The Nigeria signed National Cybersecurity Policy & Strategy (NCPS) document has been a document of discussion. While the generality of the document is a necessity many believe that it may just be one of the numerous documents that the government will sign but fail to implement.
Although the document also contains an implementation framework. However, the Nigerian populace has seen better implementation documentation without the willpower to carry out the designed implementation.
The 2021 NCPS document was a review of the 2014 version, which also has its implementation plan but was never implemented. Although the implementation plan of the 2014 NCPS was an aftermath of an addendum as the Office of the National Security Adviser (ONSA), who is responsible for the development, coordination, and implementation of policies in line with the security and protection of Nigeria cyberspace may have failed in its responsibility. Many believed that the major reason while the 2014 NCPS was not implemented was because of the change in the political domain in 2015. Unfortunately, it took us additional 7years to review and sign another National Cybersecurity Policy & Strategy.
Hopefully, the 2021 NCPS implementation details are well documented and I strongly believe that it will be implemented accordingly. From the implementation plan, it should take us another 4years to fully implement the policy and strategy as documented. That is to say, we should be hopeful of a fully implemented policy by the end of 2025. As important as the implementation of the National Cybersecurity Policy & Strategy is, we should also keep in mind that the importance of understanding the document itself. So, I have taken note of some very important points and policies that the document made provisions for.
First is the establishment of a Coordinating Center that will be known as the National Cybersecurity Coordinating Center (NCCC). They will be the sole coordinator of any cybersecurity-related activities within the Nigeria cyber domain. It is the establishment of another agency under the Office of the National Security Advisor. They will liaise with other international cybersecurity agencies to develop and implement policies that will secure and protect Nigerians in the cyber domain. They will also liaise with local security and regulatory agencies such as NAICOM, PENCOM, NITDA, CBN, Nigeria Police Force, Military & Paramilitary for the development and implementation of different cybersecurity industry frameworks.
Another very important policy in the NCPS document is the establishment of Sectorial-CSIRT and Private-CSIRT coordinated by the Nigeria Computer Emergency Response Team (NgCERT). Sectoral Cyber Security Incident Response Team are a team of cybersecurity expert equipped with the skill in preparing for an attack, detecting, containing, and responding to an attack. The Sectorial-CSIRT will be established by the regulatory body of any industry and they will be the first point of contact in the case of a cyber-attack. Some of the sectoral-CSIRT will come from the 13 identified sectors in the Critical National Information Infrastructure Plan (CNIIP) and they are oil & energy, banking/finance & insurance, health, public administration, education, water, iT, science & technology, defense & security, transport, food & agriculture, safety & emergency services, industrial & manufacturing, mines & steel. The Private-CSIRT will comprise of private organization owned CSIRT and Managed CSIRT Provider. Managed CSIRT providers will offer the CSIRT service for business to other private organizations that may not have the capacity to develop their CSIRT team.
According to the Cybercrime Act 2015, only the President can determine what is considered to be a Critical National Infrastructure. This policy document prepared by the Office of National Security Adviser and signed by the President has identified and out-listed sectors operating under the Critical National Information Infrastructure (CNII). A Critical National Information Infrastructure (CNII) are information and communication systems, networks, or any infrastruture that the nation depends on for economic development, commerce & financial transaction, social interaction, public safety, power & water supply, medical & health, government operation, national security, and defense. The CNII will have a Critical National Information Infrastructure Protection Plan (CNIIP) and a Trusted Information Sharing Network (TISN) that will enable operators and businesses under the CNII to identify, detect and respond to specific cyber attacks.
A very necessary aspect of the NCPS document is the establishment of the National Cybersecurity Training Institute (NCTI) that will be responsible for the development of skilled professionals through standardized skill acquisition, certification courses, and programs in the cybersecurity industry. They will also coordinate other cybersecurity training centers.
The NCPS document also made provision for the implementation of a detecting technology known as the Cybersecurity Emergency Monitoring System (CEMS). CEMS is an infrastructure that may be deployed at Internet Service Provider’s end and internet exchange point location to prone every traffic coming into the Nigeria Cyberdomain for a possible anomaly. This system will monitor all traffic to identify and detect possible cyber attacks and raise alarms. This will enable the coordinating center to know the target and respond accordingly.
This document has many other outlined planned policies, such as the National Cybersecurity Crisis Response Plan that will help in a national cyberattack situation. It also has the National Cyber Defense Plan, which is for military integration of the cyber domain battle. Then there is the Child Online Abuse & Exploitation Combating Strategy (COAECS) that will help to protect children in cyberspace.
While this document is comprehensive enough, and a good step in the right direction, however, as earlier mentioned, the fear of true implementation is still a concern for many Nigerians. Notwithstanding its implementation, the document will need constant review as the cybersecurity industry is a dynamic industry that will require dynamism.
