Bridging Cyber Security Gaps: The Commonwealth Telecommunications Organization Trains SMEs in Uganda

By Edrine Wanyama

Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.

Identifying security controls to defend against cyber threats and to protect data thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24, 2017, targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.

The workshop explored Information Assurance for Small to Medium Enterprises (IASME), which encourages SMEs to comply with international information security management standards.

Currently, possible cyber risks include: theft of data by criminals for monetary gain or competition, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.

Discussions on information security abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament, while laws like the Computer Misuse Act, 2011, the Electronic Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.

According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security are considered a technical issue rather than a business imperative. The findings of this study echo sentiment held by civil society organisations, which face similar digital security threats including increasingly sophisticated threats and rate of incidents.

In order to be better positioned to address cyber threats, civil society and SMEs need to be equipped with skills encompassing both online and offline responses. These include know-how on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.

Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls: malware protection, access control, patch management, secure configuration, and boundary firewalls and internet gateways.

As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SMEs.

CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.

In the meantime, the Ministry of ICT & National Guidance on August 20, 2017 held an Awareness Workshop on Cyber Laws such as the Constitution of the Republic of Uganda 1995, National Information Technology Authority, Uganda Communications Act 2013, Electronic Signatures Act, Computer Misuse Act, Registration of Persons Act, Electronic Transactions Act, Electronic Transaction Regulations 2013, Electronic Signatures Regulations 2013, Open Data Policy, 2017, ICT for Disability Policy Draft and the Data Protection and Privacy Bill, 2015, to sensitize members of the public, private sector, academia, government officials and other stakeholders on information security threats and how to best combat them. The workshop put emphasis on the need to know, learn and understand existing and upcoming laws, policies and guidelines that regulate cyber security and how they can be best applied.

Bridging Cyber Security Gaps: SMEs Trained in Uganda

By Edrine Wanyama
Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.
Identifying security controls to defend against cyber threats and to protect data thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24, 2017, targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.
The workshop explored Information Assurance for Small to Medium Enterprises (IASME), which encourages SMEs to comply with international information security management standards.
Possible risks include: theft of data by criminals for monetary gain or competition, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.
Discussions on information security abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament, while laws like the Computer Misuse Act, 2011, the Electronic Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.
According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security are considered a technical issue rather than a business imperative. The findings of this study echo sentiments held by civil society organisations, which face similar digital security threats including increasingly sophisticated threats and rate of incidents, according to research conducted by the Collaboration for International ICT Policy in East and Southern Africa (CIPESA). It revealed that various CSOs were concerned about, or had been victims of, hacking attempts on their email accounts and internal networks, that they had been targeted by phishing emails, and that they feared their activities were being surveilled by authorities.
In order to be better positioned to address cyber threats, civil society and SMEs need to be equipped with skills encompassing both online and offline responses. These include know-how on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.
Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls: malware protection, access control, patch management, secure configuration, and boundary firewalls and internet gateways.
As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SMEs. CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.

