Written by:
Don Okereke
President
Goodluck Jonathan recently launched a MasterCard-branded Nigerian National
Electronic I.D Card amidst pomp and pageantry.
The
project is expected to gulp a whooping N30
billion! Tritely, there were cheers and allusions of how the e-I.D card project
is one of the best things that has ever happened to Nigeria. Another
transformation agenda, they tell us. Hear Mr. Jonathan, ‘’the card is not only
a means of certifying your identity, but also a personal database repository
and payment card, all in your pocket’’.
The
National I.D Card Management Commission (NIMC) which happens to be the project
leader is partnering with MasterCard which provides the payment technology;
Unified Payment Services Limited functions as the payment processor and
CryptoVision acts as the public key infrastructure and trust services provider.
Subtly
suggesting a progression towards a ‘Big Brother State’, an ambitious NIMC says
it is ‘’working with other government agencies to harmonize all identity
databases including the Drivers, Voter registration, Health, Tax, SIM Card and
that of the National Pension Commission into a single, "hared" services platform’’. A ‘’Shared’’ services platform means these partners and most probably
the Security agencies and other stakeholders (Nigerian Banks are currently
obtaining biometrics data from their customers) will also have access to this
humongous database. This I.D Card claptrap is coming on the heels of a $40 million "Wise Intelligence Technology (WIT) System’’, an
Open Source Intelligence Monitoring contract secretly awarded to Elbit Systems,
an Israeli firm and also a bungled SIM Card registration exercise that gulped N6 billion. Prior to SIM Card
registration, proponents bandied figures suggesting that the project is the
panacea to the unprecedented Boko Haram miasma and wanton kidnappings stifling
Nigeria. Notwithstanding SIM Card registration, kidnapping, terrorism and
insurgency continue to trend in Nigeria.
For
the record, this writer advocates doing all that is rational and justifiable to
protect Nigerians and Nigeria from internal, external aggression and wanton
criminality. The notion and objective of the national electronic I.D Card looks
good in theory but there are far-reaching, critical national security and
fraud-related loopholes which this essay aims to highlight which must be
appreciated and sorted if the purpose of the ID Card must be achieved.
There
is a consensus in the global cyber security community that keeping personal information
out of the reach of cyber criminals is increasingly becoming a mirage. Lilian
Ablon, a security researcher with RAND Corporation contends that, ‘’the ability
or plausibility of a cyber attack certainly outpaces the ability to defend.
Cyber criminals are extremely conversant with the
jeopardy, loopholes inherent in the cyber world and are exploiting these
vulnerabilities, employing a mishmash of technology (reverse engineering) and
social engineering craftsmanship in order to short-circuit desired outcomes. In
this age of "big data", BYOD (Bring Your Own Device), data breaches,
proliferation of hacking, whistle blowing, cyber warfare/terrorism and
espionage by State and non-state actor’s, the consequences of concentrating and
sharing the private information (names, dates of birth, addresses, passport
photos, fingerprints) of Nigerians with MasterCard et al and also outsourcing
an internet surveillance contract to an Israeli firm no matter how
well-intentioned will directly or indirectly have multiplier-effects. Edward
Snowden and Bradley Manning are classic lessons that these days, insiders, not
necessarily hackers are the biggest threat to data breaches.
Nigeria
is currently struggling to rein in a rag-tag Boko Haram Sect whose masterminds
and domicile are known. Contrast it with an unknown enemy, an insider (a cyber
criminal or cyber terrorist) armed with just a laptop and internet connection,
ensconced within our territory or in some remote part of the world. Cyber Terrorism/Warfare transcends physical
boundaries and is increasingly tasking to forestall.
With or without an electronic I.D Card, adherents of criminality and terrorism
will still engage in their trade. Masterminds of the September 11 terrorist
bombing in the United States had official I.D cards, Passports or other
identifying documents but they still managed to pull their stunt. I.D Cards no
doubt aids investigations after an incident but it does not necessarily prevent
the incident. No wonder ‘’the Australian Parliament shelved the prospect of
issuing a national I.D Card after research showed that identification cards
would not assist crime prevention
because the police have more trouble finding evidence linking crimes with
perpetrators than identifying criminals’’.
To help us appreciate the dire national security,
fraud implications of a not-foul-proof national e-I.D Card system, let’s
explore recent prominent data breaches and cyber attacks in the world.
A recent BBC headline goes thus:
"South Korean ID system in disarray". The report asserts that the ID
numbers and personal details of some 20 million people, including South Koreas
President Park Geun-hye, have been victims of a data theft from three credit
card companies. Experts believe that South Korea's national identity card system
may need a complete overhaul sequel to the aforementioned massive data thefts
and rebuilding the system could take up to a decade.
