C3SA's Publications

By Laban Bagui, PhD

The EU founded Cyber4Dev hosted, in partnership with the Republic of Mauritius, the African Cyber Resilience conference at the Ebene/Cybercity district between 25th *- 28th April 2022. COVID-19 related regulations in the country meant that the gathering could only accommodate 50 representatives. The event was a momentous occasion to show case an African commitment to cyber resilience in the face of growing local and global cyberthreats and risks.

The people in the attendance

The African Cyber Resilience conference was attended by Ambassadors and Ministers of the EU, Mauritius, Rwanda, and Kenya marking the high-level commitment to tackle cybersecurity threats and risks on the continent. There were also cybersecurity experts and practitioners from public and private sectors from Africa and other places around the world: Botswana (BOCRA, eBoto Cyberspace), the Dominican Republic (CNCS), EU (Cyber4Dev and EU Cyber Direct ), Estonia (E-Governance academy), Kenya (MICT), Malawi (MACRA), Mauritius (MICT, CERT-MU, Harel Mallac Technologies), South Africa (C3SA), Mozambique (NIICT), Rwanda (NCSA Rwanda), Sri Lanka (CERT-CC), AfricaCERT. They shared experiences, knowledge and marked the event as a starting point of fructuous collaborations for African cyber resilience.

The themes and the activities

The African Cyber Resilience conference was organised to include ministerial and high-level decision-making statements of posture and commitments, technical policy and practitioner discussions, and some practitioner and decision makers’ training courses.

Ministers and high-level decision makers highlighted the urgency of action considering the criticality of vulnerable assets to countries and citizens, the potential scale and severity of the impact of threats and risks from the cyberspace, and the paucities in existing cybersecurity measures. A call for cooperation was put forward in matters of strategy, policy, incident response organisation, regulation, cybercrime, awareness raising, skills development, cyber diplomacy, and cyber defence.

Technical discussions highlighted challenges and opportunities in the journey of achieving cyber resilience in Africa. C3SA presentation of its SADC Cybersecurity capacity maturity 2021 emphasised that legal and regulatory frameworks as well as awareness raising, and skills development were the Achilles weakness of the region. AfricaCERT keynote address doubled down on the issue with skills across the continent. Experts from CERT-MU and Mauritius ICT ministry showcased the country’s achievements in strategy and policy, legal and regulatory frameworks, awareness raising and skills development, standards and best practices alignment as well as technology acquisition. Decision makers from MACRA and CNSA highlighted progress made in building cyber resilience in Malawi and Rwanda. The Dominican CNCS EU Cyber Direct made a case for a charter on cyber values and international collaborations. The e-Governance academy presented best practices in cybersecurity awareness raising in Europe. While eBotho CyberSpace presented their delivery of the CyberSmartBW in Botswana.

Reflexions on urgencies

The African Cyber Resilience conference identified aspects of cybersecurity requiring urgent action for a continental resilience attuned to the sophistication and reach of emerging cyber threats and risk, technological innovation, international standards and best practices, international regulation, and latest geopolitical events. These aspects included strategy and policy making, awareness raising

and skill development, incident response and risk management, implementation of legislative and regulatory frameworks, metrics and evaluation of programs, international cooperation, cyber diplomacy, and cyber defence.

The need for resources

African countries, especially those that are south of the Sahara, tend to lack the resources needed to devise, implement, and evaluate development strategies in general; cybersecurity comes as an added burden. There is a need for political will, finance, time, knowledge, skills, technological infrastructure, adequate regulations, appropriate and industry relevant procedures and guidelines, and international collaboration. Some attendees raised the idea of a predetermined percentage of national budget to be allocated to cybersecurity, while others emphasised the need for accrued aid, while some others emphasised the role of entre-aid amongst African countries. The 3 propositions hold and should be combined including the private sector and the civil society, to help reduce the burden and allow for a quick establishment of cybersecurity capacity.

