Cybersecurity: Telecom operators counter-attack

“Dear valid customers, your SIM card will be temporarily blocked within the next twenty-four hours due to the consistent use of unassigned data.” This is the enigmatic text message received by MTN’s 60 million subscribers in Nigeria on Sunday, 16 June. In this West African country, the South African operator’s largest market, one third of the population was deprived of mobile communication for a full day. Omasan Ogisi, MTN’s public affairs officer in Nigeria, denies that the firm was the victim of a cyber attack. But the suspicions are such that the operator nevertheless referred the matter to the office of the Nigerian Economic and Financial Crimes Commission (EFCC) to investigate an alleged cybercrime offence. In just two hours, the incident would have cost MTN N700m ($194,000).

Trouble for telecoms

A cyber attack is perhaps the worst thing that can happen to telecom operators, whose marketing speeches boast about secure data transmissions. “For companies and individuals alike, operators have become real trusted players, as were banks at one time,” confirms Jean-Michel Huet, a partner at BearingPoint and specialist in the sector on the continent. In Nigeria, however, according to a study by the firm Kaspersky, 37% of mobile phone users were victims of attacks in 2018.

The most populous of African countries is not the only one affected by this scourge. In 2017, the Kenyan consulting firm Serianu, which specialises in cybersecurity, estimated the annual cost of this crime at $3.5bn for the continent. A figure that is not expected to decline any time soon: “As everywhere, Africa is exposed to international digital crime. And the threat continues to increase as uses become more democratic, IT skills progress and services are digitised,” said Emmanuel Cheriet, Orange Cyberdefense’s director for Morocco.

A growing market

The French operator Orange has clearly understood the opportunity. Cybersecurity, defined as a strategic pillar of the group, is already an activity that represents no less than 1,500 people and €350m ($393m) in revenue worldwide, housed in its Orange Cyberdefense division, independent of the regional operational divisions, including Orange Middle East and Africa. Together with others, the 130 million-subscriber industry giant on the continent is looking at an African market that, according to a Marketsandmarkets study, will reach around €2.3bn in 2020. Orange Cyberdefense opened a hub in Casablanca in October 2018, which is due to employ around 50 people by 2021 and from which it wishes to manage all its operations for Africa.

In addition to this strategic Moroccan location, the French group’s cybersecurity division has a production centre in Cairo and has been present in Cape Town and Pretoria since its acquisition in February 2019 of the British company SecureData for €50m. “We aim for growth of more than 50% per year over the first four to five years,” explained Cheriet. To achieve this, its team focuses primarily on large private and parastatal companies in banking or industry as well as administrations in countries where the operator is already present, such as Senegal and Côte d’Ivoire. Its services range from a simple two- or three-day audit invoiced for a few thousand euros to more sophisticated consulting and implementation services, which can reach up to a million euros. “The objective is to create a critical mass by making tailor-made solutions. Subsequently, we will deploy a range of […] services aimed at SMEs. All in the form of a standardised package,” says the Orange manager.

Western operators are one step ahead

The French company has opted for the development of internal expertise within the group, but this is not the choice of many of its competitors. Since May, Vodacom has also been offering cybersecurity solutions. To do this, the African branch of the British giant Vodafone has chosen to work with the US-based specialist BlackFog. The same strategy applies to the Moroccan operator Inwi, which has surrounded itself with California-based Palo Alto Networks for its firewalls, Arbor Networks for its solutions to combat denial of service (DoS) attacks, Symantec for its security operations centre installed in May in Casablanca, and finally Ineos for solution integration.

“Western operators are one step ahead of the continent, as their business customers have been demanding security services for decades. African or Middle Eastern players, such as MTN or Etisalat, are less well positioned in this niche, particularly because they are more oriented towards a mainstream audience,” explained Jean-Michel Huet of BearingPoint. Nevertheless, telecom operators are far from being the only ones on the market: “They are legitimate, they have their place, but they are not the main players”, added Huet, recalling that IT and digital giants, such as France’s Atos and the US-based Palo Alto Networks – which claims to be the world leader in cyber security – are also well established on the market.

Consumers are more targeted than businesses

“The services of European operators are based on what they have already done in their home countries and do not take into account the African context, where mobile is the first medium used,” noted James G. Claude, managing director of Global Voice Group, which specialises in IT solutions for regulatory authorities. In fact, cybersecurity solutions sold by a telecom operator such as Orange are mainly used to comply with international standards or to establish a partnership or joint venture between two structures – one African, the other international – when one is better protected than the other. So it responds above all to the needs of Western companies, which want to prevent the continent from becoming – as may be the case in some Eastern European countries – the weak link in their protection against cyber attacks: “A pirate is opportunistic. African companies can be seen as a gateway via the information systems of their international customers,” warns Nicolas Arpagian, Orange Cyberdefense’s strategic and public affairs director.

Yet, according to Lacina Koné, CEO of Smart Africa, an initiative supported by the African Union and 24 sub-Saharan countries to bring new technologies to the continent, “cyber attacks actually weigh much more on individuals than on companies. According to him, about 90% of digital crimes in Côte d’Ivoire are committed by users of mobile-banking services. A proportion similar to that mentioned by Global Voice Group’s Claude for other regions of the continent. However, in order to protect consumers of mobile-pay services from various frauds – and in particular identity theft – African states will have to be vigilant on the subject and to pass laws to encourage massive investment in this field.

“The subject of cybersecurity has not been addressed in a majority of countries. However, international groups active in the digital world bring with them European or US standards, which do not correspond to African environments. We must avoid fraud, the law of the jungle, but also digital colonisation,” says Koné, who calls on African policy-makers to defend more vigorously, through regulation, the interests of African companies and consumers by encouraging the various digital players – in conjunction with telecom operators – to invest more in cybersecurity better adapted to local needs.

This article was first published in Jeune Afrique