Africa’s participation in international processes on cybersecurity and cybercrime
Cybersecurity: UN GGE and OEWG
At the UN level, matters related to cybersecurity have been discussed within two groups of governmental experts, both falling under the First Committee of the UN General Assembly (UNGA).
The UN Group of Governmental Experts on advancing responsible state behaviour in cyberspace in the context of international security (GGE) (initially known as GGE on developments in the field of information and telecommunications in the context of international security) was convened six times: 2004–2005, 2009–2010, 2012–2013, 2014–2015, 2016–2017, and 2019–2021. The UN GGE can be credited with two major achievements: outlining the global agenda and introducing the principle that international law applies to digital space.1Geneva Internet Platform [GIP]. (n.d.). UN OEWG and GGE. Digital Watch observatory. Eight African countries participated in GGE work over the years: Egypt in GGE 2012–2013, GGE 2014–2015, and GGE 2016-2017; Ghana in GGE 2014–2015; Kenya in GGE 2014–2015, GGE 2016–2017, and GGE 2019–2021; Mali in GGE 2004–2005; Mauritius in GGE 2019–2021; Morocco in GGE 2019–2021; Senegal in GGE 2016–2017, and South Africa in GGE 2004–2005, GGE 2009–2010, and GGE 2019–2021.
In 2018, the UNGA established an Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security (later renamed OEWG on security of and in the use of information and communications technologies), tasked with continuing to develop the rules, norms, and principles of responsible behaviour of states, discussing ways for their implementation, and studying the possibility of establishing regular institutional dialogue with broad participation under the auspices of the UN. Unlike the GGE, which was composed on the basis of ‘equitable geographical distribution’, the OEWG is open in the sense that all interested UN members can participate in its activities. The first OEWG concluded its work in March 2021 and was followed by a new OEWG for the period 2021–2025.
With the GGE concluded, we focus here on contributions to OEWG work.
In the OEWG 2019–2021, 16 African countries participated: Algeria, Botswana, Cameroon, Côte D’Ivoire, Egypt, Ethiopia, Ghana, Kenya, Malawi, Mauritius, Morocco, Mozambique, Nigeria, South Africa, Uganda, Zimbabwe. These 16 countries made 69 interventions (out of 719 interventions). Out of the eight focus countries, the following have contributed to OEWG work: Côte d’Ivoire, Ghana, Kenya, Nigeria, and South Africa. These 5 countries made 27 interventions (out of 719 interventions). What follows is an overview of their positions/main interests.
In discussions on norms, rules, and principles, Ghana and Kenya called for greater awareness, operationalisation, and implementation of the existing norms incorporated in the 2015 GGE report.
On international law, Kenya pointed out the need to clarify how these laws can be invoked and applied in relation to cyberthreats, including attribution challenges in cyberwarfare and proxy situations, as well as in the context of autonomous, automated, and AI cyber actors. According to Kenya, the interpretation and application of international law must be consistent and should not discriminate along the digital divide.
Ghana called for the establishment of a global repository of existing confidence-building efforts at regional and sub-regional levels, and of a global list of points of contact. The country suggested that the OEWG should become a repository for concrete and practical confidence-building measures (CBMs) on an effective response to threats to critical information infrastructures, and to reduce the risk of misperception and possible conflict and maintain a safe and secure cyberspace. It further suggested that national points of contact of focal institutions and networks should be created under the OEWG. Kenya similarly underlined that capacity building is a key CBM. CBMs cannot have the intended results if some countries lack the capability to detect, identify, investigate, defend, contain, or counter existing and potential cyberthreats.
When it comes to capacity building, Ghana noted that many developing countries lack enough capacity in cybersecurity, cybercrime, data protection and development, international security and cyber hygiene practices, incident response, and the overall protection of critical information infrastructure. However, the risks and challenges of cyberattacks are not confined to one country, group, or region. Kenya stressed the need for an evidence-based approach and metrics to ensure the effectiveness of capacity building initiatives and mentioned bridging the digital divide as a principle of capacity building and its primary task. According to Kenya, the UN is uniquely positioned to coordinate capacity building at a global level. The UN could start with initial coordination steps, such as creating a registry of existing capacity building measures and their contact points, and available lessons learned. This registry should then be used to determine a baseline for the measurement of the minimum cybersecurity level necessary for global security and allow countries to perform self-assessments.
In discussions on regular institutional dialogue, Ghana noted that the OEWG can best serve as a global platform to promote dialogue and exchanges of best practices, awareness raising, facilitate cooperation and consultation among states, and provide information on capacity building in cyberspace, which are essential constituents of CBMs. Ghana suggested that the OEWG become the repository of CBMs and points of contact.