Jurisdiction and sovereignty

Another important issue are matters of jurisdiction were the lack of treaties or other international agreements limit the capacity of African countries to protect African data, investigate cybercrime, apprehend, and punish perpetrators. Sub-Saharan African community members are already participating in the global online market through their cyber involvements either via social media, e-commerce website, or for educational purposes. The problem is that whenever they are online most of their transactions are taking place on platforms belonging to entities registered in overseas countries. African data is basically crossing the globe without any form of identification and protection or is just appropriated and exploited in machine learning farms.

Conference attendees highlighted the need for greater international cooperation, and tighter collaboration between neighbouring countries, in addition to legislation and regulation alignment. International conventions such as the Council of Europe Budapest convention on cybercrime and the African Union Malabo convention on cybersecurity and personal data protection, not to forget the model laws such as the ITU model laws (i.e.: HIPCAR, ICB4PAC, HIPSSA), the relevant commonwealth model law, the world bank-OECS model law, are being embraced even though at a slow pace while implementations are taking time to materialise. This is an important area that requires important resources in time, skills and infrastructure for implementation and evaluation to follow the passing of legislations. Basically, the courts and the magistrates are caught by surprise by the whole cybercrime thing. Digital forensic labs are very scarce; lab technicians are even scarcer; investigators and the police, prosecutors and magistrates are still reading the books to try and catch up; the organisation of judicial procedure need re-engineering; and existing bilateral and multilateral treaties need renegotiation and rewriting. As a remedy, attendees at the conference pointed at the crucial role of cyber diplomacy in assisting in establishing treaties with these foreign states so as to extend cybersecurity reach of African countries all over the world.

Metrics and assessments

Attendees also stressed the issue of metrics and assessments. Most African countries that have set priority and are implemented various cybersecurity programmes, be they strategy, awareness raising, skills and knowledge development, regulatory frameworks or standards, have not devised context relevant metrics and are not busy measuring the impact and progress of their initiatives. This is a problem because it is hard to make progress when there is no way to ascertain that investment has actually born fruits. There are broad assessments performed by the African Union Development Agency – New Partnership for Africa’s Development (AUDA – NEPAD) and by regional institutions. In

addition, continental wide entities organisations with a stake in cybersecurity such as AfriCERT, AFRINIC, or AFRIPOL are also generating some data on activities they are monitoring and supporting.

Vision and development The latest report on The African Union Agenda 2063 for “the Africa we want” presents progress made towards the transformation of the continent around, amongst the most pressing topics, inclusive social and economic development, continental and regional integration, democratic governance and peace and security. The aim of Agenda 2063 is to reposition Africa as a dominant player in the global arena. Cyber Security is a flagship of that vision, but the buy-in is taking too long to materialise. As an example, since its adoption in 2014, the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) has only seen 11 ratifications out of the 15 required to be adopted as a requisite for all 55 AU member states. Furthermore, structural continental projects such as the African Continental Free Trade Agreement – ACFTA, the Pan-African E-Network, the Single African Air Transport Market – SAATM, are all very slow may be too slow in the making. With the tremendous growth of e-commerce, mobile banking, ease of travel, global supply chains, as well as the entrenchment of international values of peace, democracy, human rights, innovation, and diversity in the minds of African youth. The African youth seems to want to walk in the world projecting confidence, integrity and capability at dignified and equal footing, as a worthy actor in the events of the human journey. Failing them by not doing enough cannot be an option.

Sub-Saharan Africa is the area with the lowest internet usage rates; yet it is the region with one of the highest rates of cybercrime. As of 2019, internet usage in the least developed countries (LDCs) was only 19% while the internet usage of developed countries was close to 87% (ITU, 2019). The estimated costs of cybercrime have soared to $550 million for Nigeria, $175 million for Kenya and $85 million for Tanzania. Read more

This short paper describes our experience navigating the challenges and opportunities of the pandemic, and what we learnt from this real disruptive global threat. We make recommendations to move forward to reap the benefits of virtual team meetings, research processes, and methodologies, while still striving to maintain the high standards and quality for which GCSCC and its partners are recognised. Read more

The review of 16 SADC countries found that the region as a whole is at a lower maturity level compared to the rest of the world on all dimensions. While this is not good news, these findings provide a clear basis for prioritizing the building of cybersecurity capacity across the region. Read more

