Developing Countries in the Face of Cyber Threats
By Francesca Battilana, Adrien Vanheste, and Larissa Zutter
Developing countries face a unique set of challenges when dealing with cyberthreats. Although these issues differ from country to country, there are some patterns and common root problems that may be identified. This article aims to provide a brief introduction into the key challenges of digital threats in Africa, Latin America and the Caribbean (LAC), and Asia, by focusing on the specific case studies of South Africa, Brazil, and Vietnam. To conclude, we identify some commonalities in these issues and their causes, in the hope of raising awareness of the different contexts in which cyberthreats can present themselves.
Africa: The Case of South Africa
Although Africa does not present the same financial opportunities for cyberattacks on an individual level, the African continent is experiencing higher rates of cyberattacks approaching those recorded in other regions. Considering the stark rise of digitalised business models, the implementation of legal frameworks regarding cybersecurity in Africa is more urgent than ever, as many countries in Africa still lack data privacy laws (Bernstein & MacKenzie, 2021).
In the past five years, there has been a shift from random targeting of victims and demands for small amounts of ransom to much more targeted attacks, with the hope of receiving higher ransoms. Financial institutions especially are top targets in Africa. The malware and cyberattacks on the financial industry are consistently becoming more complex and specific (Zerucha, 2021).
This increasing complexity is particularly visible in the case of South Africa, where there have been notable cyberattacks in the past few years, some of which occurred within a very short timeframe. In 2019, for example, various attacks were made only within a few weeks of each other. The first cyberattack in this timeframe targeted Johannesburg City Power, an instance during which the attackers successfully shut down key city systems. These perpetrators demanded ransom and threatened to do even more damage should the energy provider not fulfil the payment. The second cyberattack, a DDoS attack, was aimed at several South African banks. The attackers demanded bitcoins as they delayed the banks’ transactions and hampered other important services (Kaufmann, 2021; Pygma Consulting, 2018). Further, several internet service providers (ISPs) were hit by DDoS attacks over the course of several months, forcing some of them to shut down operations for multiple days days (“South Africa Is under Attack,” 2021). More recently, there was a major cyberattack on Transnet, a South African state-owned enterprise, which manages infrastructure across the country. As a result of this attack, activities in the ports of Cape Town and Durban were hampered and, more extremely, even halted altogether. Considering the disruption of and the damage on critical infrastructure, this attack was classified as a major attack (Reva, 2021). These events highlight the need for stronger mechanisms to protect critical infrastructure.
As a reaction to the earlier cyberattacks, the government of South Africa drafted and passed more legislation to equip the country with tools to combat these attacks. In 2021, for instance, the Cybercrimes and Cybersecurity Act was signed into law. This piece of legislation forces electronic communications service providers and financial institutions to report cybersecurity breaches within 72 hours and preserve any information that may assist an investigation. The Protection of Personal Information Act also became enforceable in 2021, which “promotes the protection of personal information processed by public and private bodies, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law” (Bernstein & MacKenzie, 2021). These two Acts bring South African legislation up to par with international data protection laws by placing more obligations on processors of information and by regulating personal data processing (Bernstein & MacKenzie, 2021).
However, much of the rest of the continent is still lagging behind. Most of the continent does not meet the ITU’s commitment standards, which include legal, technical, organizational, capacity building and cooperation measures (International Telecommunication Union, 2021). This divergence shows how many of the governments — and many of the continent’s citizens — are not equipped with the tools to combat the strong rise in cybercrimes.
Latin America and the Caribbean: The Case of Brazil
The LAC region is characterized by a relatively recent development of the IT sector; a collaboration between traditional organized crime groups and active cybergroups, the aim being the enhancing of efficiency; a strategic geographic position, making LAC states the most suitable partners for cybercriminals based in Russia and Eastern Europe who are engaging in online banking thefts in the United States; a presence of tax havens jurisdictions, which offer secrecy and anonymity and are thus likely to enable and promote criminal networks; and a lack of legislative and policy frameworks.
