Efforts to elevate complex issues like climate change could provide pointers for inspiring urgency on cybersecurity.
With global attention on the United Nations (UN) Climate Change Conference (COP27) in Sharm-el-Sheikh, the question of how to make long-term, complex and multi-dimensional issues matter to policymakers in Africa has emerged. A second question is how to inject a sense of urgency to ensure governments respond.
As with climate change, cyberspace may seem remote in many parts of Africa where unemployment and poverty compete for policy attention. Yet the way climate resilience has been elevated may offer lessons in trumpeting the cyberspace agenda.
The KwaZulu-Natal floods that prompted a World Weather Attribution initiative study linking the heavy rainfall to climate change may have been a salutary reminder to South Africans of the realities of global warming.
Similarly, last year’s ransomware attack on the South African state logistics company Transnet should have stopped policymakers in their tracks and pushed cybersecurity up the agenda. The country is ranked third worldwide for the highest number of cybercrime victims, and ransomware incidents are rising.
But have South Africa and the continent stepped up cybersecurity discussions and practices in the wake of the Transnet attack? Many observers fear not.
At a recent Africa cyber dialogue workshop hosted by South Africa’s international relations department and The Netherlands’ foreign affairs ministry, some parallels were drawn between the complex issues of climate change and cyberspace. If left unaddressed, both have existential consequences for Africa’s economic development.
Cybersecurity in Africa can sometimes feel like an optional extra for governments
The coining of the phrase ‘climate emergency’ by lobbyists has imbued the issue with a sense of urgency. Clear messaging can be a powerful catalyst for action. That urgency is also needed in addressing cybersecurity in Africa, but arguably the language isn’t there yet.
This may be partly because the focus is on the developmental benefits of digitisation for Africa. These potential gains have dominated narratives as part of the Fourth Industrial Revolution agenda and the African Union’s Digital Transformation Strategy.
Yet cybersecurity and good cyber governance are vital to harnessing the benefits of our new digital reality. Cybersecurity in Africa can sometimes feel like an optional extra for governments. As a result, there are vast disparities in the levels of cyber preparedness, as the Global Cybersecurity Index attests.
The public sector – as the biggest employer and, in many cases, the biggest consumer of information and communications technology (ICT) – is particularly at risk of cybercrime in Africa. Some efforts are underway, including new cybercrime legislation in countries such as South Africa and others in the Southern African region. But concrete action, a human-focused approach to cyberspace and rapid implementation of new laws are needed to build resilience.
To tackle pressing cybersecurity issues at an international level, we need global cooperation including conventions based on binding and voluntary rules of the road that determine states’ roles and obligations. To date, 11 voluntary norms or ‘soft laws’ on responsible state behaviour in cyberspace have been agreed internationally. They deal with cooperation, international law in cyberspace, protection of critical infrastructure and preventing the misuse of ICT in a state’s territory.
ECOWAS is leading the charge with the establishment of regional cybersecurity response systems
Cyberspace is increasingly a tool of geostrategic competition and a facilitator of transnational organised crime including human trafficking, pharmaceutical smuggling and terrorism. This was highlighted at a recent Interpol meeting in Benin. Building systems to mitigate the risks and damage caused by such digital intrusions requires cooperation between neighbouring countries and committed action at an international, regional and local level.
The Economic Community of West African States is undoubtedly leading the charge in this regard with the establishment of regional systems called computer security incident response teams. These are a gold standard requirement under international cybercrime conventions.
In matters of cyberspace, the global north holds the balance of power. It also has important political leverage based on its ability to deploy its cyber offensive capabilities – something most African states don’t have. So the continent could lose out if it lags behind in developing cyber resilience measures and asserting Africa’s needs. Much of these concern resources and large-scale investment in human knowledge and skills.
A few African countries are already active through mechanisms such as the UN’s Group of Governmental Experts and Open-Ended Working Group. More are participating in the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technology for Criminal Purposes.
But more practical grassroots efforts are needed. States should harness the knowledge and skills of the private sector, academia and civil society to build the capacity (people, processes and systems) required to cyber-proof Africa’s future in a timely manner.
Cyber resilience should be hard-wired into governments’ DNA and absorbed into daily operations
These same players must also urge governments to see the internet as a way to deliver development rather than a threat to be securitised and punished with shutdowns. Hence cyber resilience needs to have a human rights focus. This needn’t be a foot-dragging requirement if it is baked into the process from the start, as digital constitutionalists argue.
‘Resilience also means developing the glue that enables different parts of government to work together on cybersecurity,’ argues Anriette Esterhuysen of the international Association for Progressive Communications. It means making cyber preparedness the business of every government department and ensuring it isn’t ‘stalled by politics or changes in administration.’
Cyber resilience must become hard-wired into governments’ DNA, so it’s absorbed into daily operations. That means adhering to the basics like ensuring software is updated systematically – akin to recycling bins in the workplace, which have largely become a norm. The recent call for South Africa’s constitution to provide for a cyber commissioner to ‘strengthen cybersecurity capabilities in the public sector’ is a nod towards this.
The private sector in Africa is leading the way in boosting strategic capabilities against cyber threats, according to a recent KPMG survey. But closer public-private partnerships are needed to harness knowledge and build resilience.
And just as the UN General Assembly has passed a historic resolution that clean air is a universal right, digital rights and opportunities should be more urgently articulated and mainstreamed at every level of government. Otherwise Africa risks being left exposed as a digital wasteland.
Karen Allen, Consultant, ISS Pretoria