August 25, 2021
The 5×5—Cyber capacity and conflict in Africa
Countries in and out of Africa are investing heavily in critical infrastructure projects across the continent, whose population is expected to double by 2050. These infrastructure investments, many of which are in the information and communications technology (ICT) sector, are aimed at increasing connectivity and progressively digitizing economies across Africa, which have historically lagged those of Europe and Asia. But, according to the World Bank’s 2020 Future of Work in Africa report, digital skills still vary widely within and between countries and more must be done to improve cyber capacity and security overall.
The adoption of new technologies and digital transformation will require proportional investments in the cybersecurity, resilience, and workforce needed to secure these investments. In 2013, the African Union released its Agenda 2063, a fifty-year plan to transform the continent, with cybersecurity—including data protection and online safety—as a flagship project. According to INTERPOL, despite the continent’s lower levels of connectivity, criminal organizations have increased their online activity in Africa, resulting in an outsized rise in cybercrime over the past decade. Moreover, terrorist organizations based on the continent, such as Boko Haram, have a history of hacking government infrastructure. These activities, combined with poor cybersecurity and resilience, threaten the range of physical and digital infrastructure investments in Africa, and thus the growth potential of the continent.
We brought together a panel of contributors with various perspectives on the region to break down the state of cybersecurity in Africa and explore where investments in cyber capacity could go the furthest.
#1 What targeted investments would go furthest in building cyber capacity across Africa?
Aleksandra Gadzala Tirziu, senior fellow, Africa Center; head of research, The Singularity Group:
“One of the biggest challenges that African countries face is a lack of cohesive and enforceable cyber policies. For this, investments in bilateral or multilateral partnerships that could guide African governments in their adoption of multi-stakeholder cyber policies and legal frameworks are key. Much of Africa’s cyber expertise and human capital lies in the private sector, which needs to be brought to the table in a meaningful way. Equally, the tendency of African governments to adopt heavy-handed approaches in information environments should be mitigated. Achieving these objectives will require significant learning from diverse, strategic, and trusted global partners. This, in my view, is the first and most critical step toward building cyber capacity in the region.”
Noelle van der Waag-Cowling, cyber program lead, Security Institute for Governance and Leadership in Africa, Stellenbosch University, South Africa:
“Sovereign clouds and local data centers. African governments and businesses would benefit enormously from the security benefits of adopting cloud technologies and partnering with providers to build out secure networks and leverage their quantum of expertise and experience. Key obstacles here are affordability and access to fiber optic and 5G telecommunications connectivity, which is a prerequisite for such architectures. If these investments could be paired with skills development, the benefits would be immeasurable. Africa’s cybersecurity skills pipeline is fiscally constrained but equally importantly not geared towards channeling employment or internships for new talent. Affordable training pathways coupled with work placements and mentoring are critical to Africa’s future cyber capabilities.”
Laban Bagui, senior research fellow, Cybersecurity Capacity Centre for Southern Africa (C3SA), University of Cape Town:
“The African continent lags behind in many aspects related to cyber capacity, but there is a great need for investments in cybersecurity awareness-raising initiatives, cybersecurity education and training, and collaboration on cyber defense and combating cybercrime.”
Bright G. Mawudor, founder, Africahackon:
“The best investment will be in people. The culture of cybersecurity across the Africa region is changing drastically and so many people are becoming more aware. The younger generation is taking part in cybersecurity challenges across the globe (e.g., DEF CON Red Team Village Capture the Flag) and emerged in the top twenty out of over eight hundred participants. Investing in growing cybersecurity talent will change the landscape in the long run.”
Enrico Calandro, co-director, Cybersecurity Capacity Centre for Southern Africa (C3SA), University of Cape Town:
“Africa needs to build capacity on many levels. While novice internet users might be considered the weakest link and the most vulnerable to cyberattacks, both the private and public sectors lack the necessary technical, organizational, and strategic skills to tackle increasing cyber threats. Investment is needed at all levels, starting from empirical research to inform how better to invest limited funds. At C3SA, we are approaching cyber capacity building holistically, drawing from cyber maturity assessments. We are developing research to design a cybersecurity framework for primary schools in rural areas in South Africa; increasing awareness of cyber risks for internet users through a series of public webinars; and developing specialized cyber policy skills through educational programs and cyber policy competitions for students.”
#2 How are China and Russia shaping the cybersecurity landscape in Africa?
