CyberSecurity Levy: An Agenda Against Renewed Hope
Updated on : Sunday, 12 May, 2024
Released on: Saturday, 11 May, 2024
Read (798) |
Join BOOT Party
Tweet #VoteBOOTParty
As an IT Expert who has spent decades in the field of IT Security, I find myself in a position of deep regret and sadness as I discuss the recent imposition of a cybersecurity levy on Nigerians by the Central Bank of Nigeria (CBN). The CBN’s interpretation of section 44 of the Cybercrimes Act 2024 (as amended), which I will refer to as “Section 44” would likely become a subject for a judiciary review and interpretation. Let me use this opportunity to explain this Act and the threat we all face.
The Unseen Threats of the Digital World
In the vast expanse of the digital universe, unseen threats lurk in every corner. Cybercrime, a term that was once alien to many, has now become a household word. Data breaches, identity theft, ransomware attacks - these are not just terms, but realities that millions globally face daily and many Nigerians have been victims. The cost of these cybercrimes is not just financial, but also emotional, resulting in stress, anxiety, and loss of trust in the digital systems we rely on.
The Need for Enhanced Cybersecurity
Given the escalating threats, there is an undeniable need for enhanced cybersecurity measures. Governments and organisations worldwide are grappling with this issue which has resulted in escalating IT budgets. There is no doubt that funding is required for enhancing our Critical National Information Infrastructure (CNII), investing in advanced technology, and training skilled professionals.
The Heartache of the Act
Despite the clear need for improved cybersecurity to protect our CNII, the Act is primarily about cybercrime and not cybersecurity. In fact, the introduction of the levy is primarily for successful interdiction and prosecution of cybercrime and not providing critical national information infrastructure for renewed hope.
Possess Before Safeguarding
One of the objectives of the Act is to “ensure the protection of critical national information infrastructure [CNII]” however, the Act fails to describe or state what are Nigerian critical national information infrastructure (CNII). Instead, it relied on the president, through the National Security Adviser (NSA) to designate certain systems/network as critical. By the letters of section (3) of the Act there is no clarity as to what constitutes the CNII not to talk of protecting it with levy collected from the citizens. You cannot protect what you do not have.
Any information infrastructure that are essential for Nigeria to function and upon which daily life depends are CNII. These would include information infrastructure and personnel that operate and facilitate them, in Communications; Defence; Energy; Finance; Food; Government; Health; Police among others. The sectors that are advanced in information technology among all of these are in private hands. Or was it reported that recent unfortunate incidences of national grid collapse were due to cyberattacks on our industrial control systems.
Standardise for Corruption Prevention
There is need for acceptable standard definition of what constitute a critical national information infrastructure to prevent corruption, which means defining the criteria in clear terms. Mallam Ribadu, the current NSA, still commands respect among many Nigerians as man of integrity but he will not be in the NSA position forever. Imagine an “Emefiele” in such a position in the future. Controls are not only to prevent unwanted consequences, it is first to ensure we continue to have desired outcomes.
From the Sublime to Ridiculous
More than half of the Act’s sections were dedicated to cybercrime offenses with in-depth details of penalties except details which outlines the clear definition of what really constitutes critical national information infrastructure. The Act was poorly written and should not have been signed into law before and now.
One of the most ridiculous sections is Section (19) which states that “no financial institution shall give posting and authorizing access to any single employee.” For the ordinary minds, yes, it is right not to give the same person the yam and the knife. Unfortunately this is the reality of many organisations in the business world, what matters is to have adequate compensating controls when there are violations of separation of duties. The reason why I pointed this out is, like some other sections of the Act, this type of provisions should not be in any law.
The Renewed Hope Agenda of the president is to carry everyone along, especially the youths and I still recall the President’s inaugural speech where he told the youths that he heard them loud and clear. This Act should protect young Nigerians who would train and become ethical hackers. Ethical hackers complete cybersecurity reconnaissance which involves the systematic surveillance or scanning of systems, networks, or web applications to gather information about potential vulnerabilities that can be exploited. The letters of this Act do not state if you can do this without getting into trouble.
Clearly, section 45 has been abused and still being abused by police who use this section of the law to stop and search young Nigerians' phone and digital devices. The recent amendment to the law was an opportunity to address concerns that have been raised in many quarters before now.
Section 44 and “Issue”
It is not clear if the CBN circular of 06 May 2024 referenced PSM/DIR/PUB/LAB/017/004, was all drawn from this Act. I am not a lawyer and I will not pretend to be one however, from my experience, I have a fair appreciation of law and legal issues.
Following the enactment of the Cybercrime (Prohibition, Prevention, etc) (Amendment) Act 2024 the provision of Section 44 (2)(a) states that "a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule of the Act", is to be remitted to the National Cybersecurity Fund (NCF), which shall be administered by the Office of the National Security Adviser (ONSA).
