data Protection Law. Next came South Africa, whose Protection of Personal Information Act came into force in 2020. Other countries are revising existing data protection policies or working to establish structures to enforce existing laws and regulations.

Despite the gaps and the wide variation in privacy and data protection laws from country to country, the economic and trade impact on technology firms seems to be minor, as the African digital market is still growing. In the wake of emerging technologies, several new data security laws around the world will come into force, introducing, among other things, mandatory data breach notifications and increased penalties for non-compliance. 2021 will see these changes applied, and for Ghana and other African digital economies to grow, we must push for enforcement and compliance and fall in line with the international standard set by the General Data Protection Regulation (GDPR). Cross-border transfers are likely to be one of the big compliance issues tackled by legislative bodies, and data protection authorities must ensure the regularization and normalization of data transfers between countries.

Author: Richard Kafui Amanfu (Director of Operations, Institute of ICT Professionals, Ghana)

For comments, contact richard.amanfu@iipgh.org or Mobile: +233244357006

Source: www.iipgh.org