Tirziu: “As far as China is concerned, it is effectively double-dipping in Africa’s cybersecurity landscape. On the one hand, the biggest concerns around cyber espionage in Africa have been linked to China. Arguably the highest-profile incident occurred in 2018, when it was reported that all of the content on the servers in the African Union’s headquarters was being regularly transmitted to Shanghai. There have since been many other incidents both in the region’s public and private sectors. And the risk is far-reaching, at least in part, because of China’s role in providing the region with ICT infrastructure. On the other hand, China is trying to position itself as a partner for African states in the build-up of their cyber capabilities. Beijing has been providing training to African officials in internet management and cybersecurity, with some countries, like Tanzania, for instance, then making a conscious effort to reflect Chinese regulations in their own laws. China is fast becoming an entrenched player in Africa’s cyber landscape which, in my view, makes the need for US and, broadly, Western, engagement all the more pressing.”
van der Waag-Cowling: “China tends to see opportunity in Africa where others may see risk. As a result, China is investing significantly in communications infrastructure and dominating the information technology (IT) and mobile hardware market. Cheap feature phones that predominate in certain regions pose a risk to users, particularly when accessing digital financial services. Russia makes adept use of social media platforms as a soft power tool in Africa using historical struggles against the West as a narrative for building solidarity, as well as more targeted information operations. The growth of ransomware attacks by groups believed to be located in Russia and surrounding regions needs to be addressed at a high level by Africans. Both China and Russia are considered strategic partners in many countries, particularly in Southern Africa. As a result, there are a number of bilateral agreements and initiatives regarding cybersecurity. Their views on the internet as sovereign territory may yet have a profound impact on shaping internet futures in some African states.”
Bagui: “Most digital products, services and technologies that are used in Africa are produced or designed in China. Huawei has a strong presence in the development of countries’ ICT infrastructures, while there are other Chinese companies driving online services, applications, and devices on the continent. As a result, Chinese technology has been one of the most important factors in ICT development on the continent. There are Russian entities advising African governments on security, especially in the fight against terrorism. Many European and US entities are doing the same through various bilateral and multilateral commercial and security agreements. These points suggest that China and Russia are more cyber opportunities than threats or risks to Africa, at the moment.”
Mawudor: “The influence of China and Russia has been imbalanced. On one hand—as in the case with China—they provide solutions that are adopted by many corporations. On the other hand, there is massive criticism of cyberattacks originating from China and Russia. Some even accuse them of cyber espionage and also recruiting criminals in Africa to partake in global attacks. The view by many has been working on the basis of trust and differs from country to country.”
Calandro: “Affordable devices and networking infrastructures, which have increased accessibility for most Africans, are largely sourced from China. Therefore, it is probably expected that national technological standards on cybersecurity will be anchored to these suppliers as they support the closure of the usage gap. Some countries are pursuing a Russian approach to data storage, imposing data localization requirements. The majority of African countries have also supported the Russian cybercrime resolution at the United Nations, leading to concerns about African preference for a state-led approach to cyber sovereignty, which might negatively affect the global internet as we know it.”
#3 What level of involvement should the US government have in cybersecurity and cyber conflict in Africa? Are there regions to prioritize from a cybersecurity standpoint?
Tirziu: “Africa has been curiously blessed with delayed digitization, which has in general helped minimize its vulnerability to cyberattacks. Despite notable progress, much of the region’s population still lacks basic internet access, and many nations do not possess the kind of digitally vulnerable power, transportation, energy, and other infrastructures found in more developed countries. The attack surface is so far limited, and it is overall concentrated. At greatest risk is the continent’s critical infrastructure—telecommunications networks, the growing banking industry, and maritime infrastructure. Africa’s maritime infrastructure is at especial and increasing risk, with possible global implications: if Africa’s ports and shipping industries are attacked, this could cause major disruptions in international trade and commerce. Rather than prioritizing regions, prioritizing the region’s critical infrastructures and industries may be a more strategic means of engagement.”
van der Waag-Cowling: “From a US perspective, the obvious answer would be regions where transnational terrorist groups that pose a threat to the United States operate. These regions are growing in size beyond the Sahel and ‘arc of instability’ due to ISIS-related activities in the Democratic Republic of the Congo and Mozambique. The US government can play an active role in building cyber capacity in Africa in order to promote economic growth and protect critical infrastructure. This will enhance societal stability and, by implication, improve the African Peace and Security Architecture with resultant benefits being security in other regions. Terrorism and insurgency thrive in societies where deprivation is endemic. Large US technology companies like Microsoft, Amazon and Google are already playing a significant role in creating growth and employment. For the United States, dynamic and innovative cooperation can be leveraged from these positive relations. The Achilles heel for the United States is some social media platforms, which are hosting increasingly destructive disinformation operations, ironically sometimes driven by competing powers.”
Bagui: “The US government is a development partner for Africa. As such, in matters of cybersecurity, it might be called upon to assist with strategic capacity building including raising cybersecurity awareness, cybersecurity education and general professional training, cyber defense against terrorism and cybercrime, cyber law-enforcement training, and development of cybersecurity infrastructure, such as digital forensic labs. Central and West African regions should be prioritized to allow them to catch up with Northern, Eastern, and Southern Africa. Except for Nigeria, Ghana, Senegal and to some extent Cameroon, the cybersecurity situation in these regions experiences a dire lack of capacity.”
