National Cyber Security Policy and Strategy: Ghana’s Experience

Eric Akumiah, Head, CERT-GH

National policy and strategy


Ghana’s Experience 05/01/2023

Agenda

Background

• Existing Policy and Law on the fight against cybercrime
• Gaps in Existing Policy/laws and Need for Policy & Strategy

National Cyber Security Policy

• Policy Development Process
• 9 Pillars of Our Policy

5 Year Strategic Action Plan

• Special Initiatives

Way Forward


BACKGROUND


Existing Policy & Acts

• ICT4AD (Pillar 14) 2003
– ICT4AD is Ghana’s policy guidelines for ICT development
– Comprises 14 Pillars that address all ICT needs in Ghana
– Pillar 14
  • Policy measures and mechanisms to address
    – national security
    – law and order issues

• Electronic Transaction Act (ACT 772) 2008
– Legal text embracing key instruments for the fight against cyber crime
  • ICT Tribunal
  • Cyber Inspectors
  • Electronic Government Services
  • Cyber Offenses
  • Protected computers and Databases
  • Consumer protection

• Data Protection Act (843) 2012
– Focuses on application of Principles of Data Protection
  • Privacy of Individual
  • Collection of personal data
  • Security measures
– Data Protection & Enforcement
– Disclosure of information


Why the need for Cybersecurity Policy?

Some shortfalls in policy & laws

• ICT4AD does not adopt a PPP approach to ensuring cyber security

• All prospective target audience not properly addressed by Pillar 14

• Protection of CNII not properly addressed under policy and ETA

• Culture of cyber security across sectors not properly covered

• Inadequate cyber laws and capacity building for National security agencies and law enforcement to fight cybercrime

Challenges

• Prevalence of cyber frauds called “Sakawa”
• Defacement of multiple government websites
• Several financial establishments hit, with customers’ funds stolen
• Prevalent SIM Box Fraud – loss of revenue to Government on international call traffic
• Lack of awareness of risk to mobile data users on the Internet
• Low awareness of risk of children using the Internet
• Uncoordinated cyber initiatives across Ghana / no information sharing
• Lack of information security technology framework in place


Targets: National Cyber Security Framework

Person Specific
• Consumer User
• Corporate user

Device Specific
• Telephones
• Wireless Cell Devices
• Personal Digital Assistant (PDA)

Network Specific
• Wireless Carrier’s Transport
• Local Area, Metropolitan Area and Wireless Area
• Internet


Levels

Level 1: Home and Small Business users

Level 2: Large Enterprise Users

Level 3: Critical Sectors

Level 4: National Priorities

Level 5: Global


CNII Sectors Identified for Ghana

1. National Defense and Security

2. Banking and Finance

3. Information and Communications

4. Energy

5. Transportation

6. Water

7. Health Services

8. Government

9. Emergency services

10. Food and Agriculture


DRAFT NATIONAL CYBER SECURITY POLICY


Policy Development Process (2011 to 2015)

• Initiated by Ministry of Communications in 2011 with support from UNECA
• National Stakeholder Meeting to review areas for upgrade in National ICT needs
• Ad hoc Technical Committee established by MOC to develop policy and strategy
• Stakeholder meeting to review draft
• Final review by Ad hoc committee to include comments
• Validation Workshop


Policy Development Process-2

• Step 1: Multi-stakeholder Adhoc Technical Committee formed

• Step 2: Defined Terms to be used

• Step 3: Reviewed existing Policy and Laws to determine gaps

• Step 4: Reviewed conventions and country specific policies and strategies.
– Budapest Convention, AU draft Convention

• Step 5: Developed text of Policy


Vision & Mission

• Vision

A secure and stable connected Ghana with Internet users working and creating wealth in a safe cyber space, with a well-researched and trained academic and professional community protecting Ghana’s cyber space equipped with global standards and responding swiftly to cyber incidents, and with up-to-date laws and systems in place to efficiently prosecute cyber criminals.

