NB* See note at the bottom. This is a republication
The cybersecurity discourse in Africa has been evolving very slowly, notably since 2007 when the regional block started mooting its own approach towards it. However, it still lags behind the region’s technological growth and its attendant challenges to governance and human rights. This has created a chasm between technology uptake and the policy framework that address digital-related challenges. The understanding of cyber-related challenges is embryonic, thus leading to a polarised and esoteric discussion of cybersecurity. As cyberspace is bringing important opportunities and challenges for governance and development in Africa, the region increasingly needs to understand what cybersecurity means to its various constituencies, then adopt relevant supra and national cybersecurity policies in line with this diffusive understanding. Through the African Union (AU), it the needs to leverage opportunities brought by the cyberspace especially to spur growth and extend digital rights. Such measures, in our view, should balance the competing interests of African states, civil society, the private sector including international cooperations who have a stake in this new dynamic environment. Balancing these competing interests towards securing digital rights for all is the challenge the AU faces in taking the cybersecurity issue forward. The Convention on Cybersecurity and Personal Data Protection provides a normative framework within which these developments can sit and find strength.
The adoption of, two years ago, the Convention on Cybersecurity and Personal Data Protection by the AU, signaled the continent’s acknowledgment that the cyber challenges are now deeper than naïve random email scams and chiseling crimes. It also demonstrates the continent’s readiness to adopt a regional grown benchmark. The region has awoken to the realization that cybersecurity threats are real, and some of them are new, for example, criminal gangs are embracing more sophisticated ways to use technology that transcend borders. Yet, despite the current awakening to cybercrime and national security, the cybersecurity discourse needs to move beyond cybercrime and perceived threats to national security. Such a skewed understanding has led to limited interventions, such as the usage of military stingrays in civic spaces and explains the lack of appetite to adopt the Convention. To borrow the text of the 4th amendment to the U.S Constitution, “The right of the people to be secure [including on the internet]” is the heartbeat of cybersecurity. Thus, the conceptualization of cybersecurity in Africa must encompass the broad areas such as privacy, security, freedom of expression and equal treatment of data traffic on the internet: It must secure liberty in changing the digital world. The AU should prioritize this task as it moots the way forward.
In light of the above, what should be the practical way forward for the AU on cybersecurity in the region? In our view there is a need for an audit: First, although consensus may never be reached, there should be a general common understanding of the term ‘cybersecurity’ and what it entails to the various constituencies. This will require a proactive and intentional awareness-raising campaign in the regional internet and other forums. Although the impact of cybercrime on businesses has been looming large in policy discussions, important as that discussion is, it has overlooked the interests of users at risk such as human rights defenders and those in the LGBT community to whom privacy of their correspondence and online activities matter the most. In response to their concerns, the government has insisted ‘If you have nothing to hide what do you fear’. This lax commitment to the privacy and security of users is reflected in the Convention’s questionable human rights clauses which have led to its mixed reception by civil society groups and some international companies. The AU has to create platforms to converge cybersecurity discourses, a first step in engendering confidence in the Convention. So far, the regional Internet Governance Forums have not achieved this as public officials obsess with reducing risks to national security, perceived or actual, and prioritization of domestic crime prevention such as hate crime and child pornography. Kenya, Zambia, and Swaziland are good examples. In the absence of national frameworks that guide law enforcement and national security agencies on such issues, these officials have rarely considered the risks to privacy and the risks to freedom and civil liberties.
Second, the AU needs to examine why there has been a very little appetite to adopt, let alone, ratify the Convention. It seems that geopolitical considerations which motivated its formulation have led to its dormancy. If these considerations are not addressed hook, line, and sinker, they might permanently stall the process. According to Mailyn Fiddler, A Marshall Scholar at Oxford University, the AU’s choice to develop its own Convention instead of promoting African participation in existing cyber treaties, most notably the Council of Europe’s Budapest Convention on Cybercrime (2001) reflects a desire of African states to have autonomy over their response to cyberspace challenges. The AU should therefore seriously consider whether to pursue the Convention or simply encourage its members to request accession to the Budapest one. This step, in our view, requires the AU to set aside it’s over exaggerated concerns with sovereignty issue and approach the issue with dispassionately and with humility. Its current stance has led to a conflation of issues, for example, its perception that accession to the Budapest one equals a loss of political sovereignty. AU Member states’ participation in the Budapest Convention would be indeed a step that acknowledges the borderless nature of the internet and the need for a harmonized international response to digital threats, for example, through universal norms and standards, as opposed to parallel jurisdictions.
If the AU chooses to pursue the Convention as its benchmark on the issue, it needs to take the following steps: elicit the buy-in of the continent’s powerhouses such as South Africa, which played no role in its formulation, and supports multi-stakeholder awareness raising that emphasizes the various dimensions of cybersecurity. Also, the AU should intentionally play an active part in its adoption, in particular, by ensuring that the current national and sub-regional reciprocally harmonization efforts reinforce its own leadership in a ‘bottom-up’ and organic manner. Such an organic process, in our view, would lead to a greater acceptance of the Convention but also the germination of the spirit it embodies, i.e., cybersecurity in its broader sense which encompasses the security of all users who choose to surf the internet for whatever reasons within the confines of the law. In order to engender confidence and trust in such regional institutions, the AU must demonstrate maturity by showing the willpower towards the adoption of the Convention by its member states. It should encourage states to put in place national legal administrative and political frameworks towards compliance with it. So far, only eight of the AU’s fifty-four members have signed the Convention, with none ratifying it. This inertia has gone for two years despite the document being homegrown and also the calls from various quarters to adopt it. For instance in April 2015, Access Now ‘called on member states to ratify the convention as soon as possible’ as we felt it was “it [was] critical for the countries to adopt cybersecurity policies that better protect users while respecting their privacy and other human rights.” We made this call out of our belief that the AU should lead these efforts.
The AU should rally the support of major influential states towards adoption and ratification. According to Fiddler, “influential African states, such as South Africa, Kenya, and Nigeria, played little role in the Convention’s development”. Yet according to Tom Jackson, South Africa and Kenya lead in the cyberattacks figures in Sub-Saharan Africa and “cybercrime is actually most pervasive in South Africa, with security firm Norton saying 70% of South Africans have fallen victim to cybercrime, compared with 50% globally. Also Kenya has the most grotesque policy dissonance between internet growth and the respect for human rights on it. Therefore the AU should engage multi-stakeholders in South Africa, Kenya, and Nigeria to play a lead role in promoting the Convention and the spirit it encompasses. A commitment to discuss its human rights dimension will lead to its traction among users at risk, such as HRDs and their backers. In seeking the normative leadership of the above states, the AU, should balance Francophone and Anglophones influences. For example, although Chad, one of the early Francophone adopters of the Convention isn’t an influential state, the recent election of Moussa Faki from this country as the AU’s Chair Person gives it political leverage.