Should firms be forced to report when hacked?

The days of dramatic, violent, gun blazing robberies are long gone. Bank crimes are now so soft, so subtle and barely noticeable. Not even a fly gets hurt in the process.

66

BY BARNABAS ONYONKA

If you were to count the gains banking has made from technology on your palms, you will run out of fingers. The great technological advancements that have occurred in the past decade or so have entirely revolutionized banking.

Mobile banking has transformed banking from a 9am- 4pm thing to a round-the-clock activity. Rare is the day you would have to wait in line for ages to be served. The usual long queues at the banks are getting shorter by the day and will soon become extinct. Thanks to technology, knowing an individual’s credit status has never been easier; all it takes is logging onto the Credit Reference Bureau (CRB) Kenya portal and you are good to go.

Positives aside, technology has given bank related crimes a shot in the arm. The days of dramatic, violent, gun blazing robberies are behind our backs. Bank crimes are now so soft, so subtle and barely noticeable. Not even a fly gets hurt in the process.

Though scarce in theatrics, the magnitude of cyber related bank crimes is overwhelming. In the past the amount of money a thief would be able to get away with, say in a robbery, was limited because of the logistical problems of handling large amounts of money. The case is different with technology, logistics is no longer a constraint; once someone has got access into a system there is no limit to the amount of money they can get away with. Cybercriminals proved this point all too well when they made away with a whopping $81 million from the Central Bank of Bangladesh in 2016.

Locally, not so long ago Kenya Revenue Authority cried foul of having lost almost Sh4 billion in a cybercrime. Such a huge amount of money being lost by such a significant organization is in itself baffling. But it is not the only disconcerting detail of the KRA ordeal. The amount of time KRA’s systems were interfered with is every bit as disturbing. According to the tax body, the suspect allegedly interfered with their systems between March 2015 and March 2017(two years). This revelation illustrates how imperceptible cybercrime can be. If hackers were able to secretly meddle in the systems of such a reputable institution for two years and get away with Sh3, 985, 663, 858 then everyone of us has enough reason to be very worried of being a cybercrime victim.

There is something about the KRA hacking revelation that didn’t quite catch our attention but is worth looking into. The investigations that lead to the exposure of the hacking was a result of “complaints to the police by various banks and institutions that were losing money through malicious transactions,” reported a local paper. What happened to the other complaints? Is it that the state investigators were able, of all the complaints, to only pin down the KRA hackers?

Alternatively, and most probably, the institutions that were affected sought oblivion once the investigations were done and chose to strengthen their weak points. This is of course because of obvious reasons. Imagine the negative publicity that a bank, for example, will get if it is revealed that it was hacked.

Maybe the reason why only the KRA ordeal made it to the public’s attention is because the tax body doesn’t need public confidence. Whether or not you trust the security systems, you will pay your tax.

Banks and other institutions on the other hand want to maintain a spotless public image. Hence, most institutions suffer cybercrimes in silence just for the sake of keeping a clean image. Otherwise, coming out clean and pressing charges against the suspects would put them at a risk of losing one of their most valuable assets – customers. Their silence is not helping us in any way because we have to keep guessing the magnitude of cybercrimes.

Much as the banks are the major victims of cybercrime, they don’t stand alone. Their customers get a sizable share of the damage but in a slightly different way- while banks lose money customers lose data. Money isn’t the only valuable commodity to hackers, data is equally precious. Once they obtain the data of a customer, they can use it to hack the individual’s accounts on other platforms.

Businesses have not been spared either. Accusations of stolen business secrets through cybercrime are increasingly becoming commonplace. In 2014, the United States charged five Chinese officials for coordinating cyber-attacks against six American companies. According to the Department of justice, hackers got information on solar power technology, nuclear power plant technology, and inside information on U.S business strategy, alongside other sensitive information. Small wonder why one of the world’s most famous business secrets, the Coca-Cola recipe, is stored in a vault and not in a computer.

The case is hardly different for governments. Earlier this year, Le monde, a French newspaper published an investigative piece, which said that servers at the African Union headquarters were being tapped by China. This was possible because China had financed and built the $200 million headquarters in a noble act of benevolence back in 2012. The Chinese foreign ministry, through a spokesperson, refuted the report terming it as “nonsense and groundless accusations.” African leaders have on their part dodged the question. When asked about the issue, Nigerian President Muhammadu Buhari said he had not read the Le monde report. When the new AU leader Paul Kagame was probed on the same he cunningly avoided answering the question directly and instead said he wished Africans had built the AU headquarters themselves.

As the common adage goes, a dime of prevention is worth a dollar of cure. Authorities have realized the seriousness of the risk that is cybercrime and have come up with measures to ensure that industry players are safe. The central bank, for instance, advised banks to come up with a cyber-security policy in the aftermath of the KRA hacking. However, technology is fast changing and very sporadic. When it comes to safety, many organizations have to play catch up, that is they adjust once they have seen a weakness in the system. Of course there is no such thing as a foolproof system but when it comes to technology all systems are in some way ‘fool-prone’. There is always a way to get into a system. As a solution, many organizations are embracing a method of security where they hire experts to hack into their systems as a way of exposing faults. Also, many companies are starting to embrace ethical hacking by rewarding persons who have managed to find flaws in their systems.

Still, even as authorities keep on adjusting, hackers remain ahead of the curve by a long shot. Cybercrime is getting organized and increasingly structured by the day. The typical cybercriminal is no longer a lone ranger in some dark basement. Cyber criminals now operate in a professionalized, business like way. They are guns for hire who exchange their services for pay in the dark web, operating in an expert way complete with departments and, surprisingly, even customer service agreements.

Ironically, deadly as the threat of cybercrime is, it is often taken lightly; this is largely because of the lack of awareness and the subtle nature of cybercrime. It is high time the Kenyan government took cyber security seriously by passing and implementing laws in this space. For example, several states in America have enforced ‘reporting laws’ which necessitate that companies report when they are hacked. The government can also set up a special police wing that specializes in cyber security.

Otherwise, without goodwill from the government coupled with user awareness and vigilance, cybercrime will continue to be the deadly blow that you never see coming until it’s too late.