In a joint contribution to OEWG work, the African Group reiterated support for the establishment of an action-oriented mechanism under the UN to promote the responsible use of ICTs by states, as well as for the development and implementation of norms and rules to govern global cyberspace. The group also highlighted its hope that the OEWG process would lead to the emergence of a legally binding and rules-based order regulating the use of ICT by spaces.
In the OEWG 2021–2025, 20 African countries have participated up to July 2022: Algeria, Botswana, Cameroon, Côte d’Ivoire, Democratic Republic of the Congo, Djibouti, Egypt, Ethiopia, Ghana, Kenya, Malawi, Mauritius, Morocco, Nigeria, Senegal, Sierra Leone, South Africa, Tanzania, Togo, Uganda. These 20 countries made 79 interventions out of 894 interventions made at the OEWG 2021–2025 to date. Out of the eight focus countries, the following have contributed to OEWG work: Côte d’Ivoire, Ghana, Kenya, Nigeria, and South Africa. These five countries made 34 interventions out of 894 interventions made at the OEWG 2021–2025 so far. What follows is an overview of their positions/main interests.2This overview is based on OEWG session reports produced by a team of GIP rapporteurs and transcripts produced by Diplo’s AI and Data Lab.
On matters related to norms, rules, and principles, South Africa agreed that the previous UN GGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus, build an acquis for further discussions on the position, role, and implementation of the voluntary norms. South Africa would like the states to exchange their views on the need for further development of norms through evaluating, updating, and refinement of the existing non-binding norms, rules, and principles of state behaviour in cyberspace. South Africa also supports the use of the national survey of implementation of norms as proposed by Australia, Mexico, and other countries.3Joint Proposal by Argentina, Australia, Canada, Chile, Denmark, Estonia, France, Indonesia, Kenya, Mexico, the Netherlands, New Zealand, Pacific Island Forum member states, Poland, and South Africa to OEWG, 16 April 2020.
Kenya suggested the creation of a working group to facilitate the sharing of best practices on how existing norms, rules, and principles can be contextualised and translated into national policies.
Nigeria underlined the need for legalising the already agreed-upon norms in order to ensure responsible behaviour. Côte d’Ivoire stressed that the application of optional and non-binding norms of responsible behaviour of state could contribute to increasing the safety and security of the use of ICTs and help prevent harmful uses of ICTs.
In discussions on international law, Kenya noted that it is important to consider how the normative framework will be effectively applied in future. The country called for additional efforts towards capacity building in the areas of international law and national legislation and policy in order to enable states to enhance the applicability of international law to the use of ICTs within their specific context.
South Africa noted that existing international law complemented by voluntary non-binding norms is sufficient for addressing issues related to state use of ICTs in the context of international peace and security. The country also suggested that the question of sharing national positions and exploring how international law applies in cyberspace should be referred to the International Court of Justice and the International Law Commission to establish their views on the matter.
Senegal stressed that all principles of international humanitarian law should apply to cyber-operations conducted in armed conflicts.
Côte d’Ivoire underlined the applicability of international law in cyberspace, including the UN Charter, international humanitarian law, and international human rights law.
Ghana highlighted that international cooperation and CBMs in the field of ICT are key to maintaining stability in cyberspace and achieving sustainable development. Côte d’Ivoire was in favour of appointing a national contact point to facilitate communication and exchange of information. On the issue of national points of contacts, Senegal called for consideration of the fact that some countries face difficulties in setting up such structures.
Kenya stressed that CBMs need to be inclusive of all relevant stakeholders involved in cyberspace, as a way to facilitate collaboration between state and non-state actors in devising and implementing strategies and policies to address challenges encountered in cyberspace.
According to South Africa, raising the general level of states’ ICT capacities would also raise their overall resilience to cyberthreats. South Africa called for the OEWG to discuss appropriate institutional arrangement and special programmes for capacity building. The country also suggested that the OEWG is used to achieve a common understanding of existing and potential threats in cyberspace, and to share practices and measures to combat them. Côte d’Ivoire underlined the importance of implementation of capacity building mechanisms for countries with assistance needs so they can address their vulnerabilities and guarantee safe use of digital technology.
Kenya drew attention to the important role that regional and sub-regional organisations (could) play in promoting responsible state behaviour and conducting related capacity building programmes. Both Kenya and South Africa made reference to the role of these organisations in supporting the implementation of norms of responsible behaviour.
