How African states can improve their cybersecurity

The owner of an internet cafe in Congo stands at the door of his business.

The COVID-19 pandemic has accelerated digitalization around the world, but as life has shifted increasingly online, cybercriminals have exploited the opportunity to attack vital digital infrastructure. States across Africa, where digital capacity continues to lag behind the rest of the world, have emerged as a favorite target of cybercriminals, with costly consequences. In early October 2020, Uganda’s telecoms and banking sectors were plunged into crisis due to a major hack that compromised the country’s mobile money network, usage of which has significantly increased during the pandemic. At least $3.2 million is estimated to have been stolen in that incident, in which hackers used around 2,000 mobile SIM cards to gain access to the mobile money payment system. In June, the second-largest hospital operator in South Africa was hit by a cyber-attack in the midst of the COVID-19 outbreak, paralyzing the 6,500-bed private healthcare provider, forcing them to switch manual back-up systems.  

In light of increased attacks, institutions such as the Central Bank of Nigeria and national cyber-response organizations in Tunisia, Ivory Coast, Morocco, and Kenya have sounded the alarm to businesses and citizens, urging them to improve security measures. But states across Africa still lack a dedicated public cybersecurity strategy. As a result, cybersecurity initiatives related to COVID-19 have been mostly led by the private sector, especially professional and sectoral federations. These are rarely enough, as it’s a long, hard grind for most companies just to cope with the business impact of the pandemic on their day-to-day activities.

Addressing these vulnerabilities in the context of heightened cyberattacks requires a coordinated and dedicated commitment to cybersecurity at a time when governments and organizations are already be strained by the health and economic consequences of the COVID-19 pandemic. African states and regional bodies have taken initial steps toward implementing a continent-wide strategy to improving cyber-resiliency, but the vulnerabilities exposed by the COVID-19 pandemic requires these efforts to be accelerated by building the institutional and coordinating mechanisms to better mitigate cybersecurity threats.

Policy tools for African governments

In order to strengthen cybersecurity, African governments can take a number of steps to improve their capacity to prevent and respond to cybersecurity vulnerabilities. First, it is essential that policymakers define a medium and long-term cybersecurity policy and strategy to integrate cybersecurity into government initiatives and to specify the resources needed to achieve them. This requires setting up national authorities or agencies with sufficient financial resources to implement the strategy and strengthen the country’s cyber-resilience. Additionally, governments must promote a responsible societal cybersecurity culture in order to strengthen the confidence of citizens and organizations in the cyber economy, digital services, and the broader internet. States must set up awareness-raising and training programs in cybersecurity for the public, private, academic, and civil society sectors in order to equip them with the skills and knowledge necessary to respond to cybersecurity risks. Governments must also establish the legal frameworks that are key to regulate the use of cyberspace and to sanction cybercrimes.

Fortunately, governments in the region have made some promising steps on these issues. The African Union, as part of its “Agenda 2063” for transforming Africa, has identified cybersecurity as a key priority to ensure that emerging technologies are used for the benefit of African individuals, institutions, and nation-states and to guarantee data protection and safety online. This project is guided by the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), which was drafted in 2011 but only adopted in June 2014. The convention’s purpose is to establish a “credible framework for cybersecurity in Africa through organization of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combating cybercrime.” But as of June 2020, the convention has only been ratified by 8 out of 55 AU members (Angola, Ghana, Guinea, Mauritius, Mozambique, Namibia, Rwanda and Senegal), while 14 countries have signed but not ratified it. The AU Cybersecurity Expert Group, formed in 2018, must provide leadership and momentum for the convention’s ratification and deployment. The need for progress on this issue is urgent: The International Telecommunication Union’s Global Cybersecurity Index assess in its 2018 report that African countries are the world’s least committed to cybersecurity.

To improve resiliency, African states must urgently define response plans to be deployed in the event of a major attack on their critical infrastructure. These plans should describe what immediate nation-wide actions would be taken, as well as digital fall-back alternatives, to ensure that government and organizations would still be able to operate even with a sudden loss of digital tools and networks. National and regional stake holders should be involved in the response plan, and the nation’s cybersecurity maturity and capability levels should be taken into account, in order to adapt the response to the local context and to available financial, human, and technology resources. This context-dependent response is particularly important, as Africa is home to many low-income countries and lacks cybersecurity specialists with the required skills to help carry out timely and adequate responses to cyber-attacks. Given that cybercrime has no borders, international and cross-stakeholder collaboration and coordination, as well as cooperation between public and private sector leaders, will be of great importance here.

National cyber-response plans can be strengthened through the establishment of well-resourced and fully functional regional and national Cyber Emergency Response Teams (CERTs) throughout Africa. As of early 2019 only thirteen African countries had stood up such organizations. Regular drills should be performed to assess plans and improve them, for example by participating in the national or regional cyber-drills carried out by the International Telecommunication Union (ITU).

Cybersecurity capacity building (CCB) provides the basis for countries to both improve their digital economies and boost their resilience against cyber threats. Many global CCB initiatives are already underway in African institutions and states. These include the Global Cyber Security Capacity Centre (GCSCC) with its Cybersecurity Capacity Maturity Model (CMM) as part of the Commonwealth Cyber Program, the Global Forum on Cyber Expertise (GFCE), and the International Telecommunication Union with the GCI (Global Cybersecurity Index), just to name a few.These initiatives promote international cooperation, which is key to global and national cybersecurity. They also provide a benchmark and reference for governments building their national cybersecurity policies and strategies. There are several frameworks available for capacity building initiatives, with the Cybersecurity Capacity Maturity Model (CMM) from the GCSCC being the most comprehensive one. This model suggests that the five following dimensions are crucial to building a country’s cybersecurity capacity: policy and strategy, culture and society, education and training, legal and cooperation, standards and technologies. Capacity building is a long-term objective that needs to be well planned, adequately resourced, and regularly monitored in order to be achieved with efficiency. Greater state capacity enables better policy and cybersecurity implementation.

Good progress has been made to improve African countries cybersecurity posture. Mauritius is often cited as a reference on the continent in terms of cyber capacity, because of its legal and technical infrastructure, its national cybersecurity agency (CERT-MU), its national training and awareness initiatives, and the involvement of public and private actors in these efforts. Mauritius ranks first among African countries and 14th globally, in the most recent ITU Global Cybersecurity Index (GCI) report from 2018. It has set up a National Disaster Cybersecurity and Cybercrime Committee that includes both public and private sectors and facilitates the monitoring, control, and transmission of decisions during cyber crisis situations. Mauritius is one of the eight African countries to have ratified the Malabo, with which their Computer Misuse and Cybercrime Act is aligned, along with the Budapest convention on cybercrime. Mauritius has built a centralized portal to report cyber incidents and a security operations center to detect and monitor malicious traffic in real-time to enhance the country’s cyber threat preparedness.           

African states, institutions, and civil society must not only demonstrate their commitment to cybersecurity, but also work in close collaboration and partnership toward the shared objective of protecting citizens, businesses, and organizations in the digital era. This will be imperative to prevent more damaging cyber-attacks, which on the heels of the COVID-19 pandemic could have devastating impacts.

Landry Signé is a senior fellow at the Brookings Institution, a distinguished fellow at Stanford University, and a professor and senior director of the Fourth Industrial Revolution and Globalization 4.0 Center at the Thunderbird Global School of Management.

Kevin Signé is an information security senior fellow at the Global Network for Africa’s Prosperity.