May 15, 2019

How MDAs compromise national security with offshore data hosting

data security

data security

By Prince Osuagwu, Hi-Tech Editor & Juliet Umeh

Stakeholders in the Information and Communications Technology, ICT, sector are worried that the Nigerian government appears to see the national security question from only military invasions and Boko Haram angles alone, leaving out the most deadly –  cyber attacks.

data security, data hosting

data security

Their worries were informed by recent revelations that majority of the Ministries, Directorates and Agencies, MDAs of government, still host databases containing sensitive information, outside the country.

This is despite directives that all MDAs must accord priority to local content in both technology acquisitions and data hosting.

The National Information Technology Development Agency, NITDA’s local content guideline on Information and Communications Technology, ICT, states emphatically in Section 14.1.2 that “Data and Information Management Firms shall host government data locally within the country and shall not for any reason host any government data outside the country without an express approval from NITDA and the SGF.”

14.2. of the same regulation tasked MDAs to: 1. Promote as mandatory the presence of system logs and other computer data logging technologies to aid in the effective troubleshooting and forensic investigation of events in government and civil service systems 2. Be responsible for ensuring that reasonable care is taken to adequately secure the data and information of government and civil service that is created, transferred and stored in digital formats. 3. Ensure that all government data is hosted locally inside the country within 18 months from the publication of these guidelines.

NITDA has argued, on several occasions that the progress made in the adoption and utilisation of ICT in both the public and private sectors of the economy makes hosting data and information inevitable, but regretted that both public and private sector organisations still host data offshore, despite having highly reliable Tier III Data Centres, certified by various international organisations and guaranteeing almost 100 per cent availability as well as multiple layers of security.

Part of the gains of hosting data locally include, guaranteed reduction in cost and capital flight, digital job creation, increased security, and increase in tax revenues to boost the local economy.

However, at a Data and Cloud roundtable hosted by Cyber Africa in Lagos recently, Regional Head, Lagos, Galaxy Backbone, Mr. Temitope Dele-Oni admitted that surprisingly, even the Ministries, Directorates and Agencies of the Federal Government are still hosting data offshore, contrary to guideline against such action.

This was corroborated by Sidmach Technologies Limited which also admitted that it hosts 90 per cent of its data offshore purely on security considerations.

Head, Sales of Sidmach, Mr Charles Billyfrank said his company secures sensitive information of its clients abroad because it could not trust the local hosts.

READ ALSO: Nigerian Army warns media against unverified information

His words: “On cloud scalability, at Sidmach, we currently host 90 per cent of our data offshore through our cloud partners. We are only able to host 10 per cent locally, based on security reasons. “The fact is that we are custodians of very sensitive data that have been in existence for 25 years, like NYSC of 15 years, JAMB of 10 years and WAEC of up to 15 years. Those data are very sensitive and it’s not what we can leave in the hands of mediocre data centres. We are storing them with reliable and proven partners with understanding and experience in the business”.

However, for Dele-Oni, the danger in offshore data hosting is that in case of a breach, the laws that apply to data protection in those countries will not apply to the local data which will surely be regarded as foreign data and the host may not be liable for the compromise.

He said: “We need to encourage our own local providers because we know ourselves, we can protect, we can escalate, reengage any legal means to ensure that we protect ourselves.

Going abroad does not protect us; it exposes a lot of uncertainty.

Discussing Nigeria data economy in the fourth industrial revolution, a software architect, Mr. Rock Adote, called on the Federal Government to enforce the local content regulation, if only to call the MDAs to order.

Adote frowned at the actions of the MDAs and called for enactment of law to support existing guidelines that will ensure they comply.

He warned companies to critically review their security reasons for offshore hosting because although it may be cheaper to host data offshore due to adequate facilities, the national security angle should not be ignored.

For him, “there is a concern specifically about what these people do with the data stored in their country, because once a data goes outside Nigeria, local laws applies. These laws surround the way those data are used.

“Look at what happened in Facebook, if not for the investigation, who could have believed that such a popular platform could handle customer data poorly?

“So there are really concerns of when Nigerian’s data are in the hands of a foreigner and I think government should do well in enabling local data centre providers to ensure that data generated locally here, are also locally stored.

But the President, Centre for Cyber Awareness and Development, CECAD, Dr Bayero Agabi, sees the issue of national security as it concerns data governance differently. According to Agabi, one does not control what he knows not the origin. Nigeria should revamp its industrial base and become truly manufacturers of data aggregating equipment before aiming at controlling local data.

Agabi’s point is that “First, all ICT equipment used in Nigeria are either made in the east or west; none is made in Africa or Nigeria. Every digital equipment including the mobile phones, has International Mobile Equipment Identity, IMEI, number, which enables the manufacturers have control over the equipment.  So, if the manufacturers have access and control of their equipment, they would also equally have access to the data.

“Again, Nigeria buys servers from Europe and  data capturing machines for elections, from China, how smart does it sound to say the Data captured during elections are safe and  secure?. There’s a lot of confusion around this issue of controlling data for national security sake. When Google can track what we do with our phones and TV sets, how much more access can we deny it from our national database or even personal information?

The truth is that we are paying the price of fast development. We leapfrogged straight to the mobile ecosystem without ownership or control of the backbone ecosystem.  Some developed economies are now sceptical of who deploys 5G networks for them because they know that who owns the technology controls it. They banned the Over the top, OTT service providers because they have alternatives. So, for Nigeria to truly control its national security, in this digital society, it must develop the skills, own the infrastructure and advance the lawmaking process to complement them” he added.