Implementation of the Cybersecurity Act, 2020 will be challenging

0
Cubed background in different sizes and blue colors aligning to a row of glowing information security icons surrounding the word cybersecurity 3D illustration

a look at the governance structure

I have read the Cybersecurity Act, 2020 (Act 1038), and in my view its implementation will be challenging. I intend to give my opinion on various aspects of it in three separate articles. The Governance Structure (sections 2 to 20 of Act 1038), the Licensing of the Cybersecurity Providers (sections 49, 100 and the First Schedule of Act 1038), and the Cybersecurity Standards, Enforcement and Education as well as Accreditation and Certification of Cybersecurity Professionals (sections 57 to 61 of Act 1038).

This first article is about the governance structure which I find politically biased and in control of the Executive arm of government instead of being institutionalized. This is likely to compromise the operational independence, perceived or real, of the Cyber Security Authority. My approach will be to say what the law says about a subject area under the governance structure and give an opinion. First let us start with an appreciation of what cybersecurity is all about.



What is Cybersecurity?

I do not intend to give a definition but the word “cyber” brings to mind an interconnection of computer networks by way of hardware, software and communication technologies as well as the internet that facilitate digital data exchange. In effect there needs to be a form of remote access, usually through the internet, to the connectivity of where the computers are physically located. The environment as described above is basically what we mean by cyberspace. Once you are able to remotely access any such computer network or environment then you can be said to be in cyberspace. Cybersecurity therefore is securing the environment of cyberspace. Nothing to scare you.

It follows then that any attempt to secure all forms of data, including non-public information, sensitive personal, industry and national data in that environment, relates to an aspect of cybersecurity. This may be data storage security, data protection and privacy policies, hardware and software solutions.

Any attack in cyberspace is a cyber-attack and this can affect an individual, a company, public corporation or national information systems. This could be from malwares, denial of service, virus and phishing.

Cybersecurity therefore encompasses various information technology risk management tools both technical such as a simple anti-virus software and non-technical such as denial of physical access controls to a data center that is connected to the network.

  • Board Composition

The Act establishes a Cybersecurity Authority to amongst others regulate cybersecurity activities and to promote the security of computers and computer systems in the country as well as advise the Government and public institutions on all matters related to cybersecurity in the country. The Authority has a thirteen-member Board made up of four Ministers that is Communication, Interior, National Security and Defence Ministers. Also the President is to nominate three other persons. In effect seven of the Board members are from the Executive and this excludes the Director-General. The quorum for Board meetings is seven and decisions are of course by majority of members present. The Act is not clear on the ministry under which the Authority operates but states that “ The President shall nominate the Minister as chairperson of the Board”. Also Minister under the Act means “one of the Ministers specified under subsection (1) of section 5 assigned responsibility for cybersecurity matters”. This could then be either the Communication, Interior, National Security or Defence Minister. In terms of policy directives, the Act states that “ the Minister may give directives in writing on matters of policy to the Board and the Board shall comply” .

In my opinion, this structure makes the board highly political and ineffective once there is a change in government. If cybersecurity is that critical why should we not have continuity even when governments change, now that in the ruling of the Supreme Court in the case of Theophilous Donkor v AG , the Director-General cannot be removed when there is a change in government under the Presidential Transitional Act. With a quorum of seven members, the political appointees who are seven in number can meet to take a decision that may be more politically motivated. Even when a full board is constituent, the seven political appointees being in majority will carry the day. If it takes three months for a new Board to be constituted should there be a change in government, what happens to the cybersecurity environment in the Country?

With the Board top heavy with all these Ministers, I foresee a power struggle and conflict with respect to who is a Cabinet Minister, who is closer to the President or who the supervising Minister is since that person becomes the chairperson of the Board. The Act gives the President the prerogative to assign who the supervising Minister will be at any point in time and how will this help industry players including the Authority itself?  I find it a complex arrangement that the nominated Minister is also the chairperson of the Board and has the power to give policy directives that shall be complied with by the Board. It gets more complicated if the nominated Minister is not senior to the other Ministers on the Board by way of Cabinet status or even political clout. Recipe for disaster if you ask me.