What African Countries Can Learn from European Privacy Laws and Policies

By Edrine Wanyama
The General Data Protection Regulation (GDPR) came into force in the European Union (EU) in May 2016. The 28 EU member states have until May 2018 to apply the Regulation to existing national laws to ensure the protection of citizens with regard to the processing of personal data and its transfer within the EU and beyond.
In Africa, only 14 countries (Angola, Benin, Burkina Faso, Mali, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Morocco, Senegal, South Africa, Tunisia and Zimbabwe) have enacted data protection and privacy laws. Others, including Kenya, Niger, Nigeria, Tanzania and Uganda, have bills that are yet to be passed into law.
Whereas a continent-wide convention on Cyber Security and Personal Data protection was adopted by the African Union back in 2014, only eight countries (Benin, Chad, Congo, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia) are signatories and only one (Senegal) has ratified the convention.
Meanwhile, as part of efforts to ensure data protection within the different regional blocs, the Southern African Development Community (SADC) has developed a model law on data protection while as of 2010, the Economic Community of West African States (ECOWAS) had the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS. Unlike its regional bloc counterparts in the south and west, the East African Community (EAC) has not adopted legislation on data protection and privacy – it only has a Framework for Cyberlaws which calls for member states to enact laws that protect personal data.
Meanwhile, some of the proposed and existing national laws fall short of comprehensively protecting data and privacy. For instance, Uganda’s Data Protection Bill, 2015 and Ghana’s Data Protection Act, 2012 lack succinct clauses on key areas such as notification of breach and data portability, and also have limitations on the right to access, among others. Despite this, mass collection of personal data continues across the continent, leaving the majority of Africans vulnerable to the violation of their data privacy.
This contrasting state of affairs formed part of the discussions at a July 2017 convening of lawyers, government officials, civil society representatives, academics, and students at the Institute for Information Law at the University of Amsterdam for a five-day training course on issues pertaining to privacy and data protection law related to the internet and electronic communications.
For over 60 years, the European Convention on Human Rights (1950) has functioned as the framework to guarantee the right of privacy for private and family life. More recently, the European Charter of Fundamental Rights, 2000 has reinforced this right. These instruments are the basis of the robust protections provided for under the GDPR. In Africa, similar frameworks which address privacy are less than 15 years old, such as the Declaration of Principles on Freedom of Expression in Africa (2002) (Part V), the Resolution on the Right to Freedom of Information and Expression on the Internet in Africa – ACHPR/Res. 362(LIX) 2016, and the civil society led African Declaration on Internet Rights and Freedoms.
However, where European instruments have been largely endorsed and supported by member states, many African instruments still struggle to gain similar recognition by member states. As in the EU, African countries need to uphold the principles laid down in these instruments towards the recognition and enforcement of citizens’ right to privacy and data protection.
Further, per the GDPR, European states are required to establish Data Protection Authorities (DPAs) to ensure that safeguards are in place to protect user data including across different jurisdictions. African states should embrace similar measures to guard against infringement on citizens’ privacy.

Data Protection Authorities are mandated to independently monitor, raise awareness, handle complaints and conduct investigations, among others, to uphold personal data protection.

Overall, the course highlighted the need for a robust privacy regime across the world to ensure that citizens enjoy due protection of their online data. It also highlighted the need for more efforts in citizen sensitisation on data protection and privacy alongside better frameworks in the African context to support these rights.
CIPESA participated in the course together with representatives from Ohio State Moritz College of Law and Capital University Law School; Global Privacy Practice, Covington & Burling; Institute for Information Law, University of Amsterdam; Berkeley Center for Law & Technology, UC Berkeley School of Law; Dutch Data Protection Authority; and the Washington University Law School, among others.
There are lessons for Africa to learn from the European experience, including the establishment of state and regional mechanisms that strengthen data protection frameworks. However, it is essential that more African countries enact data protection laws, and that countries which already have such laws implement them with oversight from independent bodies as more user data is generated and stored online.