• Mission

Our mission is to determine, analyze and address the immediate cyber security threats posed on identified critical national information infrastructure by providing adequate protection for the critical national information infrastructure and over time become a self-sufficient country attending to its cyber security needs.


9 Pillars of Our Policy

Effective Governance

Legislative & Regulatory Framework

Cyber Security Technology Framework

Culture of security and Capacity Building

Research & Development towards Self-Reliance

Compliance and Enforcement

Child Online Protection

Cyber Security Emergency Readiness

International Cooperation


FIVE YEAR STRATEGIC PLAN (2016-2020) TO BE REVIEWED ANNUALLY


Special Initiative 1: National Cybersecurity Awareness Program

• Program to train different stakeholders on different aspects of cyber security with the intent of helping them provide a reasonable security commensurate with the risks to avoid incidences of cyber attacks.

• Will take the form of identification, need assessment, training and evaluation of different sets of stakeholders.

• The program will include a cyber security awareness portal that will establish a permanent awareness campaign on the internet.


Special Initiative 2: Computer Emergency Response Teams

Establishment of National Computer Emergency Response Team (CERT-GH)

• Phase I: established with support from ITU/IMPACT in August 2014
• In January 2015, 11 Government websites were defaced but brought under control within 24 hours by CERT-GH
• Sharing Alerts and Advisories with constituents to proactively improve security of systems
• Working to establish phase II in 2015
• Introducing probes on Ghanaian networks and subscribing to HORNET and AWARE early warning systems
• Phase III to be implemented in 2016
• Establishment of National Forensic Laboratory


Special Initiative 3: National Cyber Security Centre

• National Cyber Security Policy Implementation: Defines, communicates and updates (when necessary) the national cyber security programs to all the CNII.

• National Coordination: Closely coordinates cyber security initiatives of various key Agencies and organizations in Ghana.

• Outreach: Promotes and facilitates formal and informal mechanisms for information sharing across the CNII. This includes promoting cyber security awareness, training and education programs to grow the competency of information security professionals and the industry as a whole.

• Compliance Monitoring: Facilitates the monitoring of compliance to cyber security policies and standards across the CNII.

• Risk Assessment: Assesses and identifies cyber security threats exploiting vulnerabilities and risks across the CNII.

• Support: Assists the National Cyber Security Council in all its function activities and helps industry to test its emergency plans.

• Contribution: Contributes to application of international standards on cyber security as well as on accreditation and certification of ICT infrastructure, services and suppliers.


Special Initiative 4: National Cyber Security Council

Governance institution with full oversight of policy and ensuring full implementation of policy after its creation

• To serve as the highest-level liaison body for cyber security

• Responsible for adopting or approving the policies put forward for implementation of the function centre.

• To ensure that appropriate policies are in place to make Ghana a safe destination for cyber activity

• To boost national image in its sphere of influence and make it a leader in the region

• To ensure Ghana is part of international conventions and is playing its role as a leader in the region


Special Initiative 5: National Cybersecurity Crisis Management Plan

Conceived to ensure that a coordinated swift response is made to any cyber incidences having a bearing on national security.

Objective is to:

• Increase preparedness of country against cyber attacks

A management committee which will be under the council where ultimate decisions are made on any major attacks and a working group created as PPP and having membership from the center, the national CERT, CNII sectors and any related agencies to enforce any tactic adopted for resolving any major attacks


Implementation Timelines

Strategy (Timeline): Activities

• Short Term (Year 1-2): Holistic assessment of CNII and addressing immediate Concerns & Awareness Creation – Identify issues with CNII, analyze vulnerabilities and put in place stop gap intervention to safeguard systems while setting up institutional structures and creating public awareness

• Medium Term (Year 3-4): Building the infrastructure for Cyber security – Setting-up the necessary systems, process, standards and institutional arrangements (mechanisms) and building capacity amongst researchers and information security professionals

