As the world moves from words to action on cyber diplomacy and the international community focuses on implementing a cyber stability framework, Africa is still several steps behind. But with its vibrant digital ecosystem and potential for growth, Africa is an important element in the global cyber diplomacy puzzle. Its unique context and needs have to be better addressed within the current processes.
African countries have been largely absent from the evolving UN processes on cybernorms development over the last two decades. Partly due to the region’s specific Internet ecosystem and partly due to other competing policy priorities, cybersecurity was never a priority in many African countries. This situation has translated into limited participation from African stakeholders in UN cybernorms development processes. Since 2004, only nine African nations have held membership in the UN Group of Governmental Experts (GGE). Notably, Egypt, Kenya and South Africa held theirs for three mandates.
But the situation is changing. As more people are getting online, digital safety and security are becoming both priorities and vital elements in the continent’s development. As of April 2020, 15 African countries out of 54 still lacked specific legal provisions to fight cybercrime and deal with electronic evidence. However, initiatives such as the pan-African 2014 Malabo Convention on Cybercrime and Data Protection and the 2019 commitment in the African Peace and Security Council to develop a Continental Cyber Security Strategy, together with a growing number of cyber capacity initiatives, suggest a new direction. And other countries – notably in Europe – have demonstrated a growing interest in engaging with Africa on digital transformation. Two main factors are driving this international interest in Africa: its potential as a trading partner and its growing role as a theatre of geopolitical competition – regarding both votes at the UN level and in terms of governing cyberspace more broadly.
Is Africa Ready to Implement Cybernorms?
From an international cybersecurity perspective, the norms endorsed by the UN General Assembly in 2015, while global in ambition and feasible in principle, are not all grounded in national perspectives or realities. They do not always sufficiently reflect the particular challenges of resource-constrained nations with different levels of ICT development. Considering that only 14 African countries have developed cybersecurity strategies, most norms encouraging substantial cooperation may prove tricky. For instance, norms on assessing and reporting on ICT incidents and vulnerabilities require states to have the technical capacity to do so. But according to AfricaCERT, only 22 African countries (13 of which are FIRST members) have national Cyber Security Incident Response Teams (CSIRTs). Moreover, sharing information about ICT vulnerabilities or the lack of concrete capacity may place resource-constrained nations even in a more vulnerable position, especially countries without sufficient technical ability or structures to prevent or respond to cyber incidents. Similarly, unclear institutional arrangements, resulting in unenforceable legal frameworks and low cyber maturity, make norms regarding the prosecution of criminal and terrorism-related use of ICTs unworkable.
The continent’s limited institutional and technical capacity also means that norms related to responsible behaviour of states with cyber offensive capability are largely theoretical in an African context. No state-sanctioned cyberattacks on critical infrastructures have originated from Africa. The only African state-sanctioned cyberattacks recognised by the Council on Foreign Relations’ Cyber Operations Tracker originated in Ethiopia and Uganda and were spyware campaigns targeting political dissidents (in foreign nations in the case of Ethiopia and domestically in Uganda). As many African countries do not have the capacity to develop offensive cyber tools, they are at risk, directly and indirectly, from attacks by states with more mature economies. Recognizing this, Nigeria suggested during the second substantial session of the OEWG that member states should refrain from militarisation and offensive use of ICT.
Another notable norm promoting responsible behaviour calls for states to respect the Human Rights Council and UNGA resolutions to promote and protect the enjoyment of human rights on the Internet. However, the democratic assumptions about human rights, freedom of expression, privacy and security that underpin the international human rights framework and principles of good governance often collide with the political economy of relatively new independent states. These states’ under-resourced institutions often lack the technical skills, capacities and financial resources to effectively implement cyber legislative measures.
Are Cybernorms Fit for Africa?
The question thus becomes whether Africa is not fit for current cybernorms or whether current cybernorms are not fit for Africa. This question is hard to answer given the context described above and the limited participation of African nations in the cyber-related processes at the United Nations. In the past, limited opportunities and the closed nature of the cyber-related debates might have served as a good excuse for African states’ limited engagement, but no longer. The establishment of the Open-Ended Working Group (OEWG) provides a good opportunity for all countries to express their views. This opportunity has been taken up by a few states, including Algeria, Botswana, Cameroon, Egypt, Ethiopia, Ghana, Kenya, Malawi, Mauritius, Morocco, Nigeria, South Africa, Uganda and Zimbabwe – all have actively contributed to the OEWG discussions. Most focused on capacity building and norms, rules and principles. Egypt and Kenya, a former and a current member of the GGEs, were notable exceptions, engaging across all the themes, including international law. The former has been a vocal proponent of binding norms on cybersecurity, as has Zimbabwe. Both Egypt and South Africa have expressed concerns about stockpiling of ICT-related vulnerabilities by state actors. And the African members of the Non-Aligned Movement (NAM) would have been privy to its submission to the pre-draft OEWG report, which stressed the importance of transparency surrounding and responsible reporting of ICT vulnerabilities. It also urged member states to “consider the exchange of information on ICTs related vulnerabilities and/or harmful hidden functions in ICT products and to notify users when significant vulnerabilities are identified”.
