By Laban Bagui, PhD
The EU founded Cyber4Dev hosted, in partnership with the Republic of Mauritius, the African Cyber Resilience conference at the Ebene/Cybercity district between 25th *- 28th April 2022. COVID-19 related regulations in the country meant that the gathering could only accommodate 50 representatives. The event was a momentous occasion to show case an African commitment to cyber resilience in the face of growing local and global cyberthreats and risks.
The people in the attendance
The African Cyber Resilience conference was attended by Ambassadors and Ministers of the EU, Mauritius, Rwanda, and Kenya marking the high-level commitment to tackle cybersecurity threats and risks on the continent. There were also cybersecurity experts and practitioners from public and private sectors from Africa and other places around the world: Botswana (BOCRA, eBoto Cyberspace), the Dominican Republic (CNCS), EU (Cyber4Dev and EU Cyber Direct ), Estonia (E-Governance academy), Kenya (MICT), Malawi (MACRA), Mauritius (MICT, CERT-MU, Harel Mallac Technologies), South Africa (C3SA), Mozambique (NIICT), Rwanda (NCSA Rwanda), Sri Lanka (CERT-CC), AfricaCERT. They shared experiences, knowledge and marked the event as a starting point of fructuous collaborations for African cyber resilience.
The themes and the activities
The African Cyber Resilience conference was organised to include ministerial and high-level decision-making statements of posture and commitments, technical policy and practitioner discussions, and some practitioner and decision makers’ training courses.
Ministers and high-level decision makers highlighted the urgency of action considering the criticality of vulnerable assets to countries and citizens, the potential scale and severity of the impact of threats and risks from the cyberspace, and the paucities in existing cybersecurity measures. A call for cooperation was put forward in matters of strategy, policy, incident response organisation, regulation, cybercrime, awareness raising, skills development, cyber diplomacy, and cyber defence.
Technical discussions highlighted challenges and opportunities in the journey of achieving cyber resilience in Africa. C3SA presentation of its SADC Cybersecurity capacity maturity 2021 emphasised that legal and regulatory frameworks as well as awareness raising, and skills development were the Achilles weakness of the region. AfricaCERT keynote address doubled down on the issue with skills across the continent. Experts from CERT-MU and Mauritius ICT ministry showcased the country’s achievements in strategy and policy, legal and regulatory frameworks, awareness raising and skills development, standards and best practices alignment as well as technology acquisition. Decision makers from MACRA and CNSA highlighted progress made in building cyber resilience in Malawi and Rwanda. The Dominican CNCS EU Cyber Direct made a case for a charter on cyber values and international collaborations. The e-Governance academy presented best practices in cybersecurity awareness raising in Europe. While eBotho CyberSpace presented their delivery of the CyberSmartBW in Botswana.
Reflexions on urgencies
The African Cyber Resilience conference identified aspects of cybersecurity requiring urgent action for a continental resilience attuned to the sophistication and reach of emerging cyber threats and risk, technological innovation, international standards and best practices, international regulation, and latest geopolitical events. These aspects included strategy and policy making, awareness raising
and skill development, incident response and risk management, implementation of legislative and regulatory frameworks, metrics and evaluation of programs, international cooperation, cyber diplomacy, and cyber defence.
The need for resources
African countries, especially those that are south of the Sahara, tend to lack the resources needed to devise, implement, and evaluate development strategies in general; cybersecurity comes as an added burden. There is a need for political will, finance, time, knowledge, skills, technological infrastructure, adequate regulations, appropriate and industry relevant procedures and guidelines, and international collaboration. Some attendees raised the idea of a predetermined percentage of national budget to be allocated to cybersecurity, while others emphasised the need for accrued aid, while some others emphasised the role of entre-aid amongst African countries. The 3 propositions hold and should be combined including the private sector and the civil society, to help reduce the burden and allow for a quick establishment of cybersecurity capacity.
