1

Cyber Defence East Africa 2018 Preparing for Cyber Crisis

Conference report

6-7th August 2018

Kampala, Uganda

2

Contents:

Cyber Defence East Africa conference – the idea 3

Executive Summary 4

Policy Day 5

Practical Sessions 13

Uganda’s Cyber Threat Landscape 16

The Organizers 17

3

Cyber Defence East Africa conference – the idea

Cyber-attacks, targeting both private and public sectors, are becoming

bigger and more aggressive in terms of the effect and cost they have.

2017 saw one of the greatest cyber-attacks of all times that affected

organizations in various countries all around the world, including East

Africa Region. Therefore, nations should be ready to deal with large scale

cyber-attacks and have effective crisis management mechanisms at

organizational, national and international level to reduce the damage

and spill-over effects across national borders.

Cyber Defence East Africa (CDEA) conference has been organized for the

6th time in East Africa region and for the 3rd time in Uganda. The annual

event is intended to work both as a meeting point for key cyber security

stakeholders as well as the platform for collaboration and new

initiatives. During the 2017 event the Declaration on strengthening cyber

security in financial sector was signed among key cyber security

stakeholders in financial sector. The act infused the urge for

collaboration and as a result continuous cooperation among Uganda’s

banking sector representatives has started.

2013, Tanzania 2014, Tanzania 2015, Tanzania

2016, Uganda 2017, Uganda

4

Executive Summary

Cyber Defence East Africa 2018 conference was co-organized in Uganda

by NRD Cyber Security and NITA-U and was dedicated to effective

preparation for cyber crisis. The event focused on readiness (i.e. how to

ensure maximum cyber incident visibility, training and preparation, etc.)

and reaction (i.e. immediate actions, incident handling, crisis

communication, etc.).

Once again it gathered CEOs, CIOs, CTOs, heads of IT departments, IT

managers, Infosec professionals together with policy-makers, law

enforcement officers, CERT and Central Bank representatives. In this

report you will find the main ideas, issues and suggestions that were

raised and shared during the Cyber Defence East Africa 2018 conference.

CDEA 2018 conference took place in Kampala, Uganda

5

Policy Day

The Policy Day was aimed at those closer to the strategy and policy

making with an emphasis that cyber security is first and foremost – a

management issue. Therefore, the day featured high-level keynote

speeches and panel sessions on cyber security threats and focused on

strategic aspects of cyber crisis management- how to prepare for and

handle cyber crisis so that it does not lead to national crisis. The day was

concluded by reviewing the effects of the Declaration on strengthening

cyber security in financial sector which was signed during the 2017

conference.

The Policy Day sessions was opened by Peter Kahiigi, head of E-

Government Services at NITA-U. In his welcoming speech, Mr. Kahiigi

highlighted the importance of continuous effort to prepare for cyber

crisis:

“As Uganda and the whole East Africa Region advances with technological

development, more people are using mobile money and online services -

we all become interconnected and as we know cyber threats have no

boundaries or borders. Hence, cyber-attacks can only be handled if we

prepare for them in synergy.”

6

Policy Day

Keynote by Dr. Vilius Benetis

The first keynote of the conference was delivered by NRD Cyber Security

CEO Dr. Vilius Benetis who shared his company’s experience and

knowledge of cyber security threats around the world and gave an

overview of cyber threat landscape, especially focusing on East Africa

Region. He compared the speed at which the attacks are spreading with

the average response and reaction time and put particular emphasis on

critical infrastructure:

„Then it comes to a sector that is in particularly vulnerable to any cyber

incident, like energy, finance, public health care, etc., the line between

cyber and national crisis can be really thin. The attacks are becoming more

sophisticated in both method and scale.”

He also highlighted the attackers are motivated both by financial gain

incentives as well as idea of creating chaos and disruption (which come

both from personal and political motives).

