Cybersecurity and cybercrime in Africa: Continental and regional policies
Cybersecurity features as a flagship programme under the African Union’s (AU’s) Agenda 2063, as ‘a clear indication that Africa needs to not only incorporate in its development plans the rapid changes brought about by emerging technologies, but also to ensure that these technologies are used for the benefit of African individuals, institutions or nation states by ensuring data protection and safety online’.1African Union [AU]. (n.d.). Flagship projects of Agenda 2063.
Cybersecurity and cybercrime are also given a prominent place in AU’s Digital Transformation Strategy, which includes several policy recommendations and proposed actions in these two areas. While most of them are related to strengthening cybersecurity at the national and continental level, there are also a few elements related to international processes. One recommendation is for the AU and its member states to ‘support the UN-led process for the establishment of the Global Cybersecurity Framework under the UN’.2African Union [AU]. (2020). The Digital Transformation Strategy for Africa.
In 2018, the AU decided to establish a Cybersecurity Expert Group (AUCSEG) tasked with advising the AUC and policymakers on cybersecurity-related issues. The group, which started working in 2019, is also expected to support the AUC and member states on matters of international cooperation regarding cybersecurity, personal data protection, and combating cybercrime.3African Union [AU]. (n.d.). African Union Cyber Security Expert Group – Terms of Reference.
At the core of AU’s cybersecurity initiatives lies the 2014 Convention on Cyber Security and Personal Data Protection (Malabo Convention). The instrument covers more than cybersecurity and cybercrime and includes provisions on electronic transactions and personal data protection. This gives the Malabo Convention a unique and innovative character among cybersecurity-related regulations and policies. It is, however, also the reason for some of the challenges regarding its ratification.
The convention contains several provisions related to international cooperation. It encourages state parties to conclude agreements on mutual legal assistance in dealing with cybercrime and to enable the exchange of information on cyberthreats and vulnerability assessments through institutions such as computer emergency response teams (CERTs). Countries are also mandated to use international cooperation mechanisms – be they based on private or public partnerships – when it comes to responding to cyberthreats, improving cybersecurity, and stimulating multistakeholder dialogue.
The convention has not come into effect yet. Out of 55 AU members, 14 have signed the convention, and 13 ratified it and deposited instruments of ratification with the AU (as of March 2022).4Countries that have ratified the convention: Angola, Cabo Verde, Republic of the Congo, Ghana, Guinea, Mozambique, Mauritius, Namibia, Niger, Rwanda, Senegal, Togo, Zambia. Countries that have signed the convention: Benin, Chad, Comoros, Republic of the Congo, Ghana, Guinea-Bissau, Mozambique, Mauritania, Rwanda, Sierra Leone, Sao Tome and Principe, Togo, Tunisia, Zambia. African Union [AU]. (2022). List of countries which have signed, ratified/acceded to the African Union Convention on Cyber Security and Personal Data Protection. This falls short of the 15 instruments of ratification required for the convention to come into force.
Some observers underscore the fact that the Malabo Convention is an important instrument supporting continental e-commerce and urgently needs to be ratified, while others warn against over-regulation.5ITWeb. (2021, September 10). African countries urged to ratify Malabo convention. ITWeb blog. While the convention is significant given its scope, this lack of ratification takes away from its potential impact.6Greenleaf, G. & Georges, M. (2015). The African Union’s Data Privacy Convention: A major step toward global consistency? Privacy Laws & Business International Report 131, pp. 18-21. This rather slow pace of ratification may be explained by multiple reasons: from political ones (rooted in the region’s political, cultural, and historical diversity),7Internet Governance Forum [IGF]. (2021). IGF 2021 Workshop #18 Cyber diplomacy in Africa and digital transformation. to lengthy processes within countries, limited awareness among policymakers on the importance of cybersecurity and its relevance for national security, and limited capacity within the countries to take up and conclude the necessary processes.8Amazouz, S. (2019). International cyber security diplomatic negotiations: Role of Africa in inter-regional cooperation for a global approach on the security and stability of cyberspace. Master thesis presented to the Faculty of Arts in the University of Malta. It remains to be seen whether countries will overcome these and other challenges and follow up on the commitment they have taken at the March 2022 Cybersecurity Summit to sign and ratify the convention as an important step towards the ‘development of a safe African cyberspace’.9Cybersecurity Summit – Lomé 2022. (2022, March 23–24). The Lome Declaration on cybersecurity and fight against cybercrime.
There is an overlap in membership between the Malabo and Budapest Conventions. The Budapest Convention is the Convention on Cybercrime of the Council of Europe, and it focuses on defining cybercrime, related legal provisions, and cross-border cooperation. Twelve African countries are parties, signatories, or have been invited to accede to the Budapest Convention: Cabo Verde, Ghana, Mauritius, Morocco, Nigeria, and Senegal are parties to the convention; South Africa signed the convention; while Benin, Burkina Faso, Côte d’Ivoire, Niger, and Tunisia were invited to accede.10Council of Europe [CoE]. (n.d.). The Budapest Convention and its protocols. Of these countries, Cabo Verde, Ghana, Mauritius, and Senegal have signed or ratified both the Malabo and the Budapest Conventions (Figure 38).
