Cabinet approves cyber security policy

An extraordinary Cabinet meeting on Friday approved the National Cyber Security Policy. This is the first time the country puts in place such a policy.
Buyers search the internet for items to buy. The new policy aims at protection them. (File)
Buyers search the internet for items to buy. The new policy aims at protection them. (File)

An extraordinary Cabinet meeting on Friday approved the National Cyber Security Policy. This is the first time the country puts in place such a policy.

It aims at protecting public and private infrastructure from cyber attacks and to safeguard personal information of web users, financial/banking information and sovereign data.

Didier Nkurikiyimfura, the Director General, ICT in the Ministry of Youth and ICT, said yesterday that the policy is very important for the country given that all aspects of development currently rely on ICT to function better and deliver services. “There is need to protect all infrastructure vital to the economy. Hacking, for example, is happening everywhere. It does not target governments alone, but also private individuals and businesses,” he said.

He added: “The policy will establish an environment that will build trust and confidence when people use ICT. It will ensure that we have whatever it takes to protect our interests, and also ably collaborate with other countries because the threat is global.”

Experts define cyber crime, as any violation that involves a computer and a network. In view that computers may be used to commit crimes, they can also be targets.

Increasing threat

According to the Organization for Economic Co-operation and Development (OECD), a forum where governments work together to address economic and social challenges of globalisation, cyber security has become a national policy priority.

This is largely because the Internet and ICTs are essential for economic and social development and form vital infrastructure, OECD says in a 2012 document. 

“As the Internet economy grows, the whole economy and society; including governments, become increasingly reliant on this digital infrastructure to perform their essential functions,” reads part of the paper titled: Cyber security Policy Making at a Turning Point.

However, this has come under threat from cyber crime that is reportedly evolving and increasing at a fast pace.

“They are still initiated by criminal actors but also come from new sources, such as foreign states and political groups, and may have other motivations than money making, such as espionage, sabotage (e.g. Stuxnet) and even military operations,” reads the OECD paper.

Stuxnet is the name given to a computer worm, or a standalone malicious software computer programme that replicates itself in order to spread to other computers. It was discovered in June 2010.

Designed to attack industrial programmable logic controllers (PLCs) or digital computers used for automation of industrial electromechanical processes, Stuxnet functioned by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens AG (a German multinational conglomerate company) Step7 software. 

It reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Malicious actors, it is noted, are better organised, in particular to conceal their tracks, and the degree of sophistication has increased significantly, showing clear signs of professionalisation.

Nkurikiyimfura said the policy will now pave way for many things including building the requisite legal frameworks and capacity building to thwart cyber threats.

Key in its ingredients are: strengthening the regulatory framework; promotion of research and development in cyber security; human resource development; creating cyber security awareness; and information sharing and cooperation.

Under the new policy, government will also set up a department fully dedicated to fight these internet-based criminal acts.

It is hoped, the problem of lax security awareness among public and private employees will be cut back. Problems can be as basic as employees leaving their passwords visible or failing to properly switch off computers after work, mistakes that could be addressed with adequate education and awareness.

According to Nkurikiyimfura, while it is difficult to ably quantify or assess losses or the damage caused in the past by cyber criminals as there was no such policy before, he stressed that the danger is real.