Bracing for cybercrime

Namibia a ‘late responder’
The rise of cybercrime globally - fuelled by increased connectivity, remote work, reliance on technology, and automation - is a reality for Namibia as well.

As Namibians increasingly rely on information and communication technologies, there has been a corresponding rise in criminal activities in cyberspace, posing threats to digital connectivity and the integrity of critical infrastructure.

As access to the internet and digital services increases, there is no matching growth in security expertise to combat cyber threats in organisations and law enforcement.

Namibia’s law enforcement bodies face challenges in combating cybercrime, including skills shortages, inadequate training, and a lack of specialised resources.

Exposed

Namibia’s overall security maturity in terms of awareness is extremely low and organisations, especially micro- to medium-sized enterprises, are inadequately prepared to guard against a growing cybercrime ecosystem, as is evident from the number and intensity of attacks and breaches experienced by organisations.

This has led to Namibia being considered one of the most exposed countries in Africa.

In a country where poverty and unemployment are high, slackness in implementing cybersecurity laws and regulations enables cybercrime because of the lack of any credible deterrence.

Namibia is being targeted by advanced persistent threat (APT) groups and, increasingly, by cybercrime networks.

Trojan horse

In the financial space, for example, Namibia has the highest number of infections with the Emotet Trojan horse virus globally, leading to millions of dollars lost.

This malware, spread by the APT group Mealybug from Ukraine, infects computers in the banking sector and steals sensitive information. Emotet relies on sophisticated phishing campaigns for Windows-based users and was initially launched to target banks in Germany.

A national computer security incident response team (CSIRT) with the capability to stay abreast of APTs and their targets would play a pivotal role in combating such attacks.

Namibia is significantly impacted by the evolution and transnational nature of cybercrime, and it is trying to establish suitable defensive mechanisms and controls.

China

The increase in internet access and adoption of mobile technologies is partly made possible by the influx of cheaper feature phones from China.

Not only do feature phones lack the advanced capabilities of smartphones, such as the adding-on of applications, but they may also introduce security risks that are often unknown to the user.

The cybersecurity and antivirus firm Kaspersky Lab tested several feature phones to determine possible security threats and revealed that, in addition to leaking user data, some were also programmed to steal money by, for example, sending hidden text messages to paid numbers.

To enhance the growth and adoption of digital financial services, unstructured supplementary service data (USSD) codes are used for accessing such services, especially on feature phones.

The GSM Association, a nonprofit industry organisation representing the interests of mobile network operators worldwide, has estimated that 90% of mobile money transactions in Africa are still driven by USSD.

According to the Financial Inclusion Global Initiative and the International Telecommunication Union, security testing for USSD revealed threats and vulnerabilities, including remote unauthorised access to and tampering with mobile devices.

Strategy

While regulations are vital in combating cybercrime, educating citizens about the risks associated with it and the significance of cybersecurity is also important. The National Cybersecurity Strategy and Awareness Creation Plan, launched in 2023 by the ministry of information and communication technology, aims to protect critical information infrastructure, educate the public and collaborate with public and private entities on cybersecurity to enhance the safety of internet users.

It targets government employees, ministries, agencies, regional councils, local authorities, school learners, teaching staff and the public.

The plan aims to build awareness around mobile technologies and the safe use of applications, which will improve financial inclusion in the digital space.

The implementation of the plan began with the signing of a memorandum of understanding between the government and the Namibian company SALT Essential IT for an initial five-year period to develop and deliver cybersecurity training to the government sphere.

The memorandum of understanding is indicative of the government’s commitment to increasing the security awareness of the general population.

Law enforcement

Namibia must develop and foster specialised law enforcement units, focusing on technical skills such as digital forensics, and develop legislative frameworks to ensure successful prosecutions.

It is vital to manage cyber risks at the national level with a strategy adapted to Namibia’s unique and increasingly complex threat profile, to be implemented through national policies and framed by laws and regulations.

Forgoing a risk-based approach to identifying threats, probabilities and impacts that is based on Namibia’s specific macro and micro threat profile will lead to misallocation of resources and implementation of ineffective controls.

Establishing and implementing such a national strategy requires, among other things, commitment, specialised skills, advanced knowledge and digital and human capital.

Solutions

Information security is continuous, and the array of potential crimes in the digital space requires a mesh of solutions.

Strategically, smaller-scale approaches may yield early benefits to ensure digital inclusion and growth as well as a safe environment for users, business and the government.

Such approaches could include capacity- and knowledge-building in defined pockets of excellence, partnerships with vendors and global organisations, intensified security awareness drives, and incident-response channels.

Namibia is a late responder to cyber threats, and its national governance environment does not facilitate cybersecurity intelligence filtering down to the population.

With the bulk of the population spread out in rural communities, and digital adoption being driven by cheap, imported, insecure feature phones, threats are widely present.

Channels

Communication channels should be utilised to spread incident response plans and threat intelligence, adding to the development and fostering of a cybersecurity awareness culture.

Namibia faces increasing cybersecurity challenges as it embraces digitisation and technology.

Sophisticated threats like phishing, ransomware and data breaches pose risks to individuals, businesses and government institutions.

Lack of awareness of and education on cybersecurity practices is a major obstacle, leaving many vulnerable to attacks.

Additionally, there is no comprehensive, country-specific legal and regulatory framework for cybersecurity.

Proactivity

However, there are opportunities to strengthen cybersecurity through government proactivity, such as partnerships with AI and machine learning companies to aid in the design and implementation of mitigating controls.

A collaborative approach involving government, businesses and individuals is crucial to promoting awareness, education and best practices.

Awareness training programmes, such as those provided by SALT Essential IT, may strengthen information flow structures and help them develop resilience.

The Seventh National ICT Summit, held in October 2023, also saw the launch of the iSecureBot, a WhatsApp information bot that provides cybersecurity awareness and education to the public.

Awareness culture

Cybersecurity is an emerging topic within the Namibian business environment, which is still in its infancy in terms of awareness and management of these issues.

Building a cybersecurity awareness culture at the national level is vital, as is the provision of secure infrastructure and actionable threat intelligence to adequately control cyber risks.

Cyber risks should be managed as an extended enterprise, incorporating different levels of controls to ensure a security-mature population. At the centre must be policies, regulations and laws to help cybersecurity professionals curb adversaries and threats.

Namibia’s lack of high-level policies greatly hinders the country’s move toward greater digital inclusion.

The protection of personal information and digital assets is currently left to individuals, who mostly lack the necessary knowledge, skill and authority to adequately protect their digital assets.

Balance

Balancing risk with digital growth requires standards, awareness, knowledge and skills to address the security susceptibilities in Namibia’s cyber landscape.

A national cybersecurity strategy, implemented in partnership with current and upcoming stakeholders in industry, is required.

Expanding the cybersecurity incident response capability—in terms of technology, monitoring capabilities and expertise—must be part of that strategy. International vendors already present in Namibia have the ability to provide targeted threat intelligence and solution guidance.

International standards and frameworks to guide cyber risk management processes, especially around the protection of critical infrastructure, are essential, as is increased international cooperation between agencies to share information and capabilities.

With its extensive growth in digital infrastructure and applications driving greater financial inclusion, Namibia requires a unique cybersecurity strategy based on its current posture, cultural and language profile, vast geography, population size and spread and level of literacy.

And by not merely adopting processes and models from South Africa, Namibia could set an example for the continent.