The article appearing in the Standard Newspaper dated Tuesday 29th December titled ‘New Law tightens noose on Online hackers’ starts as follows:
You will now need your national identity card, birth certificate or passport before using the internet, the Communications Authority of Kenya (CA) has said.
You wonder whether this is sensational journalism trying to rope you in to read another of their articles. Then it gets worse. Really. Here is what one paragraph reads:
In addition, CA wants service providers to retain data that will allow them to trace and identify the source of communication, the type of gadget used (phone, tablet or computer), the destination, the date, time and duration of the communication and even the geographical location of the sender and recipient of the message.
That’s right in the ballpark of the Orwellian world in the book 1984.
Before we even begin, how does CA even plan on getting the “geographical location of the recipient of the message”? Also, birth certificates?
Where do I even start?
Let me start with the impracticability of implementing and enforcing these regulations.
How will CA monitor and ensure every establishment sticks to the rules? Full-time CA officers stationed at their premises? Periodic review of all the logs and CCTV footage by an army of CA analysts stationed in a windowless room surrounded by banks of monitors?
Where will all the competent network administrators come from? Most of the ones around are ill-equipped to manage basic security requirements of a WiFi network. Trust me, breaking into most WiFi networks is embarrassingly trivial.
How do these establishments keep track of every client and internet activity that happens over their network, when they arrived and left, the devices they had, and who is who on the CCTV footage? Some form of Artificial Intelligence solution CA will provide? The logistics of this are a nightmare and the hardware expensive. Most corporate networks struggle with this exact scenario and they have teams of highly skilled personnel on their payroll.
Is there a data security standard that the establishments will have to comply with? After all, they will be holding extremely sensitive data: our full names, ID numbers, browsing habits and so on. I read that they should hold system logs for a period of not less than one year. Even forgetting the logistics, that scares the hell out of me. Your neighbourhood cyber or coffee place doesn’t exactly inspire confidence where information security is concerned. Come to think of it, the only logical explanation would be that this is a nefarious plot by CA to scare us off public internet access. That’s if we suspend all disbelief and decide to credit them with a level of aptitude not expected of the authors of such ill-thought-out legislation.
I could go on and on about the impracticability of implementing these regulations, but I think you get the drift.
Let’s humour them a bit and assume that these regulations are practically implemented and enforced.
As a normal internet user, I visit a restaurant with free WiFi, present my National ID and let them inspect all the WiFi-enabled devices I am carrying. The CCTV camera overhead zooms in to record my entry into the premises (we are assuming this will be correlated with my details and WiFi activity). A trained network administrator provides me with a username and password that I’ll use to log in to their WiFi network. Everything is going smoothly, as warranted by CA. I then order coffee and decide to check my mail. I’ve heard that I should use a Virtual Private Network (VPN) when using public WiFi to protect myself, so I connect to one. I then proceed to use the internet at my leisure.
That’s what a normal security-conscious public internet user would do. With that single act of using a VPN, all that other foreplay of tracking me goes to naught. It will be as if I never browsed the internet from their network. Good luck to the network administrator and the army of CA suits even finding out what website I visited.
Let’s shake things up a bit. Let’s see how the person that CA is supposedly targeting would act: you are an up-to-no-good hacker. These are all scenarios that beat the system.
Just do everything by the book and then use a VPN or some anonymous browser or software like Tor. Easy!
Mess with the registration process. You know those guards that require you to register before entering a building? I can assure you a lot of people leave fake details, maybe a fake second name and ID number. A hacker worth his salt would find a way to leave fake details with the resident coffee place registrar of public internet users.
Go through the process until the hacker is allowed into the network. After that, the hacker gets into their system and does as he/she wishes. Next, they could alter CCTV footage and network logs, hijack another client’s credentials, or even exempt themselves from the monitoring solution in place. The possibilities are endless. We are talking of a hacker who knows their business, aren’t we?
Go to a building, hijack the internet connection of a client in a neighbouring restaurant and now even the CCTV factor becomes moot. WiFi by design isn’t limited by walls, so they don’t have to be there physically.
The point is, these regulations will not deter a hacker. Quite to the contrary, what they are bound to do is make hackers that bit more careful and harder to track.
The legal issues that will surround these regulations are likely to be crippling, from people’s right to privacy and protection of their data to establishments challenging the implementation. That’s a whole Pandora’s box waiting to be opened.
It is quite honestly sad that several people in charge of providing direction in an esteemed institution such as the CA sat down, came up with this, presented it to the Director General and patted themselves on the back for a job well done.
It is sad that they either missed how illogical it all was or were deluded enough to believe that this was a legitimate solution.
It is sad that the average person out there could look at the regulations and immediately poke holes that challenge their core fabric.
Anyway, let’s assume that the people who came up with these regulations actually had a clue as to how to tackle the challenge of online hacking. Here are five ways they would go about it.
1. Enforce regulation requiring any network/system that handles public data to meet minimum security baselines. This would involve having the right people, security controls, awareness and periodic security assessments. This alone would keep out a majority of the hackers out there looking for easy targets.
2. Build a workforce of skilled information security personnel. A lot of capacity is needed in both government and private organisations in terms of skilled manpower. CA could lay the groundwork by introducing relevant courses and guiding the creation of syllabi and content with assistance from industry experts.
3. Educate the public and promote security awareness of the population at large.
4. Push for the implementation of the National Cyber Security Masterplan. This was meant to address cyber security in the country comprehensively and holistically, but it gathers dust somewhere, unimplemented.
5. Equip the Computer Incident Response Team (CIRT) with the necessary resources and build up the team to a high level of competence.
To sum it all up, hackers will attack from anywhere: from some remote Eastern European country, from their home, from a coffee place. That is one area CA cannot control. They can, however, limit the attack surface. Make it hard for your network/system to be breached and your run-of-the-mill hacker will move on to the next network, or in this case, country.
An analogy for this is a bucket leaking water from multiple holes on each side, with a multitude of crooks illegally collecting the water all around. Instead of fixing the holes, CA is trying to chase away one crook at a time, and it isn’t even doing it right.
My advice to CA is to fix the holes and maybe then, we can start talking about taking the fight right to the hackers’ doorsteps. Leading us into a dystopian society is the wrong way to go about it.