The Board structure is problematic since it comes across to me it was done with Executive political control and influence, may be for fear of the unknown rather than cyber industry development and protection in mind. The Board composition should have been majority of institutional representatives by the industry players with government oversight through the supervising ministry. After all the Act obliges the Board to comply with directives from the Minister. I do not think the Minister should chair the same Board who must comply with her policy directives as the Supervising Minister for the Authority. The Supervising Minister can be said to be the mouth piece of the Government and as chair the Board the Authority, the mouth piece of the Authority. Meanwhile, one of the functions of the Authority is to advise the Government on matters relating to cybersecurity.  Where is the independence of thought? How can the Authority assist the Minister with the technical knowledge in cybersecurity?

  • The Director General

The Act requires that the Director-General (DG) has expertise in Cybersecurity. The function of the DG is to implement the decisions of the Board and responsible for the day to day administration and management of the Authority.

In my opinion, there is no need for the DG to have expertise in cybersecurity? This is nice to have but not necessary since the qualification needed in cybersecurity is diverse and need not directly be linked to the word “cybersecurity”. A lot of areas in Information and Communication Technologies come together to address cybersecurity from administrative, technical and legal. What expertise are we talking about? Why do I have the notion that some people who may be part of drafting the Act tried to create a job for themselves, creating an exclusive role for themselves? It beats my mind why we seem to ignore administrative and leadership expertise in such roles as if they come naturally when you have technical expertise. It is like saying to be appointed an Electoral Commissioner one must have expertise in conducting elections. There is too much fuss about cybersecurity. My observation is technical people do not necessarily make good administrators, leaders and managers in their field, mostly because they become fixated in what they think the solution is, wanting to implement their technical view of issues and not allowing divergent opinion. They end up being overly autocratic which then affects the organization.

  • Joint Cybersecurity Committee

The Act establishes a Joint Cybersecurity Committee (JCC) to collaborate with the Authority and sectors or institutions represented on the Committee for the implementation of relevant cybersecurity measures. The JCC is made up of eighteen members and is answerable to the Board. The various heads of National Information Technology Agency, National Communication Authourity, Data Protection Commission, Bank of Ghana, Financial Intelligence Center, Bureau of National Security, Economic and Organised Crime, Criminal Investigation Department of the Ghana Police Service, National Security Council Secretariat, Bureau of National Communication, Immigration Service, External Intelligence, Ghana Armed Forces, Public Prosecutions Division of the Office of the Attorney General, Ghana Domain Name Registry. The heads may also nominate a representative with the requisite knowledge and skills in cybercrime and cybercrime matters to the JCC. Also a member is a Justice of the Superior Court of Judicature with requisite knowledge and skills in cybercrime and cybercrime matters.

Once the Board is that political, this Committee should have been more of a technical committee for strategy formulation instead of an implementation committee. Well not surprised since the DG with expertise in cybersecurity would be the knowledge base. How helpful will this JCC be to the Board? What will the Governor of the Bank of Ghana for example be doing?

The JCC would be more effective if the representatives were those with requisite knowledge and skills in cybercrime and cybercrime matters but the Act gives that option to the heads of the institutions to either be on the JCC or choose a technical representative. Let there be a course in the UK and you will see who would attend. For continuity technical staff from the institutions would have been preferable. Imagine what would happen to the Authority should there be a change of government. The Board is gone and the JCC goes with it once the various heads are changed. Not too good an arrangement.

My other concern to is with the fact that the Justice of the Superior Court of Judicature must have requisite knowledge and skills in cybercrime and cybercrime matters.  It is nice to have but not necessary. Judges are trained to adjudicate cases relating to oil exploration, medicine, aerospace and many technical disciplines ad need not have any special knowledge or skills in those areas. Why this fetish about cybercrime that is requiring everybody to have knowledge in it? Most of the traditional off-line laws apply in the on-line world and even the specific laws relating to the on-line world have been written and can be interpreted. This is no big deal. In any case, where are we going to find the Judges? Are we trying to create a niche for cybersecurity professionals who end up doing law and join the bench? I would not be surprised if it was mostly technical cybersecurity professionals who were deep into drafting the Act.

  • Secretary to the Board

Under the Act, a person shall not be engaged as Secretary to the Board unless that person has by virtue of an academic qualification, or as a member of a professional body, is considered by the Board as capable of performing the functions of the Secretary.

