Updated Briefing on the development of the Common African Position on cyber security in Africa

Updated Briefing on the Development of the Common African Position on Cyber Security in Africa; Presentation of the Draft ToR of the PSC Sub Committee on Sanctions; Draft ToR of Ministerial Committee on Terrorism; and Draft Manual on Modalities for Enhancing Coordination Between the Peace and Security Council of the African Union and the African Members of the United Nations Security Council

Date | 23 August 2023

Tomorrow (24 August) the African Union (AU) Peace and Security Council (PSC) will convene its 1170th Session. This session will cover a range of important topics, including a briefing on the development of the Common African Position (CAP) on cybersecurity in Africa, the presentation of the Draft Terms of Reference (ToR) of the PSC Sub-Committee on Sanctions, a Draft ToR of Ministerial Committee on Terrorism and a Draft Manual on Modalities for Enhancing Coordination Between the PSC and the African Members of the United Nations Security Council (UNSC).

The session is expected to begin with the opening remarks by Willy Nyamitwe, the Permanent Representative of Burundi and Chairperson of PSC for the month of August. This will be followed by a statement from Bankole Adeoye, the AU Commissioner for Political Affairs, Peace and Security (PAPS). Dr. Guy Fleury-Ntwari, Legal Counsel of the AU and Director of Legal Affairs and Prof. Mohamed Helal, a member of the African Union Commission on International Law (AUCIL) and Special Rapporteur on the Prohibition on Intervention in the Internal and External Affairs of States, are also expected to give a presentation. In addition, Tapiwa Masunungure Zimbabwe’s Committee of Experts member, who chaired the retreat of the Committee of Experts that considered the three documents will deliver a presentation.

Tomorrow’s session on the update briefing by AUCIL is a follow-up to the decision of the 1120th session of the PSC and the request in its subsequent 1148th session. During the 1120th session, which was dedicated to the inaugural engagement of the PSC with the AUCIL, the PSC recognized the need for the development of a CAP on the application of international law on cybersecurity. It was the first time the PSC approached the issue of cyberspace for peace and security from the perspective of regulating it with the rules of international law. The session emphasized the importance of cybersecurity and the need for adequate regulation. Additionally, discussions were held on the management and regulation of cyberspace in order to prevent activities that threaten international peace and security, including the emergence of cyber-weapons and the manipulation of cyberspace for political influence.

Most importantly, during the session, the PSC acknowledged the applicability of international law to cyberspace, and called on AU Member States to adopt a CAP and emphasized the need for Africa to actively engage in the process. To this end, the Council tasked the AUCIL, in collaboration with the AU Commission, to organize consultations with relevant stakeholders on the application of international law to cyberspace. In its most recent 1148th session on cybersecurity, the PSC requested ‘the AU Commission on International Law to expeditiously complete, and submit to the Peace and Security Council, the draft statement of a Common African Position on the Application of International Law to Cyberspace.’

In response to PSC’s assignment from its 1120th session, the AUCIL collaborated with the AU Commission and organized  a series of capacity-building training sessions for AU member states. These sessions aimed to equip participants with the knowledge and skills necessary to effectively contribute to the formulation of the CAP regarding the application of international law to cyberspace.

The first session was held online on 29 and 30 March 2023, while the second session took place in Addis Ababa from 12 – 14 June 2023. The third and final part of the capacity-building program took place in New York from 19 – 21 July 2023. The program was attended by experts representing AU Member States who are responsible for following multilateral processes. The third session of the training aimed to strengthen the capacities of AU Member States in cyberspace and international law in order to empower them in multilateral processes like the Open-Ended Working Group on Cybersecurity and the UN General Assembly’s 6th Committee. It also aimed to assist in the process of reviewing and enriching the draft CAP statement.

It is therefore expected that the PSC will receive a progress report and a presentation on the CAP statement in tomorrow’s session. It may be of interest for members of the PSC to know whether the draft statement identifying the rules of international law applicable to cyberspace being presented to the PSC was considered and reflected upon by the AUCIL and updated based on such reflection and whether it covers rules on responsible state behavior in cyberspace. The PSC may also consider whether the statement would benefit from consideration and input of the AU Special and Technical Committee on Justice and Legal Affairs for it to receive strong support and ownership on the part of Member States and the AU broadly. The PSC may also consider how the statement can help in informing the development of a regional legal framework and strategy for promoting the rules of international law governing cyberspace for addressing threats to peace and security arising from cyberspace.