• Long Term (Year 5+): Developing self-reliance & international Cooperation – Adopting technology and developing capacity of professionals, monitoring the mechanisms for compliance, evaluating and improving the mechanisms and creating the culture of cyber security


Way Forward

• Ghana’s Draft Policy development started in 2011
• Submitted to Cabinet to review and approve in 2013.
• Validation workshop held in 2015 for final cabinet approval
• Development of detailed implementation framework of each policy Pillar after Cabinet approval
• To develop or not to develop new Cyber security and Cybercrime laws - discussion


Thank You!

eric.akumiah@cert-gh.org
www.cert-gh.org
www.nita.gov.gh
www.moc.gov.gh


Additional Slides


Definitions-1

Cyber Security is “Enhancing security and building confidence in the use of ICT applications” (ITU GCA)

Cyber Security means the collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect organization and user’s assets on the cyber environment. Organization and user’s assets include connected computing devices, computing users, applications/services, communications systems, multimedia communication, and the totality of transmitted and/or stored information in the cyber environment. (ITU-T Recommendation X.1205)

Cybersecurity ensures the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The security properties include one or more of the following:

– Availability

– Integrity, which may include authenticity and non-repudiation

– Confidentiality


Definitions-2

• Critical Infrastructures (CI) are generally considered as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security, or any combination of those matters.

– Economic and industrial sectors have their own physical assets which today depend upon reliable functioning of Critical Information Infrastructure (CII) to deliver their services and to conduct business.

– Critical Information Infrastructure Protection (CIIP) protects virtual elements (such as systems and data) of the CII.


Policy Pillar 1 & 2

• Effective Governance

Government will centralize coordination of national cyber security initiatives and promote effective cooperation between public and private sectors. In order to sustain the gains from any initiatives, government will establish formal and encourage informal information sharing exchanges.

• Legislative & Regulatory Framework

Government will, in collaboration with the Attorney General’s department, set up a periodic process of reviewing and enhancing Ghana’s laws relating to cyber space to address the dynamic nature of cyber security threats. In order to empower national law enforcement agencies to properly prosecute cyber security crimes, government will establish progressive capacity building programs to acquire new skills and effective ways of enforcing cyber laws. Government will ensure that all applicable local legislation is complementary to and in harmony with international laws, treaties and conventions.


Policy Pillar 3 & 4

• Cyber Security Technology Framework

Policy measures will be put in place to develop a national cyber security technology framework that specifies cyber security requirement controls and baselines for CNII elements. This will be accompanied by a mechanism to implement an evaluation/certification program for cyber security products and systems.

• Culture of security and Capacity Building

Government will invest every resource needed to develop, foster and maintain a national culture of security. As part of the process of development of culture of cyber security, government will support the standardization and coordination of cyber security awareness and education programmes across all elements of the CNII. Government will also:

– Establish an effective mechanism for cyber security knowledge dissemination at the national level

– Identify minimum requirements and qualifications for information security professionals 


Policy Pillar 5 & 6

• Research & Development towards Self-Reliance

In order for Ghana to become self-reliant in protecting the CNII to a level that is commensurate with the risk, government will formalize the coordination and prioritization of cyber security research and development activities, and enlarge and strengthen the cyber security research community. Research and development will be encouraged by promoting the development and commercialization of intellectual properties, technologies and innovations through focused research and development. Government will also put measures in place to nurture the growth of the cyber security industry.

• Compliance and Enforcement

In order to ensure compliance and enforcement, policy measures and mechanism will be put in place to standardize cyber security systems across all elements of the CNII. Government will also strengthen the monitoring and enforcement of standards and develop a standard cyber security risk assessment framework  


Policy Pillar 7 & 8

• Child Online Protection

Policy measures will be implemented through multi-stakeholder working by government, industry, civil society, and relevant international child online protection agencies. Government will encourage dialogue at national and local levels to engage all concerned and create awareness of the possibilities and dangers of the Internet.

