African governments’ views on cybersecurity are not homogenous and actions that indicate ideals of “net nationalism” continue to emerge in parts of Africa. A politics of net nationalism utterly focused on individual governmental interests will imperil international cooperation, mutual legal assistance and the cross-border flow of information, and may derail international cybersecurity efforts, especially harmful to a region like Africa that undeniably needs digital cooperation to effectively ensure cybersecurity. It is the time for African states to focus on global best practices and strategic cooperation and show interest in multilateral efforts aimed at enhancing cybersecurity and cyber governance.
Africa’s Cyber Governance Situation
Cybersecurity continues to emerge as a policy priority of many governments. The Digital Transformation Strategy for Africa has highlighted the need for greater capacity to detect and mitigate cyberattacks. According to the Strategy, African governments have a fundamental responsibility to create an enabling environment, with policies and regulations that promote digital transformation across foundation pillars, which include cybersecurity. The borderless nature of the Internet, however, presents challenges for states that are accustomed to controlling all activities in their territory.
The increasingly popular attempt by African governments at what may be termed “net nationalism”, based on a national security agenda, has become concerning. The term net nationalism here refers to a nationalism-based agenda as it is applied to the Internet. Definitions related to the term have been based on the idea of political manoeuvring, political activism, self-determination and identity creation, including when in support of the state or the nation. When it involves states, the idea behind net nationalism can be related to state actions such as Internet political manoeuvring, Internet-national identity creation and attempts to nationalise and self-govern the Internet, as well as trying to regulate the Internet through independent and often indiscriminate national laws and policies. Such states also focus on earnestly controlling the Internet activities of their citizens, based on the idea that being a “netizen” must parallel the interest of the government.
African governments’ views on cybersecurity are not homogenous. Unfortunately, the African Union member states have diverging interests and the understanding of cybersecurity in Africa remains diverse. While some are keen to prioritise cybersecurity, others regard it as a non-priority. Many African states still have no national cybersecurity legislation and what look like attempts at net nationalism continue to emerge in parts of Africa. Seemingly, these states’ understanding of cybersecurity is focused on nationalising Internet activities and finding means to quash political dissent on the Internet. This is always done under the guise of ensuring national security, obviously misunderstanding what cybersecurity entails. There have been incidences of African countries rampantly blocking or banning Internet access or restricting cyber activities for citizens, notwithstanding that United Nations experts and high-level officials have affirmed that “blanket Internet shutdowns and generic blocking and filtering of services are considered by United Nations human rights mechanisms to be in violation of international human rights law.” Court decisions in Africa have not served as deterrents.
Net Politics vs. Cybersecurity
In June 2021, the Nigerian Government banned Twitter operations and use in Nigeria after accusing Twitter of having a suspect “cyber” mission in Nigeria, citing “persistent use of the platform for activities that are capable of undermining Nigeria’s corporate existence”. The government also accused the platform of supporting secessionists in the country after Twitter removed a post by the Nigerian President which the social media platform considered offensive and against its rules, following an overwhelming complaint by Nigerians. The Nigerian government thereafter threatened to prosecute any Nigerian found violating the ban, after opining that Twitter should be registered locally in Nigeria and hinting that social media outfits might have to register before operating in Nigeria. The government then moved to tighten regulation of social media over cybersecurity-national security concerns and government spokespersons urged lawmakers to grant full regulatory powers over Internet broadcasting and all online media outfits to the Nigerian government.
At various times, other African governments have acted in a similar manner. The 2021 Zambian elections were held amidst Internet restrictions. The Ethiopian government has become notorious for Internet shutdowns, and has been described as one of the worst in the world for Internet shutdowns. In 2020, Tanzania restricted access to the Internet and social media applications during elections. Uganda followed suit during elections this year. Zimbabwe, Togo, Burundi, Chad, Mali and Guinea also restricted access to Internet or social media applications at various times in 2020. It was reported that in 2019 alone, at least 10 African countries blocked or banned Internet access or restricted cyber activities using diverse measures. Further reports state that “in 2019, there were 25 documented instances of partial or total Internet shutdowns, compared with 20 in 2018 and 12 in 2017”. These moves at controlling the Internet are always touted as cybersecurity-national security measures by these African states.
In 2014, the African Union Commission (AUC) adopted the African Union Convention on Cyber Security and Personal Data Protection (hereinafter the Malabo Convention). The Convention is considered a strategy to ensure unified regulatory approaches between the African Union member states to promote cybersecurity in the region. The Convention is yet to enter into force due to inadequate ratifications. To date, only 10 instruments of ratification have been deposited. Similarly, notwithstanding the cooperation efforts of the Council of Europe in the African region, only an insignificant number of African countries have ratified The Council of Europe Convention on Cybercrime (the Budapest Convention).
Of course, African states are not alone in their attempts at nationalising the Internet. Other countries have also continued to tighten control of Internet activities. However, for African government institutions which often lack the skills, capacities and resources to effectively implement cyber policies and enforcement measures, such net politics agenda may perpetuate cyber discordance and crisis rather than enhance cybersecurity. Obviously, the region’s rampant political instability and interpretations of human rights and security continue to collide with its understanding of cybersecurity.