Lately, a massive breach
affected about 83 million customers of JPMorgan Chase. Personal information
such as - names, addresses, phone numbers and email addresses of customers were
compromised in this cyberattack. A while ago, Russian cyber crime
syndicate was said to have amassed the largest known collection of internet
data- encompassing 1.2 billion user names, password combinations and more than
500 million email addresses. In 2010, a programme dubbed ‘’Stuxnet’’ recorded a
phenomenal feat when it was used to attack, penetrate and disrupt Iranian
nuclear power programme. Not forgetting the streak of cyber attacks accredited
to the Syrian Electronic Army. Bring to mind that a malware attack by cyber
criminals on United States retail giant – Target led to the loss of 40 million
credit, debit card and personal records of customers. It also emerged that another
retail giant – Home Depot was attacked by cyber criminals with initial reports
suggesting it may be higher than that of Target. In Denmark,
900,000 social security numbers were leaked by mistake. A group that
goes by the moniker- Lizard Squad claimed it was responsible for a DDoS
(Distributed Denial of Service) attack that took down Sony PlayStation’s
network leading to loss of millions of data loss. In December 2006, 94 million
Credit Card information of TJX Companies Inc was stolen by hackers. In 2005,
hackers broke into CardSystems Database, one of the top payment processors for
Visa, MasterCard, and American Express and stole 40 million credit card
accounts. The United States Secret Service say more than 1,000 U.S businesses
may have been compromised by a Point of sale (POS) malware attacked dubbed
‘’Backoff’’. If the so-called advanced countries and
world-class establishments are not immune to data breaches and cyber attacks,
envisage the plausible scenario in Nigeria. In Nigeria, we were told a while ago that
the names, addresses, bank account details etc of some serving and retired
personnel of Nigeria’s State Security Service was leaked online. Nairaland.com,
Nigeria’s popular online forum suffered a malicious attack this year in which
millions of users’ information was compromised.
Eugene Kaspersky, co-founder of Kaspersky Lab, an
antivirus software firm asserts ‘’the amount stolen from banks, financial
institutions, companies and individuals could be at least double the $100bn
initially estimated three years ago’’. Analysts are of the opinion that many
data breaches are but precursors to identity theft and identity cloning. A
report from www.identitytheft.info suggests that approximately 15 million United
States residents have their identities used fraudulently each year with
financial loss totaling upwards of $50bn.
Let’s mull over the MasterCard financial
transaction function of Nigeria’s electronic I.D Card. Having a MasterCard logo
inscribed on Nigeria’s e-I.D Cards, a country of about 170 million people is
surely a plus, a good marketing and publicity bargain on the side of
MasterCard. However there is frenzy in Nigeria that ATM/electronic fraud is on
the upward swing. Nigerian financial institutions are said to have lost about N2 billion to electronic fraud during the
first and second quarter of 2014. Just few days ago, the EFCC declared one
Godswill Oyegwa Uyoyou, an IT Staff of
new generation bank, wanted in connection with a case of Criminal
Conspiracy, Obtaining Money under False pretence and Electronic Transfer of
Fund. Mr. Godswill is alleged to have fraudulently connived with some scammers
and hacked into his bank’s database and obtained the sum of Six Billion and
Twenty-Eight Million Naira (N6.28b). Recall that most Automatic Teller Machines
are powered by Microsoft’s Windows XP Operating System which is vulnerable to
hacking more so since Microsoft has stopped issuing security patches, updates
for bugs in Windows XP Operating Systems.
Discerning and informed Nigerians are
genuinely concerned with an arrangement which entails sharing biometric and
sensitive personal information of Nigerians with local and foreign private
foreign firms especially in this age of ‘Big Data’, moreso given the cache of
top secret documents released by Edward Snowden revealing massive global metadata surveillance,
eavesdropping, interception of radio, telecommunications, internet traffic
monitoring and information sharing
programs such as ‘’PRISM’’ with Microsoft as a partner, ‘’XKeyscore’’,
‘’Tempora’’, ‘’Muscular’’, ‘’Project 6’’, ‘’Ironavenger’’, ‘’Quantum Insert’’,
by the intelligence agencies of the ‘’Five Eyes’’ namely -Australia (ASD),
Britain (GCHQ), Canada CSEC), New Zealand, United States (NSA) and a mishmash
of international collaborators such as – Denmark (PET), France (DGSE), Germany
(BND), Italy (AISE), Norway (NIS), Switzerland (NDB), Spain (CNI), and Israel’s
(ISNU).
