Cybersecurity, cybercrime, and child online protection in Africa: National approaches and elements of foreign policy
Cybersecurity is among the digital challenges that African countries need to address. In 2020, Africa ranked as the region with the highest exposure to cyberattacks per country, in the Cybersecurity Exposure Index. [1: PasswordManagers. (2020). Cybersecurity Exposure Index (CEI) 2020.]
According to the ITU Global Cybersecurity Index, only 7 African countries – Mauritius, Egypt, Tanzania, Ghana, Tunisia, Nigeria, and Morocco – are among the top 50 countries with the highest cybersecurity indices. [2: International Telecommunication Union [ITU]. (2021). Global Cybersecurity Index.] The index maps countries’ cybersecurity commitments across five pillars: legal measures, technical measures, organisational measures, capacity development measures, and cooperation measures. Morocco is the only African country that made it to the top 50 on the National Cybersecurity Index (October 2022) – which measures the preparedness of countries to prevent cyberthreats and manage cyber incidents (Table 11). [3: eGovernance Academy Foundation. (2022). National Cyber Security Index.]
Table 11. Ranking of focus countries in the Global Cybersecurity Index and National Cybersecurity Index.
Cybersecurity strategies and elements of foreign policy
Many countries around the world have adopted national cybersecurity strategies (NCSs) establishing institutions, initiatives, and priorities, setting out roles and responsibilities, and outlining elements of international cooperation on cybersecurity issues.
Africa, however, is lagging behind in developing and implementing NCSs (Figure 35). All eight focus countries have approved or drafted NCSs. Besides dedicated strategies, cybersecurity-related aspects are sometimes also covered in other national strategies, policies, and plans.
Figure 35. Countries with national cybersecurity strategies. [4: Based on International Telecommunication Union [ITU]. (2022). National Cybersecurity Strategies Repository. The repository includes approved and draft NCSs, be they in the form of a single or multiple documents, or as an integral part of a broader ICT or national security strategies.]
Kenya’s NCS has among its guiding principles the facilitation of international cooperation on cybersecurity matters. Noting that cyberthreats are cross-cutting and transnational, the strategy outlines the government’s commitment to work with international partners to improve the country’s cybersecurity posture. Kenya’s participation in the development and implementation of international laws, agreements, treaties, policies, norms, and standards on cybersecurity is highlighted as an action line. [5: National Computer and Cybercrimes Coordination Committee Secretariat, Republic of Kenya. (2022). National Cybersecurity Strategy.] Enhancing international cooperation on matters of cybersecurity – at the regional and global levels – is also envisioned in Kenya’s Broadband Strategy and National Digital Master Plan. Moreover, the broadband policy sets the country on a mission to ‘build global alliances and promote the application of international law in cyberspace’, while the master plan talks about Kenya’s commitment to promoting a secure, stable and peaceful cyberspace, while upholding international cybersecurity norms. Concluding bilateral and multilateral agreements on sharing information on information security and collaborating with international CIRTs and threat intelligence research hubs are other goals outlined in the master plan.
The Nigerian NCS has an entire section dedicated to international cooperation, with goals and priorities ranging from accelerating efforts to cooperate in combatting cyberthreats to strengthening information sharing with global partners. The strategy highlights the country’s commitment to cooperate with other countries and multinational organisations ‘to garner consensus in cyber law enforcement, threat intelligence sharing, adoption of collective cyber norms and cybersecurity best practices, policy and strategy formulation and implementation, technology exchange and capacity development, including cyber defence’. It further talks about the importance of ‘coordinating the responsibilities of domestic cybersecurity stakeholders within the countries to enhance international engagement’. To support such coordination efforts, the government will facilitate capacity development in the areas of international cyber law and cyber diplomacy. At a regional level, Nigeria intends to lead the creation of new initiatives, forums, and mechanisms to enhance regional cooperation in cybersecurity, including when it comes to developing capacity to improve cross-border law enforcement and enhancing information sharing. [6: Government of Nigeria. (2021). National Cybersecurity Policy and Strategy.]
