Cyberthreats still don’t seem to wake Africa to its commitments
Monday, January 23, 2023

Cyberattacks on state infrastructure in Africa have not always been in the news. But they happen. Among the latest ones was the one in May last year when Ethiopia said it had thwarted international cyberattack attempts on financial and administrative institutions connected to the Grand Ethiopian Renaissance Dam.

Had it succeeded, explains an official, the consequences would have been far-reaching for the financial institutions and the country as a whole.

One need only look at what happened in Liberia in 2016. An overenthusiastic employee at one of the major telecommunications companies in the country decided to sabotage the network of a rival.

The result was that half the country was cut off from bank transactions, with serious economic consequences.

But there was more. When Liberia sought help from Western countries to restore its financial networks or arrest the creators of the malware that was used, nobody came to her aid.

Then the same malware was used to disable Deutsche Telekom, the German telecommunications giant. It was only then that Germany acted.

Even without reading Western malice in the debacle, the moral must be that one can never be sure help would arrive on time should such an attack happen elsewhere in the continent.

The African Union Convention on Cyber Security and Personal Data Protection adopted in June 2014 was supposed to anticipate such attacks. Additional 2017 guidelines emphasised the importance of the multi-stakeholder model and the need for collaborative security in protecting internet infrastructure.

One would think this banding together to be there for one another would elicit African commitment. But of the 54 African states, only 13 countries have so far ratified the Convention. 15 countries are required to have ratified for the treaty to enter into force. In the East African Community, only Rwanda has ratified it.

But all is not lost. Most East African countries are among the 29 states in the continent that, as of 2020, had passed legislation to promote cybersecurity. And, as reported in the latest Global Cybersecurity Index from the International Telecommunication Union (ITU), Tanzania ranks among the top performers in the continent.

The Index assesses countries’ commitment and cybersecurity actions taken in pillars that include legal measures, as well as technical and capacity measures.

The technical pillar, for example, measures mechanisms and structures such as a reliable Computer Incident and Emergency Response Team (CIRT or CERT) to deal with cyber risks and incidents. Only 19 African countries had an active CERT as of 2020.

This is yet another sign of low commitment in Africa compared to other regions such as Europe. Political will must be found to put the necessary cybersecurity measures in place.

Remember that national security has economic implications, and the more countries with the measures in place the better for the continent.

The economic threat cyberattacks pose is both direct and indirect. The direct threat is on a country’s data integrity and business functions. The indirect threat arises from the disruption of logistics chains.

This is amply illustrated in the latest African Cyberthreat Assessment Report by INTERPOL. Cybercrime reduced GDP within Africa by more than 10 per cent, a loss of about USD 4.12 billion in 2021. Many other instances pepper the report.

The lack of an effective cybersecurity mechanism for economic cybercrime may hamper foreign investment just as the Africa Continental Free Trade Area is taking off. It is akin to tying one’s legs just as a must-win race is already in top gear.

The lack of capacity to ensure cybersecurity is, however, well noted and is an issue the Global Cybersecurity Index flags. Only six countries in Africa have capacity-development incentives for cybersecurity. The capacity-development pillar assesses efforts to bridge the digital divide, build institutional knowledge, or address policy awareness limitations and skills shortages for cyber protection.

Not having these measures extensively in place leaves the countries open to attacks by terror groups which have also gone cyber. This includes cyberattacks by pirates against maritime infrastructure. With pirates stealing database logs, experts worry that Africa’s ports and shipping industries could suffer an attack causing major disruptions in trade and commerce.

Policymakers should beware of the varied threats that the continent has to contend with. They range from espionage to critical infrastructure sabotage, to cybercrime and emerging technologies such as drones reshaping the African battlefield – technologies that even the terror groups are becoming adept at.

They also should beware of factors creating a conducive environment for cybercrime in the continent. They include limited public awareness and knowledge regarding the potential risks when using cyberspace, underdevelopment of digital infrastructure, limitations in institutional capacity to coordinate and implement available cybersecurity laws, and an absence of extensive cybersecurity policies.

The views expressed in this article are those of the writer.