Regulating Cyber Security: CSA cautions the public against dealing with unlicensed establishment || The Law

The Multimedia group

Regulating Cyber Security: CSA cautions the public against dealing with unlicensed establishment || The Law with Samson Lardy Anyenini (10-9-23)  https://www.myjoyonline.com/ghana-news/  Subscribe for more videos just like this:  https://www.youtube.com/channel/   Facebook: https://www.facebook.com/joy997fm Twitter: https://twitter.com/Joy997FMInstagram:   https://bit.ly/3J2l57  Click to this for more news: https://www.myjoyonline.com/

Transcript

00:00 These days, we literally live on the cyberspace.

00:07 What that means is that it has to be a space that is regulated, else we are in danger.

00:17 Even when regulation is introduced, so many people are falling victim to all sorts of

00:25 scams in the cyber world.

00:30 This afternoon, we will help you hear on the law, which is your legal light and your health

00:37 law, on how to watch out and what exactly is the authority doing to see to your interests.

00:49 I'm Samson Ladiyanyanini.

00:50 We'll be right back.

00:51 [MUSIC PLAYING]

01:04 You're welcome back.

01:05 This is the law.

01:06 It's your legal light.

01:07 It's your health law.

01:10 Starting October 1, certain things will happen within the cyberspace.

01:18 If you are a cyber security service provider, cyber security establishment, cyber security

01:28 professional, you must keep your dials here.

01:35 And we must also pay attention so we know how we are affected or what happens after

01:45 the 1st of October.

01:48 Discussing regulating cyber security.

01:53 Cyber security authority cracks the whip for safety.

01:59 Joining me in the studio are Jennifer Mensah, who is lead legal and compliance of the authority,

02:07 and Benjamin Ofori, who is also an officer in the authority.

02:15 Ladies and gentlemen, good afternoon and welcome to the law.

02:18 Good afternoon.

02:19 Good afternoon.

02:20 Great.

02:21 So even before we get into what I clearly have put people on some tenterhooks about

02:30 and they're wondering what is it, 1st of October, what's going to happen, let's begin to appreciate

02:37 when we say the cyberspace and the question of regulating it, literally what are we dealing

02:44 with, what are we talking about?

02:50 So basically when we talk about the cyber security space, you know, we live today in

02:59 a digital age which is characterized by the usage of computer system, electronic devices.

03:08 We use the internet.

03:09 There are billions and billions of devices connected to the internet.

03:13 And basically even if you think about Ghana's socio-economic development is underpinned

03:20 by digital technologies.

03:23 And that basically forms the cyberspace.

03:27 And this digital age brings a lot of opportunities to mankind in terms of there is improvement

03:36 in our social life, people are able to connect with each other, communicate with each other

03:42 across borders.

03:44 Using their mobile phones and electronic devices, it has brought a lot of, you know, generated

03:50 a lot of wealth for the world's economy and Ghana as well.

03:55 And given another platform for people to actually enjoy their human rights, rights to information,

04:02 freedom of expression and so forth and so on.

04:05 Like every new innovation, it also, every new innovation we know comes with its own

04:11 kinds of risk.

04:13 And the cyberspace also comes with its own, you know, kinds of risk, cyber threats, you

04:19 know, because there are malicious people out there who would want to, you know, take advantage

04:25 of this new technology that we are enjoying.

04:29 And so although we have the opportunities, cybercrime is also on the rise.

04:34 And it's very important that a space and the technology is secured for us to harness the

04:42 benefits that it brings.

04:44 And that is where the Cybersecurity Authority comes in here to, you know, regulate the cybersecurity

04:52 space, prevent and manage and respond to cybersecurity incidents and cybersecurity threats.

05:00 So that's businesses, children, public institutions, Ghana can enjoy the benefits that the digital

05:08 age brings.

05:09 Thank you very much.

05:11 And that's elaborate.

05:12 And if you have followed us here on The Law, we have taken you through the various threats

05:17 on the cyberspace and what to look for, particularly the scams and the fraud that goes on there.

05:26 These days people are able to clone all sorts of things.

05:30 You are buying and you're using just your mobile phone.

05:34 You're doing a lot of things just on your mobile phone or your tablet.

05:39 You want to make sure it's secured.

05:42 So when we say cybersecurity, Ben, what exactly are we talking about and why should I be concerned?

05:52 Thank you.

05:53 Thank you, Samson, for first of all having us in your studios today.

05:56 We're excited to be here.

06:00 When we say cybersecurity, it sounds a big technical term.

06:05 You're right.

06:06 But to demystify the term, I would say it's just being aware of how your phone is protected

06:16 or how you as an individual should be very careful in using digital devices.

06:25 And to maybe duff it a little bit into Jennifer's answer, the cyberspace starts from your phone.

06:32 It starts from the tablet you use in the house.

06:35 It starts from the baby monitor that you can connect to the Internet.

06:38 It starts from nowadays your TV and fridges that has the Internet connections.

06:44 And everything in between, all the way to the telco tower.

06:48 So the security that revolves around these devices, technology, and the waves and all

06:53 of that is what we're talking about here.

06:57 But that requires that our government is keeping a keen eye on this by regulating the space.

