Critical Information Infrastructure, Compliance & Responsible Disclosure: The Case of a Transport System called “Tap N Go” – Desmond Israel ESQ

The Launch:
Ghana’s ambitious drive towards digital transformation reached a significant milestone with the introduction of Tap and Go which sought to improve its predecessor the Ayalolo. Spearheaded by Dr. Mahamudu Bawumia, the Vice President of Ghana, the state-of-the-art digital service revolutionising the public transport sector in the country was unveiled on February 19, 2024, amidst much fanfare at the Head Office of Metro Mass Limited in Accra. Tap and Go’s overarching goal is to streamline Ghana’s transport landscape, seamlessly integrating intra and inter-city services, trotros, loading taxi services, and an Uber-like on-demand platform onto a unified digital platform.


Social Media Euphoria and Visible Flaws:
The excitement surrounding the launch was palpable, with social media channels buzzing with updates and snapshots from the event. However, amidst the celebrations, a concerning oversight emerged as certain social media posts inadvertently exposed sensitive Uniform Resource Locators (URLs) and web management interfaces from the system’s control centre. These inadvertent disclosures ignited a wave of discussions regarding data privacy and security. Subsequently, an unauthorised breach of the system, which compromised user records, surfaced on various social media platforms (x.com to be precise), raising further alarms.


Critical Infrastructure and Protected Database:
Ghana’s legislative framework has long recognised the significance of safeguarding critical information infrastructure (CII) as a cornerstone of national security. The Cybersecurity Act, 2020 (Act 1038), meticulously delineates the protective measures for CII, particularly under sections 35 to 40. Prior to this, the Electronic Transactions Act, 2008 (Act 772), had already laid down foundational provisions for safeguarding protected computers, under section 55. Furthermore, on September 22, 2021, a gazette notice issued by the Minister of State designated computer systems in 13 critical sectors, including transportation, as CII.


Compliance- Leadership by Example:
The imperative for compliance with cybersecurity standards cannot be overstated, especially when it pertains to critical information infrastructure (CII) like Tap and Go. The Directive for the Protection of Critical Information Infrastructure mandates a comprehensive approach to cybersecurity risk management. In addition to formulating a robust cybersecurity policy, CII owners are required to comply with specific policy directives approved by the Cybersecurity Authority. Furthermore, the appointment of an accountable officer for cyber governance ensures accountability and oversight in implementing cybersecurity measures. Detailed technical and organizational measures, as outlined in the Directive, encompass a wide array of security protocols, including security flaw mitigation, system monitoring, source code security, business continuity planning, and regular cybersecurity audits. However, the events leading to the writing of this article underscored a notable lapse in adherence to these compliance standards within the Tap and Go system. Despite being a public-private partnership under the Ministry of Transport, the system lacked basic security measures and routine information disclosure, raising concerns about its susceptibility to cyber threats.


Responsible Disclosure:
In the realm of cybersecurity, responsible disclosure is a fundamental ethical principle that underscores the importance of collaboration between security researchers and system owners. The absence of a formal responsible disclosure protocol within the Tap and Go system highlights a critical gap in cybersecurity governance. Responsible disclosure entails cybersecurity researchers notifying system providers of identified vulnerabilities and providing them with a reasonable timeline to remediate these issues before publicly disclosing them. By adhering to responsible disclosure practices, cybersecurity professionals demonstrate their commitment to enhancing cybersecurity posture while mitigating potential risks to critical infrastructure. It is unlawful for anyone to access a CII without authorisation pursuant to section 40 of the Cybersecurity Act which prescribes criminal conviction as a punishment. Despite the absence of a formal protocol, it is incumbent upon cybersecurity researchers to act ethically and responsibly when uncovering vulnerabilities in systems like Tap and Go. Additionally, it is essential for CII owners to foster an environment that encourages and facilitates responsible disclosure, thereby promoting transparency, collaboration, and ultimately, the resilience of critical infrastructure against cyber threats.


Conclusion:
Tap and Go epitomizes both the promise of technological innovation in Ghana’s transport sector and the imperative for robust cybersecurity measures. As Ghana marches towards a digital future, it is paramount to integrate responsible disclosure practices and ensure strict adherence to existing laws and directives. By doing so, we not only fortify critical infrastructure but also foster a culture of transparency, collaboration, and resilience in the face of evolving cyber threats.

Writer:
Desmond Israel ESQ
Lawyer | Data Privacy/Information Security Practitioner
Founder, Information Security Architects Ltd (Rapid 7 Gold Partner)
Adjunct Lecturer (Ghana Institute of Management and Public Administration)
Lead Researcher, X-Reality Safety Intelligence (Guardian Safety Framework), California – USA
GW Law Merit Scholar (The George Washington University)
Technology Policy Researcher (AI, Cybersecurity, Global Data Privacy, Blockchain)