The GCSCC conducted the CMM review in Ghana in partnership with the World Bank, KISA under the Korean-World Bank Partnership Facility and the Norwegian Institute of International Affairs (NUPI). At the invitation of the Ministry of Communications (MoC), the team travelled to Accra in January 2018. Representatives from the US Department of State and MITRE Corporation joined the review as observers.
Key observations from the review:
- At the time of the assessment, Ghana had a National Cybersecurity Policy and Strategy, which had been drafted in 2016 and led by the MoC. However, the implementation was still at a very early stage and, before commencing new initiatives, the government’s plan was to align and coordinate the programmes and initiatives outlined in the five-year strategic plan for 2016–20, with already ongoing projects.
- Particular attention was paid to the launch of the National Cyber Security Centre, the implementation of coordinated awareness campaigns across the country, the equipment of the National Computer Emergency Response Team with the required budget and human resources, and the establishment of systematic processes and mechanisms to enhance information sharing between Critical National Infrastructure owners.
- The CMM concluded that Ghana does not yet have a cyber-conscious culture. Participants described Ghana’s culture as generally very trusting, with users not very aware of the risks associated with the use of the Internet. Cyber awareness in the government and in the private sector, with the exception of large international companies, was described as minimal. In response to these findings, the government took several steps to develop a cybersecurity culture, including events such as National Cybersecurity Month in October 2018 and the implementation of a nationwide programme to address cybercrime-awareness gaps in cooperation with UNICEF.
- In December 2018 Ghana acceded to the Budapest Convention after the CMM report had identified ad-hoc informal and formal cooperation mechanisms and limited capacity of prosecutors and judges to handle cybercrime cases and cases involving digital evidence.
- This gap was further addressed by the continuation of training for judges and prosecutors as part of the Council of Europe’s GLACY+ Project.
These initiatives provide evidence for the increasing maturity of Ghana’s cybersecurity capacity and the steps taken by the government show that the issue has become a priority. The CMM review helped to identify areas for prioritisation and continues to provide a benchmark for further areas for action.
More about the lessons learned from the CMM review can be seen on Cybil.