Insights on the Peace & Security Council - Mitigating the threat of Cyber Security to Peace and Security in Africa

Cyber Security

Date | 19 May, 2019

Tomorrow (20 May), the African Union (AU) Peace and Security Council (PSC) is scheduled to hold a session on cyber security as one of the emerging threats to peace and security in Africa. The Committee of Intelligence and Security Services of Africa (CISSA) and the International Telecommunication Union (ITU) are expected to brief the Council. The Directorate of Information and Communication and the Department of Infrastructure and Energy of the African Union Commission (AUC) may also deliver statements.

The main objective of the session is to highlight the threats associated with the expanding use by government agencies, businesses, individuals and other sectors of society of information and communication technologies (ICT). The growth of ICT has enhanced interconnectedness, e-commerce, efficient delivery of services and information sharing. However, this development was also accompanied by the threat of cybercrime which has brought about a number of private and public security challenges. The increased use of ICT by state and non-state actors for undertaking a wide range of economic, social and private activities has heightened cyber risks and vulnerabilities. As a result, government agencies, businesses, individuals, financial institutions and critical facilities operating on the basis of ICT continue to be exposed to cyber crimes and attacks. These threats also pose great risk to national, regional and international peace and security.

Thus while acknowledging the critical importance of ICT, the session will also look into the challenges of how weak networks and information security systems and lack of effective regulation and preparedness have exposed the countries of the continent to cyber security threats.

Although cyber crime is a global concern, African countries, like many parts of the developing world, remain particularly vulnerable. Despite the growth of the ICT sector in Africa and the increasing dependence on it of various sectors of African economies and an increasing number of people, the readiness and possession of the required technology and know-how for addressing cyber security threats remain weak. There is no adequate awareness and appreciation of the scope and forms of vulnerabilities and the nature, manifestations and sophistication of cyber crimes. Additionally, many countries in Africa do not possess specific cyber legislation and this has made the countries vulnerable to cybercriminals.

Moreover, even existing cyber laws are not strictly implemented and enforced, and there is a general lack of awareness about cyber security measures, all of which has created space for cyber crime on the continent. With limited resources, most African countries would struggle to effectively tackle cyber crime.

Tomorrow’s session is envisaged to examine the state of the current legal regime for dealing with cyber security at the regional level and to articulate mechanisms and actions through which the nature of this emerging threat can be adequately identified and effectively addressed. At the continental level, the AU adopted the African Convention on Cyber Security and Personal Data Protection in 2014 at the 23rd AU Summit. The Convention is a broad framework that offers clear guidelines and principles on the management of electronic transactions, on safety systems of personal data and measures to promote cyber security. However, the Convention has not yet entered into force. To date, only thirteen countries have signed and four have ratified. As a way of enhancing the digital governance structure, the session may call for renewed commitments in ratifying and implementing the provisions of the continental legal instrument. The Convention itself tasked the AUC Chairperson to establish a monitoring mechanism that encourages the implementation of cyber security measures, collects and shares information, offers advice to member states and regularly reports to the decision making organs of the AU on the implementation of the Convention. The Council may also follow up on the steps taken by the AUC as per the responsibilities articulated in the Convention.

In 2018, the Executive Council endorsed the decision of the Specialized Technical Committee (STC) on Communication and ICT to establish an Africa Cyber Security Collaboration and Coordination committee. The committee, which is also known as the AU Cyber Security Expert Group (AUCSEG), has the central role of advising and providing guidance to decision makers on cyber security policies and strategies. The AUCSEG is also expected to facilitate information sharing and cooperation among AU member states. The session may review whether steps have been taken towards the operationalization of AUCSEG and other related activities.

