The Nigerian cyber threat landscape is very interesting. It is almost a free for all environment where seasoned cyber criminals shamelessly advertise their services and capabilities to upcoming fraudsters. The army of bad guys, otherwise known as the “Gee Boys”, is growing at a rate that the good guys can only dream of, yet organizations in Nigeria are hardly taking these threat actors, and indeed, cyber defense seriously.
On the other hand, organizations all over the globe recognize the danger coming out of the Nigerian cyberspace and typically develop specific countermeasures into their cyber security programs. The threat is so real and potent that over the last 4 years, some of world’s biggest names in endpoint protection and cyber threat intelligence have conducted comprehensive studies into the activities of Nigerian cyber criminals. Eight of such studies were covered in my presentation at cybersecurenigeria 2019.
In the second part of the session, cyber threat intelligence data gathered, analyzed and transformed into insight, was presented about unnamed Nigerian organizations who are currently getting by in the under-regulated cyber threat environment. This data was mostly obtained from the darkweb.
Nigeria is Africa’s most populous country, biggest economy, and undoubtedly, cyber fraud capital. This is because thousands of unemployed (and under-employed) Nigerian youths continue to participate in cybercriminal activities. The impact of these activities is being felt, more than ever before, across the globe. The number of Nigerian graduates supplied to the labor market every year is almost equal to the entire population of Jamaica. Some of these young people end up pursuing a career in cybercrime, and these category of people, who continue to grow in number, pose significant threats to local and global organizations. They typically cite lack of gainful employment opportunities and corrupt government as their reasons for perpetrating cybercriminal activities. While it is difficult to argue with this, it remains an unacceptable excuse, and appropriate punitive measures should always be meted out to those caught in the act.
With that said, regulators and several arms of government in Nigeria remain largely accountable for malicious activities originating from within its cyber space therefore they cannot afford to continually turn a blind eye to this menace. This situation, which continues to get desperate by the day, needs to be arrested as soon as possible. One way of doing this is by creating an enabling environment for these young individuals to thrive. Some of the cyber fraud schemes created and operated by these criminals are testaments to their ingenuity. The energy and brainpower of these young individuals can be harnessed to create wealth for the country.
This is exactly what Bill Gates was alluding to in 2018 while addressing Nigeria’s leaders. He stated that “the most important choice any government can make is to maximize its country’s greatest resources.” In this case, Nigerians are Nigeria’s greatest resources, and everyone connected with the country is losing out right now because the government is largely failing in its responsibilities to its young people.
Among other factors contributing to the cyber fraud menace in Nigeria are the country’s weak cybercrime law and under-resourced law enforcement agencies. The Nigerian Police and the Economic and Financial Crimes Commission (EFCC) are really the main authorities fighting cybercrime in the country, and they are well and truly under-resourced.
In terms of cyber laws and regulations, not much has been done since the cybercrime act was passed into law in 2015. Given the constant evolution of the cyber threat landscape, current gaps in the act make it unfit for purpose. Attempts made over the last few years to improve the quality of this act have so far yielded no positive output. For instance, the bill to repeal and re-enact the Cyber Crime Act 2015, sponsored by Senator Buhari Abdulfatai has yet to move beyond first reading since 2017.
The reputational damage done to Nigeria and Nigerians home and abroad by the unfortunate reality of cybercriminal activities of some of the country’s young men and women is immense. As an example of negative impact, those seeking to provide legitimate remote IT services to individuals and organizations outside of Nigeria often miss out on potentially life changing opportunities due to trust issues.
Recognizing the danger coming out of the Nigerian cyberspace, organizations across the globe typically develop specific plans to mitigate the threat. Ironically, however, organizations in Nigeria have yet to fully come to terms with the threats posed to their businesses by cyber attackers.
Nigerians generally abhor traditional thieves but there seems to be some level of resignation in the Nigerian society that cyber fraudsters are a symptom of a dysfunctional system for which the government is responsible. Reactions to the armed robbery operation recently carried out by five of their citizens in the United Arab Emirates against a bureau de change epitomize how objectionable Nigerians find physical thieves even though the amount of money stolen (about 626,000 USD) pales in comparison to how much Nigerian cyber thieves are stealing everyday. For example;
- Between June 2018 and January 2019, the Australian Competition and Consumer Commission (ACCC) put total financial losses related to Nigerian scams at $674,000 USD;
- Secureworks’ counter threat unit (CTU) researchers estimated that between June 2017 and January 2018, GOLD GALLEON, a Nigerian cyber threat actor group, attempted to steal a minimum of $3.9 million U.S. dollars from maritime shipping businesses and their customers;
- In fiscal year 2017, the FBI reported that nearly $1 billion ($969 million, to be precise)was “diverted or attempted to be diverted” from real estate purchase transactions and wired to “criminally controlled” accounts.
A lot of these illicit activities are perpetrated by Nigerian cyber fraudsters who continue to remain “unnamed and unshamed”.
Through ongoing intelligence gathering and painstaking analysis, Digiss continues to gain extensive knowledge of the tactics and techniques of these threat actors, who continue to cause significant financial losses to organizations (mostly in the US, UK and Canada) in the Banking, Telecommunications, Retail, Entertainment, and Consumer Services industries among others. The rate at which these individuals and groups are developing and adapting is alarming, and unless the Nigerian government pays close attention to this menace, the impact will continue to be felt the world over. Through collaboration with some foreign law enforcement agencies, the EFCC wins some battles but the fact remains that it is losing the war against cyber fraud because it’s largely playing a game of whack-a-mole.
As Sun Tzu stated, the supreme art of war is to subdue the enemy without fighting. To have a chance of winning the war against cyber fraud, the Nigerian government needs to create an environment that enables its vastly energetic and talented youths who account for over 65% of its population.
For Nigeria, the establishment of an apolitical National Cyber Security Center with clear mission, vision and objectives is well overdue.