Brazil is the country that best represents all these features, being both an source and a target of cybercrime due to its weak defence mechanisms. The economic growth the country has been experiencing since the 2000s is accompanied by a widening and deepening of IT adoption: in 2021, 75% of the population had an internet connection – showing a growth of 6.4% compared to 2020 – spending an average of 10 hours per day on the internet (Kemp, 2021). However, Brazilians have not placed the same level of effort on implementing systems to protect networks and information: only 50.4% of users expressed concerns about how companies use personal data. Both at the individual and governmental level, information security is usually an afterthought and maintains a low priority, as evidenced by the past decade. In 2010, the country ranked 2nd worldwide in terms of absolute numbers of bot infections; in 2012, it topped the list of countries targeted by Trojan bankers (Kshetri, 2013).
In 2004, the number of losses from online financial fraud in Brazil were estimated to exceed the losses resulting from bank robberies (Kshetri, 2013). Hackers in this country have demonstrated considerable expertise in writing malware, as well as a tendency to share more information than hackers in more developed countries. Underground entrepreneurs have even designed ad hoc courses to cater the needs of all aspiring criminals, no matter the degree of experience (Kshetri, 2013).
In the last few years, the government has recognized the importance of cybersecurity across all institutions. However, a national cybersecurity awareness program has not yet been established, and Brazil continues to lack specific data protection and privacy laws (IDB & OAS, 2020). One reason for this disconnect between awareness and action is the “bottleneck” problem from which the country is suffering. This “bottleneck” refers to the violent crimes overburdening law enforcement agencies and diverting these organizations’ attentions away from cybercrimes. The problems associated with the lack of a cybersecurity legal framework is also compounded by the strength and resourcefulness of hackers in the country who, as stated by a Brazilian internet security expert, “have little to fear legally” (Smith, 2003).
Brazil is just one example of the two-thirds of LAC countries showing little or no progress in levels of maturity regarding cybersecurity education and skills development (IDB & OAS, 2020). Overall, in this group of countries, training in digital security is either nonexistent or severely incomplete. On the other hand, in the last two years, the remaining one-third of the LAC region has seen a significant increases in cybersecurity competency, reaching mid-level maturity levels; coincidentally, almost all of these countries have a national cybersecurity policy or strategy.
Asia: The Case of Vietnam
Information Communication Technologies (ICTs) are seen by the Vietnamese government as an effective way to foster economic growth, but it should be noted that the rise of ICTs was made at the detriment of cybersecurity considerations. Indeed, regional peers in Southeast Asia like Malaysia and Singapore are in the top 20 of the Global Security Index 2017 by the United Nations International Telecommunication Union, whereas Vietnam ranked 101st out of 195 (International Telecommunication Union, 2017). However, mobile connection rates have reaches 1.57 per person and the percentage of internet users is 70% of the population (Kemp, 2021). A lot of attacks are reported to take place inside Vietnam or originate from Vietnam. The amount of attacks in Vietnam not only damages the image of the country abroad, but also impedes the development of the digital economy (Interpol, 2021).
The cybersecurity of infrastructure around Vietnam remains weak. This deficiency is exemplified by the 2016 cyberattack against the two biggest airports of Vietnam. The problem partly stems from the overwhelming use of obsolete or unlicensed – and thus potentially unsafe — software like old OS versions of Windows. Other reasons include human resources-related causes. As mentioned by the Information and Communication Minister of Vietnam, sensibilization of the population has also been a detriment. Furthermore, there is a talent shortage in the country, which has led to the government announcing plans to educate its population to build up its cybersecurity component (Trân Dai, 2015).
According to the Vietnam Information Security Association, 78% of government websites have serious security flaws. So while cyberhygiene laws exist, issues also arise from the lack of implementation of these best practices in the development phase (Trân Dai, 2015). To develop capacities in monitoring and incident response, the Vietnamese Computer Emergency Response Team, also known as the VNCERT, was set up.
