Africa is becoming increasingly vulnerable to cyber threats as the continent adopts digital transformation processes. A Cybersecurity Threatscape of African Countries 2022–2023 Report by Positive Technologies indicates that social engineering attacks rank among the most common cyberthreats that affect organisations and individuals in Africa and globally. According to the report, in order to increase their chances of success, attackers use automated tools, phishing, and spam bots. According to Cybersecurity Ventures’ 2022 Official Cybercrime Report, by the end of 2023, the yearly worldwide cost of cybercrime will reach US$8 trillion. This is made worse by the growing cost of damages related to cybercrime which is predicted to reach US$10.5 trillion by 2025. Artificial Intelligence (AI) has also presented new challenges, such as automated hacking and phishing attacks using AI to generate fake emails. Deepfakes are being developed, producing realistic audio and video that can be used for fraudulent purposes through impersonation attacks. AI-powered bots are being used for data poisoning and to institute distributed denial of service attacks.
According to the DigWatch Geneva Internet platform, cyber sabotage or cyber espionage incidents have accelerated cyber armament, leading to some countries declaring ‘cyber’ as the fifth military domain. In Africa, countries like Kenya, Nigeria, South Africa, and Sierra Leone are now developing Offensive Cyber Capacities. There is now a proliferation of offensive cyber capabilities, which presents risks and challenges commitments to protect openness, security and stability in cyberspace, with most strategies ranging from long-term disruptions of physical infrastructure to malware and limiting freedom of expression, thus undermining the safe and secure functioning of the internet. The world commemorated Cybersecurity Awareness Month in October, and throughout the year it remains important to discuss the challenges that Africa faces and what can be done to achieve cyber resilience.
Analysis of Cyber security policy challenges in Africa
Many countries worldwide have adopted national cybersecurity strategies and policies, establishing institutions to combat cybercrime, setting up initiatives and priorities, and outlining elements of international cooperation on cybersecurity issues. According to the United Nations Conference on Trade and Development, 39 nations in Africa had legislation explicitly addressing cybercrime in 2021. In the SADC region, Zambia, Botswana, Tanzania, Malawi and Zimbabwe among others, have enacted cybersecurity laws as part of their internet governance frameworks. However, a report by the Media Institute for Southern Africa indicates that cyber security laws in the SADC region are being weaponised against privacy and used as vehicles to legitimise surveillance in the name of ‘national interests.’
In 2020, Africa launched the ten-year African Digital Transformation Strategy. The strategy highlights the need to create awareness and counterbalance Cyber Security and Personal Data Protection and Privacy issues as part of its objectives. The Strategy states that African governments are responsible for providing an environment conducive to digital transformation across foundational pillars, critical sectors and supporting the digital ecosystem through cross-cutting themes such as cyber security.
In 2014, the African Union Commission adopted the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) to provide fundamental principles and guidelines to ensure cyber security, adequate protection of personal data, and the creation of a safe digital environment. The Malabo Convention provides a framework for guaranteeing cybersecurity in Africa through regulating electronic transactions, protecting personal data, and policing cybercrime. The Malabo Convention creates a uniform cyber governance system, ensures unified regulatory approaches between the African Union Member States and promotes cyber resilience in the region. The Convention encourages AU member states to recognize the need to protect ICT infrastructure, tackle cybercrime and promote free flow of information through a unified regulatory framework on cybersecurity.
Despite the objectives of the African Digital Transformation Strategy calling for the entry into force of the Malabo Convention by 2020, the Convention entered into force in June 2023. The slow uptake and ratification of the Convention by African member states – noted by only 15 ratifications after nine years of its adoption – means that Africa remains without a uniform system of cyber governance as most countries still need to adopt it. While some countries in Africa are placing cybersecurity at the top of the agenda, others still regard cybersecurity as a nonfactor, as depicted by the reluctance of African States to ratify regional and international conventions such as the Malabo Convention.
In 2022, the Economic Commission for Africa (ECA) launched the Guideline for a Model Law on Cybersecurity of African Union Member States during the 17th Internet Governance Forum (IGF). The model guideline, also known as the Lomé Declaration on Cybersecurity and the Fight Against Cybercrime in Africa, provides a set of guiding principles that African Member States may follow as they set out to establish standards for ensuring cybersecurity. The law also seeks to synergize an intercontinental cyber norm that enables African member states to take proactive measures in countering cyber threats and ensure cybersecurity takes top priority at the highest level of governance. The Guidelines are a welcome development as they provide Africa with a united cyber governance Agenda.
