STATE SURVEILLANCE AGAINST CYBERSECURITY NEEDS

Malawi Communication Regulatory Authority Director General Daud Suleman

BY GREGORY GONDWE

There is a thin line between cybersecurity and state surveillance, which somehow becomes blurred. Two pieces of legislation in Malawi, the Communication Act, the Electronic Transactions and Cybersecurity Act, have been used to demand personal data that should help authorities fight cyber crimes.

Against the backdrop of preventing cyber crimes, the Government has developed Sim Card registration which only fulfils the Communications Act’s provisions, not to mention the National IDs requirements, both of which use personal data.

Sim Card Registration Fighting Cyber Crimes

MACRA said sim registration is important for several reasons: First, it prevents a fraudulent practice called “sim boxing;” it helps recover stolen phones; offers protection from violent, threatening, or hateful texts; instils “discipline” for abusers; helps law enforcement solve crimes; and checks fraud and theft committed via mobile phones. 

Sim Boxing, also called a SIM bank, is a device used as part of a Voice over Internet Protocol (VoIP) – a technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analogue) phone line – gateway installation which contains several SIM cards, which are linked to the gateway but housed and stored separately from it. A SIM box can have SIM cards of different mobile operators installed, permitting it to operate with several GSM gateways located in different places.

For banks and telecoms companies operating mobile money services, there is also a requirement for what is known as the “know your customer” exercise in which Malawians are required to present their national ID and provide all other salient personal details, including a map of where they stay before they can be allowed to transact and failure to present these details has resulted in freezing one’s account. 

Personal Data Important to Curb Cyber Crimes

Other notable cybercrime incidents that have been observed in Malawi include and not limited to child pornography, sexual harassment, fraud, forgery, crime recorded, mobile money fraud, Government Websites defacement, identity theft, email scams, distribution of compromising images, attacks on computer data and systems.

Malawi is losing approximately MWK1.440-billion (US$137 million) annually to mobile money fraud; according to Malawi Communications Regulatory Authority (MACRA) director general Daud Suleman, this process of getting customers’ data is helping curb the malpractice.

“When you hear the number of cybercrimes that occur in the country, it is an alarming rate. Adopting advanced technology will be slower if more people are defrauded using even 2G technology. As a country, we will be left behind in the global economic space,” he said.

Besides using the law, Suleman says the regulator is working with stakeholders to find a solution as quickly as possible, as mobile money benefits individuals at the macro level and is also a catalyst for economic development.

MACRA Director General Daud Suleman

He said mobile money has become the fuel driving Malawi’s digital economy because the uptake has surpassed what the banking industry has achieved quickly.

“But simultaneously, Malawi is losing huge sums of money to mobile money fraud. This is why the Electronic Transaction and Cybersecurity Act as it creates an environment where, as citizens move to the digital environment, they feel secure and have confidence that their money is safe,” he said.

As of the end of 2021, the number of mobile money subscribers in Malawi surpassed ten million, according to the Bank of Malawi.

Malawi has also adopted a National Cyber Security Strategy. Still, it is yet to sign or ratify the AU Convention on Cyber Security and Personal Data Protection or the Budapest Convention on Cyber Crime.

Suleman believes there is a need to sensitise the masses on cybersecurity as it affects everyone who uses the basics of connectivity, which is 2G like internet, short messages (SMS), mobile payments and bank transactions.

Malawi’s Minister of Information and Digitisation, Moses Kunkuyu, agrees that promoting and adopting information and communications technology (ICT) should ensure users’ safety and security.

He said Malawi undertook a Cyber Security Maturity Model Assessment from which five dimensions are pursued to address security threats in cyberspace.

“The dimensions include the development and implementation of cyber security policy and strategy, promotion of cyberculture and society, cyber security education, training and skills, strengthening of legal and regulatory frameworks and developing cyber security standards,” said Kunkuyu.

