Implementation of the cybersecurity act, 2020 (act 1038) will be challenging:

0

….a look at the accreditation of cybersecurity professionals and practitioners

I have read the Cybersecurity Act, 2020 (Act 1038), and in my view its implementation will be challenging. In my first article, I looked at the Governance Structure of the Cybersecurity Authority and its political orientation that could compromise the operational independence and affect the continuity of the role of the Authority should there be a change of government. An institutionalized Board under a specified Ministry to take care of government policy directives would have been preferable.

In my second article, I highlighted how complex the implementation of Licensing of the Cybersecurity Providers under Act 1038 will be considering the broad, vague and all-encompassing meaning given to what a cybersecurity service is, which in my opinion may include anybody that deals with computers be it by way of software or hardware with connectivity to cyberspace.

My last article on Act 1038 article will look at the Accreditation of Cybersecurity Professionals and Practitioners as well as Cybersecurity Standards, Enforcement and Education. An area that is likely to be in conflict with the National Accreditation Board, University Faculties and other Professional Bodies such as ISACA. Accreditation of cybersecurity professionals and practitioners as well as setting standards for cybersecurity training and education will be tricky due to the dynamic and diverse skill set needed in such an industry. How is this going to be implemented?

My approach for this article will be simple. State what the Authority is supposed to be doing and how feasible that is in practice.

ACCREDITATION OF CYBERSECURITY PRACTITIONER AND PROFESSIONAL

According to Act 1038, a Cybersecurity Practitioner is an individual or a firm that protects a computer system or digital service and a Cybersecurity Professional is a person accredited under this Act to perform a cybersecurity-related professional function. The Cybersecurity Authority under the Act shall establish a mechanism for the accreditation of cybersecurity professionals and practitioners”

There are professional bodies like ISACA that award certifications such as CXS-P to people who have undergone a rigorous training and education in cybersecurity as professionals and practitioners. A professional I believe is basically a person who belongs to a professional body or performs an activity as its main source of income.  In the corporate world the distinction between an academic qualification and that of a professional one is that the latter belongs to a professional body. The professional is more of a master in a particular field and need not be a practitioner. We can therefore have Chartered Bankers Medical Doctors or Lawyers who are professionals but not practitioners. There are universities that award degrees in cybersecurity and even LLM in cybersecurity. There are so many Information Technology (IT) certifications from accredited institutions that has to do with protecting computer systems or digital services. Now what does the Authority want to do? Are we saying all these people until they have been accredited protect by the Cybersecurity Authority cannot support any organization or put their expertise to use?

The use of the word “shall” makes it so imperative for the Authority to give the accreditation and not surprised it also says “establish mechanism” because it is a herculean task for an Authority to do this in such a dynamic environment. Let us take the banking industry for example, there are Chartered Bankers who are professionals and those who are working in banks as practitioners and call themselves Bankers. The regulator is the Bank of Ghana but does not give accreditation to the professional Banker or the practitioner Banker. What a regulator can do is specify the type of education or training required by certain roles in the industry they regulate especially at the executive level. Is Act1038 saying that an ICASA certified CXS-P for example or someone with a degree in cybersecurity cannot be a cybersecurity professional or practitioner until accredited by the Authority and should the person touch anything cybersecurity a fine must be paid?

In my opinion, there is nothing complex about cybersecurity that cannot be handled by the those who know how with the needed knowledge, technical tools and cybersecurity risk management practices. I think cybersecurity has been blown out of proportion by a few so called experts so they can earn their living and may be the legislatures being cyber phobic have bought into it.

CYBERSECURITY STANDARDS AND ENFORCEMENTS

Under the Act, the “Authority shall develop, establish and adopt for cybersecurity the following:

  1. Education and skills development
  2. Hardware and software engineering
  • Governance and risk management
  1. Research and development

Also the Authority shall develop a qualification and competency framework for

  1. persons offering training in cybersecurity programmes and
  2. educational institutions offering cybersecurity programmes.

In my opinion, the use of “shall” is too imperative and should have been more of a facilitating or collaborative role. Does this mean the Authority is responsible for developing curriculum for the universities and professional bodies involved in cybersecurity training and education? Who are going to be working at the Authority and what will their competency levels be in the development and design of such competency frameworks. Well the frameworks already exist anyway. Why does the Authority want to get involved in for example hardware and software engineering? Are they going to review what institutions such as NIIT are teaching? Must these institutions seek accreditation from the National Accreditation Board as well as the Authority? The cybersecurity standards and enforcement could be in conflict with other educational standards and accreditation due to the dynamic and diverse skill set needed in such an industry. What about educational institutions outside the country? Should anyone who has acquired a qualification in Cybersecurity outside the country seek validation from the Authority before working in Ghana to make sure it meets the standards? I guess so because by the Act, you cannot even touch cybersecurity without being accredited by the Authority anyway. I wonder how this will be accomplished.

CONCLUSION

Due to the complex mandate given to the Cybersecurity Authority, to implement the Act, the Authority will have to have a diverse skill set of professionals, Researchers, Educators, IT Risk Management, Software and Hardware Engineers, IT Governance experts, IT Auditors. IT Lawyers. I believe they all have to be prefixed with the powerful word “Cybersecurity” to be able to head and work in the various directorates that may have to be established to execute this mandate. These skill sets are abundant in the private sector, industry and academia for which a collaboration would have been more meaningful and easier to implement with the Authority playing a facilitating, inspection and monitoring role.

When you put in too many controls, the system you even trying to protect comes to a halt. Risk in cyberspace can only be mitigated and managed but not eliminated. I must say Act 1038 is watertight in theory and if it is for some requirement to be seen as a country fighting Cybercrime or preventing Cyberattacks then its purpose has been achieved. No doubt.

The Authority seems to have bitten more than it can chew and wondering if an impact analysis of the Act was done before being passed into law. The Regulations to follow the Act must bring clarity to its intent so in practice the implementation will be accomplished.

Let me end by what Chris Reed, a Professor of Electronic Commerce Law said about making laws for cyberspace:

  1. The law must be understandable and it must appear to be possible to comply.
  2. The law must be aiming to achieve a sensible, feasible end.
  • The content of the law must reasonably match the way in which activities are carried out in cyberspace.
  1. The law must be sufficiently future-proof so that that it can adapt to changes in business methods and technological innovation.

The author  holds an EMBA (IT Management) an LLB and LLM (IT & Telecommunication) (visit : Kofianokye.blogspot.com )

Leave a Reply