African policymakers need more literacy, capacity, and expertise to develop cybersecurity legislation or strategies. According to the African Centre for Strategic Studies, data from the International Telecommunications Union (ITU) indicates that only 17 of 54 countries have national cybersecurity strategies and only 29 out of 54 African countries have promulgated cybersecurity legislation.
Policy recommendations for addressing cybersecurity concerns in Africa
Africa should seek to establish an enforcement mechanism that strengthens accountability for failure to comply with the Convention. Enforcement mechanisms will encourage the domestication and implementation of regional instruments. Agreements such as the Malabo Convention are not binding among member states. Therefore, Africa should learn from strategies in other continents such as Europe, where the European Convention on Cybercrime (Budapest Convention) is a binding international treaty on cybercrime that compels governments to comply with its regulations.
There is a need to enhance digital equality by providing an equilibrium in terms of digital capacity and infrastructure. According to the Output document of AfriSIG 2022, African cybersecurity capacity-building priorities should include enhancing the resilience of national Critical Infrastructure Protection (CIP) and Critical Information Infrastructure Protection (CIIP). Such efforts will identify gaps in CIP and CIIP and spur African states to increase investments toward strengthening cyber security systems.
African nations should prioritise building cyber diplomacy to promote African interests in cyber diplomatic processes. African member states should aim to increase their participation in global cyber governance processes by contributing to international strategies and assessing their applicability to African nations. African countries should actively participate in UN processes on cyber norms development. According to the United Nations Conference on Trade and Development, since 2004, only nine African nations have held membership in the UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG), yet greater participation in these platforms will ensure that the interests of Africa are well represented on the global stage.
African member states should prioritise international, regional and in-country multistakeholder engagement to ensure that all relevant actors working toward achieving effective cyber governance are collaboratively deciding the cyber-governance agenda, policy propositions and implementation. African nations should utilise public-private partnerships (PPPs) to fight against cybercrime and to build cyber capacity among the general public and specialised industries.
While Africa has developed the African Union Mechanism for Police Cooperation, the evolving cybercrime landscape and skills gaps among law enforcement agencies and prosecutors, especially for cross-border enforcement, present a significant challenge. To address limited cyber capacity, governments can promote cybersecurity literacy and skills by developing cyber curricula which can be administered in tertiary institutions, public institutions, and specialised institutions such as the armed forces, law enforcement and the judiciary.
As the trend toward AI-supported systems intensifies globally, nations may integrate artificial intelligence into their cyber-resilience frameworks, to enhance automated cyber-threat identification, cyber-attack response and system protection. In this regard, African member states must embrace a human rights-based approach and integrate international human rights norms, principles and standards into the design of cybersecurity policies. As the African Union High-Level Panel on Emerging Technologies is developing the African Union Continental AI strategy, promoting cybersecurity and resilience should be enlisted as a priority. Such an approach will ensure that the proposed legislation takes into account the urgent need to balance cybersecurity needs with the need to protect and promote the fundamental right to privacy, freedom of expression and security online.
While African nations place more focus on the socio-economic integration of the continent, through the implementation of the Africa Continental Free Trade Area Agreement, there is an opportunity for African member states to develop coordinated cross-border systems for payments, ensure harmonisation of data systems and place cyber security at the top of the agenda for economic integration. To realise these opportunities, all African member states should ratify the Malabo Convention, which seeks to harmonise laws and policies for cross-border transfer of data among member states. African governments must strengthen cooperation by implementing policies such as the African Union Data Policy Framework that promote data interoperability, which will enhance cybercrime detection across multiple nations and promote efficient cybersecurity coordination and enforcement.
There is a need for all stakeholders to promote good cyber hygiene and resilience. Paradigm Initiative developed the Ayeta Digital Security Toolkit to build cyber resilience in Africa. The toolkit responds to the increasing concerns of digital rights advocates regarding online security. It seeks to safeguard digital rights defenders, journalists, whistle-blowers, and others working with sensitive information in the global South. The toolkit encourages the general public to take proactive measures to safeguard themselves against cyber threats.
African Member states should develop implementation guidelines for the Malabo Convention so that the legislation does not gather dust, as there is no guiding framework for its implementation. African Member states that have ratified the Convention should also make the Malabo Convention consistent with standards presented in the modernised Convention 108, the Convention for the Protection of Individuals concerning Automatic Processing of Personal Data and the General Data Protection Regulation (GDPR) of 2016 to promote the competitiveness of African companies outside the continent.