Also worth mentioning for the PSC is whether and how the draft statement took account of and built on the various decisions of the PSC relating to cyberspace and peace and security. Although the PSC has not regularized the decision of its 850th session dedicating a session on this theme on an annual basis, it has since then convened a number of sessions highlighting its increasing engagement and concern about the peace & security implications of cyberspace. Of direct relevance for tomorrow’s session, among other critical points, the 1097th session drew attention to the need for enactment of necessary legislations and regulations at national, regional and continental levels to govern issues related to cyberspace. Most recently, the PSC considered the issue of cybersecurity during its 1148th session last April under Tunisia’s Chairship of the PSC. As the PSC pointed out, its focus on this subject is informed by ‘the growing threat to peace, security and stability in the Continent emanating from the increasing cyber-attacks, malicious use of information and communication technologies (ICTs) and incidents of unethical and hostile cyber-activities undertaken by both, state and non-state actors, including the targeting of government institutions and public infrastructure; the spread of misinformation and disinformation, subversive activities and interferences with national government processes, as well as the promotion of ideologies of hate and hate speech.’

In addition to the CAP statement on cybersecurity, the PSC is expected to receive a presentation on three documents. It is to be recalled that these documents were finalized during the Committee of Experts (CoE)’s retreat that was held from 18 – 22 May 2023.

One such document is the draft TOR of the PSC Committee on Sanctions. During the Reflection Forum on Unconstitutional Changes of Government (UCGs), which was convened in March 2022 in Accra, Ghana, one of the recommendations was to reactivate the PSC Sanctions Committee. Subsequently, the PSC held a session on sanctions and enforcement capacities in the deterrence against UCGs and called for the full operationalization of the PSC Sub-Committee and the development of the requisite technical capacities to ensure its effectiveness. During this 1100th session, the Council also instructed the CoE to develop the ToRs for the PSC Sub-Committee on Sanctions. It is important to note that the CoE was initially established in 2009 by the PSC’s 178th session communique, but it has never been operational. During the CoE retreat in May, the CoE identified certain issues, such as the composition of the Sub-committee and the level of its chairship that require the guidance of the PSC with respect to the Sanctions Sub-Committee.

The second document is the draft ToR of the Ministerial Committee on Terrorism. One of the key outcomes of the 16th Extraordinary Summit of the AU Heads of State and Government on UCGs, which was held in May 2022 in Malabo, Equatorial Guinea, was the establishment of the Ministerial Committee on Counter Terrorism. This committee is meant to coordinate, monitor, evaluate and follow-up on the mechanisms of the implementation of the decisions made during the summit. In this regard, it was expressed in the PSC’s 1107th session communique that the PSC looks forward to the first meeting of the Ministerial Committee on Terrorism. Since the decision of the Malabo Summit was for the AU Commission to prepare the ToR of the Committee, in tomorrow’s meeting the CoE may propose that the draft ToR be referred to the AU Commission for finalization and presentation to the minsters. The ToR is expected to outline the purpose, goals, scope, working arrangement and composition of the ministerial committee.

Lastly, the PSC will consider the draft manual on modalities for enhancing coordination between the PSC and the African members of the UNSC. The development of this manual is in line with the request made by the PSC during its 1056th session that considered the Conclusions of the 8th High-Level Seminar on Peace and Security in Africa. The session also requested for the manual to be considered and adopted by the 9th Annual High Level Seminar on Peace and Security in Africa on 18 January 2023. Accordingly, the draft manual was presented to the participants of the Seminar and it was requested to circulate the draft to all AU member states for inputs before submitting it for the consideration of the PSC. Following its update during the CoE meeting last May, the representative of the CoE is expected to propose the adoption of the manual by the PSC during tomorrow’s session.

What is expected following the presentations of these three documents is that the PSC will take the required steps including the adoption of the documents and/or clearing of the documents that may require adoption at a different forum or level.