In my opinion, the secretary to a Board is a very professional job. Section 211 (3) of The Companies Act, 2019 (Act 992) prescribes in terms of best practice who can be a secretary to the Board. This is a person who:

 (a) has obtained a professional qualification or a tertiary level qualification offering company law practice and administration that enables that person to have the requisite knowledge and experience to perform the functions of a Company Secretary,

 (b) has held office, before the appointment, as a Company Secretary trainee or has been articled under the supervision of a qualified Company Secretary for a period of at least three years,

 (c) is a member in good standing of

  • the Institute of Chartered Secretaries and Administrators,
  • or (ii) the Institute of Chartered Accountants, Ghana,

(d) having been enrolled to practice, is in good standing as a barrister or solicitor in the Republic, or

 (e) by virtue of an academic qualification, or as a member of a professional body, appears to the directors as capable of performing the functions of secretary of the company.

 

I wonder why Act 1038 decided to just lift one aspect of Act 992 that is S211 (3e) which seems to give discretion to the Board. In my opinion S211 (3e) of Act 992  should not even have been added to the Companies Act since it defeats the purpose of Sections 211 (3a) to (3d) of Act 992 of making sure only qualified persons are made secretary to Boards and strangely that was what Act 1038 preferred.

What does “..or as a member of a professional body..” mean?  Can it be any professional body? So if I belong to the Chartered Institute of Bankers and the Board considers me capable of performing the function, Both Act 992 and Act 1038 make it legal but is it the right thing to do? The role of a secretary to the Board should not be downplayed as a record keeper. The wrong person puts the members of the Board at risk if you take a cursory glance at the function of a company secretary under S212 of Act 992.  The professional body and qualification should have been specified as in Act 992. On the other hand, would this particular Board care. Majority will be political appointees anyway.

  • Appointment of Inspectors

Under the Act, the President shall appoint inspectors for the Authority with the emoluments being charged to the funds of the Authority. The inspectors appointed are not subject to the direction or control of a person or any authority in the performance of the functions under the Act. The inspectors are answerable to the Board in the performance of their duties with their function including to submit quarterly reports on the outcome of inspections carried out to the Board. An inspector must have knowledge and background in technology and cybersecurity. The function of the inspectors is also to ensure that a production order or interception warrant issued under the Act is used for the purpose for which it was issues and data retained or retrieved in accordance with the Act is used for the purpose.

I appreciate why the inspectors report directly to the Board from the function given to them in the Act. In my opinion, the function of the inspector as given in the Act is misplaced and can easily be under the Audit Department. Internal audit of an Authority is not only about financial aspect of the operations but the mandate as well. What special skill is needed to check that an interception warrant issued has been used for the intended purpose that the internal auditor cannot have? What are computer audit trails for?  Inspectors of an Authority are not to be like internal auditors of the Authority to be reporting to the Board but should be inspectors of the Authority for making sure cybersecurity directives and risk management controls and tools are being adhered to by operators in the cyberspace. Do you need knowledge and background in technology and cybersecurity to report on how a production order or interception warrant has been used?  I think not.

Also even as it stands now, how can the inspectors appointment by the President not be under the direction and control of any person or authority when they are to report to the Board? It is a contradiction since they are under the control of the Board.

The functions of the inspectors should be external to the Authority.  The Board should therefore be allowed to appoint inspectors who really should be an integral part of the Authority. The Inspectors of the Authority should actually be reporting to, under the direction and control of the Director-General. If care is not taken these inspectors having been appointed by the President will grow “wings” and see themselves above the Director-General. I foresee administrative challenges and conflict.

Conclusion

Security is not foolproof either in the physical space or cyberspace and I concede that due to technology ignorance, adapting existing traditional legal standards to cyberspace can be daunting to legislatures and judges who are likely then to use a “belt and braces” approach which may not be workable till the issues are understood.

The general governance structure of the Act is biased towards protection of national critical information systems and networks though the Act is said to also promote the security of both private and public computers as well as computer systems in cyberspace.

An attack on a nation state in the traditional world is even more difficult to stop than an attack in cyberspace. It is more difficult stopping a missile attack in Ghana from another country than a cyberattack. However, it seems fear has been put into the politicians about a “space” they cannot see but only the cybersecurity experts can, thereby creating a cumbersome governance structure by the Act for the politicians to seem to be in control to take the blame, whilst the experts earn a living at the background. The potential organizational dysfunctional conflict and power struggle is high in the governance structure.

The author holds an EMBA (IT Management) an LLB and LLM (IT & Telecommunication) (visit : Kofianokye.blogspot.com)

 

Leave a Reply