By Tomslin Samme-Nlar, Researcher
Very few African states today have developed a national cybersecurity strategy or have in place cybersecurity and data protection regulations and laws. Yet, the continent has made major headway in developing its digital ecosystem, and moreover, it is home to the largest free trade area in the world, which is predicted to create an entirely new development path harnessing the potential of its resources and people.
The world bank believes a digital economy in Africa can boost economic growth on the continent by up to two percentage points per year and reduce poverty by one percentage point per year in Sub-Saharan Africa alone. But not even such great predictions and clear solutions to poverty alleviation have convinced the continent’s leadership to work towards ensuring that once the digital ecosystem (an ecosystem so critical to the continent’s success and future) is developed, it should be protected and kept stable. Such laxity explains why according to a survey carried out by the African Union Commission (AUC), out of the 55 African states, only 8 countries have a national strategy on cybersecurity, only 13 with a Computer Emergency Response Team (CERT) or Computer Security Incident Response Teams (CSIRTs), 14 with personal data protection laws, and only 11 with cybercrime laws. A similar report by Deloitte expresses similar concerns.
While the individual governments on the continent seem to be very slow to appreciate the importance of the concept of cyber safety, the regional political body, the African Union seems to be making some gains in raising awareness and advocating for better cyber safety, well, at least to the continent’s ministers of Information and Communications Technology. On September 20, 2018, The African Union Commission (AUC) put out a call for experts to join its African Union Cyber Security Expert Group (AUCSEG), based on a resolution by its Executive Council earlier in January of the same year to create an Africa Cyber Security collaboration and coordination committee to advise the AUC and policymakers on Cyber strategies, with the following specific tasks:
Advising the AUC on cybersecurity issues and policies, such as capacity building initiatives;
Proposing solutions to facilitate the ratification and domestication of the Malabo Convention into national laws;
Sharing best practice on critical and Internet infrastructure security and how to mitigate current and new threats;
Identifying areas of research needed for the formulation of policies, guidelines, etc., which can be general or sector-specific, for instance, cybersecurity for smart grid technologies in the electric power industry, for financial systems, and for equipment monitoring tools;
Identifying ways to support Computer Security Incident Response Teams (CSIRTs), in the area of capacity building and information sharing at the regional and African Union level;
Encouraging close collaboration among the AU Member States and stakeholders, including in responsible and coordinated disclosures;
Proposing ways to increase the skills of information systems and cybersecurity professionals in Africa (e.g., by fostering trusted certification programs);
Supporting AUC in formulating strategies for cybersecurity and capacity building programs;
Supporting AUC and Member States on international cooperation matters regarding cybersecurity, personal data protection and combating cybercrime.
The group was formed and held its inaugural meeting on December 10, 2019. They have, through its chair, been asking African experts to submit their personal assessments of the state of cybersecurity in the continent, especially as it pertains to what the continent has done right and what it can do better.
To answer that call, I would say I think the adoption of the African Union Convention on Cyber Security and Personal Data Protection in 2014 is amongst some of the things that Africa has done right in this area, even though most countries are yet to ratify the convention. Even with the challenge in ratification, it remains a major step forward towards increasing awareness amongst the ministers and administrators from member states. Then there was the piece of work that was done to develop and launch the Privacy and Personal Data Protection Guidelines by the African Union Commission in partnership with Internet Society (ISOC). That was also an important milestone towards secure cyberspace in Africa.
However, and as I’ve written before, it is disappointing to see that continent-wide and regional initiatives like the Continental Free Trade Area (CFTA) do not embed cybersecurity considerations and concepts at their conception phases and when such projects are developed. In light of current technological trends and in line with progress being made in developing the African digital ecosystem, free intra-regional trade will not only be offline. Rather, we are sure to see a significant amount of the intra-regional trade taking place on the Internet. Digital trade generally requires a great deal of free movement and flow of personal data, as data is the lifeblood of the digital economy. A continent-wide digital trade involving consumers cannot occur without the collection and movement of personal data like names, email addresses, and billing information across borders. In order for such a market to be efficiently regulated, the region will need to look into unifying implementations of cybersecurity and data protection regulations across the continent. The best way to do that (in my opinion) would be for African states to adopt the African Union Convention on Cyber Security and Personal Data Protection or at least align their national cybersecurity legislation with it. Current disparate implementations of data protection regulation (where they exist) make it a very tedious task for multinational businesses or any company carrying out business with partners in multiple countries in the region to lawfully transfer data across borders as part of their operations. Non-compliance with the different data protection regulations may preclude companies from potential business exploits in the region.
