Nigeria: The Urgent Need to Rescope the Domestic Cybersecurity Programme

30 September 2024
opinion

The Domestic Cybersecurity Programme (DCP) should shift towards a civilian-centric leadership rather than a security intelligence-centric approach.

The International Telecommunication Union (ITU) recently released its 5th Global Cybersecurity Index 2024 (GCI 2024), which assesses countries' commitment to cybersecurity based on the framework's five pillars: legal measures, technical measures, organisational measures, capacity development, and cooperation. Nigeria is categorised within the tier-three nations in the GCI 2024 report, which signifies that the country is experiencing a rise in digital service provisions and increasing online access for the populace, but has failed to integrate cybersecurity measures into its fundamental socio-economic and digital connectivity strategies.

Nigeria, among the top five African countries in the 2018 GCI report, has now fallen behind. In the 2024 report, Ghana, previously ranked 11th, has surpassed Nigeria and is now listed among the tier-one countries. This decline in Nigeria's cybersecurity performance is a direct consequence of the country's failure to implement and direct its national cybersecurity programme effectively.

The recent government Designation and Protection of Critical National Information Infrastructure Order (2024), which is officially gazetted, is a commendable step. The designation criminalises attacks on any classified infrastructure listed in the Order as a national security offence. Nigeria has implemented various measures to address cybersecurity challenges. These include amending the Cybercrime Act in 2015, enacting the Nigeria Data Protection Act in 2023, creating a national cybersecurity policy and strategy, and establishing a National Cybersecurity Coordination Centre under the Office of the National Security Adviser (ONSA). These efforts have helped the nation achieve the ITU GCI Tier-Three level ranking, which is not very impressive. ITU recognises that the ICT sector has substantially impacted the nation's growth in digital services and an increase in the online population. This is reflected in the Q4 2023 report by the National Bureau of Statistics (NBS) indicating that the ICT sector contributed 16.66 per cent to Nigeria's real GDP. This is an increase from the 16.22 per cent recorded during the same period in the previous year.

However, there remains a deficiency in the pragmatic integration of cybersecurity within the national economic sectors and developmental objectives. There is an urgent need to reassess the country's approach and address the nation's digital economy's weaknesses and inherent vulnerability. There is a misconception about the governance, accountability, and operationalisation of the country's national cybersecurity, especially given the recent public reaction resulting from the Central Bank of Nigeria's directive on the cybersecurity levy.

Regrettably, the current national approach repeatedly faces challenges in moving the country forward in this regard. The challenges are apparent within the current institutional arrangement, which is inadequate in legal, technical, and capacity development expertise, and has lacked the necessary drive over the past years to consistently realise this fundamental national cybersecurity developmental objective. The existing institutional framework is inadequate, owing to a conservative and regimented operational approach, redundancy, and rigid bureaucratic structures that hinder progress in domestic cybersecurity. Implementing a national cybersecurity programme requires a dynamic and adaptable approach, and such requirements cannot be underestimated, given the swiftly changing landscape of cyber threats.

In many countries, a national security agency serves as the authority responsible for overseeing cybersecurity measures. While the role of the security sector in cybersecurity is undeniably critical, it is plausible that security actors may not exhibit the necessary adaptability to govern the cybersecurity ecosystem within the country effectively.

The Office of the National Security Adviser's (ONSA) primary objective in its law is coordinating intelligence activities, such as intelligence collection. This task could potentially hinder the objective of delivering a fast-paced and inclusive domestic cybersecurity programme. The approach would also stifle the country's cybersecurity developmental initiative, escalate privacy apprehensions, and undermine the necessity for innovation and trust-building.

However, the Defence Space Agency (DSA) already provides cyberspace defence capabilities for the military, security, and intelligence entities. It is guided by the statutory mandate to safeguard the nation from existential cyber threats, while overseeing and protecting affiliated security agencies (Defence Space Administration Act, 2016). The DSA framework effectively handles the country's military and security dimensions of cyberspace from the existential threat perspective.

The Domestic Cybersecurity Programme (DCP) should shift towards a civilian-centric leadership rather than a security intelligence-centric approach. The key success factor shared by the best-performing African countries listed in tier one of the recent ITU GCI is their role-model approach to implementing civilian-led cybersecurity.

For instance, Ghana has been acknowledged as the top-tier-performing African country in cybersecurity. The country has integrated a citizen-centric, stakeholders' strategy at the core of its efforts to address its cybersecurity challenges. In contrast, Nigeria's security-driven approach has demonstrated limited performance, with stunted growth over several years, despite having previously led the way among African nations.

