Implementation of the Cybersecurity ACT, 2020 (ACT 1038) will be challenging:
… A look at the licensing of the cybersecurity providers
I have read the Cybersecurity Act, 2020 (Act 1038), and in my view its implementation will be challenging. In my first article I looked at the Governance Structure of the Cybersecurity Authority and its political orientation that could compromise the operational independence and affect the continuity of the role of the Authority should there be a change of government. An institutionalized Board under a specified Ministry to take care of government policy directives would have been preferable.
This article will look at the Licensing of the Cybersecurity Providers (sections 49, 100 and the First Schedule of Act 1038), which requires that a person shall not provide a cybersecurity service unless that person obtains a license issued by the Authority in accordance with the Act.
I find the implementation of this licensing regime to be complex taking cognizance of the broad and not too clear meaning given to cybersecurity services and cybersecurity service provider.
My approach will be to state certain concepts as given by Act 1038 relating to cybersecurity and especially what the Act means by cybersecurity services, then deduce how the licensing regime of the Cybersecurity Providers would be challenging in practice. Invariably, it looks like anybody that deals with computers be it by way of software or hardware that will be connected to cyberspace would have to be licensed.
MEANING OF TERMS
- Cybersecurity Services
A service provided for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to a person. This includes services related to assessing, testing or evaluating cybersecurity, conducting forensic examination, detecting cybersecurity threat or incident. It also includes designing, selling, importing, exporting, installing, maintaining, repairing or servicing of cybersecurity solutions. Monitoring of cybersecurity and scanning information that is stored in, processed by or transmitted through a computer or computer system falls under cybersecurity services. Maintaining control by effective management, operational and technical controls for the purpose of protecting the computer or computer system against any unauthorized effort to adversely affect its cybersecurity. Assessing or monitoring the compliance of an organization with the cybersecurity policy. Providing advice on cybersecurity programme, threats, solutions or risk management of cybersecurity as well as proving or assessing training or instruction in relation to any cybersecurity service.
I really do not understand what the Act was trying to say or do. Basically the above will include anybody who imports or sells an antivirus or firewall software or a network hardware; anybody who is using a tool to scan information stored in a computer or computer system; anybody assessing the vulnerability of a computer to cyberattack; anybody giving advice on how a computer or computer system can be protected from cyberattack such as the use of firewalls, antivirus and password usage; anybody (auditor) monitoring an organisation’s compliance to its own cybersecurity policy; anybody training staff on information security techniques; anybody who installs a software meant to protect a computer or computer system from cyberattack such as an antivirus; anyone providing operational management controls to computer systems for the purpose of safe guarding the system from cyberattack such as advising on forced password changes.
The services as described in the Act relating to cybersecurity are normal Information Technology (IT) services that are provided by so many IT experts be it programmers, hardware engineers, software engineers, lawyers specializing in IT and IT management consultants. Adding the word “cybersecurity” seems to want to give it some unique and exotic service to bring it under the Act. Obviously, with the internet being an integral part of our daily lives every IT service will have to deal with some form of connectivity. The programmer developing an HR software will have to make sure it can be accessed remotely and must put in certain cyber controls which is a form of cybersecurity to protect the data. Must that programmer be licensed according to the Act?
The state in which a computer or computer system is protected from unauthorized access or attack for the purpose of ensuring its availability, integrity and confidentiality of the information stored.
What readily comes to mind when one hears cybersecurity is some form of technological solution to protect information, networks and applications that has some remote access connectivity from attack electronically as in a cyberattack. The unauthorized access or attack is usually electronic and that should have been made clear. The use of the word “state” by Act 1038 in the meaning of cybersecurity is so ambiguous and can easily include a security man physically guarding a computer or computer system. Is a security man guarding the server room where the servers are connected to the internet providing a cybersecurity service? Must he be licensed?
- Cybersecurity Products
This includes a computer, computer system, computer programme or computer service designed for or purported to be designed for, ensuring or enhancing the cybersecurity of another computer or computer system. The Cybersecurity Authority is mandated to certify all cybersecurity products and technology solutions.
Does the above mean the providers of the above products must be licensed as well since their product or service is related to cybersecurity? Does it mean anyone who writes a software that has any connectivity tool that secures a computer from cyberattack must be licensed and the product certified. Even if this has to be done, is the Ghana Standards Authority only for Bitters? We can get a unit to do that.
- Cybersecurity Service Provider
Any person licensed under the Act to provide cybersecurity service.
Under the transitional provisions, a person who provides cybersecurity service before the coming into force of the Act must within three months on coming into force of the Act, apply to obtain a licence or pay an administrative fine. I am confused as to who must apply to obtain the licence.
The services relating to cybersecurity are so diverse as in the Information Technology space that almost every IT professional, software or hardware engineer, will have to be licensed since their work cannot avoid some form of protection against cyberattack even if it entails mere installation of an antivirus or firewall. I have no doubt that it will even be a challenge for the Cybersecurity Authority as to who falls under their licensing regime looking at the plethora of IT service providers and professions. Again as I asked in my earlier article, are some styled cybersecurity experts, creating a niche role for themselves? I just hope the regulations to follow the Act will bring some clarity.
The author holds an EMBA (IT Management) an LLB and LLM (IT & Telecommunication) (visit : Kofianokye.blogspot.com;