Summary: The proliferation of digital devices and services in all facets of life has brought with it an unwanted consequence: cybercrime. As nations and organisations worldwide continue to take steps to fight cybercrime, Nigeria has signed into law the Cybercrime Act of 2015 and released the revised National Cybersecurity Strategy and Policy in 2021 as part of its efforts to fight the increasing number of cyberattacks. Unfortunately, the EndSARS protests in October 2021 revealed how vulnerable some of the government’s cybersecurity controls were. This calls for new and innovative strategies for fighting cybercrime. Bug bounties, which are programs in which organisations offer rewards to external researchers for finding vulnerabilities in their software, can be one such strategy.
When Nigeria rebased its GDP figures in 2013, many observers assumed there would be doubts about the new figures that made Nigeria Africa’s largest economy, ahead of South Africa. Indeed, it was the former figures that were deemed unreliable, because they largely ignored the tremendous contributions made to the economy by new sectors such as entertainment, services, and telecoms. The Economist magazine estimated that the telecoms sector alone accounted for more than 25% of the rebased GDP. Thus, Nigeria began the transition from a monolithic petroleum-based economy to a more diversified one. And with the expansion of the entertainment industry (for example Nollywood, second only to Hollywood), the remarkable growth of financial services, and the greater integration of digital technology in the public and private sectors, intellectual property and cybersecurity assumed greater importance.
The increasing importance of cybersecurity in Nigeria is well laid out in industry publications such as Deloitte’s Nigeria Cybersecurity Outlook, which details what observers of the cybersecurity scene in Nigeria already know — cybercrime in Nigeria has become more sophisticated with each passing year. The COVID-19 pandemic has also increased the risk and incidence of cyberattacks in Nigeria, as people and organizations are forced to work in remote and less secure environments outside the walls of their organizations. The impact of the pandemic, which portends lasting changes to the nature of work, together with the increasing waves of cyberattacks globally (among them the infamous SolarWinds hack), makes the recent signing in February of Nigeria’s revised Cybersecurity Strategy and Policy even more poignant.
On paper, Nigeria’s Cybersecurity Policy and its Cybercrime Act both specify a detailed and well-thought-out cybersecurity regimen for the nation. Nevertheless, the #EndSARS protests of October 2020, which saw hacktivists compromise a number of government and private digital assets, demonstrated that actual cybersecurity preparedness differs from what is specified in policy.
To be sure, Nigeria’s Cybersecurity Policy has provisions for a National Cybersecurity Coordination Centre (NCCC) and a Nigerian Computer Emergency Readiness Team (NgCERT), which together have oversight over cybersecurity incident management in different sectors, both public and private, in the country. Aspects of vulnerability testing and assessment are also codified in the policy (for example initiative 6, page 107, “implementing an Enterprise Application Security Testing regimen”; initiative 9, page 109, “Developing Blue team and Red team capabilities among cybersecurity actors”, amongst others).
Could bug bounty programs improve cybersecurity preparedness in Nigeria?
The activities of the #EndSARS hacktivists, however, showed just how vulnerable key national cyber-assets are, and perhaps suggest including another layer of defense in the nation’s cybersecurity framework. Could bug bounty programs improve cybersecurity preparedness in Nigeria? Evidence elsewhere in the world suggests they are a useful addition to the range of measures nations and organizations implement to strengthen cybersecurity. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of a vulnerability management strategy. Codifying bug bounties in Nigerian cybersecurity practice could positively impact the sector and improve cybersecurity readiness, particularly in the private sector.
Despite the promise of bug bounty programs, however, they face at least two hurdles in Nigeria. One is the reputation the country already has as a haven for cybercriminals. This reputation is held not just outside the country, but also within it. This lack of trust will limit the effectiveness of bug bounty programs — which typically rely on ordinary citizens with cyber skills to unearth vulnerabilities in digital assets. In Nigeria, this lack of trust leads businesses to entrust penetration tests to other cybersecurity organizations rather than instituting bug bounties. Another hurdle seems to be Nigeria’s Cybercrime Act. Part 3 of the Act, “Offences and Penalties”, has clauses that might criminalize the work of bounty hunters.
These hurdles notwithstanding, a bug bounty program could invigorate Nigeria’s cybersecurity sector, channel the energy of a new generation of cyber-professionals, and help to plug the holes in Nigeria’s cyber-infrastructure — as so brazenly exposed during the #EndSARS protests of 2020.
• The National Cybersecurity Advisory Council can collaborate with cybersecurity experts to evaluate the viability of bug bounty programs in Nigeria. They can find ways to modify and adapt them to Nigeria’s cybercrime environment.
• Organisations considering offering bug bounties need to assess their strengths and weaknesses before doing so. Hiring an external penetration tester, outsourcing vulnerability assessments, or adopting a vulnerability disclosure policy might be better options for most organizations.
About the Author:
Tunde Okunoye – Musings at the intersection of Technology and Development
Keywords: Cybersecurity, Bug bounties, Cybercrime, Nigeria