07:05 And that's where the cybersecurity authority comes in.

07:09 And we had the boss of the cybersecurity authority on the show, particularly right after the

07:20 law that establishes the cybersecurity authority and that seeks to provide a lot of protection

07:27 for all of us was passed into law.

07:30 We had him here and we discussed quite a bit in respect of the Cybersecurity Act 2020.

07:38 But what would you tell our audience is your mandate as a cybersecurity authority?

07:49 What's your mandate?

07:50 What do you do?

07:53 And once again, how does that concern me?

07:59 So basically, as rightfully said, we passed the law in 2020, an act of Parliament, the

08:07 Cybersecurity Act, which establishes the cybersecurity authority and confers on the authority the

08:14 mandates to regulate cybersecurity activities and to promote the development of cybersecurity

08:21 in this country.

08:22 Now, if you move into section three of the act, it throws more light on what exactly

08:28 this means by spelling out what the cybersecurity needs to do in order to regulate cybersecurity

08:35 activities.

08:36 One of the things the cybersecurity authority needs to do is to prevent, manage, and respond

08:42 to cybersecurity incidents and cybersecurity threats.

08:47 As explained earlier, we live in the digital age and to harness the benefits, we have to

08:52 secure and garner digital transformation and make the digital economy much more resilient.

08:59 And the cybersecurity steps in here so that it comes up with measures to prevent cybersecurity

09:08 incidents from occurring.

09:10 And if those cybersecurity incidents should even occur, the cybersecurity authority coordinates

09:17 response to those cybersecurity incidents, working with various stakeholders.

09:23 >> There have been many times we have seen secularists released from the cybersecurity

09:31 authority.

09:32 You can call them allets.

09:34 And that seeks to educate us about, you know, some scam, some security threat that we all

09:41 have to pay attention to, what we should not give in to, if people send us certain emails

09:48 or they send us certain WhatsApp messages.

09:51 You actually issued one very recently, right?

09:56 >> There are many we issued, so maybe we should specifically issue one.

10:01 >> So I was just going to get to this particular one.

10:04 I'll bring it up and then we'll look at it.

10:08 What is this that is going to happen from the 1st of October that we should all be concerned

10:14 about?

10:15 Beginning with you, Jennifer.

10:16 >> Yes.

10:17 As part of the mandates of the cybersecurity authority, the cybersecurity authority is

10:22 responsible for regulating cybersecurity service providers and cybersecurity professionals.

10:29 And if you look into the act again, the functions of the authority, the cybersecurity authority

10:34 is responsible for issuing out licenses for the provision of cybersecurity services, developing

10:41 standards for the provision of cybersecurity services, and developing and maintaining a

10:46 national register of licensed and accredited persons who perform cybersecurity activities.

10:54 And therefore, in line with its mandates, the cybersecurity authority commends the licensing

11:00 and accreditation regime on the 1st of March and calling for persons who are providing

11:09 cybersecurity services to obtain a license from the cybersecurity authority.

11:14 Because section 49 mandates any person who is providing cybersecurity services to obtain

11:21 a license from the cybersecurity authority.

11:26 And therefore, we have to give some grace period from the 1st of March until 30th of

11:31 September calling all cybersecurity service providers to come and regularize their operations.

11:39 They need to come and obtain their license so that they are in compliance with the law.

11:43 And so the grace period ends on the 30th of September.

11:48 So from the 1st of October, your question is what was going to happen?

11:53 From the 1st of October, we'll start enforcing the law.

11:57 Section 49 says if you do not have a license and you are providing cybersecurity services,

12:03 you are liable to pay administrative penalties to the authority.

12:08 And so from 1st of October, we shall be imposing those administrative penalties on persons

12:20 who are in violation of the law.

12:23 Has the accreditation of cybersecurity professionals, establishments, and so on, has it begun?

12:32 Yes.

12:34 So how do I know it has begun and I have to make sure I'm compliant?

12:40 How do I know?

12:41 Right.

12:42 So if I may come in maybe from the first question you asked, besides the mandate that Madam

12:50 Jennifer talked about, this cybersecurity thing we're talking about, by its nature,

12:57 is very intrusive.

12:58 Intrusive in the sense that if you ask a service provider to come into your environment, say

13:05 your company, for them to come in and offer you services, because of the way that's happening,

13:12 they have access to very sensitive information.

13:16 And then if you ask, besides the organization, just a regular professional, when they come

13:21 in, they have access, again, to sensitive information.

13:25 All data is revealed to these people by the way they act.

13:30 So the authority, by its establishment, is mandated by the sections you talked about,

13:36 4K, 57, and 59 maybe, to make sure that these service providers are licensed so that the

13:43 people they're even bringing in to do the service, they're competent people.

13:47 They have a certain solid credibility by some background check that we help do in the registry

13:53 or the database you just mentioned.

13:56 So I mean, just to buttress that point there.

13:59 Also to add on to what's been said, there are actually businesses and some public institutions

14:06 who may not have the capability of determining who is a competent cybersecurity professional,

14:13 who is a credible cybersecurity service provider.

14:17 So that if the cybersecurity authority is able to produce that national register, those

14:22 businesses, small, medium, you know, businesses--

14:25 You can easily check.