In a contribution to OEWG’s July 2022 session, the AU Cybersecurity Expert Group highlighted priority areas where capacity building is needed for Africa: governance, policymaking, technical tools and infrastructures, digital access, and research. The group noted that African actors need ‘greater capacity’ to be able to contribute effectively to UN processes such as the OEWG and other global cybersecurity initiatives. It also called for Africa not to be excluded from cybersecurity confidence-building initiatives.4African Union Cybersecurity Experts Group. (2022). Input on the occasion of the third substantive session of the Open-ended Working Groups on ICTs (OEWG) – 25 to 29 July 2022 at the United Nations Headquarters in New York.
Cybercrime: UN Ad Hoc Committee
In 2019, the UNGA established the open-ended Ad Hoc Committee to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes, under the auspices of the Third Committee. The Ad Hoc Committee was proposed by the Russian Federation and 27 co-sponsors; among them there were 9 African countries: Algeria, Angola, Burundi, Egypt, Eritrea, Libya, Madagascar, Sudan, and Zimbabwe.5United Nations General Assembly [UNGA]. (2019). Draft resolution on countering the use of information and communications technologies for criminal purposes.
After two sessions on organisational matters held in May 2021 and February 2022, the committee held three substantive sessions between February and September 2022. Nineteen African countries participated: Algeria, Angola, Burkina Faso, Burundi, Cameroon, Egypt, Eritrea, Ghana, Kenya, Madagascar, Mali, Morocco, Namibia, Niger, Nigeria, Senegal, Sierra Leone, South Africa, and Tanzania.
Of the eight focus countries, the following have contributed to the committee’s work: Ghana, Kenya, Namibia, Nigeria, Senegal, and South Africa. What follows is an overview of some of their positions/main interests.6Identified based on written contributions and transcripts of discussions held during the committee’s first three substantive sessions. The transcripts – where meeting recordings were available – were produced by Diplo’s AI and Data Lab.
Joint contributions by the African Group highlighted, among other issues, the need for the convention to have strong provisions on international cooperation and ensure that these provisions are aligned with existing international instruments. Individual countries, including Kenya, Nigeria, and Senegal, noted that existing international and regional instruments – such as the UN Convention against Transnational Organized Crime, the UN Convention against Corruption, the Malabo Convention, and the Budapest Convention – could be used as tools to assist in the development of the draft convention. South Africa further added that complementarity would need to be ensured between the new convention and other relevant instruments, while Ghana suggested that the convention should include provisions defining its relationship with other treaties, agreement, and arrangements.
One of the key questions in negotiations is whether the convention should create new categories of cybercrime offences, with states submitting their national positions on this issue and suggesting what new cybercrime offences can be added.
South Africa proposed the following criminal offences to be included in the convention:
- Offences against confidentiality, integrity, and availability of information systems (e.g. illegal access).
- Illegal interception of data.
- Illegal data interference.
- Illegal system interference.
- Fraud cyber forgery.
- Production and distribution of child abuse content.
For Ghana, some of the specific issues that the convention should tackle include:
- Conduct against confidentiality, integrity, and availability of computer systems.
- Cyber dependence crimes (such as hacking).
- Crimes against national information and infrastructure.
- Cyber enabled crimes against children, and online gender-based crimes such as revenge pornography.
Nigeria stated that the convention should also define substantive criminal law provisions with an emphasis on the cyber-enabled crimes, such as, among others:
- Cyber fraud forgery.
- Online child sexual exploitation.
The African Group noted that human rights and principles of sovereignty and reciprocity should always be respected. This point was reinforced in contributions from individual states.
Kenya suggested that countries make commitments towards upholding international law and treaties on human rights, and ensure that such commitments are followed by action. Nigeria noted that data protection safeguards need to be provided for in the convention, whereas South Africa argued that requirements for protection of personal data and privacy are embedded in national law, and the convention should not duplicate this. Senegal called for express provisions to be included in the convention to ensure that international cooperation instruments respect individual rights and freedoms. A similar point was raised by Ghana, which noted that provisions are needed to establish appropriate conditions and safeguards to ensure the adequate protection of human rights and fundamental freedoms.
South Africa indicated that it does not support the inclusion of a specific provision on international cooperation for carrying out electronic surveillance and covert investigations techniques, as those are best to be left to domestic laws. Namibia had an opposing view, being in favour of such a provision.
Several countries reiterated the point made in contributions by the overall African Group that the convention should strengthen international cooperation and facilitate mutual legal assistance when it comes to combatting and prosecuting crimes across jurisdictions. Other provisions on international cooperation could cover issues such as law enforcement cooperation, joint investigations, confiscation, return and disposal of assets, as well as cooperation with service providers (including across borders) (Ghana, Kenya, Namibia, Nigeria, South Africa, and Senegal). Senegal further suggested that it could be useful to create a mechanism for joint investigative teams.
