IMPLEMENTATION OF THE CYBERSECURITY ACT, 2020 (ACT 1038) WILL BE CHALLENGING: A LOOK AT THE LICENSING OF THE CYBERSECURITY PROVIDERS
INTRODUCTION
I have read the Cybersecurity Act, 2020 (Act 1038), and in my view its implementation will be challenging. In my first article I looked at the Governance Structure of the Cybersecurity Authority and its political orientation, which could compromise the operational independence of the Authority and affect the continuity of its role should there be a change of government. An institutionalized Board under a specified Ministry to take care of government policy directives would have been preferable.
This article will look at the Licensing of the Cybersecurity Providers (sections 49, 100 and the First Schedule of Act 1038), which requires that a person shall not provide a cybersecurity service unless that person obtains a license issued by the Authority in accordance with the Act.
I find the implementation of this licensing regime complex, given the broad and unclear meaning the Act gives to "cybersecurity services" and "cybersecurity service provider".
My approach will be to state certain concepts as given by Act 1038 relating to cybersecurity, especially what the Act means by cybersecurity services, and then deduce how the licensing regime for Cybersecurity Providers would be challenging in practice. Invariably, it looks like anybody who deals with computers, whether by way of software or hardware that will be connected to cyberspace, would have to be licensed.
MEANING OF TERMS
· Cybersecurity Services
A service provided for reward that is intended primarily for, or aimed at, ensuring or safeguarding the cybersecurity of a computer or computer system belonging to a person. This includes services related to assessing, testing or evaluating cybersecurity, conducting forensic examination, and detecting a cybersecurity threat or incident. It also includes designing, selling, importing, exporting, installing, maintaining, repairing or servicing cybersecurity solutions. Monitoring cybersecurity and scanning information that is stored in, processed by or transmitted through a computer or computer system falls under cybersecurity services, as does maintaining effective management, operational and technical controls for the purpose of protecting the computer or computer system against any unauthorized effort to adversely affect its cybersecurity. Assessing or monitoring the compliance of an organization with its cybersecurity policy is also covered, together with providing advice on a cybersecurity programme, threats, solutions or risk management of cybersecurity, and providing or assessing training or instruction in relation to any cybersecurity service.
I really do not understand what the Act was trying to say or do. Basically, the above will include: anybody who imports or sells antivirus or firewall software or network hardware; anybody who uses a tool to scan information stored in a computer or computer system; anybody assessing the vulnerability of a computer to cyberattack; anybody giving advice on how a computer or computer system can be protected from cyberattack, such as the use of firewalls, antivirus and passwords; anybody (an auditor) monitoring an organisation's compliance with its own cybersecurity policy; anybody training staff on information security techniques; anybody who installs software meant to protect a computer or computer system from cyberattack, such as an antivirus; and anyone providing operational management controls to computer systems for the purpose of safeguarding the system from cyberattack, such as advising on forced password changes.
The services described in the Act as relating to cybersecurity are normal Information Technology (IT) services that are provided by a great many IT experts, be they programmers, hardware engineers, software engineers, lawyers specializing in IT or IT management consultants. Adding the word "cybersecurity" seems intended to make them look like some unique and exotic service so as to bring them under the Act. Obviously, with the internet being an integral part of our daily lives, every IT service will have to deal with some form of connectivity. The programmer developing HR software will have to make sure it can be accessed remotely and must put in certain cyber controls, which is a form of cybersecurity to protect the data. Must that programmer be licensed according to the Act?
· Cybersecurity
The state in which a computer or computer system is protected from unauthorized access or attack for the purpose of ensuring its availability, integrity and the confidentiality of the information stored.
What readily comes to mind when one hears "cybersecurity" is some form of technological solution to protect information, networks and applications that have some remote access connectivity from electronic attack, as in a cyberattack. The unauthorized access or attack is usually electronic, and that should have been made clear. The use of the word "state" by Act 1038 in the meaning of cybersecurity is so ambiguous that it can easily include a security man physically guarding a computer or computer system. Is a security man guarding the server room, where the servers are connected to the internet, providing a cybersecurity service? Must he be licensed?
· Cybersecurity Products
This includes a computer, computer system, computer programme or computer service designed for, or purported to be designed for, ensuring or enhancing the cybersecurity of another computer or computer system. The Cybersecurity Authority is mandated to certify all cybersecurity products and technology solutions.
Does the above mean the providers of these products must be licensed as well, since their product or service is related to cybersecurity? Does it mean anyone who writes software that has any connectivity tool securing a computer from cyberattack must be licensed and the product certified? Even if this has to be done, is the Ghana Standards Authority only for bitters? We can get a unit there to do that.
· Cybersecurity Service Provider
Any person licensed under the Act to provide a cybersecurity service.
Under the transitional provisions, a person who provides a cybersecurity service before the coming into force of the Act must, within three months of the Act coming into force, apply to obtain a licence or pay an administrative fine. I am confused as to who must apply to obtain the licence.
CONCLUSION
The services relating to cybersecurity are so diverse across the Information Technology space that almost every IT professional, software or hardware engineer, will have to be licensed, since their work cannot avoid some form of protection against cyberattack, even if it entails the mere installation of an antivirus or firewall. I have no doubt that it will even be a challenge for the Cybersecurity Authority to determine who falls under its licensing regime, looking at the plethora of IT service providers and professions. Again, as I asked in my earlier article, are some self-styled cybersecurity experts creating a niche role for themselves? I just hope the regulations to follow the Act will bring some clarity.