Figure 38. Malabo Convention and Budapest Convention across Africa (October 2022).
In August 2022, UN Economic Commission for Africa and the Republic of Togo announced an agreement to jointly establish the African Center for Coordination and Research in Cybersecurity. The centre, to be based in Lomé, is intended as a regional hub for cybersecurity information and intelligence and to contribute to building capacities and frameworks at a national and regional level for assessing and mitigating cyberthreats.11United Nations Economic Commission for Africa [UN ECA]. (2022, August 16). Republic of Togo and the United Nations Economic Commission for Africa sign a memorandum of understanding to establish the African Cybersecurity Center.
Regional economic communities (RECs) have also initiated various cybersecurity-related policies and programmes. In 2021, the Economic Commission of West African States (ECOWAS) adopted its Regional Cybersecurity and Cybercrime Strategy, outlining actions to be taken in particular at national level to strengthen cybersecurity and fight cybercrime (e.g. adoption of national cybersecurity strategies, establishing dedicated authorities, prioritising cybersecurity efforts in the area of critical infrastructures and essential services, enhancing cybersecurity skills development, and building capacity against cybercrime). When it comes to foreign policy issues, member states and the ECOWAS Commission are invited to promote and develop regional and international cooperation through actions such as sharing alerts and cybersecurity information (in particular between CERTs and similar institutions) and ensuring international judicial cooperation on cybercrime and transnational access to digital evidence.14Economic Community of West African States [ECOWAS]. (2021). ECOWAS Regional Cybersecurity and Cybercrime Strategy.
ECOWAS’s Regional Critical Infrastructure Protection Policy proposes preventive, reactive, and proactive measures that countries could take to ensure the protection of their critical infrastructures and essential services. Noting that there are ‘interdependencies between countries’ in relation to telecommunication networks, internet connectivity, and other infrastructure and services, the policy calls on countries to cooperate in identifying transitional critical infrastructures and essential services, exchange information on threats and risks, and harmonise protection measures.15Economic Community of West African States [ECOWAS]. (2021). Regional Critical Infrastructure Protection Policy.
ECOWAS also has a Cybercrime Directive (adopted in 2011); its objective is to ensure that the criminal law and criminal procedures of ECOWAS member states are adequately equipped to address cybercrime.16Economic Community of West African States [ECOWAS]. (2011). Directive C/DIR.1/08/11 on Fighting Cyber Crime within ECOWAS.
The East African Community’s (EAC’s) Model ICT Policy Framework from 2015 encourages member states to establish mechanisms for regional and international cooperation on cybersecurity.
Several RECs have adopted model laws and/or policies on cybercrime and cybersecurity. COMESA has a Cyber Crime Model Bill (2011),17Common Market for Eastern and Southern Africa [COMESA]. (2011). Cyber Crime Model Bill. as well as a model policy, a model bill, and an implementation roadmap for cybersecurity. ECCAS18ECCAS member states: Angola, Burundi, Cameroon, Central African Republic, Chad, Democratic Republic of the Congo, Equatorial Guinea, Gabon, Republic of the Congo, and São Tomé and Príncipe. has a model law on cybersecurity, while SADC has a Model Law on Computer Crime and Cybercrime (2012).19Southern African Development Community [SADC]. (2012). Model Law on Computer Crime and Cybercrime.
Across the continent, cybersecurity and cybercrime issues are also addressed within several other settings:
- AfricaCERT. Focused on assisting African CERTs in improving cyber readiness and enhancing the resilience of ICT infrastructures, and fostering regional and international cooperation on related issues, the forum includes CERTs and CIRTs from 26 African countries; Côte d’Ivoire, Ghana, Kenya, Nigeria, Rwanda, and South Africa are among them.
- African Union Mechanism for Police Cooperation (AFRIPOL). Dedicated to fostering police cooperation at the continental level, AFRIPOL has among its objectives the development and implementation of a harmonised African approach to fight against cybercrime. To this aim, a strategy for the period 2020–2024 outlines four strategic priorities related to strengthening the capacity of AFRIPOL’s and member states’ cybercrime teams, developing harmonious and coherent regulation, and ensuring constant threat assessment. The strategy also envisions the strengthening of cooperation frameworks at regional, continental, and international levels, participation in international bodies such as the International Telecommunication Union (ITU) and the Internet Corporation for Assigned Names and Numbers (ICANN), and coordination on fighting cybercrime with bodies such as Interpol, the UN Office on Drugs and Crime (UNODC), and Europol.20African Union Mechanism for Police Cooperation [AFRIPOL] (n.d.). AFRIPOL Cybercrime Strategy.
- African Capacity Building Foundation (ACBF). Advancing cybersecurity culture and skills and building capacities related to the development and implementation of cybersecurity policies are among the topics tackled by this AU specialised agency for capacity development.
- Several civil society organisations that work on raising awareness and building capacities on issues related to cybercrime, child online protection, and online safety and security. Examples include the Africa Cybersecurity and Digital Rights Organisation and the African Civil Society on the Information Society.