As a progressively digitized continent, Africa is experiencing rapid development. The significant expansion of infrastructure projects across the region, together with growing cyber dependency, frame the continent’s development outlook. This is set against a backdrop of ongoing conflicts, increasing extremism and a struggle between global powers for resources, influence and military footprints.
These dynamics create a challenging framework for policy makers and should signal a need to prioritize the formation of robust cyber defence. For Africa’s people, cyber operations, which are inherently destabilizing, pose a threat to some of the world’s most vulnerable populations and fragile States. Experts have warned that cyberattacks against critical infrastructure are a ‘humanitarian crisis in the making’.
As in other regions of the world, Africa’s energy, water and healthcare networks together with other critical infrastructure are already at risk of cyber disruption. This may cause substantial economic loss, physical damage and affect the delivery of essential services, as seen in the attack this week on a major hospital group in South Africa just as the country witnessed a rapid spike in COVID-19 cases. To address this growing threat, a more resilient cyber posture from African States is required, together with an enhanced sense of agency, particularly within multilateral international organizations.
The digital demographic dividend
Africa is home to 54 countries and abundant natural resources. Despite persistent developmental challenges, it is a fast growing and dynamic economic market with the globe’s youngest population, some 1.3 billion people. The rapid growth of internet penetration has fired up private sector innovation and access to resources such as education, mobile banking and healthcare. The youth dynamic in the region has aided the enthusiastic adoption of mobile technologies and platforms, enabling people to rapidly transcend barriers created by ineffectual governance.
There has been a significant upscaling of foreign investment and operations. Aligned with economic and population growth is an increasing dependence on critical infrastructure in the energy, health, transport, communication and water sectors. Networked information technology systems, operating together with industrial control systems, underscore the need for robust, internationally standardized cyber security measures. This applies to all levels of government as utilities and services are now being increasingly targeted. A recent cyberattack on Johannesburg’s City Power purchasing platform left consumers with no means of buying electricity for three days.
Within Africa, there is an almost total dependence on imported hardware and software. This, together with the harvesting and offshore storage of the personal and biometric data of millions of Africans by tech companies, has fed into a growing sense of disquiet and an emerging narrative of ‘digital colonialism’. Typically, this concern is vocalized by the intelligentsia and civil society organizations, whereas for the most part Africa’s leaders have been largely absent from the discussion. This echoes a wider sense of State stasis pertaining to matters of national cyber defence and cyber security in general.
The importance of digital platforms in providing services and commerce to African communities cannot be overstated. The road density network in sub-Saharan Africa has actually declined in recent years, leaving millions of people at risk of degraded service delivery and being bypassed by growth opportunities. Information and communication technologies promise huge potential in terms of delivering health services, banking, communication, educational resources and e-government services. However, for digital development to be effective and resilient, robust cybersecurity efforts need to match and support these efforts.
The Cyber Poverty Line
The Cyber Security Poverty Line equates to a scarcity of allocated resources relative to the scale of threats faced. The ITU Global Cyber Security Index supports the assertion that, with the exception of Kenya, Mauritius and Rwanda, and possibly South Africa, most countries in sub-Saharan Africa display weak levels of cyber maturity. This pertains to the entire spectrum of indices, from a governance level through to response and capacity development. The potential cyber threat posed to African countries is ostensibly shaded by more immediate kinetic threats and other pressing requirements for resources from strained national budgets.
This places already exposed populations at risk of potentially devastating consequences in the event of a major cyber incident. Key concerns are the consequences of a cyberattack on the growing number of nuclear energy sites or attacks on water storage and hydroelectric entities. Africa is one of the world’s hardest hit regions in terms of climate change, and drought has become an ever-present phenomenon. Any loss of water or contamination will thereof have dire consequences, notably disease and famine. Digital money platforms also present a high value target as these drive the remittances from the African Diaspora to home countries and annually push billions of dollars to some of the world’s most impoverished and underserved communities. In many instances such platforms have replaced cash and formal banking and are critically reliant on zero internet redundancy. They also represent a prime fundraising target for the terrorist networks operating within Africa’s Arc of Instability.
Of specific concern to Africa is the sheer scale of massive infrastructure projects underway across the continent. This includes both physical and digital projects. Frequently implemented from end to end by a foreign entity and sometimes with overlapping infrastructure, this could potentially create backdoors and vulnerability pathways. The net result is the possible future loss of de facto sovereign control of communication, energy, transport or water infrastructure.
What, then, is the best way forward? Some of the challenges lie in a lack of strategic direction within both the public and private sectors. This is intensified by a prevailing lack of awareness and resilience within the general populace. The need for a rethink and reboot at the highest level on how to build and resource cyber capacity is crucial. Constrained technical capacity is currently hampering efforts, and to this end a departure from prevailing African governance models is required, as Public/Private Partnerships are vital to cyber development. A key recognition is that national level cyber security is not an end in itself, but that governments are obliged to create a resilient cyber ecosystem, which protects and enables their economies and citizenry.
