Africa is now home to some of the world’s fastest growing economies–the terms “Africa rising” and “lions on the move” have both been used in recent years to capture the positive economic outlook for the continent. In tandem with this new economic boom, countries in the African Union (AU) have experienced explosive growth in the use of technology and the spread of information and communication technology (ICT) infrastructure over the past decade and a half. About 300 million users have been brought online since 2000 due to the liberalization of telecommunications markets across African countries and the increasingly widespread availability of mobile technologies. For Africa, the technology age is booming– and shows few signs of slowing. The rapid turnaround from being a continent essentially offline in 2000, with only 4.5 million Internet users, to this level of connectivity has left African leaders scrambling to implement adequate cybersecurity policies and regulations.
In spite of the breathtaking growth of ICT use, the development of national cybersecurity legislation has been relatively stagnant in the region. Mauritius, which has legislation addressing cybercrime, e-commerce, data protection, and privacy as well as an established Computer Emergency Response Team (CERT), remains a distant outlier on the continent. Countries such as Chad, Guinea-Bissau, and Gabon, which have minimal-to-no legislation addressing cyber issues, are much more typical. The AU faces the challenge of developing a common continental cybersecurity policy, which requires not just the harmonization of legislation across several economic regions but also encouraging national policy development in a majority of member states. Attaining this level of political cohesiveness–in a regional organization that consistently faces criticism of ineffectiveness–is a steep hurdle to overcome.
Africa is experiencing a unique state of vulnerability due to the absence of national legislation and international cooperation available to handle growing cyber threats. Despite this very real challenge, cybersecurity is inherently intertwined with more general trade and economic development in Africa, creating space for cooperation and consensus. The growing global recognition of the necessity for ICT and cybersecurity policies has been intertwined with AU economic policy since the early 2000s. Additionally, partnerships with the European Union (EU) and United Nations (UN) that have been tied to broad regional economic development have been integral to driving both regional and national cybersecurity initiatives. If it strengthens these partnerships, the African continent has real potential to create a robust and secure cybersecurity environment.
The African Union
Compared to other international organizations, the AU is relatively new. It was established in 2002 as a successor the 1963 Organization of African Unity (OAU) in order to address the socio-economic and political challenges facing the continent in the twenty-first century. Unlike the OAU, the AU has the power to interfere with some sovereign prerogatives of states and can mobilize peacekeeping missions in the region. While the OAU was established to support African independence movements during the 1960s, the AU addresses what was seen as a need for regional economic integration.
Every country of continental Africa, except for Morocco, is a member of the AU, bringing the membership to a total of 54 states and over one billion people. This is roughly twice the size of the EU, which has 28 member states and a population of 508 million. The diversity across the continent is reflected in language (the AU has five official languages), religion, development levels, and governmental systems. The political systems range from monarchies to functioning democracies to “presidents for life.” There are five different legal families in African jurisdictions, from common law systems to traditional Napoleonic code. The Human Development Index (HDI), which is a measure of achievement in dimensions of human development, ranges from .348 (Niger) to .548 (Kenya) to .736 (Algeria). In comparison, the US is ranked eighth in the world with an HDI of .918. Reconciling the diverse traditions, histories, and aspirations of these 54 countries to bring about political and economic progress has been a consistent challenge for the AU.
The general challenges of developing consensus across the AU is mirrored in the realm of cybersecurity. The rapid expansion of ICT across the African continent over the past decade has led to increased economic prosperity, increased reliance on mobile technology, and increased vulnerability to cybercrime and cyberattack. Mobile devices are now used by individuals to access a diverse array of services across Africa–from mobile banking to e-government initiatives–but legislation has, for the most part, not kept pace with technological innovation.
The lack of regulation and legislation regarding cybersecurity in a majority of African countries has left the continent, and the world, alarmingly vulnerable to significant security risks. While the continent is comprised of many diverse regions and countries, several trends rise out such has rising rates of cybercrime and a lack of public awareness regarding cybersecurity. Factors such as these then lead to low incident report rates and a lack of political willpower, an insufficiently trained ICT workforce, and the absence of comprehensive legal frameworks.
