By John Walubengo
Last week, Kenya’s cyberspace experienced a cyber attack from a group calling itself ‘Anonymous Sudan’.
However, most cybersecurity analysts believe that the group is not actually from Sudan, but rather consists of hired cyber-mercenaries from developed nations in Eastern Europe.
Just like we have standby armies for hire, one can also rent some standby cyberattack capabilities and deploy them against a target country’s critical information infrastructure – like what happened in Kenya last week.
Critical government and some private sector services hosted online were flooded by a massive avalanche of synthetic user requests. Typically, a server is designed to receive user requests from humans, whose rate of request is manageable and serviceable within reasonable time frames.
However, if the same server is subjected to service requests manufactured by other machines, it gets overwhelmed as it tries to cope. Eventually, it simply trips and shuts down after running out of memory or processing capacity.
Denial of Service Attacks (DoS)
This is commonly known as a Denial-of-Service (DoS) attack: the overwhelmed server is given useless, synthetic errands and fails to service real human user requests.
Usually, the easiest and quickest defence against such an attack is to identify, isolate and block the traffic from the source machine sending the manufactured or synthetic user requests.
Since the attackers are aware of this simple defence mechanism, they make the attack better and stronger by hijacking or colonising different machine sources, then directing them to send the offending traffic from all corners of the country and indeed the globe.
If that happens to your server, you are now squarely under what is known as a distributed denial-of-service (DDoS) attack. Defending against a DDoS is no light matter, as Kenya learnt the hard way.
It requires a deliberate, long-term, multistakeholder approach as envisioned in Kenya’s National Cybersecurity Strategy.
Whereas our legal frameworks identify and assign key state agencies to come to our cyberspace defence, such as the National Computer & Cybercrimes Coordination Committee, the Office of the Data Protection Commissioner, and the Communications Authority of Kenya amongst others, the hard truth is that none of these agencies owns any infrastructure that, if attacked, would send the Kenyan cyberspace into a life-threatening spin.
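The simple defence described in this section (block any single source that sends more than a human-plausible rate) and the reason a distributed attack slips past it, as an added example that is not part of the original column. The traffic is constructed, and the window, per-source limit and server capacity are assumed values.

```python
from collections import defaultdict, deque

WINDOW_S = 10           # sliding window in seconds (assumed value)
PER_SOURCE_LIMIT = 20   # requests one source may send per window (assumed)
SERVER_CAPACITY = 200   # requests the server can serve per window (assumed)

def analyse(requests):
    """Apply per-source blocking to (timestamp, source) pairs sorted by time.

    Returns (blocked_sources, peak_load), where peak_load is the largest
    number of admitted requests seen inside any one window."""
    per_source = defaultdict(deque)   # recent timestamps for each source
    admitted = deque()                # recent timestamps of admitted requests
    blocked, peak = set(), 0
    for ts, src in requests:
        if src in blocked:
            continue                  # traffic from a blocked source is dropped
        q = per_source[src]
        while q and q[0] <= ts - WINDOW_S:
            q.popleft()
        q.append(ts)
        if len(q) > PER_SOURCE_LIMIT:
            blocked.add(src)          # identify, isolate and block the source
            continue
        while admitted and admitted[0] <= ts - WINDOW_S:
            admitted.popleft()
        admitted.append(ts)
        peak = max(peak, len(admitted))
    return blocked, peak

# Constructed traffic, 60 seconds each (addresses are sample values).
def humans():             # 30 people, one request every 5 seconds each
    return [(t, f"192.0.2.{i}") for t in range(0, 60, 5) for i in range(30)]

def single_flood():       # DoS: one machine sending 50 requests per second
    return [(t + k / 50, "198.51.100.7") for t in range(60) for k in range(50)]

def distributed_flood():  # DDoS: 500 machines, only 1 request per second each
    return [(t, f"10.9.{b // 250}.{b % 250}") for t in range(60) for b in range(500)]

def run(attack):
    return analyse(sorted(humans() + attack))

if __name__ == "__main__":
    for name, attack in (("DoS", single_flood()), ("DDoS", distributed_flood())):
        blocked, peak = run(attack)
        print(f"{name}: blocked={len(blocked)} peak={peak} capacity={SERVER_CAPACITY}")
```

In the single-source case the one offending address is blocked and the load stays within capacity; in the distributed case no address crosses the per-source limit, nothing is blocked, and the combined load is many times what the server can serve.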
Multistakeholder approach
Most of the attack surface, or the critical infrastructure that can be attacked to bring Kenya’s digital economy to its knees, lies elsewhere.
It lies with parastatals such as Kenya Revenue Authority, Kenya Civil Aviation, Kenya ICT Authority, and Telkom Kenya.
It lies with the private sector, which owns and operates critical infrastructure, such as MPESA, Banks & other financial institutions, Hospitals, Media, Kenya Education Network (KENET), and Kenya Information Network (KENIC) amongst others.
Last but not least, civil society and academia, whose work ranges from training users in important cybersecurity skills to graduating the specialized cybersecurity professionals needed to defend our cyberspace, form a critical and integral part of any country’s cybersecurity arsenal.
Each of these actors – ministries, regulators, parastatals, private sector, academia, and civil society – must appreciate the role they play in securing our digital borders. More importantly, each stakeholder should not imagine that they are more important than the other.
A divided approach makes it easier for attackers to bring down the system with a single DDoS attack.
__________________________________________________________________________________________
John Walubengo is an ICT Lecturer and Consultant. @jwalu.