Treaties are Not the Immediate Answer
While there is agreement that international law applies to cyberspace, that is not nearly enough to ensure the implementation of cybernorms. The strength of international rules, laws and norms in cyberspace depends upon the international community’s adherence to them. Without cyber capacity or confidence in international procedures and structures, they will likely remain ineffective in many under-resourced nations. As such, international resolutions on responsible state behaviour in cyberspace remain difficult to uphold or implement in a developing-country context. International treaties are even more challenging to ratify due to capacity constraints and are thus likely to be an ineffective approach to encouraging responsible state behaviour in cyberspace. Regardless, South Africa has called for a “long term view” which includes binding instruments of international law “to hold Member states accountable and assist in the arbitration of grievances”. Nevertheless, global or regional agreements, and the norms that underpin them, are in a sense only influential to the extent to which they can be effectively implemented at a national level, and the failure of ratifying conventions like the Budapest Convention and the Malabo Convention in Africa are evidence of this.
Laboratory for New Cyber Diplomacy?
For most countries, cyber diplomacy is the reserve of the government. Involvement with non-state actors and civil society takes places under the umbrella of multi-stakeholder engagement. But what if part of the solution to Africa’s problems is to make civil society organisations (CSOs) and non-governmental actors not an add-on but rather an integral part of the cyber diplomacy machinery?
Preserving cyber stability is a collaborative effort, and state actors in African countries need to devise cooperative mechanisms to observe and implement norms and include them in their national cyber policy or strategies. Cyber expertise already exists in many countries, and government organisations should aim to cooperate with non-state actors to maintain peace and stability in cyberspace. Through a collaborative approach to norms implementation, the technical community, with its expertise in and experience of day-to-day cyber operations, can help expedite the observation of norms in cyberspace. CSIRTs, network operators, academia and CSOs are usually the first responders to cyberattacks and possible implementers of norms and rules. Therefore, the policy community, including national policymakers and diplomats, should work closely with different groups of stakeholders to encourage and support responsible state behaviour in cyberspace.
It is uncontested that capacity building is needed to support African governments in observing the non-binding and voluntary norms, principles and rules on responsible state behaviour in cyberspace. On that theme, the Non-Aligned Movement recommends that the provision of “capacity building assistance and cooperation should be non-discriminatory, unconditional, demand-driven and made upon request by the recipient state, taking into account its specific needs and particularities”. Yet, research on cyber capacity in a sub-region in Africa called the Southern Africa Development Community (SADC) shows that cyber capacity building efforts have been fragmented, with inconsistent and sometimes adverse outcomes. Better coordination at all levels (national, regional and international) should be a priority for capacity building.
As suggested in the NAM contribution, and also made clear from the consultations with CSOs hosted by EU ISS in New York in December 2019, to be effective, capacity-building efforts and international cooperative measures need to take into account local contexts and involve local expertise. In that respect, the African Union has recently established a Cybersecurity Experts Group to gather experts from the continent to advise and guide the region, sub-regional bodies and national governments on the implementation of cybernorms.
What Form of Digital Cooperation with Africa?
Capacity building and digital cooperation need more than just political declarations, funding and workshops. Cyber capacity needs to be built through a concerted approach, by developing methodologies that link cyber policy dimensions with the principles of development-cooperation. At the same time, as Europe engages with Africa on international cooperation in cyberspace, European thinking about what the continent represents needs to change. So far, cyber capacity building has mostly been implemented as a donor-recipient relationship. But, as emphasised in the second pre-draft of the OEWG report, cyber capacity building should be a “two-way street” and a “shared responsibility”. African priorities can be articulated through empirical research, conducted by local experts and potentially in collaboration with international partners. International cooperation, in addition to focusing on building institutional capacity, should build trust through the creation of fair and just partnerships between European and African stakeholders (including micro, small and medium enterprises, academic institutions and the not-for-profit sector). In this digital ecosystem based on cooperation, local knowledge and expertise are key resources to leverage. That means listening, and learning from each other.
* The analysis is based on a non-paper submitted by Research ICT Africa to the intersessional meeting of the OEWG in December 2019.
Featured image: credits to Larry Li