The outcome of the session is expected to be a Communiqué. It is expected that the PSC will reiterate the urgent need for a Common African Position on the application of international law on cyberspace, as well as the need for Africa to actively engage in the process. It is also expected that it will commend the work of the AUCIL in working towards appraising representatives of AU Member States of the latest developments in the field of the rules of international law applicable to cyberspace. It may also emphasize on the importance of capacity building and the need to continue such efforts. The Council may also welcome the draft CAP statement on cyberspace for peace and security. The PSC may recommend that it is presented to relevant AU bodies such as the STC on Justice and Legal Affairs for wider input and build on and reflect the relevant decisions of AU policy organs including those of the PSC. The PSC may request the AU Commission to use the statement in the development of a regional legal framework and strategy for promoting the rules of international law governing cyberspace for addressing threats to peace and security arising from cyberspace.

Additionally, the PSC may welcome the work of the CoE in developing the three documents presented to it. It may also adopt the Terms of Reference of the PSC Sub-Committee on Sanctions with clarification of the issues presented to it for its guidance. The Draft Manual on Modalities for Enhancing Coordination Between the PSC and the African Members of the United Nations Security Council is expected to be adopted by the PSC. The PSC may also refer the Draft ToR of the Ministerial Committee on Terrorism to the AU Commission for its updating and submission for adoption by AU Ministers.

Cyber Security – Impact on Peace and Security in Africa

Cyber Security – Impact on Peace and Security in Africa

Date | 13 April 2023

Tomorrow (13 April), the African Union (AU) Peace and Security Council (PSC) is expected to convene its 1148th session to discuss the impacts of cyber threats to peace and security in Africa.

The session opens remarks by Abdelhamid Elgharbi, Permanent Representative of Tunisia and Chairperson of the PSC for the month of April followed by a statement of AU Commissioner for Political Affairs, Peace and Security (PAPS), Bankole Adeoye. The AU Mechanism for Police Cooperation (AFRIPOL); the Committee of Intelligence and Security Services of Africa (CISSA); the AU Department of Infrastructure and Energy; AU Office of the Legal Counsel and the United Nations (UN) International Telecommunication Union (ITU) are also expected to participate in the session.

It was at its 850th session that the PSC, recognising the growing relevance of cyberspace in Africa and the importance of ensuring the safety and security of this space, decided to commit an annual meeting on cyber security. Although this decision hasn’t been regularly implemented, the PSC has dedicated various sessions to the theme, including the 1097th session which last addressed concerns related to cyber security in Africa. Among other critical points, the 1097th session drew attention to the need for enactment of necessary legislations and regulations at national, regional and continental levels to govern issues related to cyberspace. Tomorrow’s session serves to follow up on efforts being deployed to mainstream cybersecurity in all peace and security mechanisms of the AU, Regional Economic Community and Regional Mechanisms (RECs/RMs) and member states.

This session is coming against the background of the major cyberattack against the AU cyber infrastructure. Early in March, the AU was forced to suspend various operations following a massive cyberattack on its data centre, compromising various IT assets and user devices. This attack has led to not only the disruption of the ordinary functioning of the AU but also the loss of data. As a clear illustration of the susceptibility of African infrastructure to cyberattacks and the enormous costs that such attacks occasion, it would be of interest for members of the PSC to seek information on the source of the attack, the scale of damage caused and the measures required for rebuilding and instituting protective measures to address the vulnerabilities in the AU system that were exploited for orchestrating the attack.

There is also anecdotal data that the extent of threats to the cyberspace in Africa is increasing. This is mostly on account of the weak cyber security arrangements. According to the International Criminal Police Organization (INTERPOL)’s 2021 Africa Cyber Threat Assessment Report, over 90 percent of companies in Africa operate without the necessary cyber security protocols.  Many African institutions and businesses have also come under cyberattack over recent years and continue to be susceptible to the perpetration of various cybercrimes.

The impacts of this are multifaceted. One of the many negative consequences of unprotected cyberspaces is that they result in considerable financial loss as well as data theft, including those related to intellectual property and protected business information. At a larger scale, such form of cyber threats manifest in the form of infrastructural sabotage affecting critical social and economic activities, including trade and commerce. Reports have indicated that in recent years, such form of sabotages have particularly been escalating in the continent, specifically targeting national banks and maritime infrastructures. Ultimately, this will have an adverse impact on Africa’s endeavours to advance economic development.  As emphasised by the PSC at its 850th session, a secure cyberspace is a necessary precondition for ‘reaping the dividends of the digital transformation of Africa and the world and for promoting economic development throughout the Continent’.