14:26 They can just go on our website and they know who is credible, who is competent, who can

14:31 I trust with my environment.

14:33 That's right.

14:34 Yes.

14:35 Great.

14:36 It's perhaps like the job of a lawyer.

14:40 If I don't have a license, I don't have the opportunity to practice.

14:44 And if you don't have a license, you are quack, it's easy to find you out.

14:48 Correct.

14:49 Right.

14:50 I'm coming back to you on the-- I have asked this, but we can look at it from a different

14:59 perspective.

15:01 What the state of the country's cybersecurity space without these regulations will be.

15:10 But let's first begin to establish who are these stakeholders that you're seeking to

15:17 regulate as in a credit.

15:18 When we say cybersecurity professional, cybersecurity establishment, who are we talking about?

15:28 But before we get to that, I was saying earlier, one of the Alert You issues, which was on

15:36 August 22nd of August 2023, it came public alert from the cybersecurity authority and

15:45 it said, "Malicious data harvesting links impersonating National Identification Authority."

15:55 And this was useful to all of us, particularly people who needed to do their registration

16:04 for their Ghana card and so on and so forth.

16:07 But sometimes this is what you do to put us on the alert.

16:13 And you told us that, "Be cautious of links that are unsolicited, even if they appear

16:20 to come from someone you know.

16:23 Verify with the sender before clicking on any link."

16:27 Sometimes we easily fall for this.

16:29 We don't verify, we just see there's a link that's popped up, then we just click.

16:35 And thankfully, you gave us a number of links that we're circulating, that we have to be

16:42 careful about.

16:43 They were circulating on WhatsApp, Facebook Messenger, Instagram, Telegram, among others.

16:50 You said, "Avoid clicking on links in suspicious or unexpected messages and emails."

17:01 I'll tell you what.

17:02 So this actually got me to be a lot more alert.

17:06 Around the time I was getting some messages.

17:08 And when I read this, it got me to relax when I see any such thing and not to be in a hurry

17:16 to check what it was.

17:19 So back to my issue.

17:21 Who is a professional?

17:23 Who is the establishment, the stakeholders that you are seeking to regulate for our safety?

17:29 Who are they?

17:30 >> So basically, a cybersecurity service provider is a person licensed under the Act Entity

17:37 A to provide cybersecurity services.

17:40 And the Act defines a cybersecurity service to be a service provided for a reward primarily

17:47 aimed at securing the cybersecurity of a computer system or computer network.

17:53 So what this means is that any person who is providing some kind of service that seeks

17:59 to protect computer systems, computer network, and is doing that on a commercial basis, taking

18:06 reward, that is a cybersecurity service provider within the meaning of the law.

18:11 If you check Section 97, the interpretation section, it explains it.

18:15 And basically, a cybersecurity establishment is a facility within an organization that

18:22 is primarily responsible for conducting cybercrime investigations and responding to cybersecurity

18:29 incidents.

18:30 So when you go to some organizations, you find that they have things called like security

18:34 operations center, digital forensic laboratory.

18:38 And these facilities are responsible for maybe scanning the network, finding out are there

18:47 any weaknesses that we need to put measures, remediation measures in place to secure our

18:53 environment.

18:55 That is the cybersecurity establishment.

18:57 And those facilities are very, very important when it comes to securing Ghana's digital

19:02 infrastructure.

19:03 And 59 of the acts indicates that such facilities must have in place technology and processes

19:18 in line with international best practice.

19:20 And the authority must develop standards and ensure that such facilities are compliant

19:28 with those standards.

19:29 Very critical.

19:30 And the professionals, the law defines them to be persons accredited under the act to

19:36 provide cybersecurity professional functions.

19:41 So if you are performing cybersecurity professional functions and you are accredited under the

19:47 act, you are a cybersecurity professional.

19:49 Ben, would you like to add to that?

19:52 How do I cybersecurity professional?

19:56 Who is he?

19:57 Who is he?

19:58 I'm looking for who is she?

19:59 So that not long ago, we had a cybersecurity expert, so to speak, on the show educating

20:10 our audiences on how to avoid fraud.

20:14 So I would know that this person is accredited.

20:20 So it could be as basic as a trainer, somebody who is giving awareness.

20:28 Because most of the time, these guys are well knowledgeable in technicalities.

20:33 So that person should be able to even educate in simple terms the market person using their

20:39 phone for mobile transaction.

20:42 And coming back to the link you're talking about, if you're using your phones to do transaction

20:47 online and you have to say you're asked to use your national ID or certain sections,

20:55 say you are DVLA even, to do something like that, that link, you can fall for that link.

21:01 But that trainer who is giving you that basic information should be able to tell you, these

21:05 links are not right.

21:07 They're bad links.

21:09 That's what some of the works that the cybersecurity authority does, where our computer emergency

21:15 response teams can the whole ecospace and release alerts like that when it comes to

21:21 situations.

21:22 So you can have as high as the professional who is hired to come in by a licensed company,

21:28 a professional who's accredited, right, in this case, to come in and do compliance work

21:34 for, say, a telco company or, say, a bank.