Jurisdiction and sovereignty
Another important issue are matters of jurisdiction were the lack of treaties or other international agreements limit the capacity of African countries to protect African data, investigate cybercrime, apprehend, and punish perpetrators. Sub-Saharan African community members are already participating in the global online market through their cyber involvements either via social media, e-commerce website, or for educational purposes. The problem is that whenever they are online most of their transactions are taking place on platforms belonging to entities registered in overseas countries. African data is basically crossing the globe without any form of identification and protection or is just appropriated and exploited in machine learning farms.
Conference attendees highlighted the need for greater international cooperation, and tighter collaboration between neighbouring countries, in addition to legislation and regulation alignment. International conventions such as the Council of Europe Budapest convention on cybercrime and the African Union Malabo convention on cybersecurity and personal data protection, not to forget the model laws such as the ITU model laws (i.e.: HIPCAR, ICB4PAC, HIPSSA), the relevant commonwealth model law, the world bank-OECS model law, are being embraced even though at a slow pace while implementations are taking time to materialise. This is an important area that requires important resources in time, skills and infrastructure for implementation and evaluation to follow the passing of legislations. Basically, the courts and the magistrates are caught by surprise by the whole cybercrime thing. Digital forensic labs are very scarce; lab technicians are even scarcer; investigators and the police, prosecutors and magistrates are still reading the books to try and catch up; the organisation of judicial procedure need re-engineering; and existing bilateral and multilateral treaties need renegotiation and rewriting. As a remedy, attendees at the conference pointed at the crucial role of cyber diplomacy in assisting in establishing treaties with these foreign states so as to extend cybersecurity reach of African countries all over the world.
Metrics and assessments
Attendees also stressed the issue of metrics and assessments. Most African countries that have set priority and are implemented various cybersecurity programmes, be they strategy, awareness raising, skills and knowledge development, regulatory frameworks or standards, have not devised context relevant metrics and are not busy measuring the impact and progress of their initiatives. This is a problem because it is hard to make progress when there is no way to ascertain that investment has actually born fruits. There are broad assessments performed by the African Union Development Agency – New Partnership for Africa’s Development (AUDA – NEPAD) and by regional institutions. In
addition, continental wide entities organisations with a stake in cybersecurity such as AfriCERT, AFRINIC, or AFRIPOL are also generating some data on activities they are monitoring and supporting.
Vision and development The latest report on The African Union Agenda 2063 for “the Africa we want” presents progress made towards the transformation of the continent around, amongst the most pressing topics, inclusive social and economic development, continental and regional integration, democratic governance and peace and security. The aim of Agenda 2063 is to reposition Africa as a dominant player in the global arena. Cyber Security is a flagship of that vision, but the buy-in is taking too long to materialise. As an example, since its adoption in 2014, the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) has only seen 11 ratifications out of the 15 required to be adopted as a requisite for all 55 AU member states. Furthermore, structural continental projects such as the African Continental Free Trade Agreement – ACFTA, the Pan-African E-Network, the Single African Air Transport Market – SAATM, are all very slow may be too slow in the making. With the tremendous growth of e-commerce, mobile banking, ease of travel, global supply chains, as well as the entrenchment of international values of peace, democracy, human rights, innovation, and diversity in the minds of African youth. The African youth seems to want to walk in the world projecting confidence, integrity and capability at dignified and equal footing, as a worthy actor in the events of the human journey. Failing them by not doing enough cannot be an option.
Sub-Saharan Africa is the area with the lowest internet usage rates; yet it is the region with one of the highest rates of cybercrime. As of 2019, internet usage in the least developed countries (LDCs) was only 19% while the internet usage of developed countries was close to 87% (ITU, 2019). The estimated costs of cybercrime have soared to $550 million for Nigeria, $175 million for Kenya and $85 million for Tanzania. Read more
This short paper describes our experience navigating the challenges and opportunities of the pandemic, and what we learnt from this real disruptive global threat. We make recommendations to move forward to reap the benefits of virtual team meetings, research processes, and methodologies, while still striving to maintain the high standards and quality for which GCSCC and its partners are recognised. Read more
The review of 16 SADC countries found that the region as a whole is at a lower maturity level compared to the rest of the world on all dimensions. While this is not good news, these findings provide a clear basis for prioritizing the building of cybersecurity capacity across the region. Read more