When it comes to Ugandans, there is a general feeling that Internet crime is an advanced type of crime that has not yet infiltrated the country. The happy-go-lucky nature of the Internet in which anybody publishes anything at any time poses a serious security threat for any nation.
Cybercrime can be defined simply as any form of misconduct committed on the internet or computers with a main aim of defrauding or stealing from users. This can range from emails scams, cyber bullies, and social media frauds to large scale crimes like bank accounts hacks and illegal online transfer of funds. Cybercrimes can have a direct impact on peoples’ lives where data is lost, money is stolen or a person’s privacy is infringed upon.
Past cases of cybercrime
Cybercrime in Uganda has been mainly happening through email and website scams in which people are swindled huge amounts of money to buy non-existent products or in promise of some future returns. For example in July 2004, Grace Muwanguzi lost a passport and $500 to a fake company arranging visas, free transport and accommodation in Canada. The company camouflaged under an HIV/AIDS project of Trainer of Trainers course by the Ministry of Health where officials were to travel to Toronto. Grace viewed their website over the internet with details of the conference, and met the requirements. On the expected day of returning passports and visas the perpetrators disappeared.
However, these scams have not been limited to individuals alone. A few years ago, New Vision, the country’s biggest newspaper reported that MTN lost millions from its Mobile Money Network account by way of scam while Centenary Bank had to issue new ATM cards to its customers to minimize fraud.
In January 2005, various media outlets reported that Andrew Zzimwe Kasagga together with two Congolese were wanted by Interpol (Kenya) for involving in a multi-million dollar scam. They were accused of masterminding bank robbery when they engaged in fraudulent intranet bank transfer between Standard Charted Bank, Nairobi and Barclays Bank Kampala. The Kenyan Standard Chartered Bank staff wired $5million in three instalments to separate bank accounts in Kampala. Suspected conmen got the Nairobi based bank to wire one million dollars to Zzimwe’s Barclays Bank account in Kampala and another $2 million from Kenya was intercepted at Crane Bank. It had allegedly been sent to another suspect, Kampala lawyer, Paul Kalemera. While further investigations and trials were being conducted, another $3 million being swindled from Kenya was detected before it was sent to a forex bureau via a DFCU bank in Kampala.
Laxity or lack of knowledge?
Despite all the available evidence to the presence of cybercrime, it has been noted with concern that there is an absence or at best minimal recognition of a cybersecurity mindset within most of the government agencies and private sector agencies. Most government agencies do recognize the need for raising awareness on cybersecurity but that is not the norm yet. IT experts within government departments are aware of cybersecurity, but most employees are not aware.
Many businesses have minimal recognition of the need for creating a cybersecurity mindset in the work or business environment. The private sector is progressively becoming more aware of the need for cybersecurity but usually it’s only a handful of people in the organization who might be focusing on or driving Cybersecurity issues. Financial institutions such as banks have prioritized creating a cybersecurity mind-set at work places. A number of SMEs are aware of Cybersecurity risks and threats, but don’t know the right mechanisms to address the risks identified. Society-at-large has embraced a cybersecurity mind-set, but inconsistently. Privacy settings are available online and people might know how to create a password, but that does not mean that they have a cybersecurity mind-set.
Legal framework against cybercrime
Keeping in mind the above risks, it’s only logical to think that Uganda just like other countries has stringent laws against cybercrime. This however is not the case. Uganda introduced a statutory law to address cybercrime which was introduced in 2011 called the Computer Misuse Act.
a) The 2011 Computer Misuse Act
The 2011 Computer Misuse Act was enacted by the Parliament with the aim to, amongst other things, prevent unlawful access, abuse or misuse of computers. It provides for definitions of cybercrimes, related penalties and some procedural measures that law enforcement authorities can use in their fight against cybercrimes. The Act specifies cybercrime in the following types which include, crimes that target computer systems, electronic fraud, and the production or distribution of child pornography.
In addition to the Computer misuse act 2011, Uganda has a number of legislations in place, which address Internet misuse these include the Electronic Signatures Act, The Electronic Transactions Act, Electronic Misuse Act, the Access to Information Act and the Regulation of Interception of Communications Act 9.
b) Data Protection and Privacy Bill 2015
The Ministry of Information and Communications Technology in concurrence with Ministry of Justice and Constitutional Affairs, Uganda Communications Commission and National Information Technology Authority (NITA-U) of Uganda jointly coordinated the drafting of the Data Protection and Privacy Bill 2015, which will therefore buttress data protection in Uganda when it is passed into law.
Uganda has not ratified the AU Convention on Cyber Security and Personal Data Protection. With only 16 countries in Africa that have enacted Privacy and Data Protection laws, Uganda remains amongst the majority without safeguards in place to regulate the collection, storage and use of data. The publication of a draft bill three years ago was therefore a milestone.
The Parliament of Uganda called for submissions on the Draft Data Protection and Privacy Bill, 2015 and this has given an opportunity for stakeholders to provide input to ensure that the law, when enacted, measures up to internationally acceptable standards of data protection.
Uganda has no official document on Uganda national cybersecurity strategy. Instead, Uganda has a National Information Security Policy and a National Information Security Strategy. NITA-U brought together different stakeholders for consultation to develop both documents.
To make matters worse, there is no centralized budget for cybersecurity. Every Ministry allocates its budget separately and depends on previous experience and future plans to allocate budget for cybersecurity. Law-enforcement cooperates with NITA-U and Uganda Communications Commission (UCC) the telecommunications regulator in Uganda.
Cybercrime in a monetary perspective
A while back, the Uganda Police Force formally established a Cyber Crimes Unit charged with the responsibility of mitigating cybercrime in the country. This move was rather more criticized than welcomed as many believed that the establishment of this unit is intended to scare off online expression given the shifting trends from the use of traditional media to online. The police seeks to legitimize the illegal surveillance it has for a long time been undertaking through profiling citizens’ social media accounts like Facebook, Twitter, blogs among others. This will enable the police to commence investigations and prefer charges among which of terrorism and involving in subversive acts that threaten the state.
The cybercrime landscape evolves year over year as criminals alter their operating strategies, develop new tools and techniques, and take advantage of changes in consumer and business behavior. Mobile continues to remain vulnerable to cybercriminals as its popularity as a banking and e-commerce channel grows and more services become available via mobile apps. Cybercriminals are also jumping on the internet of things (loT) bandwagon by exploiting poor password practices to take over loT devices for their own purposes.
Way back in 2013, the Annual Police Report 2013 stated that cybercrime cost Uganda about UGX.18 billion. Another figure released by the Kaspersky Labs put the figure at UGX. 25 billion both figures were within the range that was released by the auditing firm, Deloitte.
The reports in 2016 indicated that the country’s monetary loss to cybercrime was UGX. 122 billion. Fast forward to 2017, cybersecurity researchers revealed that Uganda lost close to UGX. 15 billion ($42m) to cyber criminals in 2017 alone. In the period under review, 95.6% of cyber security incidents went unreported or unresolved and only 4.4% of the reported cases were followed through to a successful prosecution.
The Uganda Cyber Security Report also revealed that 90% of Ugandan organizations operate below the cyber security ‘poverty line’. For an organization to have in place a semblance of cyber defense they will have to incur costs of UGX. 5,550,000 ($1500) to invest in monitoring, detection and prevention tools.
With such conditions, it’s sad to say that the future of cybersecurity in the country is in a dire state. It has been noted that in the past few years, attacker knowledge has increased while user/victims knowledge has reduced. Unless solid steps are taken to bridge that gap, cybercrime is most likely to increase.