21:38 Because to take it from a different angle, who some of the stakeholders we are engaging

21:43 or these licensing companies or accredited professionals are working for, Ghana went

21:49 ahead and designated almost 200 institutions or owners who are known as the critical information

21:56 infrastructure owners by Section 35 of the Act, right?

22:01 And these owners cut across 13 sectors of our economy.

22:06 So to have somebody who is a professional to come in to do such work, they need to be

22:11 accredited.

22:12 That's right.

22:13 And these are some of the professionals we're talking about, people who do penetration testing.

22:18 I'm trying to find the lowest of the terms so people can understand this.

22:23 But somebody who is coming to do just regular compliance checks to make sure some controls

22:29 that you have to put in place as an organization who provide critical services to the market

22:35 seller, those controls are well implemented.

22:39 So it varies.

22:40 But it could be as low as a trainer to hire somebody who does compliance checks in, say,

22:47 a telco company.

22:49 If you are just joining us, this is the law.

22:52 It's your legal light.

22:53 It's your health law.

22:54 And we are looking at regulating cybersecurity, the Cybersecurity Authority cracking the

23:00 whip for safety.

23:03 And we have here in the studio Jennifer Mensah and Benjamin Ofori, all from the Cybersecurity

23:12 Authority, helping us to appreciate what is going on and for you not to be left behind.

23:20 So I was in a hurry when I mentioned 1st of October.

23:30 So as we speak, are we in that grace period for the service providers and establishment

23:38 and professionals to align with the regulations?

23:42 Is that where we are?

23:43 Yes, we are still in the grace period.

23:46 And within this period, how are you making sure that somebody doesn't become a victim

23:56 because they were not informed or something of the sort?

24:00 So one of the ways we're doing this is by public awareness.

24:04 And our latest release is one of those public awareness.

24:09 We do a lot of public engagements, capacity building, awareness creation.

24:14 They come on radios.

24:15 There are three programs that some of our officers attend to try to explain to the ordinary

24:22 man on the street.

24:24 But March to September ending, there's been a lot of activities going on.

24:31 We started with registration of these companies and these individuals or professionals alike.

24:38 I think the key activity is, well, if you identify yourself as a professional, it's

24:43 just start the registration.

24:46 This is a dynamic industry.

24:49 And the authority is known to collaborate a lot.

24:53 So once they've been set a timeline, although it's etched, maybe not etched in stone, but

25:01 it's there, we expect that people comply.

25:04 And then afterwards, we'll know what to do.

25:06 But we need to start building the ecospace securely and resiliently.

25:11 Of course, the fear that from the 1st of October, you have no option but to find yourself in

25:16 difficulty means that people will want to comply.

25:21 But I'm concerned about the reach.

25:27 You know, it is said that ignorance of the law is no excuse.

25:32 But once you are implementing something like this, there ought to be a situation where

25:37 somebody doesn't get to suffer because you didn't make them aware.

25:44 What is the registration process like?

25:48 How easy is it?

25:49 That's quite easy.

25:52 Yeah, so if one of the ways we're doing this is by publishing everything on our website.

25:58 If you go to csa.gov.gh, the information is all broken down for you, from the requirements

26:05 gathering to you registering.

26:08 And then we have our offices online that you can reach by phone, by email, and they will

26:15 consistently attend to you.

26:18 But I think where there's been some laudable efforts by the authority is where we do a

26:23 lot of public engagements.

26:25 You know, we're part of the security architecture of the country.

26:28 So sometimes our work--

26:30 Because the security has actually moved from the ground to cyberspace.

26:36 So you guys have a lot of work to do.

26:38 Yes, we recognize that.

26:40 But we are not noisy.

26:43 But we do those capacity building engagements, we like the face-to-face approach.

26:50 There's been a lot of companies we've been speaking to, especially these CI owners I

26:54 was telling you about.

26:56 We go to their offices, we do online engagements, just because they are the ones who need the

27:01 professionals the most.

27:03 Because to break it in simpler terms, somebody who needs to do that pen testing, that intrusive

27:11 work for a telco is needed there to check to make sure that that control is indeed put

27:19 in place.

27:20 So that the person at the bottom, say that coca seller using their momo to make a transaction

27:26 is protected.

27:27 So there's a trickling down effect when it comes to the benefit.

27:31 And that's why we focus right at the top all the way to the bottom.

27:37 So you say it's easy, one can simply check on csa.gov.gh and they'll see the portfolio,

27:46 what is required to go through the registration process.

27:50 Yes, Jennifer wanted to say something.

27:53 Yeah, to add to what Sir Benjamin said, actually in our media and stakeholder engagements,

27:59 we take the stakeholders through the requirements.

28:03 We have guidelines for license and cybersecurity service providers, accrediting cybersecurity

28:09 establishments and accrediting cybersecurity professionals.

28:12 So we've engaged even cybersecurity professional bodies, cybersecurity service providers, industry

28:18 regulators, and we sit down and walk them through the requirements in the guidelines.

28:25 And they have the opportunity to also ask questions.

28:29 Now even prior to the first of March, building this license and accreditation regime, we

28:37 have involved industry players.