Despite the steps taken at the continental level, the level of readiness does not match the multifaceted threat of cybercrime. One of the characteristic features of the cyber space is that individuals and groups with expertise in ICT can use it for organizing, mobilizing, or perpetrating criminal acts ranging from identity theft to using malware for attacking businesses and government agencies. Apart from how the internet has been used by groups such as Al Shabaab and Boko Haram for recruiting and mobilizing funds, the cyber space has become a site for circulating false information and inciting division and violence. In this context, the 812th session of the PSC stressed ‘the need to counter the use of ICT technologies by terrorist groups, whether in their fundraising, narrative promotion, and recruitment of others to commit terrorist acts’.

As part of the efforts towards mitigating cyber threats, the PSC may recall its previous 627th session, which put forward concrete measures to respond to the challenge. It urged member states to develop national cyber security legislations and to create national and regional computer emergency response teams (CERT) and/or computer security incident response teams (CSIRT). It also supported the creation of a special unit within the Peace and Security Department (PSD), which will be exclusively dedicated to the efforts of preventing and mitigating cybercrime at continental level in close partnership with member states. PSC members may inquire on the progress of such initiatives.

The 749th meeting, held on 27 January 2018, at the level of Heads of State and Government, on the theme: “Towards a Comprehensive Approach to Combating the Transnational Threat of Terrorism in Africa” similarly welcomed and recalled the need to organize an African Dialogue aiming at combating terrorism online and securing cyberspace. Given that cyber security concerns are broader than national boundaries, it is necessary to put in place such kinds of robust and collective defensive cyber mechanisms. It is held that such a dialogue affords an opportunity for facilitating coordination among national and regional CERTs and may also play a critical role in creating a continent-wide security system. The African Dialogue may also serve as a key tool to raise awareness on the threats associated with the use of ICT and on mitigation mechanisms. The PSC may thus wish to request an update on this initiative.

While it is clear from the foregoing that various AU bodies have been seized with the issue of cyber security and they proposed initiatives, their engagement and initiatives lack a common organizing strategy. Beyond and above reviewing the status of the various initiatives, it would be of interest to PSC members to review whether the different initiatives are complementary and the steps required for having a common strategy that ties them all together towards a set of shared objectives leading to a cyber governance and security architecture, anchored on partnership with other regions and international organizations. Also of interest to member states is to identify how to leverage the role of Regional Economic Communities/Regional Mechanisms and AU’s partnerships with the UN and the EU. Additionally, in the light of the legal measures adopted by the EU on data protection, the PSC may review the effectiveness of the personal data protection provisions of the 2014 AU Convention and the implications, if any, of the EU’s General Data Protection Regulation (GDPR).

The expected outcome of the session is a press statement. Previous Executive Council, STC and PSC decisions have already laid out the relevant steps in setting up continental mechanisms and this particular session may provide more guidance on their operationalization and coordination. PSC may wish to offer guidance on ways to spearhead the accelerated ratification of the 2014 Convention on Cyber Security, and more particularly follow up on the work of AUCSEG and its harmonization with the specialized unit within PSD and other relevant AUC departments and organs. Given that cyber security systems require specialized expertise and resources as well as partnerships, the PSC may also put forward recommendations on ways to enhance the capacity of member states and the role of the AU in leveraging their efforts and its partnerships with African and international actors for collective action.


PEACE AND SECURITY COUNCIL 627TH MEETING

Cyber Security

Date | 26 September, 2016

PRESS STATEMENT

The Peace and Security Council of the African Union (AU), at its 627th meeting, held on 26 September 2016, in Addis Ababa, dedicated an open session to the theme: “The crucial role of cybersecurity in the promotion and maintenance of peace and security in Africa”.

Council listened to a statement that was delivered by the Head of the Defense and Security Division in the Department of Peace and Security, as well as to a presentation by the Department of Infrastructure and Energy of the AU Commission. Council also listened to statements that were delivered by representatives of AU Member States, bilateral and multilateral partners, as well as international organizations and civil society organizations.

