Does Africa risk being left behind in the digital security debate?
By Karen Allen is, Consultant and Senior Research Advisor on Emerging Threats in Africa at the Institute for Security Studies ISS
The digital revolution has opened up a universe of new possibilities for the global south, enabling borders to be bridged to gain access to a wealth of expertise from Ed-Tech, to Fintech to E-medicine, E-evidence and a raft of humanitarian tools which in theory, should assist in forecasting crop yields, flagging up potential conflicts before they emerge and bearing witness and documenting wrongs and injustices with the aim of holding power to account. It also is an enabling environment for skills development and opening up new markets for African entrepreneurship. But there are unintended consequences for human security which the “fetishization” of tech risks obscuring. These include the misuse of digital technology as a tool – i.e. the weaponization of technology, as well as the risk of a new digital arms race developing in the absence of agreed regulation of how states behave in cyberspace.
Digital security in its broadest sense includes the protection of cyber technology against attacks by states or nonstate actors such as commercial entities, hacktivists, criminal networks or terrorists. As well as protecting digital infrastructure, increasingly states are under an obligation to protect the personal information of their citizens. However, what is evident is that the capacity and political will to introduce new legal protections across the African continent in the face of rapid digitization, varies enormously.
At regional level the African Union’s Convention on Cyber Security and Personal Data Protection (Malabo Convention 2014) is an attempt to develop an Africa wide response to a growing threat of digital abuses. It aims to harmonize legislation, regulation and governance strategies across Africa and establish ”institutions that share information on cyber threats and vulnerabilities” i.e. rapid response teams or CERTS ( Computer Emergency Response Team). Only a handful of states have developed such tools. It also seeks to bolster mutual legal assistance arrangements and takes as a reference point, the Council of Europe’s Budapest Convention on Cybercrime, which is open to non-European States parties. Yet only a handful of the AU’s 55-member states have ratified the Malabo convention (Ghana, Guinea, Mauritius, Namibia, Senegal), with some including South Africa preferring to advocate for a UN wide treaty instead. This is despite warnings by some commentators who question how long such a treaty would take to become a reality, and whether the process would be hijacked by China and Russia in order to stifle domestic dissent. States such as South Africa are developing their own legislative frameworks to deal with the emerging threat, so too are Ghana, Kenya, Mauritius, Nigeria, Senegal. However, data from 2016 indicated that only about 20% of states on the continent have some basic legal framework in place to protect against cyber attacks.
As the continent acquires more internet users, data networks and digital hardware, the potential for Africa to become a significant “theatre” for malevolent cyber operations cannot be understated. The spread of mobile phone subscriptions across Sub Saharan Africa is expected to rapidly increase reaching 930 million by the end of this year, according to industry projections. Furthermore, SABRIC the South African Banking Risk Information System, reports that the use of malware on mobile phones has risen dramatically since the end of 2018. South Africa has experienced an increase in negative cyber events - reportedly 570 attacks are carried out every hour according to the cyber analytics firm Kapersky Lab. Not all of these may be intentional cyber attacks designed to cause harm. Nevertheless, the proliferation of “infected” computers and phones in use across the continent poses significant risks. An estimated 80% of Personal Computers used across Africa in 2010 were found to have been infected with viruses according to researchers, and the extensive circulation of unlicensed software has prevented users from downloading updates to protect themselves from malicious activity.
While at the moment only 1% of reported digital attacks originate from Africa, internet proliferation and tougher regulations elsewhere, are likely to see criminal networks displaced and expanding in a continent considered to be a safe haven for criminal activities unless more attention is focused on building resilience. South Africa’s National Prosecuting Authority has confirmed in a number of public events that several “cyber-criminal syndicates” are known to be operating in the country, available for hire to whoever is prepared to pay the right price. Their services are available for use by terrorist organisations or other non-state actors and states seeking to influence the internal dynamics of potential adversaries or rivals. Even if countries such as South Africa consider themselves as having no obvious “enemies” the potential for states to be used as proxies to attack other global powers is clear.
Furthermore, big data generated by rapid digitization is also increasingly being traded globally according to the UN office of Drugs and Crime. The use of so called “offensive tools” to compromise computer networks and mobile phones, turning them into listening devices, gives the user the capacity to meddle in elections and undermine democracy, use valuable data to distort; deprive and blackmail; or seek ransom funds. The high value targets include governments, utility providers, the military, manufacturing and commercial players. For emerging democracies where institutions are still fragile, vulnerability to manipulation must be actively considered.
Yet resource constraints and competing priorities have led to a chronic shortage of personnel equipped to build defences against cyber-attacks in Africa. South Africa’s President Cyril Ramaphosa in his 2019 State of the Nation address pledged to create two million more jobs – many of them in the tech sector – for South Africa’s unemployed youth to address precisely the commercial demand and the resilience issue. A recent study by the International Finance Corporation found that by 2030 over 230 million jobs in sub-Saharan Africa will require digital skills “creating 650 million training opportunities” in the future with Ghana being a key target country for skills development. Whilst the commercial drivers for more private sector involvement in digital skills development are clear, as shall be argued below, there is a strong argument for the private sector to help states build resilience to digital threats.