Another and perhaps more grave consequence of weak cyber security practices in government and non-governmental institutions in Africa is the fertile ground it creates for anti-peace activities ranging from espionage, to organised crimes and the use of digital space for incitement of violence. With little to no measures put in place to secure the cyberspace, anti-peace entities including terrorist organisations will have ease not only in accessing sensitive data and classified government information, but also in diverting finances to fund their activities, plan their attacks as well as recruit and train others to join their network. It also opens the space and creates the opportunity for the spread of misinformation and incitement of violence, particularly in settings characterised by polarised political tension and dissent. Terrorist groups’ usage of cybercriminals to raise funds through cryptocurrencies and exploration of the dark web by human trafficking networks to lure in travellers through fake tour agency accounts are also among the cyber threats in Africa identified by AFRIPOL.

The imperative for a more robust cybersecurity in Africa will only continue to rise as the continent continues to expand its reliance and use of cyber operated technologies not only for socio-economic activities but also for security purposes as the expansion of the use of drones and unmanned aerial vehicles (UAVs) as well as other artificial intelligence (AI) for enhancing military operations shows. As far as the use of such technologies, particularly what are known as autonomous weapons systems (which Africa is not in possession of), is concerned, Africa has the responsibility for promoting the development and strict enforcement of rules that ensure effective human control over and full responsibility of states for how such technologies are used as the surest means for averting not only breaches of human rights and international humanitarian law rules but also damages that may result from hacking of such technologies.

Africa’s internet and telecom market which has experienced a major boost in recent years is only expected to grow significantly in the near future to accommodate the demands of the continent’s massive population. While this creates great opportunities to advance Africa’s socio-economic and developmental aspirations, it also expands further the nature and extent of cyber threats expected to be experienced. If relevant strategies are not put in place well in advance to avert, manage and effectively respond to these threats, the continent may be facing complex peace and security challenges. According to the 2021 Global Cybersecurity Index, only 29 African countries have introduced cyber security legislation while the remaining majority are yet to adopt relevant rules and regulations to deal with this specific area of concern. This indicates the need for heightened awareness among member states of developments in Africa’s cyberspace and their commitment to take solid steps towards securing it, including through the adoption of relevant normative standards to regulate the safe and secure utilisation of cyberspace.

At the continental level, the AU has already adopted key legal instruments and frameworks relevant to the regulation of cyberspace and for ensuring cyber security in Africa, including the AU Convention on Cyber Security and Personal Data Protection (Malabo Convention); the 2020-2030 Digital Transformation Strategy for Africa; the AU Data Policy Framework and the AU Interoperability Framework for Digital ID. In line with the decision of the Executive Council’s 32nd Ordinary Session [EX.CL/Dec.987(XXXII)], the AU has also established the Cyber Security Expert Group (AUCSEG) which is charged with providing advice to the AU Commission on matters related to cyber security. Few member states such as Botswana, Ghana, Lesotho and South Africa have also made commendable strides towards securing the cyberspace through the adoption of Cybercrimes and Cybersecurity Acts. Despite these encouraging developments, the current efforts to respond to cyber threats are largely disproportional to the magnitude of the challenge in Africa.

The expected outcome of tomorrow’s session is a Communiqué. The PSC is expected to express grave concern over the recent cyberattack the AU experienced and commend AFRIPOL and other relevant AU organs for committing the necessary efforts to resolve the issue. It may emphasise that with growing digitalisation and socio-economic development come increasing cyber threats and as such, call on member states to mainstream cyber security throughout all of their digital endeavours. The PSC may take note of the increasing significance of the digital space for trade and commerce in Africa and call on all relevant stakeholders including member states and the private sector to protect transactions by investing on cyber security measures. It may stress the importance of establishing the normative framework for cyber security and urge member states to adopt the necessary legislation to regulate cyberspace in a manner compatible with human rights norms guaranteeing fundamental rights and freedoms. It may urge member states to ensure responsible use of emerging technologies in efforts aimed at enhancing military capabilities and to put in place the necessary cyber security measures to avert hacking and diversion of such technologies. It may also highlight the need to ensure implementation of existing continental legal frameworks for the protection of cyberspace including the Malabo Convention. It may further encourage RECs/RMs to contribute to cyber security efforts through enactment of relevant strategies for enhancing regional collaboration in taking action against cyber threats. The PSC may call on the AU Commission, AFRIPOL, CISSA working with relevant expert bodies to develop guidance for member states, RECs/RMs and AU institutions on identifying vulnerabilities for cyberattacks and instituting effective cybersecurity measures to avoid the kind of attacks the AU experienced recently.