Multilateralism and Digital Cooperation for Cybersecurity in Africa
Against this background, it is time for African states to show interest in multilateral efforts aimed at enhancing cybersecurity. Africa remains weak when cybersecurity is measured. Africa’s ability to effectively meet international standards of addressing cybersecurity is also called into question by uncertainties about the effectiveness of existing cybersecurity mechanisms. The International Telecommunications Union’s (ITU) Global Cybersecurity Index reports that many African countries still exhibit weak cyber maturity levels. Not only is Africa the least digitalised region in the world, it lacks the infrastructure required to effectively tackle cybersecurity, making many international cybersecurity efforts futile in the African context. The problems of lack of capacity, lack of expertise and skills and the lack of prioritisation further ripple into the cyber legislation process. While some states are drafting cyber legislation, the capacity for effective cyber legislating is still in question. Such gaps could mean unrealistic cybersecurity policies and strategies. An example is the Nigerian Cybercrime Act, which the Economic Community of West African States (ECOWAS) Court ruled has to be repealed or amended due to provisions that could potentially restrict cyberspace users’ human rights.
The nature of cyberspace makes multilateralism an imperative. Its value for ensuring cybersecurity cannot be overemphasised. The Internet Society notes, however, that the growing need for multilateral cooperation amidst the global pursuit of cybersecurity also makes the Internet susceptible to geopolitical tensions driven by nationalism and related power dynamics. Regional organisations like the African Union are rooted in their respective historical, cultural and political contexts, which further impact their ideologies, mandates and capacities and have implications for dialogues and negotiations over cybersecurity measures. African states therefore continue to insist on exerting control and authority over Internet activities. If every state pursued an agenda of net nationalism, global digital multilateralism efforts for cyber security would all be an exercise in futility. If left unchecked, these moves in Africa may jeopardise cybersecurity efforts by creating negative implications for international cooperation, mutual legal assistance and cross-border flow of information.
The Group of Governmental Experts (GGE) reports have consistently emphasised the increased need for “international cooperation against threats in the sphere of ICT security”. Digital cooperation remains imperative because collaborative approaches engender shared responsibility among states. There have been diverse efforts at ensuring cybersecurity through regional cooperation with Africa. At the core of that agenda have been the efforts of the European Union and the Council of Europe. For the African region, these efforts have included enhancing policy development, capacity building and harmonisation. Africa can also learn from Europe that cybersecurity can be achieved by developing transparent cyber legislation, policies and strategies; building adequate cyber capacities and strengthening cooperation efforts which include multistakeholder partnerships; and ensuring appropriate cyber emergency and incident response mechanisms.
Way Forward For Africa
It has been argued that “preserving cyber stability is a collaborative effort, and state actors in African countries need to devise cooperative mechanisms to observe and implement norms and include them in their national cyber policy or strategies.” The African Digital Transformation Strategy highlighted the need for greater capacity to detect and mitigate cyberattacks. The Strategy states unequivocally that “collaborative ICT regulatory measures and tools are the new frontier for regulators and policymakers as they work towards maximizing the opportunities afforded by digital transformation”.
Politics of net nationalism utterly focused on individual governmental interests will certainly imperil multilateralism and may derail international cybersecurity efforts. A strong pursuit of such individualistic cyber strategies will make it harder to sustain multilateralism for a thriving cybersecurity agenda, especially for a region like Africa that undeniably needs digital cooperation to effectively ensure cybersecurity.
There is no denying that conflicts can be exacerbated through cyber operations that may then undermine security efforts if not managed properly. However, the conduct of African states to date unarguably manifests a misunderstanding of the intersection between cybersecurity and national security. The reluctance of African states to ratify the Malabo and Budapest Conventions is further proof of this. Africa must correctly align its cybersecurity priorities. The 2021 GGE Report reaffirms that “…an open, secure, stable, accessible and peaceful ICT environment is essential for all and requires effective cooperation among States to reduce risks to international peace and security.” It will be impossible for Africa to ensure cybersecurity without cooperation. The importance of cooperation for ensuring cybersecurity will also be recognized by ratifying the Malabo Convention and the Budapest Convention. By ratifying the Budapest Convention, African countries would enhance opportunities to receive international support for promoting cybersecurity. African states must also think of global best practices and the value of strategic regional partnerships. Regional organisations have a key role to play in formulating policies and delivering outcomes for cybersecurity. There must be a reinforced obligation to understand that priority must be accorded immediately to a cybersecurity agenda in Africa.
About the Author
Dr. Nnenna Ifeanyi-Ajufo is a lawyer and a Senior Lecturer of Law and Technology at the School of Law, Swansea University. She is also the Vice-Chairperson of the African Union Cyber Security Experts Group (AUSCEG), a Senior Research Fellow at the African Centre for International Criminal Justice and a member of the Cyber Threats Research Centre (CYTREC) Team at Swansea University. Nnenna holds an LLM in International Information Technology Law, MA in African Studies and LLD in International Law.