The fight against cybercrime is impeded by several factors. Upstream, a lot of cybercrime remains underreported, and there is no survey on cybercrime at the national level. Once a cybercrime has been perpetrated, the units in charge lack both human and technical resources to arrest criminals. Downstream, the prosecution remains problematic. The first mention of cyber criminality offences in the Vietnamese Criminal Code, borrowed from Russian law, dates back to 1999, but the lack of legal expertise in cyber offence resulted in virtually no cases being prosecuted under this first cybercriminal legal basis until 2008. It is not until a cybercrime legal packet was adopted by the Vietnam Legal Assembly around this time that cybercrime trials were actually held, numbering hundreds between 2009 to 2017. Punishment, however, is piecemeal. According to Vietnamese experts, sanctions, for instance, related to cybercrime are mild when considering Vietnam’s standards of sanctions, and this practice has not dissuaded cyber criminals from committing acts of crime (Luong et al., 2020).
To add on, cybersecurity cooperation between Vietnam and other countries is not efficient. The limited judicial partnerships between Vietnam and other countries has limited the possibility of putting criminals on trial for cybercrime. Additionally, the roles of various state agencies are unclear when it comes to dealing with cyber issues, and the lack of distinction has dissuaded legal movement and discouraged active mitigation.
Common Patterns and Conclusions
Although these regions, and the countries within these regions, face different obstacles and different degrees of these issues, there are some common threads seen in many developing countries when it comes to cyberthreats. By identifying these commonalities, countries may encourage greater comprehension of these complex problems and better cooperation among the international level.
Three main commonalities have been identified, namely:
- Under-regulation and negligent policing and enforcement;
- Poor public knowledge and education regarding cyberthreats;
- Rapidly increasing usage of digital services like social media, payment apps, digital tools for businesses.
In many developing countries, there are no sufficient legislation and enforcement mechanisms to protect and assist citizens, businesses, governmental agencies in preventing such crimes (International Telecommunication Union, 2021). Further, poor public awareness and knowledge of the risks associated with cyber activities and new digital tools is poor in many of these regions. One main issue is that many digital tools are in English, which is not spoken everywhere and which is further enforced by a lower accessibility to education in many developing countries. Finally, the rapid adoption of many of these new technologies has made developing countries even more vulnerable as they have often not sufficiently considered cybersecurity before implementing them. Both citizens and businesses have rapidly increased their usage of technology. However, the legislative framework, enforcement, public awareness, and capacity building have not been able to keep up with this rapid adoption (Kshetri, 2013).
Since we live in a globalized world and the nature of digital crime is interconnected and global, it is important for all governments to be aware of the different circumstances that are being faced by different countries in order to avoid incurring the same threats.
The views expressed in this article are the author’s own, and may not reflect the opinions of the Sciences Po Cybersecurity Association.
