Critical Information Infrastructure (CII), which is also referred to in some jurisdictions as critical national infrastructure or critical infrastructure, are institutions of a country that, when disrupted, will disturb the economy, livelihood, and security of the citizens of that country. These infrastructures are at the heart of every state, hence any disruptions to them will jeopardize the smooth running of the state.
Due to their importance, they have become a major target for terrorists, hackers and other states as witnessed globally in recent times. According to Jackpotting & Muncaster (2018), out of over 200 responses received from CII organizations in the UK, 70% of them had experienced service outages in the past two years. 35% of these outages were due to cyber-attacks.
According to the World Economic Forum’s 2020 Global Risks Report, cyberattacks on CII (ranked 5th top risk in 2020) is now “the new normal” in the health, energy, and transportation industries.
Ghana’s Cybersecurity Act, 2020 (Act 1038) spells out a number of controls (provisions) for protecting Ghana’s CII. Sections 35 to 40 of the Act are dedicated to protecting these infrastructures. In my view, the Act itself and the inclusion of these provisions is largely influenced by the Ghana National Cyber Security Policy & Strategy document dated March 2014.
In the presentation of the National Cyber Security Advisor at the 17th Knowledge Forum of the Ghana Chamber of Telecommunications (7th July 2021), he mentioned the following 13 sectors as CII of Ghana: education, finance, defence & security, ICT, transportation, health, government, mining, manufacturing, energy, water, emergency, and food & agriculture.
The following sections of this article discuss provisions of the Act related to protecting Ghana’s CII.
Designation and withdrawal of CII
The Minister may upon the advice of the Cyber Security Authority (CSA), designate a computer system or network as a CII if it is deemed necessary for national security, or the economic and social well-being of Ghanaians.
The determination of a CII should consider if the infrastructure is necessary for the security, defence, or international relations of Ghana if it is related to communications and telecommunications, financial services, public utilities, public transportation, public key infrastructure, public safety, public health, international business or communication affecting Ghanaians, the legislature, executive, judiciary, public services or security agencies.
Designated CII shall be gazetted, and a procedure for regulating them shall be established by the Minister.
The Minister may, also upon the advice of the CSA and by a gazette publication, withdraw the designation of a CII at any time if the infrastructure is considered as no longer meeting the defined criteria of a CII.
Registration of CII
The CSA is mandated to register all CII. It shall determine the registration requirements, procedure and any other matter relating to the registration.
Duties of owners of CII
Owners of registered CII shall, within 7 days after a change of ownership, inform the CSA of such change. Contravention of this clause shall result in the payment of administrative penalty between GHS 6,000 and GHS 120,000.
Owners of CII shall report cybersecurity incidents within 24 hours after detection to the relevant sectoral computer emergency response team or the national computer emergency response team. They shall also cause an audit to be performed on their infrastructure and submit a copy of the report to the CSA. Contravention of this clause shall result in the payment of administrative penalty between GHS 3,000 and GHS 120,000.
Management and compliance audit of CII
The Minister shall recommend minimum standards for prohibitions regarding the general management of CII, considered necessary for protecting national security.
The CSA shall conduct periodic audits and inspections on CII to ensure their compliance with the provisions of the Act.
Unauthorized access to CII
A person shall not access or attempt to access a CII without authorisation. Anyone who contravenes this clause can be convicted to a fine between GHS 30,000 to GHS 180,000 or imprisoned between 2 years to 5 years, or to both.
If unauthorized access to a CII results in a serious bodily injury, financial loss or damage to the infrastructure, the perpetrator can be convicted to a fine between GHS 60,000 to GHS 600,000 or imprisoned between 5 years to 15 years, or to both. However, if the unauthorized access is considered to be a terrorist act, the perpetrator can be imprisoned between 7 years to 25 years.
If the unauthorized access is related to an organization, the organization can be convicted to a fine between GHS 300,000 to GHS 600,000. Also, every director, officer, or management of the organization shall be deemed to have committed this offence and can be convicted of a fine between GHS 60,000 to GHS 600,000. However, a person cannot be convicted under this clause if it is proven that he/she exercised due diligence in preventing the commission of the offence, and the offence was committed without his/her knowledge or involvement.
The recent wanton cyber-attacks on CIIs globally give cause to worry as a nation. It is extremely important for CII to cooperate with the Cyber Security Authority to safeguard the security, economy, and safety of Ghana.
Compliance with the stipulations of Act 1038 ought to be taken seriously, irrespective of the sector (Private or public) and industry.
The Cyber Security Authority ought to collaborate with key stakeholders to create more awareness on this Act for the general public, owners of CII, the security agencies, lawyers and the judiciary.
Sherrif Issah (Information Security Governance, Risk & Compliance Professional, and Director of Communications; IIPGH)