A project of the Centre for Internet and Society, India
Supported by Omidyar Network India
In the sixth instalment of the Digital ID Dispatches from Africa series, we have our third piece from a country partner who used the CIS Evaluation Framework to examine digital ID in Nigeria. In this piece, Babatunde Okunoye, fellow at the Berkman Klein Centre for Internet and Society at Harvard University, examines the importance of (digital) security for safeguarding citizens’ and the public sector’s data in digital ID programmes.
Many governments across Africa have begun implementing digital identity schemes in line with UN’s Sustainable Development Goal 16.9, which aims to ‘’provide legal identity for all, including free birth registrations’’ by 2030. More than 40% of those lacking IDs live in Africa. This bars them from fully participating in national life in civic duties such as voting, and also from accessing services such as banking and government social transfers. The numerous government-sponsored digital identity programs in Africa, such as Nigeria’s, attempt to solve these problems and provide routes to inclusion in national life for millions of people.
But many of these programs have been implemented without adequate consideration for digital security and privacy. Digitising citizens' data, which makes up digital identity, and storing them in centralised databases (as with the case of Nigeria and many other African countries), increases the risk of cybersecurity breaches of digital identity databases. The planned linking of the foundational digital identity number of citizens with all other functional identities such as driver’s license, health insurance, voter’s registration and bank verification number in countries such as Nigeria only increases the value of the foundational digital identity, increasing the risk of cybersecurity breaches. In the event of a cybersecurity breach, data stolen in this context can be used to authenticate transactions, or used in phishing attacks. In more brazen exploits, ransomware attacks can be implemented to hijack data to be released only after the payment of fees.
Cybersecurity breaches are now regular occurrences in our world. In May this year, following a pattern of significant global cyberattacks in the past five years, hackers breached the computer network of Colonial Pipeline, which runs the major petroleum supplying the east coast of the United States (US). Using ransomware to cut off the customer data of the utility, which prevented Colonial from correctly billing its customers, they demanded a significant ransom that was allegedly paid. More pertinently however, hackers have developed a liking for government databases. In 2015, hackers breached the Office of Personnel Management (OPM), the human resources department of the US federal government. Personal data of up to 21.5 million government employees, contractors and their families and friends was compromised. Similarly in the US in 2015, a database of 191 million voters was exposed. This breach exposed the personal information including names, dates of birth, party affiliations, emails, addresses, and more – of voters in all of the US. The aftermath of such large data breaches usually includes years of footing the bill for identity theft and credit monitoring for the victims. In Africa, we cannot afford that bill.
Although some digital identity projects such as Nigeria’s report global certifications, the Global Cyber Security Capacity Centre (GCSCC) reports a cybersecurity maturity model for Nigeria that is largely formative in most of its maturity estimates. This suggests a stage of national cybersecurity maturity where capacity has begun to grow and be formulated, but may be ad hoc, disorganised, poorly defined or simply new. This formative status might be reflected in some flawed implementations of the digital identity scheme – such as the mobile phone USSD code, which permitted anyone with the surname and date of birth of a Nigerian to access their National Identity Number (NIN) from a mobile phone. This security lapse was only rectified following litigation by civil society. Similarly, many Nigerians reported problems with an earlier version of Nigeria’s digital identity mobile app – which brought up data on other people rather than the real owners of the digital identity.
Potential cybersecurity breaches of digital identity databases are not limited to the institutions that manage these identities. Citizens and residents who use digital identities are sometimes not aware of the cybersecurity risks associated with the identity, which can include identity theft and phishing attacks. The GCSCC Maturity Model for Nigeria estimates the country’s level of national cybersecurity education as established. (This means that the indicators of this aspect dealing with cybersecurity and knowledge capabilities are in place, and functioning. However, there is no well thought out consideration of the relative allocation of resources.) Earlier this year, following the directive from government that all NINs be linked to phone numbers in Nigeria, several fake websites and apps appeared on the Internet offering this linkage as a service in exchange for sensitive personal information. In reality, they were created by hackers to steal sensitive information for use in cyberattacks.
Some of the most brazen cybersecurity breaches of government databases (some explored above) have occurred in countries that are world leaders in cybersecurity. For example, it is reported that the US’ OPM repels 10 million attempted digital intrusions per month. As national identity schemes in Africa mature and become more integrated with public and private services, as envisaged, it will be a matter of when, not if, they are targets of cyberattacks. As shown in Nigeria’s EndSars protests of October 2020, governments’ digital assets will come under attack in conflicts with other actors.
For data as sensitive as digital identity for millions of citizens, a cyber exploit would cause unimaginable damage, disrupting the lives of millions of people and paralysing key government services. Digital identity for all in Africa can only be realised within the context of a sound cybersecurity framework and active practices such as ensuring that the cybersecurity procurement mechanisms meet international cyber security (open) standards, regular staff re-training and cybersecurity penetration testing. It is imperative that considering the rapid implementation of digital identity programs across Africa, more investment is made to ensure the digital security of data entrusted to government.
The opinions expressed in this article are those of the author(s) and do not necessarily reflect the views of SAIIA, or CIS.