The threats not only include denial of service attacks, ransomware or the theft of personal data but also the manipulation of data – including so called deep fakes, whereby videos generated by algorithms, distort reality. This may result in a real world (military) response against a presumed source, with clear geopolitical implications, wrongful convictions or violence related to the subject of the deep fake, and in time an undermining of the trust of law and public information and media.
Whilst much debate about how to protect societies has centred around teaching children skills such as coding, in order to keep up with the digital revolution (an initiative which President Ramaphosa has promised to introduce in all South African primary schools) there are a growing number of voices who advocate a more philosophical approach. At a recent conference in Stockholm,Izumi Nakamitsi , the UN Under Secretary General and High Representative for Disarmament Affairs, called for the development of “ethical” technology which puts “human values” at its core. Children, she advanced, need to be taught about the “difference between humans and machines”. Between autonomy and responsibility. Dan Smith the Director of the Stockholm Institute for Peace Research defines it in more blunt terms as “putting technology in its place”. This argument for “humanizing” technology also has ramifications for international humanitarian law, which defines how in times of conflict, weaponized digital technology and the digital domain are to be used in conformity with the law. Whilst recognizing that the use of digital technology by non-state actors, (e.g. weaponized drones observed in settings such as Iraq and Syria) and the deployment of digital tools in times of peace not war, complicates matters legally, many practitioners including the International Committee of the Red Cross, argue that emerging technology must fit the existing laws and not the other way around. In practice this must surely mean closer engagement with the private sector and the introduction of codes of conduct and product and operating standards?
In terms of skills development, the private sector clearly has an important role to play across Africa. The African Union has spearheaded a number of joint initiatives including plans for an E-university to accelerate skills development, and the leading tech firms such as Google and Microsoft also have their own industry initiatives. In addition to capacity building there is arguably a role for the private sector to be included in discussions on global governance issues. Self-regulatory pacts such as the Cybersecurity Tech Accord signed in 2018 by 34 ICT related companies, has been broadly welcomed. However there is clearly more work to be done.
Increasingly there is a case for the private sector becoming more open to generating a climate of trust and partnership with governments and society at large, with Africa being seen as an equal player in those discussions and not simply a marketplace for further development of tech. Whilst UN initiatives such as the establishment of a Group of Government Experts and an Open ended Working Group (the two most prominent fora in which cyber norms have been discussed) their focus has been on state to state interactions and have not directly involved the private sector. However, in June 2019, a separate initiative, the UN High Level Panel on Digital Cooperation proposed an Internet Governance Forum Plus model to strengthen digital cooperation among states, businesses and civil society and produce outputs that are more tangible. This indicates a shift in recognising the need to make discussions about norms and regulation more inclusive and expansive.
The private sector also has a critical role to play in public engagement to clearly set out the tradeoffs between security and privacy. For example, more restricted access may be required to accompany more robust security measures to protect personal data.
The private sector also arguably has a role to play in encouraging industry transparency. Whilst in South Africa there are close working relationships between SABRIC (the South African Banking Risk Information System) and the police, there is often resistance on the part of private companies to report cyber security breaches, because of fears concerning the reputational damage that such admissions may cause. Greater industry transparency is needed when vulnerabilities are detected in order to identify weak spots and build countermeasures.
With future horizons shaped by 5G technology, hypersonic weapons which travel five times the speed of sound and greater machine autonomy, the ability of the human brain to make considered, swift decisions and maintain control of the consequences of mass digitization, is being hugely challenged. For parts of the African sub-continent pre-occupied with current human security concerns, this may seem like the stuff of science fiction and a distraction. Yet if UN predictions are correct and a third of the world’s population will reside on the African continent by the turn of the next century, how to tame and live with emerging digital technologies, needs to occupy a central position on the Africa security agenda.
 For a breakdown of legal frameworks across Africa see https://dataprotection.africa
 Peters, A “Russia and China are trying to set the U.Ns rules on cybercrime” Foreign Policy Sep 16 2019
 The Cybercrimes and Cyber Security Bill (2014) is currently making its passage through parliament. The Protection of Personal Information Act (2000)
 Cyber crimes and Cyber Security Trends in Africa “ www.symantec.com
 Ericsson’s Sub- Saharan Africa : Ericsson Mobility Report 2014
 Gady 2010 as cited by Kshetri (2019) Cybercrime and Cybersecurity in Africa, Journal of Global Information
 Cyber Security Trends Report Africa
 ir Kshetri (2019)
 IFC - The study finds that over 230 million jobs in Sub- Saharan Africa will require digital skills by 2030, resulting in almost 650 million training opportunities.
 See Dr Alexa Koenig (2019)“Half the Truth is Often a Great Lie”: Deep Fakes, Open Source Information, and International Criminal Law. AJIL Unbound,113, 250-255. doi:10.1017/aju.2019.47
 Stockholm Security Conference Oct 3 2019 (SIPRI)
 UN High Level Panel on Digital Cooperation. https://www.un.org/en/pdfs/DigitalCooperation-report-for%20web.pdf
Karen Allen joined the ISS in June 2019 as Senior Research Advisor: Emerging threats in Africa, in the office of the executive director in Pretoria.
For the past 15 years Karen was a senior BBC foreign correspondent based in Nairobi and later Johannesburg. She has a particular interest in the relationship between terrorism and global justice, technology and human security.
She is a Visiting Fellow at King's College London in the Department of War Studies. Karen has a Master’s degree in international relations and contemporary war from King's College London.