28:40 At the onset, we actually established a committee that had representation from cybersecurity

28:45 service providers, cybersecurity professional bodies, academia, who contributed to what

28:52 is really, should be the requirements that prospective cybersecurity service providers,

28:58 professionals and establishments need to satisfy in order to obtain a license or accreditation.

29:04 When we got the first draft, we held a public consultation that had a cross-session of industry

29:10 players, academia, law firms, businesses, public institutions.

29:16 We had over 90 people in attendance, and that was actually also broadcasted on various media

29:22 channels where we sought inputs into the guidelines.

29:26 And from the first of March, as we started rolling out, we've had these media and stakeholder

29:31 engagements, explaining the requirements to the stakeholders.

29:38 Thank you very much.

29:39 If you're still here with us, we are engaging the officers from the Cybersecurity Authority,

29:46 helping us to appreciate the regime of, if you call it licensing, accreditation of professionals,

29:55 and there's the one other, you see?

29:59 Service providers?

30:00 Service providers, right, and professionals, so that you are sure you are setting that

30:07 those who are attending to your cybersecurity needs have the requisite accreditation to

30:15 do so.

30:17 And we will be opening the phone lines, as we always do, because this show is about and

30:24 for you.

30:25 This is the law.

30:26 It's your legal right.

30:28 It's your health law.

30:30 So from the 1st of October, if someone is seen to be not compliant, they come under

30:44 sanctions.

30:45 You refer to the specific provisions.

30:49 Is there a potential of some, you know, pardoning from that point, at least?

30:57 Or we should get there before?

31:00 Thank you for saying that.

31:01 I think we should get there before.

31:04 But if you look at the engagements we've been doing, right, one of the things we haven't

31:08 been able to publish yet is the fees and charges for the licensing and accreditation.

31:17 The authority is working with Parliament.

31:20 It's a process that's undergoing to be able to finally release the fees and charges.

31:26 So the provisional period is where we're in now, up until the end of September.

31:35 So people who are registering and getting accredited and being issued licenses, especially

31:42 the companies, because the fees are not there yet, it will be hard for us or for our legals

31:49 to come in and say, "Hey, you're not in compliance, so we're holding you."

31:52 But again, we're not making that decision here.

31:57 It's just the right thing and the best thing to get ready.

32:02 You don't have to wait.

32:04 Our normal attitude, we are always caught by time and then we're pleading, "Can we

32:10 have an extension?"

32:11 So what would you say to those who need to comply now?

32:16 You need to comply now because it is an obligation in the law.

32:24 I would want to encourage everybody to take opportunity of this grace period and apply

32:33 for the license and the accreditation.

32:36 Otherwise, come 1st October, we're going to impose administrative penalties.

32:43 Also, we're going to put on our website the persons who have been licensed and accredited

32:50 and a caution will go to the general public to refrain from people who are unaccredited

32:56 or unlicensed because you can't trust the oppressions.

32:59 It's actually unwise for anybody to want to deal with any person or entity within such

33:08 a sensitive industry and they are not accredited.

33:16 So that's sort of the caution to you.

33:19 I think all of us should be aware of this.

33:22 It's clearly not in your interest to do such a thing.

33:26 Therefore, from the 1st of October, we are going to see the register up.

33:32 Is that going to happen?

33:33 That's going to happen.

33:35 I think it's important.

33:37 Let me bring another angle to this.

33:40 Ghana, in 2017, entered into a ranking and assessment system by the International Telecommunications

33:48 Union where it measures or assesses a country's readiness for cyber security.

33:55 At the time, Ghana was ranked 10th in Africa and 87th in the world by a score of 32.6%,

34:09 something like that.

34:11 Three years onwards, Ghana moved from 10th in Africa to 3rd behind Mauritius and Tanzania

34:20 and then 87th to 43th in the world with a score of 86.9%, something like that.

34:27 So you can see the progress Ghana is making because we are in a digitalised economy, right?

34:33 But the baby steps that the authority has been taking is drawing international attention

34:40 because this cyber security thing we are talking about is a global commodity.

34:45 So there are huge benefits to these accredited professionals.

34:50 These licensed companies.

34:51 That's where I was going to go to now.

34:53 So let us know, even though those who are in the field ought to be familiar with this,

35:00 what are the benefits?

35:02 What do I lose?

35:03 First of all, I know what you lose, but what do I lose?

35:06 What are the benefits?

35:07 Hey, Madam Jennifer, you can start with this.

35:10 The benefits that comes with a license and an accreditation regime, I believe every cyber

35:15 security service provider would wish to have their business progress.

35:22 And so once we put up that national register, it gives visibility to cyber security service

35:28 providers, cyber security professionals, cyber security establishments.

35:32 When people want to procure services of cyber security service providers, they get on the

35:37 website of the cyber security authority.

35:40 They see who is licensed.

35:42 And that will actually open business opportunities, job opportunities for the cyber security professionals

35:49 once we have the national register up.

35:53 Also the cyber security authority plans to engage what we call the independent assessors.

36:00 Once you are an accredited cyber security professional, the cyber security authority

36:06 shall engage such professionals in supporting the work of the cyber security authority.