The importance of international cooperation on cybersecurity-related issues is also underscored by Nigeria’s National Digital Economy Policy and Strategy.
Similarly, involvement in regional and international cybersecurity work is stipulated as one of the strategic aims and priorities of Senegal’s NCS. [7: Ministry of Communications, Telecommunications, Post and the Digital Economy, Republic of Senegal. (2017). Senegalese National Cybersecurity Strategy.] Sub-regional, regional, and international cooperation on cybersecurity issues is also envisioned in the Digital Senegal Strategy.
The National Cybersecurity Strategic Plan of Rwanda defines the establishment of a National Cyber Security Agency which will, among other things, promote regional and international cooperation and R&D in the field of cybersecurity. Other strategic actions related to international cooperation include membership with regional and international CERTs, international cooperation in response to cybercrime, and international information sharing. [8: Republic of Rwanda. (2015). National Cybersecurity Strategic Plan.]
Rwanda’s ICT Sector Strategic Plan also outlines the objective of promoting regional and international cooperation, research, and development in the field of cybersecurity. It further talks about the importance of ensuring that ICT-related legal and regulatory frameworks comply with international cybersecurity standards and best practices. Establishing partnerships with international organisations for capacity building in cybersecurity is envisioned in the ICT Hub Strategy. Notable is the country’s goal of becoming a regional hub for security, through building a sustainable cybersecurity industry (ICT Sector Strategic Plan) and ensuring a secure and resilient cyberspace (Smart Rwanda Master Plan).
The National Cybersecurity Policy Framework for South Africa is intended to provide a holistic approach to cybersecurity and sets out the promotion and strengthening of local and international cooperation on cybersecurity as one of the country’s priorities. To this end, the document envisages South African participation in regional, AU, and international fora on cybersecurity-related matters to advance the country’s position, establish bilateral and multilateral partnerships through various instruments, and join relevant international organisations to promote a coordinated response to cyberthreats and keep abreast of developments in the field of cybersecurity. [9: South Africa Government. (2015). National Cybersecurity Policy Framework for South Africa.] Aligning with global developments in the field of cybersecurity is highlighted as a goal in the country’s broadband policy.
Ghana’s National Cyber Security Policy and Strategy calls for the country’s active participation in all relevant international cybersecurity bodies, panels, and multinational agencies. [10: Ministry of Communications, Republic of Ghana. (2015). National Cyber Security Policy and Strategy. Final draft.] In 2020, the Ghanaian parliament passed the Cybersecurity Act which includes several provisions related to international cooperation. The act mandates the Cybersecurity Authority of Ghana to implement and enforce international treaties on cybercrime and cybersecurity endorsed by the country, to cooperate with international agencies, and to establish a cybersecurity incident point of contact that would facilitate international cooperation on cybersecurity matters. [11: Parliament of Ghana. (2020). Cybersecurity Act.]
Côte d’Ivoire’s NCS was outlined in a communication adopted by the government in December 2021. The 2021–2025 strategy, whose overarching goal is to better secure cyberspace in support of the country’s digital transformation efforts, also envisions a leadership role for Côte d’Ivoire in cybersecurity, at a continental level. [12: Republic of Côte d’Ivoire. (2021). Communique du Conseil des Ministres du Mercredi 22 Décembre 2021 (Communique of the Council of Ministers, Wednesday 22 December 2021).] In addition, the National Digital Development Strategy outlines objectives related to reinforcing international cooperation on cybersecurity matters, together with specific action lines related to active participation in the FIRST network and in the ITU Cyberdrill initiative.
For Namibia, the National Cybersecurity Strategy and Awareness Raising Plan 2022–2027 includes elements related to advancing international cooperation on cybersecurity-related issues. [13: Namibia Media Trust. (2021). Review of Namibia’s National Cybersecurity Strategy & Awareness Raising Plan 2022–2027.] Some sources note that the strategy was approved by the government in March 2022, while others indicate that, as of October 2022, the strategy was yet to be finalised.
