(Ecofin Agency) - Over the past few years, thanks to its cyber safety actions, Benin has become an example in Africa. The intensification of its fight against online scams in recent months made national and international headlines, showing the country’s resolution to fight cybercrime. During the Cyber Africa Forum (CAF) held in Abidjan, Côte d’Ivoire, last April 24-25, Ouanilo Medegan Fagla, the director of the cybersecurity department of the country’s IT development agency ASIN enlightened Ecofin Agency on some of the cybersecurity challenges facing Benin.
Ecofin Agency: Mr. Ouanilo Medegan Fagla, you are the Director of the cybersecurity department of Benin’s IT development agency. As an expert in the digital sector, how would you describe the cybersecurity landscape in Benin?
Ouanilo Medegan Fagla: To put it simply, I can split the Beninese cybersecurity landscape into two segments. The first segment is the central part, concerning the State or the government’s digital assets. I would say that this is our direct scope because there are several initiatives like a national club that monitors e-government services daily and provides a certain level of security. All the initiatives prescribed are implemented by state agencies, institutions, and ministries. A great deal of work is being done in line with the government’s IT security policy. I think that in a few more months we will no longer have to worry even if we have to always be alert.
The second segment has an indirect scope and concerns individuals and businesses. Here, there’s still much to be done because even though ASIN makes cyber safety recommendations, its actions don’t necessarily reach businesses. Nevertheless, we hope that with the actions we are taking to dynamize the cybersecurity ecosystem, we would be able to fill the gap left.
EA: What are the major challenges facing IT security professionals in the country currently?
OMF: We basically have two challenges that boil down to one thing: leaders. Again, at the central level, we're fortunate to have leaders that enable, understand, and provide the resources. However, this is not the case at every level because if we are to implement cyber safety measures for a company, we can’t do so without the approval of leaders [or executives] because they will need to support the measures decided and even provide the resources needed. Sometimes, the measures do not even require huge resources because, they are tailored to the type of activity, strategy, and size of the business. The fact is that some businesses see cybersecurity as a cost item and think it is a sort of insurance against something that will never happen to them because they are too small and not much popular. But, hacking is an opportunistic thing, before being targeted. So whether or not you have a strategic or financial value, you can still be hacked. So it is this lack of support from executives that cause cybersecurity to be misrepresented, leading to one of the major problems we face.
EA: What are the measures taken by ANSI to protect citizens and businesses against cyber threats?
OMF: In Benin, over the past few years, we have been implementing the national cybersecurity strategy which aims to create a secure cyberspace to make the digital economy attractive [for investments] and boost the [digital] sector. The strategy focuses on five axes, namely the protection of information systems and critical infrastructures, the fight against cybercrime, the promotion of digital confidence, the development of skills and awareness, international cooperation, and national coordination. The aim is to secure [our] cyberspace and protect people. Concerning internet fraud, we take joint actions with the Central Office for the Repression of Cybercrime (OCRC), the Court for the Repression of Economic Crimes and Terrorism (CRIET), and all the investigative units to support the investigations carried out by the cybersecurity department. Awareness campaigns are also organized, for the population. Last year for instance, we launched the PARE (Protect, Alert, Empower, and Educate) campaign which took place mainly on social networks, on several channels, and in several languages in a rather playful format designed to call on the population to protect children against cyber threats and all sorts of scam.
EA: Are you working with international organizations to enhance cybersecurity in the region and ensure effective cyber safety worldwide?
OMF: We have had very good relationships with various international entities. One example is our membership about two years ago in FIRST (International Forum of Computer Security Incident Response Teams), which provides an extensive network in all countries where you can get help and skilled support when you are attacked or when you need information for an investigation. We work a lot with organizations such as the Council of Europe, INTERPOL, ECOWAS, and we also have some bilateral agreements with Burkina Faso, Tunisia, and even China, which allow us to have real-time information, on attacks coming from those countries. We have the AfricaCERT membership, the African-wide gathering of computer security incident response teams.
We also plan to ratify international conventions on mutual assistance in the fight against cybercrime, such as the Malabo Convention or the Budapest Convention, of which Benin is already a signatory for one and an observer for the other.
EA: How would you describe companies' and public institutions’ preparedness against cyberattacks in Benin?
OMF: As I said earlier, there are different levels, so it would be difficult to give an answer for every segment of the Beninese society. I told you what I think of the central part, that concerns the government. We have two policies at that level. The first is the security of information systems and its policy in that regard is being implemented by 300 public entities, with a strong emphasis on 40 of them that will be fully compliant with standards within two years and be prepared against cyberattacks. The second is the protection of critical infrastructure which aims to protect vital infrastructure that is tech-dependent in the country. We will enforce even stricter rules to ensure they are protected and the country as well.
EA: So, can we say that at the national level, Benin is proactively preparing itself against cyberattacks?
OMF: Absolutely. However, the measures need to reach every sphere, company, and sector.
EA: What do you think can be improved in Benin’s fight against cyber threats?
OMF: On April 20, we organized a workshop to review the national cybersecurity strategy. Participants included actors and international consultants who discussed how the strategy could take into account current challenges in the changing context. The three-year strategy was nearing its expiry date so, we decided to extend it for another two years and add new actions that will align it with current challenges. The said challenges include the emergence of new actors in the cybersecurity ecosystem, the intensification of the fight against cybercrimes, and the efforts needed to ensure that every entity complies with enacted policies.
EA: How do you see the future of cybersecurity in Benin?
OMF: Benin is already one of the cybersecurity leaders in the sub-region. Many countries are following its example. We are regularly mentioned because we have taken the right actions, at the right time and with the right support, including financial support. Truly, I can’t say that cybersecurity is guaranteed in Benin since it always depends on decision-makers. Nevertheless, I think that currently, with actions like the adoption of the digital law, cybersecurity is on a good path and can prosper in our country. Moreover, with our emerging talents that usually hit the Top 5 of international competitions every year, I believe we are on a good path with Benin keeping its leading position in terms of government initiatives and talent pool.
EA: Do you think that new technologies, such as the Internet of Things (IoT) and artificial intelligence, will have a major impact on IT security?
OMF: Yes, they will. I think the impact will come less quickly than people might think. Those technologies are already being used without being very noticeable. So the drastic paradigm shift that we are promised in cybersecurity is not necessarily going to happen right away I think. But I could be wrong. What actors need to do is to be prepared for these new contexts. The simplest example is post-quantum cryptographic attacks. Nowadays, passwords or encryptions that would have resisted decryption attempts for hundreds of years no longer hold up for 15 minutes against quantum computers. So the question now is how to avoid being left behind on these things, how to ensure that AI does not lead us to make bad decisions because of fake or poorly sourced data. We have to prepare ourselves right away to be ready to face these challenges.
Interview by Moutiou Adjibi Nourou and Muriel Edjo