7

Policy Day

Effective cyber crisis management by Akvilė Giniotienė

Mrs. Akvilė Giniotienė, NRD Security Governance Expert, in her

presentation reviewed the roles and responsibilities for effective cyber

crisis management. Mrs. Giniotienė said that nations should really

evaluate the scale the organizational disruptions affect a country or even

a region as disruption inside the body can jeopardize economical,

infrastructural or political situation. Hence, it is vital to know what to

watch out for:

„For a country to have a clearer picture of how a national crisis would look

like, it is essential to know what constitutes national level risks. A National

Risk Assessment where a number of risks is reviewed and evaluated as

threatening country‘s stability, can help to have a more constructive view

of the most significant, yet vulnerable areas. This exercise enables the

country to identify what type of crisis should be dealt with at national level,

and which should be the responsibility of certain organizations or their

clusters. “

Mrs. Giniotienė also drew attention to how important it is to consider

cyber-attacks as a national threat, especially when thinking about

objects that belong to critical infrastructure:

“Contingency planning is the key and there are many stakeholders involved

as crisis usually doesn’t have borders. Many bodies, organizations and

disciplines need to be involved in national crisis handling. Preparation for

crisis should be taken as a unified approach as the vulnerable organizations

should be building their resilience capacity – in cyber security area this

could be done by establishing cyber security incident response teams,

training and establishing knowledge sharing practices to access the latest

information about cyber threats and their effective handling.”

8

Policy Day

Panel discussion: Effective cyber crisis management –

who needs to be involved and how?

The presentation Akvilė Giniotienė delivered worked as an intro to a

panel discussion with Emmanuel Mugabi, Information Security

Operations Manager at NITA-U, Noah Baalessanvu, Chairman at National

Information Security Advisory Group and Andrew Walusimbi, Lead

Implementer at Uganda Bankers Association. The discussion explored

how could cyber incident response team should prepare and be

prepared. Mr. Emmanuel Mughabi said that an effective CSIRT should be

prepared both at technological and staff level:

“Great tools and equipment are just one part of the puzzle, but skilled

people and continuous training is a must.”

Mr. Andrew Walusimbi added that it is great to see that Uganda’s

banking sector is treating cyber security seriously, but there are still

great challenges ahead:

“Financial services are amongst most heavily targeted and the awareness

level about cyber threats and their potential damage in many financial

institutions is high – most of them are already budgeting for cyber security.

However, a great issue continues to be skilled cyber security professionals

– the budget allows to acquire great tools, but the competencies to use

them properly in many cases are just not there. Hence, it could be of value

to outsource the skillset.”

Mrs. Giniotienė encouraged the participants to consider whether in

Uganda cyber security is seen as a shared responsibility amongst

different organizations and what is a fair share. Mr. Baalessanvu

highlighted the importance of collaboration amongst organization that

are part of critical infrastructure:

“It is vital not only to have reliable measures for threat intelligence in

individual organizations but approach it as a common issue – i.e. share

knowledge, information, insights and sometimes - even resources.

Currently this is not done enough. Harmonizing the use of same tools and

equipment can bring economic benefit.”

Mr. Walusimbi, representing Uganda Bankers Association, added:

“In theory many organizations know that they should be establishing cyber

security measures and have a way to monitor, analyze and handle cyber

incidents, yet still there is a lot of reliance on government.”

9

Policy Day

Communication during cyber crisis by Živilė

Nečejauskaitė

This year the conference explored the topic of communication and its

role in preparation for and handling cyber crisis – the presentation was

delivered by NRD Cyber Security Marketing and Communications Expert

Živilė Nečejauskaitė.

• Very few organizations have PR crisis management plans and if they

do, rarely it is updated regularly to reflect changes in organizational

structure;

• If PR crisis management plan is absent, a formula could be used to

prevent cyber security crisis evolving into public relations (PR) crisis;

• In preparation for cyber crisis the organization should consider the

three ingredients:

o Clarity – putting a mechanism in place that allows to gather the

facts and figures as soon as possible;

o Core team – who should be notified about the crisis first;

o Speed – knowing the communication chain, i.e. having a clear

overview of all the layers of people involved in passing on

information from top management to casual staff and vice versa.