Mawudor: “The US government will best be supportive of the legislative aspects of cybersecurity, including governance, advocacy, and policy adoption. The United States should prioritize regions that include countries that do not have data protection laws enacted or are still in the process of adoption.”
Calandro: “Considering that US companies have gained an undisputed leadership over operating systems, social media, and cloud computing platforms in Africa, the US government should work harder to protect internet users, both domestically and internationally. This can be done by defining transparent regulatory measures to reduce cyber harm and collaborating with government organizations across the African continent to fight transnational cybercrime. Cybercrime and cybersecurity issues are primarily dealt with at a national level. Therefore, the US government should prioritize member states, while working with regional organizations to coordinate various initiatives.”
#4 What non-state actor(s) are the most influential on the cybersecurity of Africa now? Who will be five years from now and why?
Tirziu: “Rising internet penetration and advances in digital technology are beginning to alter the range and sophistication of non-state actors that are active in Africa’s cyberspace. While in the past decade criminal groups—and especially business email compromise groups based largely out of Nigeria and South Africa—were the most prominent threat, this has since expanded to include terrorist organizations, cyber-mercenaries, and hacktivists. In 2016, for instance, a hacktivist group known as Autonomous Africa launched an attack against the South African Broadcasting Corporation in retaliation for its perceived censorship practices. The Nigerian terrorist group Boko Haram has over the years launched numerous attacks, also with the use of surveillance drones. As emerging technologies like drones, artificial intelligence, and 5G telecommunications continue to proliferate, they will likely increase the sophistication of attacks. And these enhanced tactics will in turn increase the importance of intelligence, precision, and automation in countering the threats they pose.”
van der Waag-Cowling: “Cybercrime syndicates of both domestic and foreign origin. Africa can ill afford the economic loss resulting from cybercrime on the continent. From a more strategic perspective, some of these syndicates also have transactional relationships with insurgent movements, terrorist groups, and organized criminal networks in Africa. The relationship between them is symbiotic and deeply intertwined due to money laundering, human trafficking, and arms smuggling.
In the future, cybercrime threats will persist, but a major additional risk in the future will be cyber mercenary activity. The availability of high-end cyber skills and weaponized software for well-resourced clients is growing. Ongoing conflicts across many regions combined with externally funded insurgencies and proxy activities have an increasingly hybrid flavor. The long history of mercenary activity in Africa gives rise to the proposition that cyber operations may be outsourced to opaque private actors, particularly in states where cyber capabilities are constrained.”
Bagui: “The International Telecommunications Union (ITU) and the World Bank are the most influential non-state cybersecurity actors in Africa. The ITU provides broad technical support in terms of strategy, policy, and infrastructure development, while the World Bank funds these digital development projects and others pertaining to cybersecurity capacity building, such as raising awareness and educational and professional training programs.”
Mawudor: “Companies such as Dimension Data and Serianu are building a lot of capacity. They also have threat intelligence centers that see and analyze traffic to local organizations. Additionally, I founded Africahackon to build capacity in Africa and nurture the next generation of talent in the industry.”
Calandro: “African non-state actors are poorly equipped to be influential on cybersecurity for a few reasons. First, African countries are not self-sufficient in technological innovation and development. Many countries import a considerable, if not entire, portion of digital technologies, and local non-state actors do not reach the critical size to be influential on cybersecurity. Second, cybersecurity is mostly dealt with at a governmental level, and engagement with the private sector and CSOs is limited. Suppose in five years from now, African governments do not improve the conditions for the local private sector to flourish. In that case, Africa’s cybersecurity will still be shaped and defined by foreign actors, including states, technology suppliers, and relative security standards.”
#5 Which African countries punch above their weight in cybersecurity?
van der Waag-Cowling: “In no particular order, Senegal, Mauritius, Morocco, Ghana, Rwanda all punch above their weight in cybersecurity.”
Bagui: “Right now, the whole of Africa is doing just that—punching above their weight in terms of cybersecurity. There are a handful that can take a few punches. These include Egypt, Kenya, Mauritius, Nigeria, South Africa, and Tunisia. They have cybersecurity strategies, policies, legislations, standards, institutions (e.g., cybersecurity regulators and CERT/CSIRTs) and some dedicated infrastructure in place. They are now focusing on scaling-up initiatives to reach every corner and every person within their territories.”
Mawudor: “South Africa, Kenya, and Ghana punch above their weight. These countries have been taking cybersecurity conversations from a purely government issue and making sure the public is aware as well as investing in solutions to address national cyber threats. They have developed cyber incident response teams that respond to attacks and create occasional programs to maintain awareness.”
Calandro: “I believe that all African countries are putting considerable efforts to punch above their weight in cybersecurity. Most African countries are working hard with development organizations and other international partners to build the necessary policy, legislative, and technical skills to tackle hostile online activities and crime. But, as long as the conditions required for a private sector to develop local technologies will not be in place, it will be tough for African countries to keep up with risks of technologies and standards set overseas.”
Simon Handler is an assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.