Cyber crime cost Africa an estimated $3.5 billion in 2017 alone, according to pan-African IT business advisory company Serianu, but most countries don't have the right legislation to defend themselves from - let alone prosecute - this new form of crime. The brutal war in Yemen provides a timely example of how what might appear to be a traditional regional conflict of the type far too common in Africa and the Middle East is also one being fought in a uniquely modern way using cyber warfare and drone attacks.
The conflict between the Iran-backed Houthi rebels and a Saudi Arabia-led coalition backed by the United States, United Kingdom and France is brutally old fashioned, fought with guns, mortars and tanks, killing about 91,600 people since 2015 and displacing more than two million others, according to recent reports by the Armed Conflict Location and Event Data Project (ACLED) and the United Nations. But in two ways it is a very modern war; two Houthi drone strikes in September 2019 on Saudi oil facilities threatened 10% of the world's supply, while cyber warfare is also a key part of this conflict.
Rebels also took control of Yemen's internet service provider (ISP), Yemen Net, when they took over the capital, Sana'a, in 2015 - opening up "another front", Allan Liska, a threat intelligence analyst at internet technology company RecordedFuture, said in an interview with Cyberscoop, an online media outlet for technology decision makers. But cyber war is not just part of an active conflict like Yemen; it is growing in Africa, too.
"Cyber crime today knows no borders, and its technical capabilities are improving fast," says Riaan Badenhorst, general manager at IT security consultants Kaspersky Africa. Moreover, cybercrime in Africa is increasing at an "exponential rate", says Nozipho Mngomezulu, a specialist telecoms and internet partner at Johannesburg law firm Webber Wentzel. Quoting Serianu's 2017 cyber security report, Mngomezulu says that in Africa cyber attacks hit Nigeria the hardest, with losses of $649 million, followed by Kenya with $210 million and Tanzania with $99 million.
Meanwhile, during that time, more than 95% of public and private organisations across the continent spent less than $1,500 a year on cyber-security measures, with SMEs in particular failing to invest. Mngomezulu noted that the Institute for Security Studies had found that South Africa was the target of 13,842 cyber attacks every day. "Cyber criminals currently see Africa as a safe haven, where they can conduct their operations without the fear of being held accountable," she told Africa in Fact.
"Cyber criminals view Africans as easy targets that can be easily manipulated. And most African countries are yet to catch up with the rest of the world insofar as cyber security is concerned." Several African countries have also effectively shut down their own internet during times of crisis - including Zimbabwe, Cameroon and Chad - making it possible for repressive regimes to keep citizens from protesting, literally by cutting off their means to communicate. Social media such as Facebook, WhatsApp and Twitter, which are key channels for spreading information, are the most frequent targets.
In the past year WhatsApp, the messaging service owned by Facebook with over a billion users, has been "turned off" in several countries. Social media are also the most important avenues for the spread of disinformation. In September 2019 Google's security team revealed that Apple phones had been hacked, apparently by the Chinese, to spy on the oppressed Muslim Uyghur population in that country.
Not long afterwards, WhatsApp sued Israeli security firm NSO Group for attacks on about 100 users, mostly human rights activists, lawyers and journalists. Yemen has also seen a spike in malicious software, known as malware, although it is unclear whether cyber criminals intend them for espionage or criminal purposes. But "the intent for criminals to take advantage of people in a war zone, as well as nation states to do espionage ... is there," said Winnona DeSombre, a threat intelligence researcher at RecordedFuture in an interview with Cyberscoop.
One fearsome form of cyber crime with clear criminal intent is ransomware, in which hackers take control of computer systems and demand a payment to return control to their owners. In August 2019, Johannesburg's city power utility was hacked with ransomware, while the city of Johannesburg itself was hit in October.
The 2017 WannaCry ransomware attacks, which targeted several African countries, including South Africa, Nigeria, Angola, Egypt, Mozambique, Tanzania, Niger, Morocco and Tunisia, are thought to have hit 200,000 computers in 150 countries, and the total damage was estimated at between hundreds of millions and billions of dollars. A 2016 African Union Commission and Symantec report analysing cyber-security trends and governments' response to them, found 34 out of the continent's 55 countries lacked specific legal provisions to combat cyber crime, says Mngomezulu, citing also "weak infrastructure security, a lack of skilled human capital and a lack of awareness of the sector's dynamics".
"There is little sense of a cohesive strategy to fend off cyber attacks, little knowledge sharing, and certainly no cyber-defence capacity as part of national defences," says Arthur Goldstuck, the managing director of South African-based researchers World Wide Worx. Meanwhile, the threat of ransomware remains as powerful as ever, while it also evolves in sophistication, says Badenhorst.
Attacks on urban infrastructure, such as the recent ones on Johannesburg, are often worryingly successful, he added. They have a far-reaching impact on essential systems and processes and affect local businesses and citizens as well as the municipal or government authority itself. Kaspersky's detection data shows that larger organisations, such as city authorities and enterprises, are the fastest growing target. The company monitored 194,803 ransomware attacks in South Africa alone in 2018. That was a 64% increase over 2017, according to the company. Meanwhile, attacks on the employees of large organisations surged 17.9% in the 12 months to May 2019.
"Phishing and malware continue to be relentless threats, leveraged by cyber criminals," warns IBM's Sheldon Hand, business unit leader at IBM Security, told Africa in Fact. Organisations must understand the need to educate employees about attempts to trick log-in details and other information out of them. "Unpatched vulnerabilities will continue to be exploited by attackers," Hand adds, pointing to the need to continually update business cyber-security measures.
Most African countries are "one ransomware attack away" from waking up to the need for defensive capabilities against these attacks, says Goldstuck. "The most commonly used tactic is to pray that nothing happens. However, prayer does not have a great track record in cyber security." Meanwhile, the threat landscape is changing rapidly, with new cyber threats emerging every year. "Many organisations across all industries face unmanageable levels of threat, the risk of exposure, and an ever-growing attack surface," says IBM's Hand.
Retailers, particularly those with a growing online presence, continue to be vulnerable, while the finance and insurance industries are the most targeted, he says. Transportation services - including airline, bus, rail, and water forms of transport - are an increasingly attractive target for malicious actors, Hands points out, because of the industry's reliance on information technology to facilitate operations, its ubiquitous need for integration of third party vendors, and its vast supply chain.
All around Africa, at a continental level, "the lack of political urgency in enacting adequate cyber-security legislation is particularly worrying," says Mngomezulu. Given the increasing sophistication of cyber crime and cyber warfare, and the general lack of sophistication around these problems in government and business circles, as well as among individuals, we all should be worried.