Cybercrime has become a burgeoning part of the informal economy in many African countries due to the lax regulatory environment and low risk of prosecution. Cybercrime losses in the region have been on the rise as broadband connectivity increases. In 2013, Kenya lost an estimated $36 million to cybercrime (0.05% of GDP), which rose to $150 million in 2015. South Africa reached third in the world for the highest number of cybercrime victims in 2012, with approximately 70% of South Africans experiencing cybercrime. South Africa also suffers more cybercrime attacks than any other country in Africa. The cost of increasing cybercrime is two-fold, as it not only results in an economic loss but also indicates a risky investment environment and the potential loss of future investors. At a time when expanding and upgrading ICT infrastructure is vital to African economies, this perceived investment risk could prove dangerously detrimental.
Malware also poses a large threat to regional cybersecurity, as mobile devices increasingly become the new target for malware attacks. In a survey of 275 Kenyan organizations, it was found that all of them had been exposed to malicious software that had bypassed their security systems, and that about 68% of the malware detected during their study was uniquely customized for Africa. According to the Microsoft Security Intelligence Report, which tracks the computers cleaned per mille (CCM) rate for Algeria, Angola, Egypt, Kenya, Morocco, Nigeria, Senegal, South Africa, Tanzania, Tunisia, and Uganda, every African country tracked was well above the worldwide average for malware infection rates- typically exponentially higher. For example, the world average in 4Q15 was 16.9 CCM, compared to 62.6 in Algeria, 60.2 in Egypt, 40.8 in Nigeria, and 40.3 in Zimbabwe.
It is in this environment that many governments across the continent are spearheading e-government initiatives to increase transparency and the delivery of services. Angola, Kenya, South Africa, Ghana, and Senegal, among others, have had various government-related websites hacked or taken down in the last few years, highlighting the vulnerabilities that a shift to e-government could create. In the Kenya Cyber Security Report 2015, the public sector was identified as the sector facing the highest cyber security risk, ahead of the financial sector.
Lack of Public Awareness and ICT Workforce Preparation
Both the lack of an adequately skilled workforce and a widespread absence of public awareness about cybersecurity impose great challenges to many African countries. The dearth of public awareness campaigns in African countries regarding cybersecurity and Internet safety generate an environment of lax information security, making the barriers to cybercrime relatively low. This lack of knowledge also extends to knowledge of cyber-law enforcement mechanisms at the national level, with victims of cybercrime either unaware or unwilling to report incidents to relevant bodies (when they exist). In turn this creates a low threat of prosecution, further magnifying the challenge of addressing cybercrime.
Educating both the general public and the ICT workforce on best practices in cybersecurity remains a long way off in most countries of the AU. A 2015 UNESCO report on the level of ICT education in Sub-Saharan Africa found that “the use of ICT in education is still at an embryonic stage in most countries.” This means that even when countries have national legislation regarding cybersecurity, the workforce charged with creating and implementing the legislation- politicians, judges, law enforcement–often do not understand the content or application of the laws, and they thus go unenforced.
Absence of Legislation
Compounding the threat of creeping cybercrime is the lack of legislative and regulatory frameworks regarding cybersecurity issues in many of the AU member states. Considering the diversity in government and legal systems across Africa, it is unsurprisingly that there is also a diverse range in the stage of national cybersecurity initiatives. 30 of the 54 AU member-states have no cybercrime law on the books, 12 have a partially implemented cybercrime law, 11 have cybercrime laws in place.
Even countries such as Nigeria or South Africa, which have passed a comparatively substantial amount of cybersecurity legislation–in the form of privacy laws, consumer protection laws, and e-commerce laws–suffer from a lack of awareness, reporting, and enforcement, leading to a negligible level of prosecution regarding cybercrime. In turn, this fosters a passive encouragement of cybercrime. The lack of a sufficiently trained and knowledgeable workforce renders national legislation inept because it cannot be adequately implemented.
Given the disparities in legislation levels between members of the AU, it is difficult to imagine the effective implementation of a regional policy being successful in the near future. It is impossible to harmonize cybersecurity legislation across the region in the absence of existing national law in so many countries.
African Union Cybersecurity Initiatives
African leaders have been advocating for regional ICT and cyber policy since the early 2000s, when it became evident that the continent was beginning a technological revolution. Preparations for the World Summit on the Information Society summits in 2003 and 2005 sparked the beginning of region-wide ICT initiatives aimed at tackling issues of legislation, education, and harmonization across the continent. These initiatives were heavily referenced in the founding documents that paved the way for the development of the AU Convention on Cyber Security and Data Protection (the Convention), which was adopted in July 2014.