• When the crisis strikes, first the organization should acknowledge it.

Clear signs of a crisis are when the situation can have any of the

following consequences:

o Damage organization’s functional and/or financial

performance;

o Harm the health and well-being of customers;

o Employees, surrounding community and environment;

o Destroy public’s trust in the organization.

10

Policy Day

Panel discussion: Communications during cyber crisis:

What to communicate?

Mrs. Nečejauskaitė was later joined on stage by Steven Kirenga,

Marketing and Communications Lead at NITA-U, and Danny Craig, a

Consultant at Summit Consulting. They explored how to avoid

disinformation and confusion during cyber crisis. Mr. Craig stressed the

importance of stakeholder management:

“During a crisis it is essential to avoid wasting energy on false enquiries that

result due to incorrect communication choices. Identification and mapping

out of key stakeholders, drafting the messages they should get and

agreeing which channels to choose for communication can significantly

improve the effectiveness of crisis management.”

Mr. Kirenga added that avoiding communication can have disastrous

effects:

“The worst of all is to say nothing at all, especially to your internal

stakeholders. This way the organization is only encouraging rumours and

distortion of the facts.”

11

Policy Day

Cybercrime trends in East Africa by Joseph Mathenge

Mr. Joseph Mathenge, Chief Operating Officer at Serianu, reviewed

„Africa‘s Cyber Security Report for 2017“ which was conducted in

collaboration with 850 African organizations in both public and private

sectors. The report findings suggest that organization’s vulnerability to

cyber-attacks is increasingly dependent on internal factors. As more

organization in Africa automate their processes and more data is

accessible by various stakeholders from different devices, more security

measures must be in place to protect both the organization and the end-

user. Hence, it is important to have a holistic approach towards cyber

security.

Mr. Mathenge once again stressed that financial institutions and

organizations remain one of the most targeted and especially drew

attention to Uganda’s banking sector which suffers from the highest

number of cyber threats in the country.

Panel discussion: EAC efforts to address cybercrime

Mr. Mathenge was later joined on stage by panel discussion participants

Jimmy Haguma, IT Commissioner at Uganda Police Force, Herculs Bizure,

President at ISACA Kampala Chapter and Martin Karungi, Analyst at

Uganda National CERT/CC – NITA. The participants shared the

collaboration methods that are currently used by various organization in

Africa, especially in East Africa region. Mr. Haguma highlighted how

collaboration amongst interconnected organizations can simplify

processes:

“Prosecution and police already do training sessions together and we are

trying to bring other jurisdictions on board. It helps to ensure that cyber

threats are handled with the same manner and common issues are

promptly resolved.”.

Other speakers

During the conference, Goran Oparnica, general manager of INsig2, the

leading European company in the field of digital forensics, gave an

overview of the latest trends on handling modern cybercrime.

12

Policy Day

Mrs. Giniotienė addressed the Declaration on strengthening cyber

security in financial sector which, on behalf of all participants, was signed

by Permanent Secretary at Ministry of ICT & NG, NITA-U, Bankers

Association and Financial Intelligence Authority in 2017.

2017 Declaration

Every financial organization needs to establish effective governance structures with clear responsibilities for cyber security. Cyber security is Management issue and not a technological one. Effective response to cyber incidents is paramount to the stability of financial sector across East Africa. Board of directors of every financial institution must act without delay:

• Cyber-conscious organizations are to update their org-charts identifying a role, responsible for cyber secure operations of the organization, entrusted with clear mandate, responsibilities and budget.

• Cyber-conscious organizations are to ensure that the member of staff appointed to Cyber security role will report directly to the top management. Reporting to Head of IT keeps cybersecurity as purely technological issue and is not sufficient.