Strategic cyber outlook in sub-Saharan Africa
Current geopolitical realities place Africa in the uncomfortable position of being at the centre of a growing rivalry between large global powers for influence, resources, military presence and access to markets. The deployment of cyber and influence operations as a tool for exercising soft and hard power form part of this rivalry. They can also be a pressure lever on African States to achieve desired outcomes. These range from information operations during elections to espionage and cyberattacks. In addition to this, Africa’s canvas of fragile and failed States has resulted in the presence of numerous non-State actors in many conflicts. Several of these protagonists are also active in cyber space, including insurgent groups, private military companies, transnational terrorist groups and organized crime syndicates. At times some of them act as proxies for States, as do some legitimate multinational companies on behalf of their governments.
From a strategic standpoint, African countries have recognized the need to develop military-grade cyber capabilities, particularly for defensive purposes. Only a handful of States have established cyber forces to date. However, as in other regions, such capabilities are potentially augmented by contractors and private military companies. The activities of these proxy actors pose additional challenges regarding accountability and attribution. These complex security challenges point to an imperative for African States to establish enhanced agency in the global efforts to develop norms and the purview of international law in cyberspace.
The African Union (AU) has been sluggish in providing adequate leadership in the cyber domain and member States even slower to respond. To date, only 14 States have signed the 2014 AU Convention on Cyber Security and Personal Data Protection. The newly formed AU Cybersecurity Expert Group must provide leadership and momentum.
It is possible that regional entities such as ECOWAS and SADC may provide more common ground for cyber cooperation. The shared commitments between such countries would assist in driving cyber capacity and assistance. The impact of a cyberattack on South Africa’s ESKOM energy grid is a case in point – eight countries in the SADC region are reliant on the grid. Experts estimate that in the event of a grid failure, it will take between one and six weeks to restart it; as there is no other power source to bootstrap on to, a black start would be required as South Africa constitutes a ‘power island’. Such an event would be an unimaginable catastrophe for an entire and vast region, demonstrating the interdependence of States and why collective approaches to resourcing and supporting cyber are essential.
Of crucial significance here is the establishment of well-resourced and fully functional regional and national Cyber Emergency Response Teams (CERTs). The current lack of incident response and recovery capability is cause for grave concern. The concept of cyber peacekeeping, which has thus far failed to gain traction elsewhere, may yet find a particular application within Africa, particularly at a regional level in terms of shared assistance and resourcing. Moreover, African States should press for real and authentic capacity building to establish strong cyber security postures. African armed forces’ ongoing experience with persistent irregular conflict could provide a platform for pivoting towards hybrid warfare threats. A young, urbanizing and tech-savvy population must compliment future cyber defence strategies.
Likewise, within the current UN Mandated processes on information and telecommunication security, Africans should endeavour to feature more prominently in the debates and ensure that their strategic cyber interests are heard. For States with weaker cyber security capacities, a strong legal and normative framework is an essential element affording protection from foreign interference and cyber threats. Affirming existing international law, including international humanitarian law, may also shield States against becoming ‘collateral damage’ in cyber operations conducted elsewhere.
Conclusion: a deepened commitment
Africa is too reliant on digital technology and limited critical infrastructure not to ensure that cyber maturity becomes a priority goal within every state. Cyber security has been identified as one of the AU’s Agenda 2063 six flagship projects. States need to ensure strong national Public/Private Partnerships to drive their technology security agendas. They will need to be more forceful in securing a collective cyber space and hardening systems.
Cyber defence is, to an extent, reliant on attackers believing that there is sufficient indication of a State’s ability to respond to attacks. This, is in turn, is reliant on the evidence of cyber capacity, research and development. Essentially, the power of a State lies within the perception of its power. A demonstrated and deepened commitment to advancing continental cyber security efforts is therefore required. The future prosperity of Africa and the safety of her people depend on this.
- Call by global leaders: work together now to stop cyberattacks on the healthcare sector, May 26, 2020
- Kubo Mačák, Tilman Rodenhäuser & Laurent Gisel, Cyber attacks against hospitals and the COVID-19 pandemic: How strong are international law protections? April 2, 2020
- Helen Durham, Cyber operations during armed conflict: 7 essential law and policy questions, March 26, 2020
- Laurent Gisel and Tilman Rodenhauser, Cyber operations and international humanitarian law: five key points, November 28, 2019
- Humanitarian Law & Policy Blog, Human Costs of Cyber – Blog Series, May-June 2019