In late August 2018, the government of Nigeria announced that the establishment of its cyber command to be headquartered in Abuja
According to news reporting, at the onset the command would be comprised of approximately 150 officers pulled from the all services in the Nigerian Army and would possess technical skills required of supporting the command. Currently, the Army has obtained advanced technological equipment that is being tailored and configured to meet the expected needs of the military. It has been intimated that such activities would include tracking hostile actors in cyberspace as well as conducting offensive attacks such as distributed denial-of-service (DDoS) attacks against cyber criminals, online terrorist presence, and “subversive elements.”
The establishment of the command is unsurprising given the rampant nature by which cyber crime in Nigeria has flourished. Per the Nigerian Communications Commission in 2017, Nigeria ranked third globally in cyber crimes behind the United Kingdom and the United States. Throughout 2017, hostile cyber activities observed targeting Nigerian interests included ransomware, cyber Ponzi schemes, and cryptocurrency exchanges, among others. Therefore it is unsurprising that Nigeria has been exploited by these criminal elements. According to one Nigerian news source in 2017, Nigeria loses N127 billion annually to cyber-crimes, or approximately .08 of its Gross Domestic Product. This amount is not shocking given the historic challenges Nigeria has faced in curbing the volume of cyber crime permeating in the country. According to one computer security vendor, Nigerian 419 scams have continued to evolve since their early inception. Per the vendor’s findings, these e-mail scam groups have increased in size and have adapted their tactics techniques, and procedures to include using multiple commodity malware tools to modernize their operations.
Given that Nigeria’s digital economy is projected to generate USD 88 billion by 2021, the government has raised cyber security a national concern, and there is evidence that the government has gradually put national-level cyber security initiatives in place. Nigeria’s 2015 Cybercrime Act imposed penalties for a variety of cybercrime successfully prosecuted in the courts, to include the death penalty. In late 2014, Nigeria passed its National Cybersecurity Strategy, a strategic framework to improve the country’s readiness via cohesive measures and actions designed to secure and protect the country’s interests and assets in cyberspace.
Nevertheless, national level action does not necessarily translate into immediate tangible results. While it does demonstrate a nation’s acknowledgement and understanding of a problem, it really remains guidance that needs to be followed and executed at the lower state and provincial levels. More importantly, they don’t necessarily serve as a catalyst for the private sector to implement cyber security measures or make cyber security a priority in their organizations. Per research done by one African technology company that produces content, podcasts, events, publications and other services about Afrika’s burgeoning innovation and technology sector, cyber security is an afterthought of big corporations that prefer to ignore, deny, and threaten litigation in response to data leak reporting. The message here is clear – national policy does not translate into improving cyber security culture in the private sector.
The establishment of the cyber command with its prescribed mission gives the Nigerian government a tool that can be used immediately, and hopefully, successfully against the cyber crime element. This is incredibly important as a 2017 report revealed that nearly 81 percent of cyber incidents that occur in Nigeria go unreported. However, reliance on an offensive-minded government arm such as a cyber command raises other concerns, especially if such a capability is levied against dissident groups or political oppositionists. Nigeria’s cyber crime law allows for communications interception and for service providers to keep all subscriber information and traffic data which could be used against these entities, as does the lack of a digital rights law, a bill of which sits with the president unsigned. Nigeria already has the reputation of spying on technology the users the most of any African state.
How the command unfolds is critical to ascertaining whether the organization will be used as a tool for good or for self-serving interests; whether it will help propel the Nigerian government to regional cyber security leader status or expose the government’s intent to inappropriately its capabilities to censor and eliminate unfavorable content, as well as those creating and disseminating it.
One thing appears clear – the more entities like cyber commands are established, the more capabilities they bestow upon governments to use such power as it suits their needs. And given what’s been exposed about governments conducting cyber espionage, exploiting Internet infrastructure, surveilling, and committing destructive attacks, this doesn’t reduce malicious cyber acts; it contributes to them.