The Act SECOND SCHEDULE Businesses which Section 44 (2) (a) refers to are —
(a) GSM Service providers and all telecommunication companies;
(b) Internet Service Providers;
(c) Banks and other Financial Institutions;
(d) Insurance Companies; and
(e) Nigerian Stock Exchange.
The Act defines other interpretations present in the law but did not give interpretations to “Electronic Transaction”. Sending an email from one person to another is an “electronic transaction” in information technology.
The businesses were clearly defined in second schedule as listed above.
The issue is whether the CBN has acted out of order. What electronic transaction is the CBN referring to? Without this clarity the law may need to be returned to the National Assembly for amendments.
However, the BOOT Party has been discussing with its legal counsels on the possibilities of a legal challenge on the CBN’s interpretation and circular to the banks.
Just like myself, you may wonder why an Act to address cybercrime would not provide clarity to a critical section as charging of levy. Was section 44 intentional or a rogue seed that has now fallen onto a fertile soil of CBN?
Recommendations
The cybersecurity levy part of the law should be expunged. The levy is akin to incurring “maintenance expense” on a yet- to-be developed nuclear energy plant. It will only fuel corruption and increase entropy in the national development of cyber security capabilities. We should not create problem for future generation. This levy is against every giant strides that have been made by the current administration of President Tinubu’s Renewed Hope Agenda.
Yes, we need a cybercrime law. Like any other laws, it should be achieving its intended purpose and not causing undue burden. In its current state, it is not effective and lacks ability to accomplish the desired objectives with a minimum expenditure of time and resources. Put simply, this law will hinder the growth of world-class cyber professionals in Nigeria to say the minimum, hence an immediate review is urgent.
Globally, legislations only do a catch-up with ICT development so a regular review of the entire law is necessary for it to accomplish its intended outcome.
Thank you and God bless you and God bless the Federal Republic of Nigeria.
Yours sincerely,
@SonnyAdenuga
The BOOT Party is a cooperative-like political leadership system.
@TheBOOTParty
Send Feedback
WhatsApp: +234-705-774-9595
Signing up is free.
Join BOOT Party and Get Involved!
Download BOOT Party App to
Vote in BOOT Party Election Primaries
Donate Because Nigeria Matters
CyberSecurity Levy: An Agenda Against Renewed Hope
Updated on : Sunday, 12 May, 2024
Released on: Saturday, 11 May, 2024
Read (798) |
Join BOOT Party
Tweet #VoteBOOTParty
As an IT Expert who has spent decades in the field of IT Security, I find myself in a position of deep regret and sadness as I discuss the recent imposition of a cybersecurity levy on Nigerians by the Central Bank of Nigeria (CBN). The CBN’s interpretation of section 44 of the Cybercrimes Act 2024 (as amended), which I will refer to as “Section 44” would likely become a subject for a judiciary review and interpretation. Let me use this opportunity to explain this Act and the threat we all face.
The Unseen Threats of the Digital World
In the vast expanse of the digital universe, unseen threats lurk in every corner. Cybercrime, a term that was once alien to many, has now become a household word. Data breaches, identity theft, ransomware attacks - these are not just terms, but realities that millions globally face daily and many Nigerians have been victims. The cost of these cybercrimes is not just financial, but also emotional, resulting in stress, anxiety, and loss of trust in the digital systems we rely on.
The Need for Enhanced Cybersecurity
Given the escalating threats, there is an undeniable need for enhanced cybersecurity measures. Governments and organisations worldwide are grappling with this issue which has resulted in escalating IT budgets. There is no doubt that funding is required for enhancing our Critical National Information Infrastructure (CNII), investing in advanced technology, and training skilled professionals.
The Heartache of the Act
Despite the clear need for improved cybersecurity to protect our CNII, the Act is primarily about cybercrime and not cybersecurity. In fact, the introduction of the levy is primarily for successful interdiction and prosecution of cybercrime and not providing critical national information infrastructure for renewed hope.
Possess Before Safeguarding
One of the objectives of the Act is to “ensure the protection of critical national information infrastructure [CNII]” however, the Act fails to describe or state what are Nigerian critical national information infrastructure (CNII). Instead, it relied on the president, through the National Security Adviser (NSA) to designate certain systems/network as critical. By the letters of section (3) of the Act there is no clarity as to what constitutes the CNII not to talk of protecting it with levy collected from the citizens. You cannot protect what you do not have.
