About a month ago, a group of hackers attacked and rendered inoperable several government portals and brought to the front pages a subject little discussed in Mozambique until then: we are facing a global computer pandemic that affects more and more people, companies and the sovereignty of nations themselves.
To get an idea, last year alone, according to a report by the World Economic Forum, there was a 151% increase in ransomware attacks (and ransomware is far from being one of the main threats), with losses reaching 6 billion dollars. Defense measures exist, but in addition to a necessary generalized change in mentality, the problem is complex and requires strategy, a concrete plan, and coordinated action between the public and private sectors. And in Mozambique, although with good will, we are still far from this reality.
How many times have we read that bank accounts have been hacked and money stolen? That hackers have accessed the back office of a mobile phone operator, as happened recently in Portugal with Vodafone, affecting four million users, with obvious financial and patrimonial damage to the company and its clients?
Or, at the private level, who doesn’t have someone they know who has had their social network account hacked and used for fraudulent purposes? Or that the electronic systems of ministries and governmental organizations have been compromised, as recently happened, admittedly without major consequences, in Mozambique?
The truth is that there has been no lack of news of this kind in recent years, with a noticeable increase in the last few months, especially during and after the pandemic.
This has long ceased to be a “problem of others,” but, in Mozambique, little is known or was known until recently. And, because this is a subject that almost everyone hears about “on the quiet”, E&M contacted a number of specialists working in the field of Cybersecurity, a branch that has been gaining more and more importance given the magnitude of the problem that the increasingly digital world has brought us.
After all, it was necessary to go through the labyrinths of Cyberspace where cybercrime moves, to know the risks to which we are all subject, the damage in the economic, social and political spheres, as well as the vast set of individual and collective behaviors to adopt and the investments necessary to reduce exposure to attacks.
Whenever we use computer equipment, be it computers or cell phones, connected through access, we are susceptible to attacks
Ricardo Velho, engineer specializing in Information Security, who holds the position of business development manager at InSite – a Mozambican company that operates in the field of consulting and implementation of management systems for information security and Cybersecurity, among other areas – explains to E&M that “cybercrime is not a new phenomenon, even in Mozambique it happens and became more present with the recent attacks. What characterizes it is the fact that it is invisible and this is where the danger lies. That is, “we may be under attack at a certain moment, but we don’t know it and we only realize it after the attack, if there are symptoms!”
The Cybersecurity Pyramid
Going to the conceptual root of what cybercrime is and how cybersecurity should be viewed, the expert explains that “we have to analyze it from three angles: the institutional, in the sense of defining the legal framework and the implementation plan for Cyber Defense that a country should have, done at the level of the entity responsible for fighting cybercrime; the organizational or business, to guide on the requirements to be gathered in order for companies to protect themselves and their clients from attacks; and, finally, at the base of the pyramid, at the level of people, in a growing awareness of the dangers and the adoption of behaviors and procedures recommendable when dealing with technological means. “
In Mozambique there is a portal of the National Institute of Information and Communication Technologies (INTIC), which is the regulator of Cybersecurity and responsible for managing issues at this level in terms of regulation. And it is INTIC that is implementing the Cybersecurity policy and strategy. But to what extent are the three steps of the cybersecurity pyramid, cited by Ricardo Velho, in sync and working together? And, if not, to what extent are we (in)secure?
A definition and implementation of a legislation coordinated action plan is still missing
Despite a visible change in the paradigm in the last two years (since the pandemic broke out) – it is fair to say that more organizations have started to worry about obtaining information at this level if one were to make an analysis of the state of the art of digital security in the country – the conclusion would be unanimous among the specialists in the matter with experience in the national market: with regard to information security, and there being only two certified entities in this respect in the country (McNet and a market insurer), in general, the ignorance in Mozambique is great regarding what Cybersecurity is.
This happens because, endemically, there are many public and private leaders who undervalue these subjects, seeing them as a cost and not as an investment, foreseeing future and big potential losses (financial and reputational), and often preferring to think that they are merely matters of responsibility of the IT professionals, which is wrong.
As a result, there will be very few public entities with consolidated digital defense systems, there is, however, in the private sector, a growing concern with the theme, especially, and naturally, in the financial and telecommunications system, which are among the best prepared sectors to face this “virtual war” in the country. Then there are still the statistics on the degree of exposure to this type of crime, which is, in fact, one of the major problems pointed out by experts: the lack of compiled information about existing attacks and sharing it between public and private sectors so that everyone can share and prevent similar threats. This situation puts the country in a more fragile situation regarding the definition of defense mechanisms to be adopted. From what is known, the Financial, Communications, Energy, Logistics and Health sectors are among the most exposed among us.