Supercharging Human Rights Defenders // East Africa

By Small Media
Building off the success of our 2016 report ‘Supercharging Human Rights Advocates in the Levant’, the Small Media team is excited to announce our latest project in a whole new region. Making use of the practices we’ve developed in our work across the Middle East, Small Media is setting out to survey the cybersecurity landscape in East Africa. Over the course of this project, we aim to assess the state of internet controls in the region, and support the development of a regional community of internet freedom researchers, digital security experts, and human rights defenders.
Over recent years, regional civil society organisations and human rights defenders have been confronted with significant security challenges as internet freedom is threatened across East Africa. The Collaboration on International ICT Policy in East and Southern Africa (CIPESA), one of our local partners for this project, have highlighted various issues involving undue prosecution of Internet users in East Africa in their 2016 State of Internet Freedom in Africa report. In Tanzania this has involved users being targeted and arrested for offenses including ‘insulting the president’ and news sites being shut down. Netizens in Uganda faced blocked social media and mobile money services in the build up to the February 2016 elections, alongside crackdowns on ‘offensive communications’, in the form of bans on social media accounts that criticise the government. Burundian social media users have seen platforms including Viber, Twitter, WhatsApp and Facebook shut down during public protests against government figures. In addition to this, Rwandan citizens face among the world’s worst restrictions on freedom of speech and political activity, including stringent online censorship targeted at those discussing ‘sensitive’ topics.
Freedom House’s 2016 Freedom on the Net report highlights the challenges faced in Rwanda and Uganda, but there are a number of gaps in regional knowledge that we aim to fill. With levels of access to the Internet growing steadily in the region, and some concerning indications of a ramping-up of state efforts to crack down on internet freedom, it is important that the digital security needs of CSOs and netizens are addressed in an urgent manner.
Thus, focusing on Uganda, Rwanda, Burundi and Tanzania, our research seeks to fill the gap that exists by identifying the digital security threats facing CSOs in the East Africa region, recommending a plan of action and then developing the capacity of CSOs to respond to the threats that they face.
Our Project
The first phase of this project involved working with two of our local partners, CIPESA and DefendDefenders, to select high-quality workshop participants and trainers, in order to create and train a secure, strong and enthusiastic community of regional, on-the-ground digital security experts and researchers. The training given at the workshop has equipped local actors to engage in comprehensive and long-term digital security research, thereby supporting the future needs of CSOs across the region.
Building on the successful outcome of the workshop, our local researchers – working alongside our regional partners – are now hard at work carrying out the core components of the research project, including:

  1. Legal and Policy Analysis – to assess the current legislative frameworks that exist within East African states, and to establish what powers governments have to monitor and prohibit online communications.
  2. Network Measurements – to assess the internet infrastructure in each of the target countries. Our researchers are using OONI Probe and ICLab’s Centinel software to establish the level of censorship taking place, and highlight any network vulnerabilities to state-directed internet shutdowns.
  3. CSO Cyber Capacity Assessments – interviews are being undertaken with a number of CSOs to identify the most urgent digital security threats they face, and to measure their defences.

With the training workshop completed, Small Media and our local partners are currently working with an enthusiastic team of local researchers to carry out the on-the-ground research components. We’ll be busily compiling our research findings over the next couple of months, but we look forward to presenting you with our findings and recommendations upon the report’s publication in March 2017. Stay tuned!
This article was sourced from the Small Media website.
 

UPDATE: Maxence Melo Charged with Obstruction of Investigations and Operating a Domain Not Registered in Tanzania

By CIPESA Writer
Jamii Forums founder Maxence Melo has been charged with three offences before a court in Dar es Salaam, Tanzania. The charges are:
1: Management of a domain not registered in Tanzania under Section 79(c) of the Electronic and Postal Communications Act (2010).
2: Obstruction of investigations under Section 22 (2) of the Cyber Crimes Act of 2015 for not complying with an order of disclosure of data in his possession. This followed an order by the Tanzania Police Force to release data pertaining to electronic communications published on his Jamii Forums site between April 10, 2016 and December 13, 2016.
3: Obstruction of investigations under Section 22 (2) of the Cyber Crimes Act of 2015 for not complying with an order to disclose data in his possession. This follows an order by the Tanzania Police Force to release data pertaining to electronic communications published on his site between May 10, 2016 and December 13, 2016.
Section 79 of the Electronic and Postal Communications Act (2010) provides for the regulation of all electronic communication numbering and electronic addresses by the Tanzania Communications Regulatory Authority (TCRA). Part C of the section mandates the authority to perform an oversight role in the management of the country code Top Level Domain (ccTLD).
Meanwhile, Section 22 of the Cyber Crimes Act 2015 relates to unlawful interference with investigations and refusal to comply with an order under the Act.
Max was arrested on Tuesday December 13. He remained in police custody until his arraignment before court this morning. According to his lawyer, a bail application has been denied.