Image source: getty images
Accenture. (2020). Insight into the Cyberthreat Landscape in South Africa. https://www.accenture.com/_acnmedia/PDF-125/Accenture-Insight-Into-The-Threat-Landscape-Of-South-Africa-V5.pdf
Bernstein, D., & MacKenzie, J. (2021). Africa: Implementation of Cybersecurity and Data Protection Law Urgent Across Continent. https://www.bakermckenzie.com/en/insight/publications/2021/06/africa-cybersecurity-data-protection-law
Dludla, N. (2018, June 18). South Africa’s Liberty Holdings suffers cyber attack. Reuters. https://www.reuters.com/article/ozatp-uk-liberty-holdings-cyber-idAFKBN1JE0JS-OZATP
IDB, & OAS. (2020). Ciberseguridad. Riesgos, Avances y el Camino a Seguir en América Latina y el Caribe—Reporte Ciberseguridad 2020. https://publications.iadb.org/publications/spanish/document/Reporte-Ciberseguridad-2020-riesgos-avances-y-el-camino-a-seguir-en-America-Latina-y-el-Caribe.pdf
International Telecommunication Union. (2017). Global Cybersecurity Index 2017. http://handle.itu.int/11.1002/pub/80f875fa-en
International Telecommunication Union. (2021). Digital trends in Africa 2021 Information and communication technology trends and developments in the Africa region 2017-2020. https://www.itu.int/dms_pub/itu-d/opb/ind/D-IND-DIG_TRENDS_AFR.01-2021-PDF-E.pdf
Interpol. (2021). ASEAN Cyberthreat Assessment 2021: Key Cyberthreat Trends Outlook from the ASEAN Cybercrime Operations Desk. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjzn4W2sM3zAhVL4YUKHeKxCO4QFnoECAIQAQ&url=https%3A%2F%2Fwww.interpol.int%2Fcontent%2Fdownload%2F16106%2Ffile%2FASEAN%2520Cyberthreat%2520Assessment%25202021%2520-%2520final.pdf&usg=AOvVaw2iMYNTHmFm2WCLvTGgCpk1
Kaufmann, N. (2021, April 29). Cyber Attacks Hit the City of Johannesburg and South African Banks. Hashedout. https://www.thesslstore.com/blog/cyber-attacks-hit-the-city-of-johannesburg-and-south-african-banks/
Kemp, S. (n.d.-a). Digital 2021: Brazil. Datareportal. Retrieved October 13, 2021, from https://datareportal.com/reports/digital-2021-brazil
Kemp, S. (n.d.-b). Digital 2021: Vietnam. Datareportal. Retrieved October 15, 2021, from https://datareportal.com/reports/digital-2021-vietnam
Kshetri, N. (2013). Cybercrime and cybersecurity in the global south. Palgrave Macmillan. https://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=620282
Liquid Cyber Security. (2021). The evolving Cyber Security threat in Africa: IT and financial decision makers respond to critical developments in South Africa, Kenya and Zimbabwe. https://liquid.tech/wps/wcm/connect/corp/00d614b5-e6cf-4552-9085-c12e47b6246c/Liquid+Intelligent+Technologies+Cyber+security+Report+2021.pdf?MOD=AJPERES&CVID=nKxjVS0
Luong, H. T., Phan, H. D., Van Chu, D., Nguyen, V. Q., Le, K. T., & Hoang, L. T. (2020). Understanding Cybercrimes in Vietnam: From Leading-Point Provisions to Legislative System and Law Enforcement. https://doi.org/10.5281/ZENODO.3700724
Pygma Consulting. (2018). Cybersecurity Governance in South Africa: A Perspective on Policy, Legislation and Regulation. https://pygmaconsulting.com/cybersecurity-governance-in-south-africa-a-perspective-on-policy-legislation-and-regulation/
Reva, D. (2021, July 29). Cyber attacks expose the vulnerability of South Africa’s ports. https://issafrica.org/iss-today/cyber-attacks-expose-the-vulnerability-of-south-africas-ports
Smith, T. (2003, October 27). TECHNOLOGY; Brazil Becomes a Cybercrime Lab. The New York Times. https://www.nytimes.com/2003/10/27/business/technology-brazil-becomes-a-cybercrime-lab.html
South Africa is under attack. (2021, October 28). Converged Group. https://mybroadband.co.za/news/security/324989-south-africa-is-under-attack.html
TeleGeography. (2021). Submarine Cable Map [Map]. https://www.submarinecablemap.com
Trân Dai, C. (2015). La cybersécurité au Viêt Nam: Formulation et mise en œuvre d’une nouvelle stratégie. Hérodote, 157(2), 126. https://doi.org/10.3917/her.157.0126
Zerucha, T. (2021). Kaspersky Report Parses African Cybercrime Trends. Crowdfund Insider. https://www.crowdfundinsider.com/2021/07/178155-kaspersky-report-parses-african-cybercrime-trends/