Ghana, Kenya, Namibia, Nigeria, and South Africa noted that the convention should include a provision that establishes a 24/7 network of points of contacts to facilitate immediate assistance for investigations, proceedings, or the collection of evidence. Nigeria further noted that it would be useful to encourage synergies between such a network and existing networks.
The African Group noted that building capacity is a prerequisite to fighting cybercrime, and the convention should create a framework that enables the provision of long-term capacity building and training programmes to strengthen national capacities to detect and investigate cybercrime. The group also underscored the importance of predictable and stable funding for technical assistance for developing countries, and the need for an efficient utilisation of such resources to ensure sustainability in the implementation of the future convention. Individual countries listed several areas of capacity development, including (but not limited to) data collection, exchange of information, investigation techniques, law enforcement, and protection of human rights.
Kenya noted that the convention could make reference to cybercrime and cybersecurity-related education and awareness campaigns being collaboratively conducted by states party to the convention. Senegal pointed out that technical assistance and capacity building efforts should be guided by the principles of state sovereignty, confidence, transparency, and good governance. South Africa and Nigeria added that such capacity building and technical assistance should be demand-driven, context-specific, and tailor-made to meet the evolving needs of developing countries. Ghana proposed that a provision be included regarding the establishment of a conference of parties to be responsible for the development of mechanisms to improve the capacities of countries to counter the use of ICTs for criminal purposes. Such a conference of parties should tap into the expertise of civil society organisations, academia, and the private sector.
Kenya, Senegal and South Africa noted that the private sector and civil society are/could be important contributors to capacity building and resource mobilisation efforts. South Africa further pointed out that the ICT industry has insights that can be used to identify and analyse malicious activities. Nigeria stated that the convention should include flexible language encouraging member states to adopt whole-of-society approaches enabling public-private partnerships in tackling cybercrime.
Processes focused on child online protection
When it comes to engagement in international forums on issues related to child online protection, 20 African countries participate in the multistakeholder WeProtect Global Alliance to develop policies and solutions to protect children from sexual exploitation and abuse online. These are Angola, Burundi, Central African Republic, Ethiopia, Ghana, Guinea, Kenya, Lesotho, Malawi, Namibia, Nigeria, Rwanda, Senegal, Sierra Leone, South Africa, Sudan, Tanzania, Uganda, Zambia, and Zimbabwe. The AU, as well as several NGOs based in Africa, are also part of the alliance.
In addition, between 2019 and 2022, Nigeria held a vice-chair position within the ITU Council Working Group on Child Online Protection. The group – which is open for participation to all ITU member states and Sector members – serves as a platform to discuss risks and vulnerabilities facing children and youth in cyberspace, provide recommendations, and seek to propose mechanisms for creating synergies among national, regional, and international efforts in this field.
International multistakeholder processes
Besides governmental involvement in UN processes, there is also some participation from Africa in multistakeholder processes and initiatives such as the Global Forum on Cyber Expertise (GFCE) and the Paris Call.
At the GFCE, established in 2015 to ‘strengthen cyber capacity building and coordinate existing international efforts more effectively’,7Global Forum on Cyber Expertise [GFCE]. (n.d.). About the GFCE. 20 African governments are members: Benin, Botswana, Cameroon, Côte d’Ivoire, Ethiopia, Gabon, Gambia, Ghana, Kenya, Lesotho, Liberia, Mauritius, Morocco, Nigeria, Republic of the Congo, Rwanda, Senegal, Somalia, Tanzania, and Tunisia.
Regional and continental organisations – including the AU, the AU Development Agency-NEPAD (AUDA-NEPAD), the AU Mechanism for Police Cooperation (AFRIPOL), the Economic Community of Central African States (ECCAS), the Economic Community of West African States (ECOWAS) – are also GFCE members. In addition, several civil society groups and technical organisations from across Africa contribute to GFCE work as partners; among them are African Civil Society on the Information Society, African Capacity Building Foundation, AfricaCERT, Africa Cybersecurity Resource Centre, Africa Cybersecurity and Digital Rights Organisation, African Network Information Centre (AFRINIC), the Cybersecurity Capacity Centre for Southern Africa, Registry Africa Ltd, the West and Central African Research and Education Network, and ZA Central Registry.
The Paris Call for Trust and Security in Cyberspace, launched in 2018, brings together state and non-state actors in a commitment to working together to adopt responsible behaviour and implement within cyberspace a series of key principles: protect individuals and infrastructure, protect the internet, defend electoral processes, defend intellectual property, non-proliferation of malicious software and practices intended to cause harm, lifecycle security, cyber hygiene, no private hack back, and promote international norms.8Paris Call. (n.d.). The 9 principles. Eleven African governments and several other stakeholders from across the region had joined the call by August 2022 (Figure 39).
Figure 39. Supporters of Paris Call (August 2022).