Civilian-led leadership would fast-track and transform most aspects of the nation's cybersecurity policy and strategy through a multi-stakeholder governance and accountability framework. The approach would redefine inter-agency responsibilities and deliver a better responsive capability. Nigeria should learn significantly from Ghana's approach in fostering cyber capabilities and trust between government and citizens, while mitigating threats effectively. Achieving Nigeria's cybersecurity programme requires expertise across civilian sectors. Neglecting these facts is counter-productive and stifles national cybersecurity capability and growth.

A security-centric approach to national cybersecurity hinders international cooperation, as other countries would hesitate to collaborate with an intelligence agency based on the deficiency of trust and innovation. The amended Cybercrime (Prohibition, Prevention, etc.) Act 2015 lacks an adequate legal framework to empower the current approach to regulating, enforcing, or overseeing cyber-related breach investigations and cybersecurity development. The country lacks adequate focus and direction in cooperation, technical management and capacity development in implementing overarching cybersecurity regulations for the domestic space. Nigeria is a major digital economy player and cannot afford to maintain its current approach, which has persistently stifled significant investment and research opportunities in cybersecurity.

The country should avoid cross-border digital services and data transfer disputes, which may evolve through the trade agreements established under the General Agreement on Trade in Services of the World Trade Organization (GATS) and the African Continental Free Trade Agreement (AfCFTA). These agreements are designed to facilitate the formation of a unified continental market for goods and services in Africa, including digital products and services. Such frameworks emphasise the necessity of meaningful cyber-diplomacy and regulatory cooperation in addressing cybersecurity-related incidents, rather than depending exclusively on exceptions for intelligence security.

Establishing a transparent and accountable civilian-led agency for domestic cybersecurity programmes to oversee local regulation for developing the nation's cybersecurity industry in partnership with the private sector with proactive international cooperation is paramount in the current reality.

Should the Federal Government continue to use the current security-centric arrangement for the national cybersecurity initiative, the nation would continue to face challenges associated with this decision and waning confidence from the domestic stakeholders. Overly rigorous security measures and a deficit in transparency would obstruct progress in cybersecurity. The public would increasingly express apprehensions regarding possible violations of constitutional privacy rights, coupled with a stagnation in innovation that could have significant consequences for individuals, enterprises, and the country in general.

Presently, cybersecurity measures are implemented in silos among public and private sector institutions, and innovations through research and development (R&D) remain stunted. Over 5,000 Nigerian youths are actively pursuing careers in cybersecurity and related academic programmes in various universities and educational institutions. Establishing a thriving cybersecurity industry within an efficient and transparent regulatory framework has the potential to offer promising career prospects for Nigerian youths. Otherwise, the nation faces the risk of these youths being enticed by cybercriminal syndicates, leading to the loss of their talents within the depths of the dark web.

I urge the President to swiftly reassess the National Cybersecurity Programme in line with the nation's best economic interests, while prioritising the balancing of privacy, security, innovation, and maintaining public trust through a transparent and accountable governance system. Achieving a collective and sustainable national cybersecurity programme requires civilian-centric institutional leadership, with a stakeholders' governance model. This rescoping should be facilitated with immediate intervention from the President.

Mr President should consider the following recommendations, which are critically essential in addressing these concerns:

  1. Set up an expert panel from the government, private sector, technical and professional bodies, and civil society organisations to review and recommend changes to the current cybersecurity governance structure to align national cybersecurity efforts with established laws and best practices.
  2. Issue an executive order to establish a new civilian-led agency to implement a national cybersecurity programme in line with the administration's regulatory and economic development programme.
  3. Designate a civilian cybersecurity advisor to provide strategic counsel and direction to the administration in forming an appropriate coordination framework within a national context that is aligned with regional and international standards, while supervising national cybersecurity development initiatives.
  4. Request the National Assembly's cooperation in assessing the Amended Cybercrime Act 2015 to establish a thorough unifying framework and institutional arrangement for cybersecurity. The review should facilitate the creation of a holistic national cybersecurity legal framework that considers various measures such as technical aspects, institutional structures, innovative regulations, workforce capacity, and industry advancement, thereby strengthening the country's capabilities.
  5. Direct the implementation of the reforms and clarify the ONSA's role in focusing on cybersecurity for intelligence gathering purposes only, in accordance with its constitutional mandate and National Security Strategy.
  6. Ensure that adequate funding and resources are designated for the establishment of a civilian-led cybersecurity agency that operates under a self-sustainability model. This recommendation is strategic to the country's ownership of its cybersecurity programme.

The President's review of these recommendations would help to address public mistrust, promote transparency and accountability through co-funding regulatory measures that would attract private sector investments, and stimulate economic growth in the cybersecurity sector. Consequently, new industries would emerge, leading to increased foreign exchange earnings and job opportunities, which would align with the administration's development goals.

Segun Olugbile is a pioneer member of the Cybercrime Advisory Council and cybersecurity policy leader. He can be reached through solugbile@gmail.com.