• Cyber Security Emergency Readiness

To ensure cyber security emergency readiness, government together with all stakeholders will develop effective cyber security incident reporting mechanisms. This will include the development and strengthening of the national computer security incident response team (CSIRT) and sector CSIRTs, dissemination of vulnerability advisories and threat warnings in a timely manner and the development of a standard business continuity management framework. The government will also encourage all elements of the CNII to monitor cyber security events and perform periodic vulnerability assessment programs.


Policy Pillar 9

• International Cooperation

Policy measures will be put in place to encourage active participation of Ghana in all relevant international cyber security bodies, panels and multi-national agencies. Government will make every effort to promote active participation in all relevant international cyber security activities by hosting an annual international cyber security conference.


Action Plan 2016-2020


For each item: Thrust, Actions and Special Initiatives, Policy Drivers

1. Effective Governance
Actions and Special Initiatives: Set up governance structure and institutions to enable long-term substance of cyber security activity including information exchange. Institutions include:
• National Cyber Security Council
• National Cyber Security Center
• National Cyber Security Policy Working Group
Policy Drivers: Ministry of Communications, National Security Council, NITA, NCA

2. Legislative and Regulatory Framework
Actions and Special Initiatives: Set up Cyber Law Review Committee under the Attorney General’s Department to do a study on the laws of Ghana to accommodate legal challenges in the cyber environment and review every three years
• Stage 1: Identification of issues in the cyber environment
• Stage 2: Review current laws on cyber environment
• Stage 3: Make recommendations for amendment of national laws
Policy Drivers: Attorney General’s Department

3. Cyber Security Technology Framework
Actions and Special Initiatives:
• Review and adopt international cyber security standard such as MS ISO/IEC 27001 to increase robustness of CNII sectors
• Expansion of national certification scheme for information security management & assurance
Policy Drivers: Ministry of Communications, NITA, NSC


4. Culture of Cyber Security & Capacity Building
Actions and Special Initiatives:
• Reduce number of information security incidents through improved awareness & skill level
  o Increase certification courses on information and cyber security
• Develop a National Cyber Security Awareness program and portal targeted at stakeholders by content providers using different packaging for different demographics
Policy Drivers: Ministry of Communications, Ministry of Information (National Cyber Security Council, National Cyber Security Center, National CSIRT, National Cyber Security Policy Working Group)

5. Research & Development towards Self-Reliance
Actions and Special Initiatives:
• Develop National R&D Roadmap for Cyber Security
  o Identify technologies relevant & desirable for CNII
  o Provide domain competency development
  o Nurture growth of Cyber Security Industry
  o Update roadmap regularly
Policy Drivers: National Cyber Security Council, National Cyber Security Center, National CERT, Universities, CSIR, Professional certification Centers

6. Compliance & Enforcement
Actions and Special Initiatives:
• Develop Risk Assessment framework for CNII


7. Child Online Protection
Actions & Special Initiatives: Develop a framework for the protection of children as they engage with the Internet which ensures that agencies and stakeholders work together to address children’s online risk by
1. Ensuring that Organizational Structures put in place for A Monitoring Framework, Technical and Procedural Measures for working with all stakeholders
1. Capacity Building – Awareness raising and public education.
2. Legal Measures
3. Implementation and International Cooperation
Policy Drivers: Ministry of Communications; Ministry of Gender, Children and Social Protection; Ministry of Interior; Ministry of Education


8. Cyber Security Emergency Readiness
Actions & Special Initiatives: Framework for cyber attack response – Mitigation of cyber attacks
• National and sector CSIRTs
• National Cyber Crises Management Committee
• National Cyber Crises Management WG
Policy Drivers: Private Sector and Government Network Operators, Academic, Financial Sectors, Security agencies, Utilities, National Cyber Security Council

9. International Cooperation
Actions & Special Initiatives:
• Engage in relevant international cyber security meetings
• Prioritize international engagements, sign and ensure compliance of International/regional conventions
Policy Drivers: Ministry of Communications, Ministry of Foreign Affairs, Attorney General’s Department, National Security Council