36:13 For example, if we have to conduct some monitoring and compliance exercise, we can reach out

36:20 into a pool of accredited cyber security professionals and engage them to provide that support.

36:26 And that goes to build the cyber security workforce and help progress the profession

36:34 of cyber security professionals.

36:37 And if I may buttress that point, talking about the workforce, you know, lawyers and

36:44 doctors and Mr. Samson, you know you cannot be paid below a certain rate, right?

36:51 Correct.

36:52 Because the industry is not regulated, people do all jobs here and there, and sometimes

36:58 they are underpaid.

37:00 If these regulations are rolled out and we have accredited professionals, they are going

37:04 to be respected in that form, they will be paid well.

37:07 I think that is very important because one of the silent issues that is going on that

37:13 nobody is seeing now, you know you hear of nurses going out of the country.

37:18 But our cyber security professionals who are even helping themselves develop themselves,

37:22 they are being encroached and pushed away in the Western world.

37:27 So if there is a certain balance of fees and charges as to how much a professional should

37:32 be paid, it might help stem the tide to be able to retain some professionals in the country

37:39 who can provide these protective services to our critical information infrastructure

37:44 and things alike.

37:46 Thank you very much.

37:47 And as we do always, it is now time for us to open the phone line so that you can join

37:52 us, particularly you, the professionals, practitioners.

37:56 It doesn't matter, you don't have to be a professional or a practitioner.

37:59 If you need the cyber security authority officials to answer or respond or react to anything

38:07 that is on your mind or explain anything that you want explanation to, please call us now.

38:16 The phone lines are activated now and this is the law.

38:21 It's your legal rights.

38:22 It is your health law.

38:24 And we are engaging the officers of the Cyber Security Authority of Ghana, Jennifer Mensah,

38:31 who is lead legal and compliance, and Benjamin Ofori as well.

38:38 So you can join us now and share your views with us.

38:43 There's the release that you issued earlier.

38:50 And I want to see if I can share it with the public and they can also, this was in March

38:56 1, 2023, in respect of this matter and it was titled, "Cyber Security Authority Begins

39:03 the Implementation of Line System and Accreditation Today, March 1, 2023."

39:09 This is how far it goes, when it started.

39:14 And then you mentioned the consequences of noncompliance.

39:18 It said, "Cyber Security Service Providers who engage in the business of providing cyber

39:24 security services without a requisite license after September 30, 2023, shall be in contravention

39:33 of the Cyber Security Act 2020, Act 1038, and shall be liable to pay administrative

39:42 penalties.

39:43 However, a cyber security provider, service provider, who applies for a license by September

39:51 30 may continue to provide its service until a decision on the application has been made

39:59 by the Cyber Security Authority.

40:02 A license or accreditation granted is valid for two years from the date of issuance as

40:07 provided for in Section 53(1), Subsection 1 of the Act.

40:15 Two years.

40:17 What informs that?

40:18 Why is the regime or the period for the license or accreditation two years?

40:25 [laughter]

40:26 >> I think the drafters of the law found it plausible to give that time frame because

40:34 of the nature of the whole work.

40:38 And maybe I can't delve much too much into it.

40:41 But you hold on.

40:42 Let's hear Prince before.

40:43 Hello, Prince.

40:44 >> Good afternoon.

40:45 >> Good afternoon.

40:46 Let's hear you.

40:47 >> Good afternoon.

40:48 My name is Prince.

40:49 You can hear me from my voice.

40:50 Yes, my question is, what are the classifications of cyber crime?

40:51 I mean, I want to know the thing that falls under cyber crime when you talk about cyber

40:52 crime.

40:53 And what are the classifications of cyber crime?

40:54 I mean, I want to know the thing that falls under cyber crime when you talk about cyber

41:16 crime.

41:17 >> I'm going to start with you.

41:23 >> Okay.

41:24 >> So cyber crime is a crime that is not a crime.

41:35 It is a crime that is not a crime.

41:57 You are not doing any activity and yet you can see that, you know, your bundle is reducing.

42:04 Is that it?

42:06 Okay.

42:08 Thank you, Prince.

42:11 My next caller is -- hello, Mensah.

42:15 Let's hear you.

42:16 You're calling from Aladjo.

42:17 >> Hello.

42:18 Good afternoon.

42:19 My question goes to -- I want to find out from the cyber authority, the lady and the

42:37 gentleman.

42:38 One of the challenges that we are facing is that during registration, when you encounter

42:39 problems, the numbers that they provide, when you try to contact them, it's very difficult

42:40 to get in touch with them.

42:41 And then secondly, so how are they going to address that?

42:42 And then thirdly, how are they going to address that?

42:43 And then secondly, you see, they said to complete the registration, the company that you are

42:56 working for, they are supposed to give you accreditation or something.

43:01 And the company does not see the importance of you because they feel that you working

43:07 with them, it is your problem, it's not their problem.

43:10 So how are they going to help individuals to be able to complete the registration without

43:17 getting in touch with the company?

43:20 >> Mensah, hold on for me.

43:22 You say that the contacts that they give for you to report, when you call, it doesn't go

43:29 through, is that it?

43:30 >> Yeah, it doesn't go through.

43:33 >> Which of these numbers do you have?

