How African states can tackle state-backed cyber threats

Election officials work at computers at a tallying center in Nairobi, Kenya.

At first glance, the ability of most African states to prevent or respond to a cyberattack by state-backed hackers would appear limited. African countries tend to have low levels of cyber maturity and possess limited offensive and defensive cyber capabilities. Virtually all rely on foreign actors to supply critical information infrastructure and manage data using cloud technologies. This limits sovereign control over the electronic information produced by African citizens and renders tech stacks in countries across the continent vulnerable to compromise. African governments and regional organizations have already been targeted by some high-profile state-sponsored attacks, including Chinese espionage at the African Union and North Korea’s 2017 Wannacry Ransomware attack. 

Though few African states can compete with the world’s major cyber powers, the region is not inherently more susceptible to state-sponsored cyber threats. Like other regions, Africa faces its own series of opportunities and challenges in the cyber domain. For now, low levels of digitization limit the exposure of many countries in comparison to the world’s more connected, technology-dependent regions. As internet-penetration rates increase, African states can draw on established good practices, international partnerships, and regional cooperation to identify, prevent, and respond to state-sponsored cyber espionage or sabotage of critical infrastructure.

The benefits of late digitization

A defining feature of cyber power is its asymmetric nature. The most digitized and networked states are most dependent on information systems, and therefore the most vulnerable to cyberattack. The most devastating state-sponsored cyberattacks, from Russia’s attacks against Ukraine’s power grid to Iran’s suspected cyberattack against Saudi Aramco, have been against states with high rates of internet penetration and cyber-dependent critical infrastructure. Across much of Africa, by contrast, large swathes of the population still lack basic internet access. Many nations do not possess the level of digitally vulnerable power, water, transportation, and energy infrastructure found in more industrialized countries. This is a major issue from a development perspective. But, in cyber jargon, it means that many African countries have a limited “attack surface,” reducing the potential fallout of a successful state-sponsored attack.  

In fact, states at an early point of digital development can benefit from limited legacy ICT infrastructure by adopting established good practice as they build out their tech stacks, allowing them to “leapfrog” more cyber-mature countries. Less digitized countries are not burdened with what is known as “technical or security debt,” which refers to “legacy code, older and integrated software architectures, third-party libraries and dependencies” that are completely insecure or contain widely exploited vulnerabilities. The near absence of security debt—embedded in SCADA systems, for example—is a one-off opportunity to design and implement cyber security strategies and governance policies that bake in security from the outset. New secure cloud infrastructure projects, such as the EU’s GAIA-X, offer African states and regional bodies the opportunity to learn from more digitized countries’ practices in building online services.

Africa’s numerous states reflect substantial differences in infrastructure, technology adoption, and development. Nevertheless, a relative lack of infrastructure diversity and a predisposition towards monopolies in the utility sector has created significant vulnerabilities in many countries and regions. The African attack surface is dotted with a number of major single points of failure, or critical national infrastructure that is not replicated or easily replaced by additional plants, installations, or networks. Eskom, for example, is a public utility that supplies most of South Africa and much of southern Africa with electric power. The failure of such a system as the result of a cyberattack would likely have major public-health, safety, and economic consequences, not just in South Africa, but across the entire region. The gravity of such systemic threats underscores the necessity of advancing cyber capabilities across the continent.

International cooperation and engagement

Many African states are vulnerable in part because they rely on a limited number of partners to build out their tech stacks. For example, 70% of 4G base stations in Africa are made by one Chinese company, Huawei, which is also poised to dominate the 5G market. This is a significant problem: It gives control over critical information infrastructure to an external power that could theoretically shut that infrastructure down or introduce hard-to-detect exploits and other vulnerabilities through the supply chain. Rather than rely on a single foreign partner to supply end-to-end critical information infrastructure, African countries should utilize a diverse slate of foreign tech suppliers, ensure the co-location of data centers, and support local tech innovation. This can reduce reliance on any one system or supplier and provide African governments with leverage over their partners as they seek to develop local capacity and build threat detection, monitoring, and response capabilities.

