I am often asked about cyber security on WiFi networks for international development projects in rural Africa. My response is usually a laugh, as I find it hard to believe that anyone would have both the cunning and the desire to go wardriving through northern Uganda.
But then I was told about smart Nigerian hackers who were breaking encryption at Lagos HIV clinics in hopes to find out anyone important who has AIDS. This has me thinking, is data security now an issue in ICT4D?
I still maintain that for the vast majority of technology deployments, especially in schools and community centers and rural locations, basic security measures are enough.
Require user accounts for each person, use WPA2 on WiFi links of importance, and if you want to have unsecured WiFi for the community, use a separate Internet router.
Its only in high-risk settings, where the data could be a serious privacy issue that you need to worry about data security, encryption, and the like. Health and banking implementations like digital health and microfinance, or urban settings where ICT skills and knowledge exist in enough abundance to be an issue.
Yet what do I know? What’s your opinion on the cyber security needs in rural Africa? Do we really need to be concerned about black hat hackers outside of capital cities?
I don’t think securing WiFi network is so important in Burkina Faso. People need connectivity: and since we are African, we are used to share anything we have. Therefore, let’s open our WiFi networks! But if this network is used professionally, with important data transmission, then you have to secure it.
Interesting question. I feel this is an issue that will only become more important over time and if anything it has to a great extent been ignored till now. As Africa connects per mobile and Internet securing vital data flows is essential. Till now little attention has been given to the issue leaving incredible amounts of information openly accessible. As more and more individuals learn the ways into technology we will see increasing instances of its misuse.
I think this is a very important issue. Encryption and security are trivial additions that should be included and turned on by default. But just as important to technical security layers are the human factors.
In Malawi, we used to ponder what would happen if the president of the country walked into an HIV clinic and demands to know if his rival is a patient.
Someone steals a patient’s identifier (smartcard, barcode, ID card) and goes to the clinic posing as that patient in order to steal drugs, gather information, etc.
We need to equip people on the frontlines of ICTD with knowledge and tools that will help them provide a solid human level of security.
To me, saying that data security is less important in developing African countries than it is in more developed countries sounds a bit like the the “This is Africa” excuse I occasionally hear when local construction contractors want to adhere to lower standards of quality than western customers expect.
If my mother living in the mid-western United States needs WPA2 encryption on her residential router, a school in Rwanda should have it too.
Even if data stored on a system seems unworthy of tight security, potential intruders may be after other network resources.
In a region where bandwidth is scarce and sometimes billed by volume, do you really want to make an expensive VSAT Internet connection available to passersby on the street?
Your hard drive storage and your space on Internet-facing web servers are two other resources African hackers would be glad to put to use…even with minimal technical experience.
Someone doesn’t even have to be a hacker to cause trouble when given more access than they need. An inexperienced user can do plenty of damage to a system while “just looking around.” This causes downtime, frustration, and increased IT support costs.
Developing African countries have already seen some benefits of starting from scratch when building new IT infrastructure. By doing this they “leapfrog” to the most current technology, while developed countries are stuck having to build on top of aging legacy systems.
As we plan network security for ICTD projects in Africa, let’s take advantage of this same leapfrog effect, rather than creating a future riddled with IT security holes.
Encrypt your wireless links, hide SSIDs on point-to-point links, segregate home directories by user, and think carefully about user permissions.
Andris,
I agree with your recommendations – encrypt your wireless links, hide SSIDs on point-to-point links, segregate home directories by user, and think carefully about user permissions – as I feel these are basic standards we should all ascribe to.
Its the hand-wringing about data security, that presumes these steps are not enough, that I am concerned about. Is there a need for more than these steps outside of capital cities today? I think not.
I see your point: that overly complex security should not get in the way of the core missions of rural ICT projects.
If extra security places undue loads on hardware, like utilizing encrypted file systems where they aren’t necessary, I can see making a case for reduced security measures.
I think it is dangerous, though, to design security that is only “good enough” to hold up against non-technical intruders.
Do we really need to be concerned about black-hat hackers and wardrivers in rural Africa? Maybe.
Where there’s a need, people tend to develop skills around it (and the skills to make money from it). Wardriving tools are freely and easily available on the internet, as are tools required to take advantage of numerous other security exploits.
A little knowledge goes a long way when it comes to hacking, and I think the days of assuming someone has to be a computer expert to be a security risk are over.
“I would argue the person who manages to run a successful bot-net from an internet cafe with no-power, no way to actually receive electronic transactions and disproportionately expensive internet costs deserves a prize for sheer ingenuity.”
Jon Gosier on Black Hats on the Dark Continent