Permanent Danger
Whenever we use computer equipment, be it computers or cell phones, connected through an access, we are susceptible to attacks. As a matter of fact, this is the last point to which we should be alert, since the problem starts way back in time. “The truth is that the Internet, when it appeared, was developed by researchers and university students without any concern for security, for the sharing of knowledge and means of communication between academic work groups. Then, in the 90’s, it started to become massified, allowing access to thousands and thousands of pages.
There are security certificates that protect the data in such a way that, if they are attacked, no matter how much the hacker manages to get it, it reaches him encrypted and he cannot use it.
The advent of social networks has given rise to the creation of a virtual space that is called Cyberspace. This virtual world promotes the interconnection and interaction between countless computer applications, banking services, countries’ social services, and… people among many other critical services such as power
or water distribution.
There is everything in this virtual world, including people and professionals with good intentions, but also those who take advantage of such facilities for criminal actions, typically associated with the Darknet.
This new universe has evolved too fast for many organizations and millions of people to prepare for its dangers,” explains Paulo Borges, InSite partner consultant and specialist with 36 years of professional experience in the various areas of information security, Cybersecurity and Business Continuity, who spoke to E&M from Portugal. He continues: “Going along with what I was saying, even an application like WhatSapp can be attacked, of course. Or serve as a means to execute attacks. It should be noted that a cell phone is essentially similar in functionality to a computer. That is, through it, it is possible to enter and capture data from a person or organization if it is not used correctly”, he warns.
But why, in the last few years, have we all started hearing about computer attacks? According to the expert, “the covid-19 pandemic led organizations to use alternative means of accessing business applications, and this happened very quickly. But many of them, which had systems, strategies, policies and security practices directed to a context of presence in a certain physical perimeter, ended up not extending and applying these precautions to a delocalized way of working from digital security installed in the office environment.
In other words, the systems were installed in inappropriate machines and infrastructures and when the employees of the companies and other organizations had to work from home, many of them ‘forgot’ that the security perimeter also had to go to each person’s home. Once at home, most of the workers used their own means, so we had a clear weakness, since the access control was done without the observance of security conditions”.
Engineer Edson Chilengue, executive director of ITGest Mozambique, meanwhile, using global statistics that state that 42.3% of successful cyber attacks happen due to human negligence, mentions the need to “make people aware of the observance of care.” And it basically refers to “watching carefully before accessing certain links to access unknown windows, invitations to accept conditions imposed by certain sites to access their information, and proposals for events and games – do a thorough check of links received by email before clicking.” And he explains that this is usually how hackers access control of the device (computer or smartphones) and the organization’s entire system.
But attention itself is not an easy condition to observe and comply with. Milton Lauchande, commercial director
of DataServ, also in the technology sector and active in Mozambique at the level of cybersecurity, argues that the portals “work as windows and doors that should always be open to facilitate the flow of information. That fact alone offers opportunity for attacks to cybercriminals.”
“If we consider security means an expense…how much is the information that we’ve been building for several years and that ensures that the organization has continuity worth?”
A curious fact posed by Milton Lauchande is the fact that very few people are trained in areas that make it possible to develop cybercriminal skills. Is this a good thing? “In part, yes, because there are fewer cybercriminals, but, on the other hand, it limits the possibility of also having national “brains” capable of creating solutions at the cybersecurity level.”
From here, the role of regulators is invoked to legislate and discipline the market, which is still not happening or, at least, is not satisfactory, as we will see later.
So where does one go to get the defense? And at what cost?
In a more simplified way, and looking at the end user, all the specialists heard by E&M talk about the availability in the market of antivirus, which are the best known means of protection against dangers when using the internet or accessing a link or portal. There is, for example, the firewall, which is an application that protects an institution’s machine against any external invasion.
There is also an application called IDS, which automatically monitors all the actions that are being performed in the organization, either by employees or by the team of technology technicians, and automatically blocks the threats it detects, storing them at a point where the technology manager can check the quantity and types of threats suffered. For companies that work intensively with web pages, there is webfilter, an application that filters the sites that may or may not be consulted within the organization, blocking all those that are not allowed. Regarding prices, Edson Chilengue, executive director of ItGest Mozambique, talks about the existence of antivirus brand representatives that are not expensive. “There are security certificates that protect the data in a way that, if they are attacked, no matter how much the hacker manages to get them, they reach him encrypted and he cannot use them. This stuff can cost, on average, between 400 and 500 euros (between 28,000 and 35,000 meticais).