Emerging technologies and new media: Impact on democratic governance, peace and security in Africa

Emerging technologies and new media: Impact on democratic governance, peace and security in Africa

Date | 04 August 2022

Tomorrow (04 August), the African Union (AU) Peace and Security Council (PSC) will hold its 1097th session on a relatively new thematic issue on “Emerging technologies and new media: Impact on democratic governance, peace and security in Africa”.

Following opening remarks of the Permanent Representative of The Gambia to the AU and Chairperson of the PSC for the month, Jainaba Jagne, AU Commissioner for Political Affairs, Peace and Security (PAPS), Bankole Adeoye is expected to make a statement. The Director of the AU Commission Department of Infrastructure and Energy, representative of the African Peer Review Mechanism (APRM) and expert on emerging technologies, Thompson Chengeta, will deliver presentations. Representatives of Amani Africa and Institute for Security Studies (ISS) are also expected to make intervention.

While the PSC discussed specific issues relating to emerging technologies and new media, this is the first time that the Council has a dedicated session on emerging technologies and new media in general, with a focus on their impact on democratic governance and peace and security in Africa. This strategically important session helps the PSC to grapple with a theme whose ramifications and significance have been expanding at a pace that continues to widen the gulf between the rate of change of these technologies and media and the response of policy makers.

The use of emerging technologies and new media including access to the internet and mobile technology continue to contribute positively to democratic governance and the promotion of peace and security in Africa, as in other parts of the world. For example, drones have improved the way healthcare is provided in Rwanda as they are being used to deliver blood in remote areas, thus enhancing access by overcoming geographic limitations. Mobile phones and social media also present opportunities to empower citizens and transform their relationship with the state. Real-time photos and videos uploaded to social media can expose government corruption or abuse and increase government responsiveness to citizen concerns. These technologies have also revolutionized people’s ability to organize and coordinate protest movements as well as electoral campaigns.

A case in point is the 2016 elections in the Gambia. According to one study, 92% of people interviewed believed that social media played the most role compared to traditional media. Especially, they affirmed that social media platforms such as WhatsApp or Facebook allowed the population to receive and spread information, even when the then incumbent government closed the access to the Internet. Furthermore, social media allowed locals to get in contact with Gambians living abroad. The interviewees affirmed that WhatsApp and Facebook ‘dominated the transmission of ideas’ and were able to ‘educate a larger number of people about the necessity of change’. In Mali, the mobile application ‘MonElu’ has been utilized as a medium to strengthen citizen participation in governance by facilitating dialogue with elected officials and in the process increasing accountability to citizens. In Kenya, Kenyan civil society successfully deployed crowd-sourcing technologies (Ushahidi) to map out the unfolding post-election violence in the country in 2008 election.

Council has taken note of the contribution of new media in various at its various sessions including the 589th, 791st and 1062nd sessions convened under the theme of “Elections in Africa”. For example, at  its 1062nd session it stressed ‘the important role of … responsible media, both print and electronic, in electoral processes and encouraged these entities to always contribute more positively towards promoting the integrity and credibility of elections and maintenance of peace and stability in Member States, especially by promoting civic education and accurate public information, as well as refraining from inflammatory reporting and miscommunication that may incite violence.’

In terms of the role of new technologies for promoting clean elections and limiting the rigging of elections, there is a need for identifying optimal conditions under which technologies contribute for enhancing the confidence of the electorate in the role of elections for advancing democratic governance in Africa. This is also important in terms of strengthening the quality of AU election monitoring through the use of relevant technologies and new media both for planning and conducting the election monitoring work of the AU.

