Nigeria’s revised Cybersecurity Policy

Codifying Bug Bounty Programs in Cybersecurity practice

Tunde Okunoye
Berkman Klein Center Collection
Feb 28, 2021

When Nigeria rebased its GDP figures in 2013, many observers assumed there would be doubts about the new figures that made Nigeria Africa’s largest economy, after South Africa. In fact, it was the former figures that were deemed unreliable, because they largely ignored the tremendous contributions made to the economy by new sectors such as entertainment, services, and telecoms. The Economist magazine estimated that the telecoms sector alone accounted for more than 25% of the rebased GDP. Thus, Nigeria began the transition from a monolithic petroleum-based economy to a more diversified one. And with the expansion of the entertainment industry (for example Nollywood, second only to Hollywood), the remarkable growth of financial services, and the greater integration of digital technology in the public and private sectors, intellectual property and cybersecurity assumed greater importance.

The increasing importance of cybersecurity in Nigeria is well laid out in industry publications such as Deloitte’s Nigeria Cybersecurity Outlook, which details what observers of the cybersecurity scene in Nigeria already know: cybercrime in Nigeria has become more sophisticated with each passing year. The COVID-19 pandemic has also increased the risk and incidence of cyberattacks in Nigeria, as people and organizations are forced to work in remote and less secure environments outside the walls of organizations. The impact of the pandemic, which portends some lasting changes to the nature of work, and the increasing waves of cyberattacks globally (amongst them the infamous SolarWinds hack) make the recent signing in February of Nigeria’s revised Cybersecurity Strategy and Policy even more poignant.

On paper, Nigeria’s Cybersecurity Policy and its Cybercrime Act both specify a detailed and well-thought-out cybersecurity regimen for the nation. Nevertheless, the #EndSARS protests of October 2020, which saw hacktivists compromise a number of government and private digital assets, demonstrate that actual cybersecurity preparedness is different from what is specified in policy.

To be sure, Nigeria’s Cybersecurity Policy has provisions for a National Cybersecurity Coordination Centre (NCCC) and a Nigerian Computer Emergency Readiness Team (NgCERT), which together have oversight over cybersecurity incident management in different sectors of the country, both public and private. Aspects of vulnerability testing and assessment are also codified in the policy (for example initiative 6, page 107, “implementing an Enterprise Application Security Testing regimen”; initiative 9, page 109, “Developing Blue team and Red team capabilities among cybersecurity actors”, amongst others).

Could bug bounty programs improve cybersecurity preparedness in Nigeria?

The activities of the #EndSARS hacktivists, however, showed just how vulnerable key national cyber-assets are, and perhaps suggest including another layer of defense in the nation’s cybersecurity framework. Could bug bounty programs improve cybersecurity preparedness in Nigeria? Evidence elsewhere in the world suggests they are a useful addition to the range of measures nations and organizations implement to strengthen cybersecurity. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of a vulnerability management strategy. Codifying bug bounties in cybersecurity practice in Nigeria could positively impact the sector and improve cybersecurity readiness, particularly in the private sector.

Despite the promise of bug bounty programs, however, they face at least two hurdles in Nigeria. One is the perceived reputation the country already has as a haven for cybercriminals. This reputation is held not just outside the country, but also within it. This lack of trust will limit the effectiveness of bug bounty programs, which typically work by having ordinary citizens with cyber skills unearth vulnerabilities in digital assets. This lack of trust in Nigeria leads businesses to entrust cybersecurity penetration tests to other cybersecurity organizations, rather than institute bug bounties. Another hurdle seems to be Nigeria’s Cybercrime Act. Part 3 of the Act, “Offences and Penalties”, has clauses that might criminalize the work of bounty hunters.

These hurdles notwithstanding, a bug bounty program could invigorate Nigeria’s cybersecurity sector, channel the energy of a new generation of cyber-professionals, and help to plug the holes in Nigeria’s cyber-infrastructure — as so brazenly exposed during the #EndSARS protest of 2020.