By Jacob Mutisi
According to the Internet Corporation for Assigned Names and Numbers (ICANN), Zimbabwe is one of the countries that uses the .co.zw domain extension which is administered by the Zimbabwe Association of Internet Service Providers (Zispa).
ICANN is a US multi-stakeholder group and non-profit organization responsible for coordinating the maintenance and procedures of several databases related to namespaces and digital spaces of the Internet, ensuring the stable and secure operation of the network.
The .co.zw is a domain extension that is used by individuals and private businesses which include banks. Even our central bank, the Reserve Bank of Zimbabwe, has a .co.zw extension (www.rbz.co.zw). Yet she and all the banking institutions don’t know where the servers are and how they work.
I am the president of Zispa and I was not granted access to the servers by those who had access without the permission of the Zispa board.
This is a serious national security issue that must be addressed urgently. We have a government that does not have control over one of the most important .co.zw domain extensions. There is a need for the Office of the President and the Cabinet to bring stakeholders together in a roundtable and discuss the .co.zw registry as an issue of concern.
How can Zimbabwe have a cybersecurity and data protection bill when relevant stakeholders have no idea where a state national asset as important as our stations is located? television and radio which are guarded by our security forces, 24 hours, seven days a week, is it kept?
The reason why this is now more vital than ever is that on Tuesday 14 December 2021 Zimbabwe woke up to a cyber attack on the Zispa server which administers all .co.zw. This attack would shut down all domains with the .co.zw extension. The Zispa team was able to fight the attack and protect the attacked server.
Based on our research, the attack was believed to affect Apache Log4j versions 2.0-beta9 through 2.14.1. This Log4j is an open source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes business applications developed within an organization, including custom applications, as well as many cloud services.
An application is vulnerable if it consumes untrusted user input and passes it to a vulnerable version of the Log4j logging library.
Imagine if the attack had succeeded the impact it would have had on Zimbabwe’s financial services system? Zimbabwe is a cashless society, with 96% of its transactions carried out through scanning, mobile money, wire transfers and other electronic methods. Zimbabwe has the Posts and Telecommunications Regulatory Authority (Potraz) whose role is to protect consumers, among others. Potraz should play a leading role in ensuring the nation and businesses know how cyberspace is protected and who protects it.
The .co.zw registry is now a national trademark and any attack on its servers is a national security threat that must be protected and its assets must be accounted for.
- Mutisi is the CEO of Hansole Investments (Pvt) Ltd and the current President of Zimbabwe Information & Communication Technology, a division of Zimbabwe Institution for Engineers.