In terms of positive contribution of emerging technologies for peace and security, the use of these technologies helps in timely exposing risks of violence and crises thereby strengthening early warning capabilities. Increasing use of these technologies by conflict actors also mean that it has increasingly become possible to establish the positions, motivations and movement of conflict actors, thereby enabling the planning of informed policy responses and mediation and peace-making efforts. The use of these technologies in peace processes has not only enabled mediators and peace support operations to have strong situational awareness, but to also engage in public diplomacy. These technologies also contribute to enhancing the legitimacy of peace processes by enabling engagement with various stakeholders. Admittedly, the extent to which AU peace processes, whether in mediation or in peace support operations, are able to harness these positive contribution of these technologies depend on their possession of the requisite skills and capabilities for using these technologies for such ends.

In the light of the foregoing, one issue that would be of interest to the PSC is the need for examining the current state of how AU and Regional Economic Communities and Regional Mechanisms (RECs/RMs) peace processes are using and harnessing the potentials of emerging technologies and new media for their work in conflict management and resolution.

It is clear from the foregoing that emerging technologies and new media have significant actual and potential contribution for the achievement of AU’s Agenda 2063 broadly and those relating to democratic governance and peace and security in particular. But the optimization of their current contributions and the harnessing of their enormous potentials depends on expanding access to these technologies and the technical know-how of and digital literacy for various areas of public life.

Emerging technologies and new media are not however without peril. Indeed, previous engagements of the PSC and recent and current experiences illustrate the adverse impacts of emerging technologies and new media in Africa.

Internet and social media platforms have been misused for spreading misinformation and inciting violence, particularly during election periods, undermining democratic processes and imposing serious risk to peace and security. In this regard, Council’s 653rd and 713th sessions have been particularly critical in drawing attention to the abuse and misuse of the media space by some political actors, which has the impact of undermining the credibility of electoral processes. A relatively newer trend Council may wish to note at tomorrow’s session is also the manipulation of algorisms by social media platforms to shape perceptions of people during elections, with the core purpose of precipitating artificially engineered electoral outcomes.

Aside from the context of elections, the more general abuse of media space for spread of hate speech and incitement of violence has also been a matter of serious concern in the continent. For example, in cases where it is difficult to trace the individual(s) or group(s) engaged in disinformation or misinformation operations, the distribution of content, such as images, memes, videos, and even voice messages, leads to a high level of violence among communities. In Nigeria, images of corpses in mass graves were used to fuel animosity between the Fulani Muslims and Berom Christians, which resulted in violence and killing. The perilous use of these technologies is something that the PSC has addressed, particularly in the context of its thematic agenda on hate crimes and prevention of genocide. At its 761st session for example where Council highlighted how the misuse of social media has the potential of escalating the ideology of hate and genocide and how the abuse of media space can disrupt social cohesion and endanger national unity, it urged member States to set up mechanisms for monitoring the use of media.

The use of new technologies for surveillance and disinformation by state actors has also become a major source of concern as it dampness the positive contribution of these technologies and new media by exposing people with dissenting voices to serious peril. The 2020 titled a roadmap for digital cooperation noted, ‘new technologies are too often used for surveillance, repression, censorship and online harassment’ and that ‘greater efforts are needed to develop further guidance on how human rights standards apply in the digital age.’ The PSC may in this regard welcome the initiative of the African Commission on Human and Peoples’ Rights’ under its resolution 473 on artificial intelligence, robotics and other new and emerging technologies.

Council’s 850th session addressing the theme of “Cyber Security” has highlighted the ‘importance of a safe and secure cyber space for reaping the dividends of digital transformation of Africa’. On the adverse side, a number of PSC’s sessions on terrorism and violent extremism have expressed concern over the growing use of technologies and media by terrorist groups. In addition to emphasising the concerning use of technologies such as UAVs by terrorist groups, as well as the manipulation of internet for purposes of radicalisation and recruitment, it is also important for Council to reflect on the use of new technologies in armed conflicts and the impact thereof. In recent years, the demand for military drones in Africa has significantly been on the rise, driven by a growing number of internal conflicts and counter-terrorism operations. Libya for instance is often even called the world’s largest ‘drone war theatre’, with multiple countries supporting one of the warring parties militarily in the civil war through the delivery of drones. France is deploying armed drones in the Sahel region against militants in Mali, Burkina Faso and Niger, and both US and French air strikes in Africa are notorious for injuring and killing civilians, often without any transparency or accountability regarding civilian casualties.