MACRA Board Chairperson Dr. Stanley Khaila

MACRA Board Chairperson Stanley Khaila said Africa needs to shift away from the national boundary mindset and take the modern approach of collaboration and coordination on cybersecurity.

“Without collaboration, the advantage in cyber security can and will belong to the attackers,” he said. “The digital world has no boundaries, and the perpetrators of these cybercrimes and the cyber-crimes themselves are not unique and localised to any geographical location.”

The MACRA Board Chairperson acknowledged the digital revolution’s positive impact on people’s lives, especially as a driver of the digital economy; however, he conceded to the reality that the systems are prone to attacks.

“Consumers of ICT services and network owners tend to fall victim to cyber-attacks such as hacking, phishing, ransomware, and scams,” he said.

MACRA is responsible for implementing the Electronic Transaction and Cyber Security Act and may impose administrative penalties for violations.

MACRA oversees Malawi’s National Computer Emergency Response Team (mwCERT), which is responsible for critical information infrastructure protection actions and serves as a base for national coordination to respond to cybersecurity threats, including assistance in response to incidents.

Digital Laboratory for the Malawi Police

Cognizant of the rising cases of digital fraud, MACRA is building a digital forensic laboratory for Malawi Police Services to enhance the fight against cybercrimes in the country.

Khaila also said MACRA has partnered with the police on mobile fraud task force, where various key stakeholders have come together to harmonise efforts in the fight against the vice that is mobile fraud.

Apart from MACRA and the police, the task force includes the Reserve Bank of Malawi, Airtel, TNM, Prison Services, and the National Registration Bureau.

According to the Malawi Police Service (MPS), the country’s notable cyber threats incidents include mobile money fraud, fake news on social media platforms, web defacement, and the recent emergence of ransomware.

The MPS expressed concern about victims’ failure to report cybercrime, claiming that this undermines all efforts to convict the perpetrators.

Gladwell Kubwalo of the Malawi Police

According to MPS Assistant Public Relations Officer Felix Misomali, the Police always need help investigating matters that are not reported.

“It is concerning because many victims do not come forward to report cybercrime incidents, even though the Electronic Transaction and Cybersecurity Act requires the MPS to handle such crimes, but most victims simply complain to their colleagues or on social media platforms,” he said.

Head of Digital Forensic and Cybersecurity at Malawi Police Services, Gladwel Kubwalo, agreed that many people are unaware of cyber crimes in the country.

“We are promoting awareness meetings to sensitise masses on the crimes,” he said.

Data Centralisation Increasing State Surveillance

University of Malawi lecturer Jimmy Kainja believes all the laws that the Government uses to collect personal data have led to what he called ‘data centralisation’.

He says this paves the way for state surveillance, and in Malawi, evidence of state surveillance is emerging.

He cited incidents between 2021 and 2022, where over eight people were arrested, and two were convicted for online activities.

“However, one thing that stands out from these arrests is that those detained had allegedly offended influential people in the country, including the State President, a Member of Parliament and one of the big banks,” he said.

Malawi’s National Cybersecurity Strategy to Transform the Space

In the preface of Malawi’s National Cybersecurity Strategy (NCS) 2019 – 2024, Principal Secretary for the Ministry of Information and Digitisation Francis Bisika highlights the aims of the strategy, which among other things, is ‘to provide a national framework for ensuring secure, safe and resilient cyberspace, as well as fostering trust and confidence in cyberspace by Malawians’.

The strategy, which has high-level strategic goals and specific objectives, provides the basis of the nation’s direction to cybersecurity and establishes the Actions that need to be taken for each.

“It is a bold and ambitious approach to tackling the many threats our country faces in cyberspace. The Government recognises its special responsibility to lead the national efforts in managing and mitigating cyber threats,” he says.

The strategy acknowledges that the Communications Act has governed the communication services in Malawi (1998), developed during the era of second-generation (2G) technologies.

However, over time, Malawi has witnessed the growth of access and usage of ICT services, including an increasing number of online transactions for services.

