
Engaging the African Union’s Regional Economic Communities in Cybersecurity Preparedness

April 11, 2017


Skye Terebey

Nation-state borders are no longer the manifestations of sovereignty that they were in the 20th century, something that is made readily more apparent by the mounting reports of inter-state cyber attacks over the last few years. The necessity for established cyber norms and cooperative global governance in the age of information technology requires the United States to engage with the issue of cybersecurity in all corners of the world, especially those previously regarded as peripheral to national interests.

As the African continent has come online over the past two decades, countries have struggled to develop the infrastructure and legislation necessary to adequately regulate new technologies. African countries consistently suffer from high incidences of cybercrime and are highlighted in studies stressing the dearth of cyber preparedness, yet they receive relatively little global attention or support for regional or national cybersecurity initiatives. Within Africa a conversation is occurring centered around business interests and the imperative of tackling rising cybercrime, but it largely lacks contextualization in a larger framework of governance.

By engaging with cyber legislation initiatives at the Regional Economic Community (REC) level, which are poised to lay the foundation for a harmonized regional framework, the United States has a unique chance to promote the multi-stakeholder approach to cyber governance over an approach that supports government control over Internet use and the freedom of information. Playing an active role in the development of strong cybersecurity legislation in a continent that has historically lacked any can only serve to protect the United States’ national security interests.

Information and communications technology (ICT) has been marketed to African governments as a driver of innovation and economic change, a force of development that will allow countries to “leapfrog” into the future if they harness its potential. This developmentalist approach has been pushed by international interests for decades, and is now an inextricable piece of strategic plans and partnerships spearheaded by groups at the local, national, sub-regional, and regional levels. Many countries lack a specific national information and communication technology or cybersecurity strategic plan, but have these components in their national economic strategic plans. Approaching the topic of cybersecurity in this region from a policy, governance, or national security standpoint without explicitly tying it to economic development is unlikely to produce positive legislative developments.

Coupled with the historical legacy of ICT being packaged with development policy, the top-down policy approach to cybersecurity taken by the African Union (AU) in its drafting and adoption of the Convention on Cyber Security and Personal Data Protection has been mired in controversy over a lack of transparency and allegations of human rights deficiencies. Many of the instances of cybersecurity laws and policies being developed at the national level face the same human rights challenges of eroding privacy protections and criminalizing online speech. When cybersecurity policy in African countries is engaged with from a national security standpoint, it leads to laws that “[throttle] legitimate expression and citizen organising in the name of protecting national security or the public good.” Approaching the development of cyber legislation from a different angle is imperative if human rights are to be protected and considered during the development of these laws.

Accelerating the signing and ratification of the African Union’s Convention on Cyber Security and Personal Data Protection is one path forward in encouraging the proliferation of cybersecurity policy development and implementation in Africa, but it’s an inefficient route to take. The overwhelming majority of AU member states have underdeveloped ICT infrastructures and a lack of institutional capacity for implementing what little legislation exists. In this environment, a top-down approach is unlikely to accelerate the adoption of cybersecurity legislation. In fact, almost two and a half years after the Convention was adopted by the African Union, only 8 countries are signatories, and none have ratified the Convention, a far cry from the ratification by 15 countries necessary to begin implementation. Rather than acting as a vehicle of change, the Convention has been stalled in a legislative limbo, functioning as an active impediment to harmonizing cybersecurity policy across the African continent.

On a continent as diverse as Africa in languages, cultures, and levels of socio-economic development, engaging at the sub-regional level with the 8 AU-recognized Regional Economic Communities (RECs), described as the “building blocks” of the African Union, is far more likely to have an on-the-ground impact. Compared to the AU, fostering harmonization at this level has a track record of progress, and 5 of the recognized RECs are poised to eventually merge into one regional entity as the African Economic Community (AEC), further accelerating the process. Providing developmental support through workforce education, cybersecurity awareness initiatives, and infrastructure development, coupled with technical guidance in setting up CERTs, drafting legislation, and developing cybersecurity strategic frameworks at the REC level, will have high-impact results compared with engaging with policy at the AU level.

Four RECs have developed regional cybersecurity legislation or frameworks: the East African Community (EAC), the Economic Community of West African States (ECOWAS), the Southern African Development Community (SADC), and the Common Market for Eastern and Southern Africa (COMESA). These frameworks have demonstrated how regional-level initiatives can have relatively high impacts on national legislation development. The EAC developed the Draft Legal Framework for Cyberlaws in 2008 with the assistance and support of UNCTAD, focusing on electronic transactions, data protection and privacy, consumer protection, and cybercrime. While the framework itself was a non-binding agreement and created no legal obligations, it was successful in spurring the drafting or enactment of laws addressing these issues in every member-state. Not only do these regional policies catalyze much-needed national legislation, they also establish legislative precedent that other RECs use to develop their own frameworks, harmonizing policy across RECs. COMESA drew heavily from the SADC Protocols to develop its own model law, and there “is now essentially little difference in the ICT policy models and regulatory guidelines of SADC and COMESA.”

The United States has an opportunity to be a voice in the crafting of cybersecurity legislation that will eventually govern a continent. Other regional and international organizations, notably the European Union and the United Nations, are already engaged in collaboration with the RECs to help foster ICT growth and guide the development and implementation of cybersecurity legislation. The United States should follow suit, expanding from hosting workshops in collaboration with national governments to developing strong economic partnerships with RECs focused on cybersecurity in the context of development. The lack of attention to cybersecurity in African countries has hinged on a lack of resources and capacity, something that the United States can help mitigate through economic partnerships. By strengthening these partnerships at the sub-regional level, the United States has the potential to shape and accelerate the development of cyber governance in Africa at the national, sub-regional, and regional levels, creating economic and political opportunity for U.S. companies.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.