Any information infrastructure that are essential for Nigeria to function and upon which daily life depends are CNII. These would include information infrastructure and personnel that operate and facilitate them, in Communications; Defence; Energy; Finance; Food; Government; Health; Police among others. The sectors that are advanced in information technology among all of these are in private hands. Or was it reported that recent unfortunate incidences of national grid collapse were due to cyberattacks on our industrial control systems.
Standardise for Corruption Prevention
There is need for acceptable standard definition of what constitute a critical national information infrastructure to prevent corruption, which means defining the criteria in clear terms. Mallam Ribadu, the current NSA, still commands respect among many Nigerians as man of integrity but he will not be in the NSA position forever. Imagine an “Emefiele” in such a position in the future. Controls are not only to prevent unwanted consequences, it is first to ensure we continue to have desired outcomes.
From the Sublime to Ridiculous
More than half of the Act’s sections were dedicated to cybercrime offenses with in-depth details of penalties except details which outlines the clear definition of what really constitutes critical national information infrastructure. The Act was poorly written and should not have been signed into law before and now.
One of the most ridiculous sections is Section (19) which states that “no financial institution shall give posting and authorizing access to any single employee.” For the ordinary minds, yes, it is right not to give the same person the yam and the knife. Unfortunately this is the reality of many organisations in the business world, what matters is to have adequate compensating controls when there are violations of separation of duties. The reason why I pointed this out is, like some other sections of the Act, this type of provisions should not be in any law.
The Renewed Hope Agenda of the president is to carry everyone along, especially the youths and I still recall the President’s inaugural speech where he told the youths that he heard them loud and clear. This Act should protect young Nigerians who would train and become ethical hackers. Ethical hackers complete cybersecurity reconnaissance which involves the systematic surveillance or scanning of systems, networks, or web applications to gather information about potential vulnerabilities that can be exploited. The letters of this Act do not state if you can do this without getting into trouble.
Clearly, section 45 has been abused and still being abused by police who use this section of the law to stop and search young Nigerians' phone and digital devices. The recent amendment to the law was an opportunity to address concerns that have been raised in many quarters before now.
Section 44 and “Issue”
It is not clear if the CBN circular of 06 May 2024 referenced PSM/DIR/PUB/LAB/017/004, was all drawn from this Act. I am not a lawyer and I will not pretend to be one however, from my experience, I have a fair appreciation of law and legal issues.
Following the enactment of the Cybercrime (Prohibition, Prevention, etc) (Amendment) Act 2024 the provision of Section 44 (2)(a) states that "a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule of the Act", is to be remitted to the National Cybersecurity Fund (NCF), which shall be administered by the Office of the National Security Adviser (ONSA).
The Act SECOND SCHEDULE Businesses which Section 44 (2) (a) refers to are —
(a) GSM Service providers and all telecommunication companies;
(b) Internet Service Providers;
(c) Banks and other Financial Institutions;
(d) Insurance Companies; and
(e) Nigerian Stock Exchange.
The Act defines other interpretations present in the law but did not give interpretations to “Electronic Transaction”. Sending an email from one person to another is an “electronic transaction” in information technology.
The businesses were clearly defined in second schedule as listed above.
The issue is whether the CBN has acted out of order. What electronic transaction is the CBN referring to? Without this clarity the law may need to be returned to the National Assembly for amendments.
However, the BOOT Party has been discussing with its legal counsels on the possibilities of a legal challenge on the CBN’s interpretation and circular to the banks.
Just like myself, you may wonder why an Act to address cybercrime would not provide clarity to a critical section as charging of levy. Was section 44 intentional or a rogue seed that has now fallen onto a fertile soil of CBN?
Recommendations
The cybersecurity levy part of the law should be expunged. The levy is akin to incurring “maintenance expense” on a yet- to-be developed nuclear energy plant. It will only fuel corruption and increase entropy in the national development of cyber security capabilities. We should not create problem for future generation. This levy is against every giant strides that have been made by the current administration of President Tinubu’s Renewed Hope Agenda.
Yes, we need a cybercrime law. Like any other laws, it should be achieving its intended purpose and not causing undue burden. In its current state, it is not effective and lacks ability to accomplish the desired objectives with a minimum expenditure of time and resources. Put simply, this law will hinder the growth of world-class cyber professionals in Nigeria to say the minimum, hence an immediate review is urgent.
Globally, legislations only do a catch-up with ICT development so a regular review of the entire law is necessary for it to accomplish its intended outcome.
Thank you and God bless you and God bless the Federal Republic of Nigeria.
Yours sincerely,
@SonnyAdenuga
The BOOT Party is a cooperative-like political leadership system.
@TheBOOTParty
Send Feedback
WhatsApp: +234-705-774-9595
Signing up is free.
Join BOOT Party and Get Involved!
Download BOOT Party App to
Vote in BOOT Party Election Primaries
Donate Because Nigeria Matters