43:35 >> I don't have them offhand.

43:38 >> You can call or text 292, are you familiar with that?

43:43 >> No, I'm not familiar with that one.

43:48 >> 292, you can call or text 292.

43:53 You can WhatsApp 050-1603111, 050-1603111.

44:08 These are reliable contacts.

44:11 So I have answered your second question for them.

44:16 Who is next on the line?

44:19 So let's try and take some answers before, okay, so Prince says he wants to know about

44:27 the classifications of cybercrime, for whatever purpose, I don't know.

44:32 But he says again that he's bundled and the bundle reduces even though he's not using it.

44:39 What should he do?

44:41 I can see NCA matters here.

44:43 >> All right, so with the classification of cybercrime, there are basically two types

44:49 of cybercrime.

44:50 We have cyber-enabled crime and cyber-dependent crime.

44:56 >> Cyber-enabled, cyber-dependent.

44:58 >> So cyber-dependent crimes are really like new crimes that have been introduced as a

45:04 result of computer systems, you know, coming into the world.

45:08 For example, unauthorized access, what is called hacking, you know.

45:14 Unauthorized interception, system interference in the sense that there may be a malicious

45:21 person who hack into a system and cause it to malfunction and legitimate users can't

45:27 have access to it.

45:28 That is what is called a cyber-dependent crimes.

45:32 And there's cyber-enabled crimes, which are crimes which scale, scope, and speed have

45:37 increased as a result of the Internet.

45:41 So you can have things like cyberbullying or you can have things like child sexual exploitation

45:46 and abuse material because of the Internet.

45:52 There's a widespread, you know, if you are bullying people on the Internet, you are sharing

45:59 a poster, you shouldn't share, billions and billions of people see it.

46:03 And so the computer has, you know, increased the scale and the scope of those crimes like

46:09 cyber fraud.

46:11 And so those are the two classifications when you are looking at it from the legal point

46:15 of view, cyber-enabled, cyber-dependent.

46:17 >> All right.

46:19 Let's hold on a bit.

46:20 >> Sure.

46:21 >> Godwin.

46:22 >> Okay.

46:23 >> You are calling us from Medina.

46:24 Let's hear you, Godwin.

46:25 >> All right.

46:26 So -- >> Godwin, go ahead.

46:31 >> All right.

46:34 So I had the chance to screen, unless you have the -- I've been screened under Dr. Albert

46:42 as the -- >> Dr. Ntubwe Siaku.

46:45 >> Yes, sir.

46:46 >> Okay.

46:47 >> So that was back in 2018.

46:50 I had a cyber security certification and also I also had a network security defense from

47:01 information institution.

47:02 So the question is, would I still consider myself a cyber security professional because

47:09 I have done some screening for some rural banks and also communities.

47:16 And right now on the cyber security authority, the place where you have to show the professional

47:23 certificate, I want to know if I can still consider myself based on this achievement

47:28 or have to still write maybe an international certification like the one I'm about to write

47:34 right now, that's self-analysis.

47:36 So I want to know if I can still be considered a professional.

47:40 Thank you.

47:41 >> Okay.

47:42 Thank you very much.

47:43 Hello, Godwin.

47:44 Okay.

47:45 So I got Godwin's question, but I wanted to be sure if he meant in addition that he is

47:53 liable to registering or not.

47:56 But I'm sure you understood him clearly.

47:58 But before we go to Godwin, you have talked about the --

48:02 >> Classifications.

48:03 >> The classifications, enabled, independent.

48:06 >> Right.

48:07 >> And then Prince had an issue also with his bundle.

48:10 >> Yeah.

48:11 >> Yeah, who should he report to?

48:12 Where should he report to?

48:13 Can he report to you?

48:14 >> I think that's a telco issue.

48:17 But you know, the interesting thing is that because of that reliability of that 292 and

48:23 those WhatsApp numbers you mentioned, we get all kinds of reports and issues which are

48:28 sometimes not even cybersecurity.

48:30 So it's amazing.

48:32 I think the record of that is about 40,000 for some period of time now.

48:37 Sometimes it's funny how security experts provide psychological services.

48:42 >> Okay.

48:44 >> So yes, I think it's a telco issue.

48:47 But if he's in doubt, he can still call us.

48:51 >> All right.

48:52 Thank you.

48:53 And I think Mensah's major issue was the reporting, the difficulty getting through with the numbers.

48:59 And I gave him those two numbers.

49:01 He's happy to have them.

49:03 Yes, you want to add.

49:04 But hold on.

49:05 Who is on the line?

49:08 Hussein, quickly.

49:09 Let's hear you, Hussein.

49:11 >> Good afternoon, Samson.

49:12 >> Good afternoon.

49:13 >> Please, I have a question.

49:17 What are the requirements for a professional?

49:21 What documents would they require to be presented for the application or the presentation?

49:29 >> Okay.

49:30 Thank you very much.

49:31 What will be the criteria?

49:34 Thank you.

49:35 I think we can hold on with the call so we can take the answers.

49:37 >> Sure.

49:38 >> Right.

49:39 >> So you were going to add something to the bundle issue, is it?

49:44 Or which one was that?

49:45 >> The contact.