We must also remember that in most advanced information societies, regulation tends to play catch up to innovation. Technology use led by the private sector should, in theory, be speeding ahead, while government and public policymakers struggle to catch up. But that is not even the picture we see across the continent. Admittedly, there is some technological progress, but not nearly fast enough to transform the continent into an information society. Therefore, we must start asking questions like what the implications are, if the private sector that is meant to lead innovation also suffers from lack of awareness in cybersecurity, just like their public sector and civil society counterparts.
It is often assumed that the key issue hindering progress in the maturity of cybersecurity posture in Africa is the public leaders. In fact, in the request by the chair of the AUCSEG in one of the African policy chat forums — the Free Software and Open Source Foundation for Africa (FOSSFA) telegram channels, the chair asked for “suggestions on how to message cybersecurity/technology and digital trust ideas to analog African leadership.” Yet, in an empirical study on National Cyber Security Awareness in Africa using focus groups, some African stakeholders responded that, “the government realizes that lack of awareness is crucial and recognizes the importance of a multi-stakeholder approach towards this goal.” This raises many questions. Amongst them are questions like — are our assumptions of what seems to be the challenge of advancing the cybersecurity posture on the continent and even the general adoption of technological solutions wrong?
Another pertinent question that comes out of the above statement is, if African governments are aware, or at the very least have an idea of what needs to be done to improve their countries’ cybersecurity posture but no progress is being made on that front, then what exactly is stopping them?
As the new year and decade begin, these are some of the important questions the AUCSEG should be finding answers to, and hopefully propel the continent to a better cybersecurity posture than we find ourselves today. With the right answers, the continent might move from a Start up stage (stage 1) to at least the Established stage (stage 3) of the University of Oxford Cyber Security Maturity Model for Nations (CMM) which assesses the cyber security capacity maturity capabilities of states over five dimensions (Cybersecurity Policy and Strategy; Cyber Culture and Society; Cybersecurity Education, Training and Skills; Legal and Regulatory Frameworks; and Standards, Organizations, and Technologies) with indicators that describes steps and actions that must be taken to achieve maturity in one of the following 5 stages of maturity: 1) Start up; 2) Formative; 3) Established; 4) Strategic; 5) Dynamic.
But if in answering these questions, the AUCSEG finds that it is indeed the ‘analog-ness ‘ of our leaders that is hindering progress in cybersecurity on the continent, then I would recommend the following next steps:
Investing in awareness of the ‘analog’ leaders on how cybercrime and poor or lack-of a national cybersecurity strategy and regulation affect the various state economies and their governments’ legitimacy.
The AUC should invest in trust-building mechanisms between governments and their private sectors and civil society, in order to create channels of communication and trust in local expert advice. It also makes it possible for successful government-private partnerships in national security.
Once these are in place, strategies like a Whole-of-Government (WoG) approach, which is necessary to achieve an efficient and cost-effective national cybersecurity should be recommended to African states. This approach lends to the process of better coordination and the use of existing resources.
And finally, if the AUCSEG is going to support the AUC and member states on international cooperation on matters of cybersecurity and cybercrime as listed on its list of tasks, then it should investigate and advise the AUC on how recognition (or the lack of) of cyberspace as the fifth domain in military warfare could possibly impact the national security of African states. Only one country in Africa, the Republic of South African, has researched and considered the concept of Revolution in Military Affairs (RMA), which is a military concept that proposes that new military doctrines, strategies, tactics and technologies are required for future warfare. Especially in this digital era where more and more public civilian infrastructure is also being targeted both at peacetime and at wartime as legitimate military targets due to the dual-use nature of cyber infrastructure.
While it is understandable that there are financial limitations amongst other things, that limit developing countries from adopting such a concept, African leadership must be aware and well versed with the concept to substantially contribute to current global security and International law (as it relates to cyberspace) discussions and fora, like the United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security and the UN Open-Ended Working Group (OEWG) looking at cyberspace norms.