The global super powers don’t even trust
themselves as it emerged the mobile phone of German’s Chancellor Angela Merkel
was allegedly tapped by United States intelligence agencies. Renowned
technology firms headquartered in the West such as Microsoft, Apple, Verizon
Wireless, the FaceBook, Yahoo!, Google etc of this world are said to be either
covertly or overtly complicit. This explains why most countries are wary to
award certain critical national security contracts to foreign firms. Aftermath
of the allegations of spying leveled against the NSA, Germany swiftly expelled
CIA’s station officer in Germany and subsequently cancelled its contract with
Verizon Wireless, a US firm. The Germans and some other countries are mulling
the possibility of reverting to manual typewriters to counter hi-tech
espionage. In June 2014, Chinese state-run TV dubbed Windows 8 a ‘security
threat’ over allegations that Windows 8 Operating System is a tool for
espionage. The Chinese contend that Windows 8 harvests private metadata and
sends same back to Servers in the United States. The Chinese government
consequently banned the use of Windows 8 Operating System for Government
Computers. In the same vein, use of Chinese-made Huawei products is banned by
the US government over a similar allegation. Sequel to the NSA spying
revelations, India considered a policy that would ‘’compel companies to
maintain part of their IT infrastructure in-country, give local authorities
access to the encrypted data on their Servers for criminal investigations, and
prevent local data from being moved out of the country’’.
The giant of Africa is going on the reverse
direction. No thanks to two daft #TacticalManeuvers (apologies to
the DHQ) vis-à-vis the internet surveillance contract and the latest e-I.D Card
deal, our "ogas-at-the-top" may have (un)wittingly outsourced
Nigeria's very critical national security databases (names, addresses, phone
numbers, passport photos, fingerprints etc) to two robust partners - Israel and
the United States on a platter of gold. One wonders if Nigeria’s national
security think tanks ever carried out due diligence before these deals were
consummated?
Life is quid pro quo! As they say, to him much is
given, much is also expected of him. If Nigerian citizens must be coaxed into
volunteering their priced personal information on the guise of an e-I.D Card
believing their personal information are in safe hands, it behooves
establishments charged with handling these data ensures their utmost safety.
The South Korean scenario must be forestalled. Hence the National Identity
Management Commission (NIMC) must strictly adhere to Section 5 (g) of the
Commission’s Act which mandates it to, ‘’ensure the preservation, protection,
sanctity and security (including cyber security) of any information or data
collected, obtained, maintained or stored in respect of the National identity
Database. Folks responsible for data security must be well trained to be highly
efficient. Financial institutions and credit card firms must also invest in
cutting-edge softwares that will forestall the aforesaid unintended
consequences.
Granted Section 37 of the 1999 Constitution (as
amended) barely stated that the ‘’privacy of citizens, their homes,
correspondence, telephone and telegraphic communications is hereby guaranteed
and protected’’, one is not aware that Nigeria has a well-defined Data
Protection Law.
In line with international best practices, it is
high time the National Assembly brainstormed, passed a comprehensive Data
Protection Law which must inter alia, stipulate legal, regulatory framework,
guidelines and safeguards for storing, using personal data and also stringent
penalties for defaulters. If the #needful is not done, this may be a national
disaster waiting to happen.
Please we implore the National Assembly to expedite
passage of the National Cyber Security Bill into a law.
Finally, a poser: with an estimated 1,400 or more
illegal entry points to Nigeria and with millions of illegal aliens resident in
Nigeria, any assurance aliens will not obtain the e-ID Card? It's not uhuru yet!
Don
Okereke
(Security Analyst/Consultant,
Writer/Blogger, Change Agent, Ex-Serviceman)
Email: donnuait(a)yahoo.com
Email: donnuait(a)yahoo.com
Twitter: @donokereke
Telephone: +234 708 000 8285
I believe the NICS will benefit Nigeria and its citizens if better managed by NIMC
ReplyDeleteThis comment has been removed by the author.
DeleteHi Balogun, thanks for your contribution. It's agreed the project has the best of intentions if well harnessed but there are unintended consequences that must be addressed to get the desired outcome.
DeleteAs I said in the article, first things first. To hom much is given, much is also expected of him. If they have not done so yet, we expect the Presidency or National Assembly to come up with a data protection act (Law).
Adequate measures, global best practices must be put in place to forestall personal information of citizens getting compromised or been hacked. I believe you saw the coterie examples of data breaches I cited in my essay that played out even in the so-called advanced climes.
Cheers