Cybersecurity has become a global security priority in recent years. Many African countries have embarked on important efforts to improve their cybersecurity posture in all sectors, including education. The increased use of information communication technologies by educators implies a greater exposure to cyber threats and risks prompting the need for cybersecurity to become a priority for schools. Cyber threats and risks have the potential to disrupt school operations and compromise the safety of learners, educators, administration staff, parents, and the surrounding community. The way respective stakeholders engage with cybersecurity and respond to cybersecurity intervention will, to an extent, depend on their perspective of the phenomena. There is paucity on literature on African educators’ perspectives on cybersecurity as a starting point. This study aims at answering the question: What are perspectives on cybersecurity of educators in resource-constrained schools in South Africa? The study used a qualitative exploratory case study methodology. Data was collected through in-depth and semi-structured interviews from four schools in the Western Cape and Limpopo provinces; these represent an affluent and a rural province. It was analysed using thematic analysis based on the Social Cognitive Theory. Findings suggest that when it comes to cybersecurity, educators’ self-efficacy is low, and their outcome expectancy is negative. Their socio-structural environment does not provide enough support to boost their confidence due to their exposure to ICTs, cybersecurity awareness, and available resources. The more a school is resource-constrained, the less educators prioritise cybersecurity. The study contributes to cybersecurity in education by shedding light on the cybersecurity perspectives of educators in resource-constrained schools in South Africa to pave the way for initiatives that cultivate a culture of cyber safety. Read more

Universities across the globe are experiencing a surge of cyberattacks due to the increased usage of information communication technologies (ICTs). To counteract cyberattacks, universities have implemented cybersecurity measures to ensure that students and the universities’ critical infrastructures are protected. Unfortunately, universities in developing countries continue to face increased cyberattacks despite implementing cybersecurity measures. This study explores the factors that affect students’ compliance with universities’ cybersecurity measures.
The study used a case of the University of Cape Town in South Africa, adopting qualitative research and an interpretive paradigm. We used a deductive approach to theory using Protection Motivation Theory (PMT) as the lens for inquiry. The sample for the study consisted of 40 participants, of which 35 were students and five were staff members of the University. The sample of the study was selected by convenience. We collected empirical data from the participants using semi-structured interviews. The data was then analysed using thematic analysis on NVivo software. The study found that students’ compliance with cybersecurity measures is affected by their perceptions of the seriousness of the threats, the likelihood of the threats happening, their ability to protect themselves against threat, their belief in the effectiveness of the recommended solutions against cyber threats, and the costs associated with compliance to cybersecurity measures. When students perceive the risk as not severe enough to worry about, they do not find it necessary to comply with the University’s cybersecurity measures. Similarly, when the students deem that the recommended compliance actions will not be practical or affordable, they do not adhere to the university cybersecurity measures. Read more

At the beginning of 2020, the world came to a stand-still when governments across the globe decided to enter states of ‘emergency’ or ‘disaster’ over the breakout of the COVID-19 pandemic. The responses to the pandemic included stringent movement restrictions and hygiene advice preventing face-to-face interactions. As a result, many activities, including schooling, working, and shopping were moved online, drastically increasing exposure to cyber threats and risks. It is unclear if and how the rapid increase in internet use corresponded to an improvement in cybersecurity mindset development in countries of the Southern African Development Community (SADC). This paper explores the effect of the increase in digital technology usage due to the COVID-19 pandemic restrictions on the relationship between cybersecurity awareness-raising initiatives and the development of higher levels of cybersecurity mindset in Botswana, Lesotho, and Malawi. These three countries have a similar cybersecurity footprint and an average cybersecurity capacity level for the region. The research applies a comparative multiple case study approach relying on a thematic review of the literature and related documents, supported by in-depth interviews with purposefully selected key informants from the three selected SADC countries. Findings suggest that since the start of the COVID-19 pandemic, awareness-raising programs have gained some momentum in our selected countries, but the cybersecurity mindset has not improved. That was attributed to low frequency and poor quality of campaigns added to the lack of training, education and lived experience. The paper highlights the need to increase the frequency and improve the quality of programmes, for greater impact on the development of local cybersecurity mindsets. Read more.