• Cyber-conscious organizations are to develop an actionable cybersecurity roadmaps approved and monitored by the top management.

• Financial, law enforcement and other public institutions must embrace the availability of digital data to enhance their decision making and address the threats.

Mr. Walusibi from Uganda Bank Association stated that the declaration

first infused the urge for collaboration. Straight after the 2017

conference a meeting of bank representatives took place to discuss the

common issues and approaches and is being done on continuous basis

ever since. Mr. Emmanuel Mughabi, Information Security Operations

Manager at NITA-U added that a great progress in information sharing.

The conference concluded with remarks about the role and inclusion of

the organizations that are important to country’s cyber security

ecosystem, yet do not belong to critical infrastructure or are not

classifying themselves as part of any sector. Mr. Walusabi said:

„We have already started categorizing small organizations that are

carrying out financial transactions as microfinance and started treating

them as part of the financial sector. Although their impact may not seem

significant, they are part of cyber security ecosystem and are playing a

role.”

13

Practical Sessions

The second day of the conference focused on practical solutions and was

split in two parts:

1. Uganda Cyber Security Assessment and Defining Cyber Landscape for Uganda;

2. Interactive crisis simulation exercise based on role-play.

14

Practical Sessions

Together with key cybersecurity stakeholders National Cyber Security

Index (NCSI) update session was performed. NCSI, developed by the e-

Governance Academy (eGA), works on one hand as a systematic

guidance for the development of trustworthy information society, and

on the other hand as an index, which describes the current situation in

different countries and lets countries to compare themselves with each

other.

After reviewing and submitting missing legal documentation which

proves Uganda’s efforts to create strong legal base for cyber security, in

NCSI ranking the country has risen from 75th to 41st place and now is the

leader in the African region.

15

Practical Sessions

The second session on the Practical Session Day of the conference was

designed to give the participants the taster of the real case scenario. An

interactive crisis simulation exercise, based on role-play was moderated

by Dr. Vilius Benetis, CEO at NRD Cyber Security. Based on a scenario of

a potential cyber-attack in a finance sector, the exercise encouraged the

participants to think how they should deal with various stakeholders,

how they should manage the information flow and how they should

react under pressure.

The participants were split into groups where they all shared the same

issue but had different responsibilities. Some participants acted as

independent stakeholders (such as police, press, central bank, etc.). The

exercise was timed, and the particularities of each group’s decisions

were discussed.

16

Uganda’s Cyber Threat Landscape

During the conference, Uganda’s cyber threat landscape was defined by performing cyber security assessment with all the participants in the conference. A survey was conducted on the frequency of threat-related incidents and their impact on UGANDA. The workshop generated a report which have been shared with the authorities in UGANDA and can be used:

• For national cyber security strategy and CIIP strategy development;

• For cyber risk assessment framework for CIIs;

• By executives, risk managers, auditors and security managers in Uganda.

17

The Organizers

For the third year in the row, the conference is co-organized by NRD Cyber Security and NITA-U. It was endorsed by NRD Companies that have been organizing the conference in East Africa since 2013, together with NRD Cyber Security, NITA-U in Uganda and other partners in Tanzania. NRD Cyber Security is a cybersecurity technology consulting, incident response and applied research company. The Company focuses on the services to specialized public services providers, such as Law enforcement, National Cyber Incident Response Teams (CSIRTs), Security Operating Centers (SOCs), Telecom, National communication Regulators, National Critical Infrastructure, Finance industry and corporates with high data sensitivity. Our mission is creating a secure digital environment for states, governments, corporations and citizens in Central and Eastern Europe, SubSaharan Africa, South Asia and other regions via technology platforms, workflows and processes.

All conference attendees were accredited 14 CPE hours as well as received a certificate of attendance.

18

Gynėjų str. 14, Vilnius, LT-01109, Lithuania Phone: +370 5 219 1919 E-mail: info@nrdcs.lt