According to the latest drone study reports, African countries have also increasingly acquired and used (armed) drones themselves in their fights against armed groups. At the same time, armed groups are increasingly putting effort into weaponizing small commercial drones, turning these into surveillance and combat drones, of which Boko Haram is a primary example. These developments make clear that military drones have become an essential tool for armed forces in their operations, but that their use gives rise to questions about clear legal norms, wider military-strategic considerations and improved export controls.

The expected outcome of the session is a Communiqué. Council may recognize the enormous contribution and potential of emerging technologies and new media in addressing the socio-economic, governance and peace and security challenges and for the implementation of AU’s Agenda 2063. It may call for the imperative for enhancing Africa’s participation both in the development of and access to emerging technologies and use of new media for the advancement of the wellbeing of the people of the continent. It may express concerns about the threats posed by actors that use emerging technologies to disseminate malicious online contents that diminish trust for democratic governance. The Council may call for the development of regulatory framework for ensuring that technology firms strengthen their supervisory mechanisms to prevent the use of their technologies for destructive purposes. It may request for greater collaboration between member States, RECs/RMs, the AU Commission, and the Private Sector in promoting the development and responsible use of emerging technologies and new media. Having regard to upcoming elections in the continent, particularly Kenya’s general elections scheduled to take place 09 August, Council may also urge all relevant stakeholder to refrain from misuse of new media and task the AU election observers to pay particular attention to the impact of new media with a view to propose ways of more effectively addressing the increasing adverse use to which new media and technologies are used in tampering electoral processes. It may also call on member States to ensure respect of human rights and international humanitarian law (IHL) standards in their use of new technologies including weapons such as battle drones and UAVs.

Mitigating the threat of Cyber Security to Peace and Security in Africa

Cyber Security

Date | 19 May, 2019

Tomorrow (20 May), the African Union (AU) Peace and Security Council (PSC) is scheduled to hold a session on cyber security as one of the emerging threats to peace and security in Africa. The Committee of Intelligence and Security Services of Africa (CISSA) and the International Telecommunication Union (ITU) are expected to brief the Council. The Directorate of Information and Communication and the Department of Infrastructure and Energy of the African Union Commission (AUC) may also deliver statements.

The main objective of the session is to highlight the threats associated with the expanding use by government agencies, businesses, individuals and other sectors of society of information and communication technologies (ICT). The growth of ICT has enhanced interconnectedness, e-commerce, efficient delivery of services and information sharing. However, this development was also accompanied by the threat of cybercrime which has brought about a number of private and public security challenges. The increased use of ICT by state and non-state actors for undertaking a wide range of economic, social and private activities has heightened cyber risks and vulnerabilities. As a result, government agencies, businesses, individuals, financial institutions and critical facilities operating on the basis of ICT continue to be exposed to cyber crimes and attacks. These threats also pose great risk to national, regional and international peace and security.

Thus while acknowledging the critical importance of ICT, the session will also look into the challenges of how weak networks and information security systems and lack of effective regulation and preparedness have exposed the countries of the continent to cyber security threats.

Although cyber crime is a global concern, African countries like many parts of the developing world, remain particularly vulnerable. Despite the growth of the ICT sector in Africa and increasing dependence of various sectors of African economies and increasing number of people, the readiness and possession of the required technology and know-how for addressing cyber security threats remains weak. There is no adequate awareness and appreciation of the scope and forms of vulnerabilities and the nature, manifestations and sophistication of cyber crimes. Additionally, many countries in Africa do not possess specific cyber legislation and this has made the countries vulnerable to cybercriminals.

Moreover, even already existing cyber laws are not strictly implemented and enforced and there is a general lack of awareness about cyber security measures which all have created the space for cyber crime in the continent. With limited resources most African countries would struggle to effectively tackle cyber crime.

Tomorrow’s session envisages to examine the state of the current legal regime for dealing with cyber security at the regional level and articulate mechanisms and actions through which the nature of this emerging threat is adequately identified and it can effectively be addressed. At the continental level the AU has adopted the African Convention on Cyber Security and Personal Data Protection in 2014 at the 23rd AU Summit. The Convention is a broad framework that offers clear guidelines and principles on the management of electronic transactions, on safety systems of personal data and measures to promote cyber security. However, the Convention has not yet entered into force. To date only thirteen countries have signed and four have ratified. As a way of enhancing the digital governance structure the session may call for renewed commitments in ratifying and implementing the provision of the continental legal instrument. The Convention itself tasked the AUC Chairperson to establish a monitoring mechanism that encourages the implementation of cyber security measures, collects and shares information, offers advice to member states and regularly report to the decision making organs of the AU on the implementation of the Convention. The Council may also follow up on the steps taken by the AUC as per the responsibilities articulated in the Convention.

