This article on cybersecurity in Africa is part of TBI's programme of work on cyber policy. The framing paper, A Safer Net for All: The Opportunity of Cybersecurity, investigates the steps governments around the world should be taking to create a safer net that delivers economic and social prosperity.
“Africa must take full advantage of the digital revolution to empower its citizens and enhance transparency in government and the private sector. This will not happen until data is stored in safe and trusted systems that protect privacy and are difficult for criminals to breach.”
Those were the words of Paul Kagame, Rwanda’s president, in an address to the African Union (AU) and the Economic Commission for Africa (ECA) at the high-level AU-ECA event on digital identity in Addis Ababa, Ethiopia in November 2018. Those words tell a compelling story of self-awareness: one that recognises the importance of a robust cybersecurity framework that doesn't currently exist on the continent. The African Union's Agenda 2063, the continent’s blueprint and master plan for transforming Africa into the global powerhouse of the future, identifies cybersecurity as one of the key programmes and initiatives for accelerating Africa’s economic growth and development. This commentary sets out a plan for leveraging emerging technologies through cybersecurity for the economic and social benefit of Africans.
Africa’s Cybersecurity Gap
According to the International Financial Cooperation and Google, Africa's internet economy is expected to contribute $180 billion to its overall economy by 2025, rising to $712 billion by 2050. To ensure these projections materialise, African governments and their partners are building new initiatives to rapidly connect an estimated 700 million unconnected Africans and address speed and cost concerns for those with access.
But connection without safety is meaningless. Recent cyberattacks and vulnerabilities point to an existing and widening cybersecurity threat landscape in Africa:
It was reported that cybercrime reduced GDP within Africa by more than 10%, at a cost of an estimated $4.12 billion in 2021.
As of June 2020, South Africa had the third-highest number of cybercrime victims worldwide, at a cost of approximately $147 million a year.
It is estimated that one in nine Android mobile phones in Nigeria has malware-infected applications.
Ethiopia, the host country for the African Union headquarters, recently reported a sharp spike in cyberattack attempts.
In 2018, there were also allegations that all of the content on the servers in the African Union’s headquarters was being routinely transmitted to Shanghai between 2012 and 2017. Although China dismissed the allegation as absurd, genuine concerns about African governments' ability to protect its cyberspace remain.
Worse, Africa lacks the talent and resources to deal with its cybersecurity threats. Of a population of about 1.24 billion people, the estimated number of certified security professionals in 2018 was 7,000, representing 1 for every 177,000 people. The continent faces a growing 100,000-person gap in certified cybersecurity professionals, but this number may even disguise the magnitude of the problem as there is no readily available data on African governments' level of investment in cybersecurity. The International Telecommunication Union's (ITU) latest ranking on national global cybersecurity efforts makes it clear: “Africa’s levels of commitment to cybersecurity – as well as capacity for response to threats – remain low compared to other continents”.
A Step in the Right Direction
Positively, there have been some recent commitments to strengthening the cybersecurity landscape in Africa. Countries like Ghana are investing in a robust cybersecurity structure, arguably becoming a model for countries in Europe and other West African countries. Fourteen African states also have a national strategy on cybersecurity with an additional four countries with draft legislation in progress.
Collaborations at the regional and subregional levels on capacity building and development, and the drafting of frameworks also reflect attempts to better position the continent to deal with cyber threats. For example, in 2014, the African Union (AU) adopted the Convention on Cyber Security and Personal Data Protection (Malabo Convention), although, by 2018, only 8 out of 54 African countries had a national strategy on cybersecurity.
In 2019, the AU also hosted the Global Forum on Cyber Expertise (GFCE) in Addis Ababa, Ethiopia. The GFCE is a multi-stakeholder community of more than 140 members and partners from all regions of the world, aiming to strengthen cyber capacity and expertise globally. Through this process, Africa is leveraging an important global capacity development model for cybersecurity capacity-building on the continent.
More recently, in early 2021, the Economic Community of West Africa (ECOWAS) adopted a regional strategy for cybersecurity. The regional body has convened 15 African states and the Council of Europe to harmonise legislation on cybercrime and electronic evidence within the rule of law and with human rights safeguards.
Accelerating the Gains
While existing regional frameworks and national initiatives to address cyberthreats on the continent are commendable, they are not nearly enough. The vulnerabilities in one system, network, agency on the continent, affect all.
African leaders must double their efforts and devote more resources to cybersecurity initiatives towards improved infrastructure, awareness creation, and strategic engagements at the global level. They must also address the concerns and/or reservations associated with the low number of countries ratifying digital policy instruments such as the Malabo Convention and the Budapest Convention.
The AU and other African regional blocs must also prioritise cybersecurity capacity building from a technical and policy perspective. Through these bodies, African countries must continue to collaborate with each other and viable external stakeholders for peer learning and sharing of best practices. As top performers on the ITU’s Global Cybersecurity Index (GCI), countries such as Tanzania and Mauritius can show the way.
Performed together, these actions will strengthen the continent’s path towards the desired prosperous, viable, and cyber-safe Africa, that will consolidate its place as a dynamic force in the international digital arena.