Working Towards a Convention
The Convention is the product of a highly contentious development process that began formally in November 2009 with the Oliver Tambo Declaration, which built upon the momentum of several different projects and organizations calling for the development and implementation of reference frameworks for ICT and cyber legislation, and set into motion the process for establishing an AU Cybersecurity Convention. The legal process leading up to the drafting stage was largely uncontroversial, and proceeded quickly. In January 2010 at the AU Summit, the resolution was formally endorsed by the AU Assembly, which is comprised of heads of state. Seven months later, the movement towards a convention was confirmed by the Abuja Declaration, which called upon the AU Commission to “joint finalize with the UNECA within the framework of the African Information Society Initiative (AISI), the Draft Convention on Cyber Legislation and support its implementation in Member States by 2012”.
The drafting process, set into motion by the Abuja Declaration, incited controversy and produced significant public backlash with regards to the initial contents and phrasing of the Draft AU Convention on the Confidence and Security in Cyberspace (AUCC). After the initial draft, the AU hosted a series of three regional workshops with government stakeholders in order to collect feedback for improving the draft and developing an instrument of consensus. The process largely lacked transparency and there was little involvement from civil society organizations, the private sector, and privacy advocates in the initial drafting process; instead, only government stakeholders were consulted. Subsequently, after the text of the AUCC Draft was released in 2013, major concerns were voiced from a broad spectrum of ICT stakeholders in Africa regarding infringement on right of privacy and freedom of speech as well as unchecked judiciary powers.
Despite general recognition of the need for a regional cybersecurity Convention, many in the internet community vocally opposed the AUCC draft. The Centre for Intellectual Property and Information Technology Law (CIPIT) in Kenya started an online petition opposing the ratification of the AUCC, saying it would “have substantial negative effects on online economies and social cultures across Africa.” The Executive Director of DotConnectAfrica called for deeper involvement of civil society organizations in developing the Convention, urging for inclusivity in “a debate that cannot be just concluded and accepted without involving all stakeholders.” Other organizations, notably The Kenya ICT Action Network, ISOC Kenya, ISOC Uganda, and CIPESSA, all spoke out against the AUCC drafting process and voiced concerns over the content’s human rights implications.
Passing the Convention and Looking to the Future
Pressure from the private sector initiative to reform the AUCC succeeded in delaying the adoption of the AUCC, which was scheduled to pass in January of 2014. As a result of the calls for inclusion and submission of concerns and feedback from ICT stakeholders, the AUCC was tabled and revised in May 2014. The text of the final draft was not released to the public before it was passed as the AU Convention on Cyber Security and Data Protection with little fanfare in July 2014, making it impossible to determine whether concerns raised with the AUCC draft had been appropriately addressed.
A lack of transparency throughout the drafting process, as well as the limited involvement of stakeholders outside of government circles, has made it difficult to garner support for the ratification of the document. No country has yet undertaken the ratification process in the two years that have passed since the Convention was adopted. So far 8 countries have signed, but not ratified, the Convention: Benin, Guinea-Bissau, Mauritania, Congo, Cape Verde, Sierra Leone, Sao Tome and Principe, and Zambia. In order for the Convention to enter into effect, 15 countries must ratify it. This means that AU efforts for regional harmonization with regards to cybersecurity are effectively stalled for the time being. The longer the Convention goes without ratification, the more likely it is to fail to come to fruition. As it stands, adopted but not ratified or implemented, the Convention is acting as an impediment to the harmonization of African cybersecurity policies.
The prolonged delay of the Convention’s implementation diminishes its prospects for spurring national cyber policy development and subsequent the harmonization of regional policy. In the absence of the implementation of the Convention, it may fall upon the smaller regional economic communities (RECs) to agitate change, splintering the opportunity for continental harmonization. AU-level legislation has the potential to spur the development of national laws, as well as provide a guiding framework for content, but only if it can generate the necessary support to be implemented. The RECs in Africa have achieved harmonization to some extent, and have shown promise for fast-tracking legislation that otherwise would have languished in draft stages for years. However, while this may accelerate development and harmonization efforts within the smaller regional groupings in Africa, it complicates region-wide harmonization across the AU.