An overarching message that spans all the strategies and policies outlined relates to the importance of advancing international cooperation on cybersecurity-related issues. This sought-for cooperation is not only about sharing information and working together with partners to identify risks and mitigate threats but also about capacity development initiatives aimed to strengthen national cybersecurity capabilities. Developed countries and international organisations – especially those that look into strengthening their relations with African countries, including on digital topics – should respond to these calls and support African governments in their efforts to enhance their readiness to respond to cyberthreats.
Offensive cyber capabilities
Incidents of cybersabotage or cyberespionage have accelerated cyber armament. Some countries have declared ‘cyber’ to constitute the fifth military domain (after land, sea, air, and space). Many countries have established significant budgets for building military cyber capabilities – both offensive and defensive. A Geneva Internet Platform mapping of publicly available documents, such as national strategies, military doctrines, official statements, and credible media reports, presents evidence and indications that offensive cyber capabilities (OCCs) [14: OCCs are understood as the capabilities of state institutions to conduct cyberattacks against the information security of other parties, including through access to or impact on, their digital systems, information and resources, or by making such systems unavailable.] exist or are being built in over 50 states (Figure 36). [15: Geneva Internet Platform [GIP]. (n.d.). Cyberconflict and warfare. Digital Watch observatory.] Among them are four African countries: Kenya, Nigeria, South Africa, and Sierra Leone.
Figure 36. Offensive cyber capabilities.
South Africa’s Department of Defence has underscored the need to protect the country’s cyber-domain through, inter alia, a comprehensive information warfare capability focused on six areas: network warfare; electronic warfare; psychological operations; information-based warfare; information infrastructure warfare; and command and control warfare. These are defined as follows:
- Network warfare (Netwar): To exploit or use the information systems (offensive) of an adversary and to protect all defence information systems (defensive) to ensure use for own forces.
- Electronic warfare: To exploit or use electromagnetic energy to determine, exploit, reduce, or prevent hostile use of the electromagnetic spectrum while retaining its friendly use.
- Psychological operations: To conduct planned psychological activities in peace, conflict, and war to create attitudes and behaviour favourable to the achievement of political and military objectives. These operations include psychological action and warfare activities designed to achieve the desired psychological effect.
- Information-based warfare: To enhance situational awareness at the operational and tactical levels as well as to degrade that of an adversary.
- Information infrastructure warfare: To protect its own information infrastructure and to attack or exploit an adversary’s information infrastructure.
- Command and control warfare: To conduct information warfare on the battlefield by causing a disjuncture between an adversary’s command structure and its commanded forces. [16: Department of Defence, Republic of South Africa. (2015). South African Defence Review.]
The country also appears to have developed a Cyber Warfare Strategy covering offensive information warfare actions. [17: Martin, G. (2017, September 26). Department of Defence aims to beef up cyber security. defenceWeb.]
In 2016, Kenya’s then Cabinet Secretary for Information, Communication and Technology noted that the Kenyan government was committed to developing comprehensive and offensive cyber-capabilities. [18: Korir, C. (2016, November 29). Government to curb cyber crimes. Ministry of ICT, Innovation and Youth Affairs.] In 2018, Nigeria appears to have commissioned a Nigerian Army Cyber Warfare Command with the goal ‘to empower the Nigerian Army with the capabilities to protect its data and network against cyberattacks and hostile elements’. [19: Erunke, J. (2018, October 16). Army takes terror war to cyber space, launches command. Vanguard.]
Sierra Leone’s National Cyber Security and Data Protection Strategy 2017–2022 states that the country ‘shall have the means to respond to cyberattacks in the same way as we respond to any other attack, using whichever capability is most appropriate, including an offensive cyber capability’. [20: Government of Sierra Leone. (2017). National Cyber Security and Data Protection Strategy 2017–2022.]
Cybercrime policies: International dimensions
As Africa increasingly embraces digital transformation processes, the region is also becoming more and more vulnerable to cyberthreats. According to Interpol, the most prominent cybercrime threats identified across Africa are online scams, digital extortion, business email compromise, ransomware, and botnets. Research carried out by Kenya-based cybersecurity company Serianu indicates that the cost of cybercrime in Africa has increased from US$0.5 billion in 2015 to US$3 billion in 2020. [21: Global Cyber Alliance. (2021). Serianu partners with the Global Cyber Alliance to reduce cost of cybersecurity.]