The increasing demand for ICT applications and services, coupled with the provision of high-capacity fibre backbone connectivity across the nation, has resulted in substantial opportunities for further growth in the ICT sector. These developments are also expected to drive significant socio-economic growth in Malawi.

Consequently, to create a conducive environment for the sustained growth and use of ICTs in Malawi, as well as address the threats that come with increased adoption of ICTs, the Government of Malawi undertook a review of existing legislation and developed the Communications Act (2016) and the Electronic Transactions & Cyber Security Act (2016).

ICT has become a critical driver for socio-economic development, with the deployment and adoption of ICTs across the nation resulting in noteworthy improvements in all aspects of lives and institutional operations, according to the strategy.

It, however, lists several risks and threats that exist or have emerged that restrict the smooth operation and resilience of ICT systems and, consequently, the nation’s socio-economic development.

Cybersecurity Strategy to Achieve 14 Actions

The Malawi National Cybersecurity Strategy has set out to achieve 14 actions, some of which include developing a National Critical Information Infrastructure Governance Framework, which provides details on Critical Information Infrastructure protection procedures and processes.

The other action in the strategy is to expedite the establishment and operationalisation of a national CERT with clear processes, defined roles and responsibilities.

Another of the Cyber Security strategy actions is to continuously develop the capacity of staff at Malawi National CERT to address the fast-changing technical requirements and develop abilities to actively obtain information in cyberspace about current cyber risks and threats and continuously monitor, analyse and assess cyber threats and potential risks and be able to provide a real-time overview of the state of cybersecurity across the country.

As per the strategy, Malawi will also develop a Cybersecurity Governance Framework for defining the roles and responsibilities of all stakeholders in the cybersecurity ecosystem and describe Standard Operating Procedures and a Code of Conduct in responding to incidents.

The country will also establish a call centre or helpline for reporting incidents or seeking assistance with incidents as well as develop and implement cybersecurity incident simulation scenarios and programs that can be used during the national exercises while continuously updating cybersecurity contingency plans, which will include roles of the military or security forces during cyber-attacks and emergencies.

Malawi will also develop and test requisite crisis management measures during frequent cyber drills, besides evaluating cyber drills to develop options for improving crisis management measures.

Through the strategy, the country will also develop a Cyber Defence Strategy that details approaches to addressing threats to national security in cyberspace, and this will be side by side with a Central Defence Command and Control Centre for cybersecurity in Malawi.

MwCERT Waiting for Cyber Inspectors to be Operational

Good on the paper, as the Malawi Computer Emergency Response Team (MwCERT) is yet to start running full throttle.

So far, MACRA has since established the Malawi National CERT as per the law. However, for it to be operational,, cyber inspectors need to be in place.

MACRA’s acting Communications Manager, Wezzie Nkhoma-Somba, says the Malawi Computer Emergency Response Team MwCERT is a unit within MACRA and was established under Section 6 of the Electronic Transactions and Cyber Security Act, 2016 of the Laws of Malawi.

“This indeed has been established and operational,” she said before adding:

“Currently, the cyber inspectors’ appointment has not been made as regulations are being developed by a consultant who has been engaged through the digital Malawi project.”

More Laws that Would Increase State Surveillance

Moses Kunkuyu, Minister of Information and Digitisation

Kunkuyu, the information and digitisation Minister, said that Malawi also intends to review the Electronic Transactions and Cyber Security Act and the Communications Act, besides developing other digital laws that align with international best practices.

Some legal instruments that the Malawi Government intends to formulate include the E-Transactions and E-Commerce Act; Cybersecurity Act; Data Protection Act; Cyber Crimes Act, and E-Evidence Act.

It is unknown whether these laws will help draw a clear line between state surveillance and cyber security requirements that Government must put in place to protect its citizens exposed to the advent of digital technologies.

—This article on digital surveillance was supported by the Media Policy & Democracy Project, jointly run by the University of Johannesburg and the University of South Africa.