It is possible for a company to have just one key certification that can be used by the whole company, even to protect e-mails against cyber attacks. In addition, there are smaller applications that cost around 100,000 meticals annually for secure protection. It will depend on the financial capacity of the organization to define what is expensive or cheap, and one must also assess how much data security is worth,” he explained. Looking at more complex systems, aimed at companies, the tools are more expensive and require supervision by an IT team specialized in the matter, which may prove more complicated, especially for organizations with weak financial power, as many in Mozambique. However, “if we consider the means of security an expense, we should question how much is worth the information that we have been building for several years, which ensures that the organization has continuity and runs its course”. Ricardo Velho, from InSite, continues: “many times, when organizations analyze the technical proposals for implementing the management systems or information security provided by their company, they end up considering too much the investment in cybersecurity, which is clearly a mistake.
We often use the proverb ‘robbed house, lock the door’, and it applies here. Many companies only realize the damage after being attacked, losing information, customers, or having their operation compromised with serious reputational and revenue damage. It is always better to prevent as much as possible, so I would say yes, betting on security and certification of that security is today.
Mozambique is a ‘sandbox’ for hackers
“How to avoid attacks on sovereignty, similar to the threat that the Government of Mozambique has just suffered?” The question, timely, is asked by Paulo Borges who, even though he recognizes that no technology is perfect enough to guarantee the total inviolability of data, because there is a continuous evolution at the same pace that invasion mechanisms are becoming more sophisticated, says that much remains to be done. Looking at the national case, he typifies, based on available information about the recent attack on government portals, what kind of digital security we have in the country: “There are statistics that indicate that countries like Mozambique, with insufficient cyber defense infrastructures, are being used as international ‘sandboxes’ (i.e., they are training places where hackers can experiment to test their technical ability to then execute attacks elsewhere, knowing that the consequences of such action will not be great for those who practice it). It is assumed, therefore, that the recent case was clearly a game of experiments, tests done or simply for fun done, I would say, by a group of young people, who may even be students having fun.”
“There are statistics that indicate that countries like Mozambique, with insufficient cyber defense infrastructures, are being used as international ‘sandboxes’ (that is, they are training places where hackers can experiment to test their technical ability to then execute attacks elsewhere, knowing that the consequences of this action will not be great for those who practice it
Introducing the term “sovereign cybersecurity,” an area he has been working on for many years, the expert explains that each country “must determine its strategy, how it interconnects with the international community and create conditions to organize and articulate all of its cybersecurity.” And he is of the opinion that “no nation should work in isolation, it is necessary to establish alliances similar to those made in military contexts, of mutual aid and knowledge sharing,” he asserts.
Paulo Borges observes, moreover, “that security technological devices already exist in all European countries and in the overwhelming majority of African countries. But, in the case of Mozambique, the operational dynamism is missing, from this global network of computer attack warning centers, to interact with the national public and private organizations, on a daily basis, addressing these problems, in order to adopt immediate preventive measures and not only to react, as it currently happens.”
Lack of regulation and… action
Ricardo Velho, also from InSite, explains that this whole matrix of aspects aimed at the defense of sovereign cybersecurity is foreseen in Mozambique since last year, with the approval of the National Cybersecurity Policy and Strategy “but the state of implementation of the strategy is not known.”
In Portugal, for example, there are regulations for the use of cyberspace, in addition to the need, by Law, for these types of incidents to be reported to the operational entity, which makes these regulatory bodies hold a set of information to prevent occurrences, impacts and help spread these practices to communities.
In the case of Mozambique, the country has been trying to accelerate the pace and there are even teams being formed at the CERT-MZ level – an institution that coordinates aspects related to information security and to promote the culture of cybersecurity in Mozambique – but there is not yet sufficient installed capacity in terms of human skills and technological means, so it needs greater investment.
Edson Chilengue, who has a degree abroad in technology-oriented sciences and is the executive director of ITGest Mozambique – a company that operates in the area of technologies, including cybersecurity – adds that the recent attack on the Government’s electronic services “should be a source of inspiration for us to change direction, starting with the creation of a Data Protection Law,” he launches.
“Public institutions have to develop information management policies that say what the employee should or should not access when performing work tasks. Today it is common to find employees accessing social networks on a work computer and this is a huge risk,” stresses the engineer, repeating an aspect in which all specialists are unanimous: “The State must take on the task of investing in training staff in the area of technologies and academic institutions must begin to design curricula that help seek solutions at this level, because there is no going back – with the increasing digitalization of society, there will be more and more security weaknesses and, of course, more attacks.
Basically, this is a problem that has left Hollywood movie screens and is now (literally) in our hands – on the screens of our smartphones and laptops. And it’s up to all of us to be responsible with what we click at home or at work, it’s up to the companies that want to invest in their (and our) security, and it’s also up to the State itself, which must ensure that this whole security ecosystem flows smoothly, without mishaps, defending itself as well.
Economia & Mercado Magazine
Celso Chambisso e Pedro Cativelos
