IMPLEMENTATION OF THE CYBERSECURITY ACT, 2020 (ACT 1038) WILL BE CHALLENGING: A LOOK AT THE ACCREDITATION OF CYBERSECURITY PROFESSIONALS AND PRACTITIONERS
INTRODUCTION
I have read the Cybersecurity Act, 2020 (Act 1038), and in my view its implementation will be challenging. In my first article, I looked at the Governance Structure of the Cybersecurity Authority and a political orientation that could compromise its operational independence and affect the continuity of the role of the Authority should there be a change of government. An institutionalized Board under a specified Ministry to take care of government policy directives would have been preferable.
In my second article, I highlighted how complex the implementation of the Licensing of Cybersecurity Providers under Act 1038 will be, considering the broad, vague and all-encompassing meaning given to what a cybersecurity service is, which in my opinion may include anybody who deals with computers, be it by way of software or hardware with connectivity to cyberspace.
This, my last article on Act 1038, will look at the Accreditation of Cybersecurity Professionals and Practitioners as well as Cybersecurity Standards, Enforcement and Education. This is an area likely to be in conflict with the National Accreditation Board, University Faculties and other professional bodies such as ISACA. Accreditation of cybersecurity professionals and practitioners, as well as setting standards for cybersecurity training and education, will be tricky due to the dynamic and diverse skill set needed in such an industry. How is this going to be implemented?
My approach for this article will be simple: state what the Authority is supposed to be doing and how feasible that is in practice.
ACCREDITATION OF CYBERSECURITY PRACTITIONERS AND PROFESSIONALS
According to Act 1038, a Cybersecurity Practitioner is an individual or a firm that protects a computer system or digital service, and a Cybersecurity Professional is a person accredited under this Act to perform a cybersecurity-related professional function. The Cybersecurity Authority under the Act "shall establish a mechanism for the accreditation of cybersecurity professionals and practitioners".
There are professional bodies like ISACA that award certifications such as CSX-P to people who have undergone rigorous training and education in cybersecurity as professionals and practitioners. A professional, I believe, is basically a person who belongs to a professional body or performs an activity as their main source of income. In the corporate world the distinction between an academic qualification and a professional one is that the holder of the latter belongs to a professional body. The professional is more of a master in a particular field and need not be a practitioner. We can therefore have Chartered Bankers, Medical Doctors or Lawyers who are professionals but not practitioners. There are universities that award degrees in cybersecurity and even an LLM in cybersecurity. There are many Information Technology (IT) certifications from accredited institutions that have to do with protecting computer systems or digital services. Now what does the Authority want to do? Are we saying that none of these people can support any organization or put their expertise to use until they have been accredited by the Cybersecurity Authority?
The use of the word "shall" makes it imperative for the Authority to grant the accreditation, and I am not surprised it also says "establish a mechanism", because it is a herculean task for an Authority to do this in such a dynamic environment. Let us take the banking industry for example: there are Chartered Bankers who are professionals, and there are those who work in banks as practitioners and call themselves Bankers. The regulator is the Bank of Ghana, but it does not accredit either the professional Banker or the practitioner Banker. What a regulator can do is specify the type of education or training required for certain roles in the industry it regulates, especially at the executive level. Is Act 1038 saying that an ISACA-certified CSX-P holder, for example, or someone with a degree in cybersecurity cannot be a cybersecurity professional or practitioner until accredited by the Authority, and that should the person touch anything cybersecurity, a fine must be paid?
In my opinion, there is nothing complex about cybersecurity that cannot be handled by those who know how, with the needed knowledge, technical tools and cybersecurity risk management practices. I think cybersecurity has been blown out of proportion by a few so-called experts so they can earn their living, and maybe the legislature, being cyberphobic, has bought into it.
CYBERSECURITY STANDARDS AND ENFORCEMENT
Under the Act, the "Authority shall develop, establish and adopt for cybersecurity the following:
i. Education and skills development
ii. Hardware and software engineering
iii. Governance and risk management
iv. Research and development"
Also, the Authority shall develop a qualification and competency framework for
i. persons offering training in cybersecurity programmes and
ii. educational institutions offering cybersecurity programmes.
In my opinion, the use of "shall" is too imperative; the Authority should have been given more of a facilitating or collaborative role. Does this mean the Authority is responsible for developing the curriculum for the universities and professional bodies involved in cybersecurity training and education? Who is going to be working at the Authority, and what will their competency levels be in the development and design of such competency frameworks? Well, the frameworks already exist anyway. Why does the Authority want to get involved in, for example, hardware and software engineering? Is it going to review what institutions such as NIIT are teaching? Must these institutions seek accreditation from the National Accreditation Board as well as from the Authority? The cybersecurity standards and their enforcement could come into conflict with other educational standards and accreditation, given the dynamic and diverse skill set needed in such an industry. What about educational institutions outside the country? Should anyone who has acquired a qualification in cybersecurity outside the country seek validation from the Authority before working in Ghana, to make sure it meets the standards? I guess so, because under the Act you cannot even touch cybersecurity without being accredited by the Authority anyway. I wonder how this will be accomplished.
CONCLUSION
Due to the complex mandate given to the Cybersecurity Authority, to implement the Act the Authority will need a diverse set of professionals: Researchers, Educators, IT Risk Managers, Software and Hardware Engineers, IT Governance experts, IT Auditors and IT Lawyers. I believe they all have to be prefixed with the powerful word "Cybersecurity" to be able to head and work in the various directorates that may have to be established to execute this mandate. These skill sets are abundant in the private sector, industry and academia, for which a collaboration would have been more meaningful and easier to implement, with the Authority playing a facilitating, inspection and monitoring role.
When you put in too many controls, the very system you are trying to protect comes to a halt. Risk in cyberspace can only be mitigated and managed, not eliminated. I must say Act 1038 is watertight in theory, and if it is meant to satisfy some requirement to be seen as a country fighting cybercrime or preventing cyberattacks, then its purpose has been achieved. No doubt.
The Authority seems to have bitten off more than it can chew, and I wonder whether an impact analysis of the Act was done before it was passed into law. The Regulations to follow the Act must bring clarity to its intent so that in practice the implementation can be accomplished.
Let me end with what Chris Reed, a Professor of Electronic Commerce Law, said about making laws for cyberspace:
i. The law must be understandable and it must appear to be possible to comply.
ii. The law must be aiming to achieve a sensible, feasible end.
iii. The content of the law must reasonably match the way in which activities are carried out in cyberspace.
iv. The law must be sufficiently future-proof so that it can adapt to changes in business methods and technological innovation.