Many African countries – 39 in total, including Côte d’Ivoire, Egypt, Ghana, Kenya, Morocco, Nigeria, Rwanda, Senegal, and South Africa – have dedicated cybercrime laws (Figure 37), which typically outline elements related to international cooperation in tackling cybercrime. Cybercrime is sometimes also mentioned in legislation dealing with electronic transactions and data protection, as is the case with Ghana. In many cases, cybercrime is covered in broader cybersecurity strategies.
One of the strategic goals stipulated in the national cybersecurity strategy of Côte d’Ivoire is to enhance international cooperation in two ways: by continuing its participation in international and regional initiatives, and by ratifying international conventions on cybercrime (Budapest and Malabo). Compliance with international laws and treaties is also mentioned in the cybersecurity strategies of Senegal and Rwanda.
International cooperation in dealing with cybercrime matters (e.g. in detecting and deterring cyberespionage and responding to cybercrime) is highlighted in national cybersecurity policies of Rwanda and Nigeria, as well as in Kenya’s cybersecurity law. An entire section of Nigeria’s Cybercrime Act is dedicated to international cooperation on jurisdictional issues and law enforcement. [23: National Assembly, Nigeria. (2015). Cybercrimes (prohibition, prevention, etc) Act.]
For international cooperation, the Cybersecurity Authority of Ghana should, according to the country’s Cybersecurity Act, designate and maintain a 24/7 contact point to tackle cybercrime. The role of the contact point is to provide technical advice to other contact points, preserve data and evidence, provide information on the detection of suspects and related matters, and ensure the immediate transmission of legal requests in accordance with applicable laws and treaties.
South Africa’s National Cybersecurity Policy Framework highlights the need for participation in regional, continental, and international fora to advance the global cybersecurity agenda, combat cybercrime, and build confidence and trust in the secure use of ICTs.
International cooperation with respect to research and training also features in several policy documents. Rwanda’s cybersecurity policy mentions participation in international research projects and the exchange of experts in cybersecurity, whereas the Nigerian cybercrime act stresses the need to organise training and capacity development programmes for officers responsible for the prohibition, prevention, detection, investigation, and prosecution of cybercrimes. In addition, Senegal’s strategy encourages law enforcement authorities and courts to work with their partners bilaterally and multilaterally to strengthen their work in investigating, preventing, and prosecuting cybercrime.
Child online protection
The issue of child online protection (COP) appears across various national policy documents and strategies, both general and cybersecurity-related. Kenya’s National ICT Policy from 2019 calls for a global partnership on COP by, among others, developing a framework of engagement between local and international organisations and law enforcement authorities. The importance of international cooperation (with industry, criminal justice institutions, international organisations, etc.) is further highlighted in the country’s National Plan of Action to Tackle Online Child Sexual Exploitation and Abuse, adopted in 2022. [24: Ministry of Public Service, Gender, Senior Citizens Affairs and Special Programmes, Republic of Kenya. (2022). National Plan of Action to Tackle Online Child Sexual Exploitation and Abuse in Kenya, 2022–2026.]
Global cooperation on COP is also mentioned in Rwanda’s dedicated Child Online Protection Policy, which calls, for instance, for the establishment of formal cooperation frameworks with regional and global COP communities. To strengthen domestic legal and regulatory frameworks related to COP, Rwanda needs to identify and ratify COP-related international treaties and protocols and strengthen and amend the relevant criminal laws in line with international standards and best practices. [25: Ministry of ICT and Innovation, Republic of Rwanda. (2019). Rwanda Child Online Protection Policy.]
Compliance with international mechanisms such as ITU’s Industry Guidelines on Child Online Protection is stipulated in Kenya’s draft Industry Guidelines for Child Online Protection and Safety. [26: Communications Authority of Kenya. (2022). Industry Guidelines for Child Online Protection and Safety.] The Ghanaian Cybersecurity Act has an entire section dedicated to COP. The country also has a dedicated COP policy.