49:46 >> Reporting, yes, contact.

49:47 >> He can also send an email to compliance@csa.gov.gh.

49:53 >> Compliance@csa.gov.gh.

49:58 Okay.

49:59 He could also do reports@csa.gov.gh.

50:04 That also works.

50:05 Report@csa.gov.gh.

50:08 Okay.

50:09 Thank you very much.

50:10 That's for you, Mensah.

50:12 How about Godwin?

50:14 He's got a professional certificate after being trained by your authority.

50:19 He's very happy about that.

50:21 And he's making a living training others, providing service.

50:25 >> Yeah.

50:26 He should consider himself a professional.

50:30 You know, even students or just graduates just coming out of university,

50:36 they have a place in this.

50:38 The classification of a TS system was introduced here to be able to take care of

50:44 professionals in various categories.

50:46 So even if you're just coming out of university or you're just trained to know

50:50 certain things about cyber security, there's a place for you.

50:53 I think that place is a general requirement.

50:55 But if he's a trainer, there's also a place for trainers.

50:59 So, yes, he should start the registration process.

51:02 >> So there are those who are watching us now and are asking,

51:05 "Godwin got a professional certificate by being trained by your authority.

51:09 I didn't know that your authority trains people who can make jobs."

51:13 >> Yes.

51:14 >> So how --

51:15 >> Let me correct that.

51:16 >> Yes.

51:17 >> I think he said the training was done by e-crime.

51:19 E-crime is not cyber security authority.

51:21 >> Okay.

51:22 >> We don't do training for individuals.

51:25 We do capacity building, awareness creation for organizations, the government space,

51:30 but not individuals like that.

51:31 So I think that one is e-crime.

51:34 That's not us.

51:35 >> Because he mentioned, your boss, that he had been trained by him.

51:39 >> So it could be in his lifetime past.

51:42 He used to manage his own private company.

51:44 >> Because he said that was in 20-something, not actually after the 2020s.

51:49 >> Yes.

51:50 >> Right.

51:51 >> Way back, yes.

51:52 >> Okay.

51:53 >> Before the authority was born, I'm sure.

51:54 >> Right.

51:55 Okay.

51:56 Thank you.

51:57 >> So Hussain, what does he need to present for this accreditation or licensing?

52:03 >> Right.

52:04 Maybe, Malone, you can elaborate a little bit on the requirements.

52:06 >> Yes.

52:07 Well, the requirements, Hussain could, you know, submit evidence of his qualifications

52:13 and experience, his number of experience, you know, number of years of experience as,

52:20 you know, providing the cybersecurity professional functions, recommendation from his current

52:29 or previous employer.

52:31 There's also the need to submit police reports, you know, from the Ghana Police Service.

52:39 If Hussain happens to be a freelancer and he has, you know, choked quite a number of

52:45 years in providing cybersecurity professional functions, there may be the need for -- I

52:51 mean, he's providing freelance services.

52:53 There may be the need for him to, you know, show evidence of cyber insurance and coverage

52:59 among others.

53:00 But I want to encourage Hussain to visit the website of the Cybersecurity Authority and

53:06 register to obtain a copy of the guidelines for accredited cybersecurity professionals

53:12 so that he can familiarize himself with all the requirements.

53:17 >> Right.

53:18 Thank you very much.

53:19 Now, as we wrap up, what would be your final words to our audience?

53:24 Maybe you first.

53:26 >> My final words to our audience is that to our cybersecurity professional service

53:34 providers and establishments, visit the website of the authority and apply.

53:41 Register and apply before the 1st of October.

53:45 It's important that we all promote the development of cybersecurity in this country to sustain

53:52 Ghana's digital transformation.

53:54 And this is good.

53:56 Many cybersecurity professionals and service providers have embraced it.

54:00 And so if you are sitting home and you have not, please, go on the website of the authority,

54:07 register and apply so that you can be in compliance with the law.

54:12 >> Thank you, Jennifer.

54:13 Benjamin?

54:14 >> Thank you.

54:15 You know, when I saw your title about cracking the whip, it got me scared a little bit.

54:21 >> It's important.

54:22 >> Right.

54:23 It is important.

54:24 >> We'll wait until the late -- you wait.

54:25 >> Until we see that from the first, the people who will be knocking on your doors and begging,

54:30 even after we provide them this platform to help.

54:33 >> Yeah.

54:34 Yeah.

54:35 You know, but I understand.

54:36 The CSA also has a listening ear.

54:38 There's a phrase we throw about the authority called the collaborative regulation.

54:43 So we -- our intention is to build the industry.

54:46 >> Right.

54:47 >> You know, before we really crack the whip.

54:50 If you don't have a mature environment, where do you start cracking the whip?

54:55 So they should be comfortable.

54:57 They should reach us for us to be able to work with them effectively.

55:01 >> Thank you very much.

55:02 This has been "The Law."

55:03 It's your legal life.

55:04 It's your health law.

55:05 And my guests have been Jennifer Mensah, who is lead legal and compliance,

55:10 and Benjamin Ofori, all of the cybersecurity authority of Ghana.

55:15 Have a good afternoon.

55:17 [ Music ]

Category

Transcript

Recommended