Some African countries are actively pursuing what analysts call “partner diversification” strategies in building up their tech stacks. In South Africa, which has a mature ICT sector, there is substantial product and partner diversity. Ethiopia initially developed most of its telecommunications infrastructure with the support of Chinese firms but recently awarded a major telecommunications license to a U.S.-backed consortium led by the Kenya-based Safaricom. The inclusion of Safaricom reflects a growing trend of African countries electing to invest and support the growth of African technology partners.

The strategic use of partnerships to develop local capabilities played an important role in helping African actors identify, respond, and recover from the most widely known instance of a state-sponsored security breach on the continent to date. In 2018, it was revealed that China had compromised the IT systems of the African Union headquarters and exploited the infrastructure it had helped to construct to access sensitive servers and information systems. Analysts who have written about the breach usually interpret the incident as an indication of Africa’s vulnerabilities to foreign cyber influence. However, the affair also illustrates how the development of local threat detection capabilities and partner diversification strategies can make state-sponsored cyber espionage more challenging. Indeed, African IT engineers first realized that the AU had been compromised and took steps to mitigate the threat by replacing servers and hardware. They were tipped off to a second breach by Japanese security researchers.

Regional cooperation

African states can benefit from enhanced regional cooperation to further mitigate the threat of state-sponsored cyberattacks. Compared to other regions of the world, the African continent has a well-developed regional security architecture and strong representation in key global institutions, such as the United Nations. African countries should develop and adopt Common African Positions (CAPs) with respect to some aspects of the state-sponsored cyber threat. Virtually all African countries, for example, share an interest in preventing civilian casualties from military cyber operations and in monitoring, sharing information, and deterring cyberattacks against critical infrastructure. For other important but politically fraught issues, such as data sovereignty and accountability for social media operators, African countries should seek to increase the representation and participation of leading, innovative countries and thought leaders. This will increase African agency and continental alignment at fora such as the U.N. Government Group of Experts on Responsible State Behavior in Cyberspace, the International Telecommunications Union, and the Open-Ended Working Group.  

African actors are increasingly prioritizing cybersecurity at a continental and regional level. The African Union—as part of its “Agenda 2063” for transforming Africa—identified cybersecurity as “a key priority to ensure that emerging technologies are used for the benefit of African individuals, institutions, and nation-states.” Informed by experts, the AU is working in collaboration with the Regional Economic Communities to spearhead a continental cybersecurity agenda, adopt a region-wide cybersecurity strategy, promote benchmarked standards and practices, and align the approaches of member states on data privacy and cyber incident response. Regional cybersecurity bodies might develop further, including through the creation of a body similar to the European Network and Information Security Agency, as the South African Institute of International Affairs recently proposed. With a more formalized relationship with the regional security architecture, Africa-CERT could be a platform for such an institute.

Taking advantage of a critical juncture

Many African states are at a turning point in their journeys towards cyber maturity. As internet penetration rates grow rapidly, so too will vulnerabilities to state-sponsored cyberattacks and the urgency of building robust cyber security capabilities.

The good news is that while African countries are at risk, they are not uniquely vulnerable. The continent’s comparatively late digitization offers opportunities to adopt tried and tested practices and standards and to choose trusted suppliers. Strong regional institutions are underrated sources of resilience and if properly leveraged, can help African states overcome deficits in relative capabilities and reliance on foreign technology. If the continent’s leaders are willing to prioritize cybersecurity, African states could find themselves in a strong position to monitor, deter, and disrupt malicious state behavior in cyberspace.

Nathaniel Allen is an assistant professor with the Africa Center for Strategic Studies at National Defense University and a term member of the Council on Foreign Relations.
Noëlle van der Waag-Cowling is a lecturer in the Department of Strategic Studies at Stellenbosch University, where she leads the cyber program at the Stellenbosch Institute for Governance and Leadership in Africa (SIGLA).