Cyber security policy in developing countries: Rowing in an unfamiliar world without a paddle

The advent of borderless information has brought endless opportunities to all nations with tech playing a vital role in the core of economic stability. Citizens bear witness to how governments can be at the mercy of advancement, especially so when it comes to curbing the pandemic.

In this era where data and information are already more valuable than gold and oil, gaining the upper hand in acquiring, and eventually monopolising, information is an unspoken, round-the-clock Olympics.

The world is evolving at an insane pace. We’re now used to seeing first world countries’ home garage-grown startups become unicorns and help shape the world, generation after generation. Along with this progress come the predicaments of technology, and especially security. Critical bugs, unsanitised code, exploited vulnerabilities, denial of service, botnet attacks, cyber espionage, advanced persistent threats, and data breaches continue to target organisations large and small. These attacks can ground planes, cripple industrial plants, and even disrupt nuclear plants’ centrifuges.

Whilst developed countries are already taking strides towards sustaining multifaceted cyber security approaches, developing countries are navigating their own labyrinths of internal issues in lobbying policies for digital infrastructures. Meanwhile, underdeveloped nations are at the foot of digital transformation and are still struggling to comprehend.

Issues closer to home

Coming from a developing country in Southeast Asia, one cannot set aside envy when making even a minuscule comparison with what developed nations have to offer. It does not take a genius to learn in kindergarten the very names of developed countries, their capital cities, and the plethora of adjectives that come with them. The facts become more and more obvious by the day: developing countries are indeed a couple of decades behind first world countries. This goes beyond employment rate, GDP, healthcare, and higher education, to name a few.

Developed countries have mustered robust cyber security capabilities. Since they’re viewed as prominent models of cyber security strategies, policies, and tech advancement, developing nations try to mimic European countries and the United States. Reluctant leaders hastily jump to legislation, initiate large-scale propositions, create CERTs, and find ways to generate resources for national cyber security infrastructures. They do so without reviewing their own ICT roadmaps or first improving the very foundations of their state of technology: internet services, communications, peace and order, costs of doing business, resources, and investment security.

With the promise of comfort in computing, government institutions begin digitising services without considering the risks. Unnecessary automation has created a lucrative avenue – a new breeding ground for corruption.

Why cyber security policy is hard to implement and enforce in the developing world

Even when fraud, scams, and rampant online malpractice appear alongside the regular cyber crimes, there are unfortunately no concrete laws in place to penalise offenders. Where there are, they usually fall under the discretion of the jurisdiction.

Unlike other domestic crimes, cyber crimes transcend physical and political boundaries. Although a cyber criminal may be in your jurisdiction, their victims could be halfway around the world. Even if they get caught in the act, they can still get away with it since authorities do not have the competency to do digital forensics and provide irrefutable evidence to pin them down. With this, international cooperation is paramount. Recent examples include the Esthost takedown in Estonia and the Emotet takedown.

The Bangladesh Heist, which cost a local bank $81M (from an attempted $951M), routed a substantial chunk to a bank in the Philippines. Investigations were haywire because of relaxed anti-money laundering and dysfunctional cyber crime laws, the perfect ingredients for big game hunting.

Cameroon in Africa is among the countries greatly impacted by cyber crime. A few years ago, there were talks to launch multiple cyber security skills programmes to help combat this problem. Policy makers, however, feared that after finishing the training, the trainees would use the skills gained to commit cyber crime.

Its neighbour’s ‘Nigerian Prince’ has become the standard of phishing. Though unsophisticated, the scheme has already sucked billions from gullible individuals and trusting pockets around the globe. Nigerian fraud rings have been intercepted in multiple different countries, but indictment depends on the nations where they’re apprehended.

It is therefore possible that we have large cyber crime dens in developing countries. We have seen fraud call centres in India. The operatives working in Joker’s Stash or new silk roads on the dark web may be established anywhere, away from the prying eyes of those who know all too well what they’re up to.

If the citizenry cannot trust its legal system to protect them, other socioeconomic factors are drastically affected. Sustainable development highly depends on an incorruptible and stable justice system, and able law enforcement.

Whilst developed nations open-mindedly adhere to bug bounty programs to assist them in protecting their national infrastructure and government systems, developing countries abhor responsible vulnerability disclosures and go after security researchers as criminals.

Do these circumstances come with any benefits?

On a different note, perhaps the only amusing advantage of poor countries in a tech world would be their ability to fend off DDoS attacks, cut off unauthorised remote-control access, and obstruct lateral attacks due to internet instability. Also, industrial critical infrastructures are obsolete and were created before cyber security became a thing. Though some may be vulnerable due to hardcoded credentials, most may still be running on relatively old industrial systems. No SCADA systems to be bothered with, no imminent Stuxnet, Duqu, Flame, and Gauss-like weaponised malware attacks to be haunted with. With this, a technological handicap can be quite rewarding.

Even though there are myriad attack vectors coming from adversaries both foreign and domestic, most in the public and government sectors think they already have sufficient defence capabilities and breach mitigations in place. This is not the case. They downplay malware outbreaks on devices filled with cracked software, torrent downloads, and apps which came from malvertisements, and they have paid excessive amounts for software that they do not religiously update.

Also, in the midst of COVID-19 when employees were transitioned to a work-from-home setup, most didn’t have the proper protection configuration in place. In addition, the lack of awareness of basic cyber safety sits like a time bomb, which just waits for the proper website, clickbait, or email attachment to detonate. BYOD has warped into ‘Bring Your Own Disaster – Home Edition.’

Taking a global approach to cyber disparities

If we stand back and take a broader look at nations’ cyber security capabilities, one common denominator amongst first world countries would be their wealth in human resources, and it all starts with proper education and training. Nurturing knowledge, upskilling, and building competencies could help close the cyber security gap between developed and developing countries.

In completing their studies, undergraduates are schooled in engineering, scientific, industrial, and technological concepts, and best practices. Scholars on the other hand are just re-echoing what they learned back then. They may have seemingly forgotten that one size does not fit all. Demographically and geographically, we are all different, and we also have different resources and traditions. But one thing is for sure, technology is so agile and fickle-minded that textbooks alone cannot cope.

It may be cultural in nature, but most developing countries have trouble interacting with other sectors. Let the lessons of the past remind us of Government-Academe-Industry-Linkages (GAIL), which was the first step towards a holistic cyber security capability approach.

We may be lacking in resources, but if we concentrate strengths from each sector, it would be a great start. This could include:

  • No-nonsense academic curricula to produce industry-ready graduates
  • Proper government allocation of budget for infrastructure, policies, and roadmaps
  • Cyber security organisations lending human resources and corporate machinery to aid and provide consultancy to the government to make sure they are doing things as they should

Stakeholders should collectively address the increasing cyber security risks of interconnectivity in the developing world. These are perils that not only impact the most vulnerable populations, but have economic and political repercussions for developed nations as well.

Interestingly, although noted as a nation for neither tech nor cyber security, Malaysia quietly made it to the top of the worldwide cyber security index, sitting next to the EU and US. Leveraging policy capacity with a broad network of international intel, their first cyber security policy dates back 15 years and they have constantly evolved ever since. This perfect example shows us that we do not need to drain our banks to achieve cyber security maturity. The operative word here is manpower: the concerted efforts of different sectors in society. It was not done overnight, it took a while, but consistency, clear vision, and political will were all key.

As third world countries gather the right armaments to secure their domains, despite the “silent,” constant cyber war amongst governments, developing nations are left with one alarming stance: will they be ready when worse comes to worst and state sponsored attacks point toward them? They may have been breached already, they just haven’t noticed it yet.