In 2018 the Executive Council endorsed the decision of the Specialized Technical Committee (STC) on Communication and ICT to establish an Africa Cyber Security Collaboration and Coordination committee. The committee which is also known as the AU Cyber Security Expert Group (AUCSEG) has the central role of advising and providing guidance to decision makers on cyber security policies and strategies. The AUCSEG is also expected to facilitate information sharing and cooperation among AU member states. The session may review if steps have been taken to the operationalization of AUCSEG and other related activities.

Despite the steps taken at the continental level, the level of readiness do not match the multifaceted threat of cybercrime. One of the characteristic features of the cyber space is that individuals and groups with expertise in ICT can use it for organizing, mobilizing, or perpetrating criminal acts ranging from identity theft to using malware for attacking businesses and government agencies. Apart from how the internet has been used by groups such as Al Shabaab and Boko Haram for recruiting and mobilizing funds, the cyber space has become a site for circulating false information and inciting division and violence. In this context, the 812th session of the PSC stressed ‘the need to counter the use of ICT technologies by terrorist groups, whether in their fundraising, narrative promotion, and recruitment of others to commit terrorist acts’.

As part of the efforts towards mitigating cyber threats, the PSC may recall its previous 627th session which put forward concrete measures to respond to the challenge. It urged member states to develop national cyber security legislations and to create national and regional computer emergency response teams (CERT) and/or computer security incident response teams (CSIRT).It also supported the creation of a special unit within the Peace and Security Department (PSD), which will be exclusively dedicated to the efforts of prevention and mitigating cybercrime at continental level in close partnership with member states. PSC members may inquire on the progress of such initiatives.

The 749th meeting, held on 27 January 2018, at the level of Heads of State and Government, on the theme: “Towards a Comprehensive Approach to Combating the Transnational Threat of Terrorism in Africa” has similarly welcomed and recalled the need to organize an African Dialogue aiming at combating terrorism online and securing cyberspace. Given that cyber security concerns are broader than national boundaries it is necessary to put in place such kinds of robust and collective defensive cyber mechanisms. It is held that such a dialogue affords an opportunity for facilitating coordination among national and regional CERTs may also play a critical role in creating a continent wide security system. African Dialogue may also serve as a key tool to raise awareness on the threats associated with the use of ICT and on mitigation mechanisms. The PSC may thus wish to request an update on this initiative.

While it is clear from the foregoing that various AU bodies have been seized with the issue of cyber security and they proposed initiatives, their engagement and initiatives lack a common organizing strategy. Beyond and above reviewing the status of the various initiatives, it would be of interest to PSC members to review whether the different initiatives are complementary and the steps required for having a common strategy that ties them all together towards a set of shared objectives leading to a cyber governance and security architecture, anchored on partnership with other regions and international organizations. Also of interest to member states is to identify how to leverage the role of Regional Economic Communities/Regional Mechanisms and AU’s partnerships with the UN and the EU. Additionally, in the light of the legal measures adopted by the EU on data protection, the PSC may review the effectiveness of the personal data protection provisions of the 2014 AU Convention and the implications, if any, of the EU’s General Data Protection Regulation (GDPR).

The expected outcome of the session is a press statement. Previous Executive Council, STC and PSC decisions have already laid out the relevant steps in setting up continental mechanisms and this particular session may provide more guidance on their operationalization and coordination. PSC may wish to offer guidance on ways to spearhead the accelerated ratification of the 2014 Convention on Cyber Security, and more particularly follow up on the work of AUCSEG and its harmonization with the specialized unit within PSD and other relevant AUC departments and organs. Given that cyber security systems require specialized expertise and resources as well as partnerships, the PSC may also put forward recommendations on ways to enhance the capacity of member states and the role of the AU in leveraging their efforts and its partnerships with African and international actors for collective action.