Council recalled the recommendations of the First Ordinary Session of the Specialized Technical Committee on Communication and Information and Communication Technologies (STC-CICT-1) held in Addis Ababa, Ethiopia, from 31 August to 4 September 2015, in which the AU Commission was requested to follow up on the signature and ratification, by Member States, of the AU Convention on Cybersecurity and Personal Data Protection. Council also recalled that, as part of the same recommendations, Member States were urged to develop national cybersecurity legislations and to create national and regional computer emergency response teams (CERT) and/or computer security incident response teams (CSIRT).

Council and participants highlighted the importance of information and communication technologies (ICTs), in general, and the internet, in particular, in the promotion of socio-economic development. In this context, Council and participants stressed the need for effective internet governance as a matter of strategic importance.

Council and participants noted, with deep concern, the increasing global cyber threats and attacks, which constitute a serious threat to national, regional and international peace and security. They also noted that cybersecurity concerns are broader than national security and that they can become a planetary emergency with the potential of amplifying the traditional security threats that include terrorism and violent extremism. Furthermore, they acknowledged that a safe and secure cyber space is a necessary condition for reaping the benefits of the digital transformation of Africa and for ensuring the positive impact of ICTs on human and economic development throughout the continent. In this regard, they stressed the importance of regional and global frameworks for promoting security and stability in the cyberspace.

Council and participants underscored the importance of promoting a culture of cybersecurity among all stakeholders. In this context, they urged governments, public and private enterprises, as well as civil society organizations, to work together in the process of capacity building to combat cybercrimes, as well as sensitizing their citizens in this regard, and exchanging of experiences related to cybersecurity and combating cybercrimes.

Council and participants emphasized the need for the AU Commission to establish mechanisms and platforms, such as the regional forums dedicated to discuss cybersecurity issues, with a view to facilitating an efficient platform for sharing experiences, lessons learnt and best practices related to cybersecurity issues among AU Member States, as well as to further enhance regional and international cooperation in this area.

Council and participants underscored the importance of regional and international cooperation in the promotion of security and stability in the global cyberspace. In this context, Council and participants welcomed the ongoing consultations of the United Nations Group of Governmental Experts (UNGGE) on the establishment of a global cybersecurity framework based on international regulations and responsible state behavior in the cyberspace. Furthermore, they encouraged Member States to take full advantage of the benefits from the different capacity building initiatives organized by the Global Forum on Cybersecurity Experts (GFCE), in which the AU Commission is a member and Co-Chair of its Advisory Board.

Council urged Member States to develop, in collaboration with all stakeholders, national cybersecurity policies and adopt other necessary measures to more effectively secure their cyberspaces. In the same context, Council also appealed to Member States to urgently scale up efforts to effectively combat all kinds of malicious use of ICTs and internet in the African cyberspace. Furthermore, Council stressed the need for formulation of policies and regulatory frameworks to prevent and counter all criminal activities carried out in the internet, with special emphasis on the activities of radical terrorist groups in the cyberspace, including, inter alia, recruiting new fighters.

In addition, Council emphasized the need for Member States to ensure that all employees, both, in government, the private sector and civil society organizations are sufficiently trained in cybersecurity. Council also underscored the importance of maintaining national statistics and regular reports on the incidences and threats of cybercrime affecting Member States.

Furthermore, Council urged Member States to develop cyber diplomacy capabilities and to actively participate in international meetings and debates on the governance of the internet and cybersecurity issues. Council urged all Member States, which have not yet done so, to sign, ratify and fully domesticate the AU Convention on Cybersecurity and Personal Data Protection.

Council welcomed the proposal to create a special unit within the Peace and Security Department, which will be solely devoted to preventing and effectively fighting cybercrime at continental level, including by coordinating all continental efforts and initiatives to promote cybersecurity related issues and working closely with the relevant ministries in the Member States.

Council welcomed the proposal made by Egypt, Chairperson of the Council for the month of September 2016, to host an African Event to further discuss the Egyptian Initiative previously proposed during the Specialized Technical Committee of Telecommunication and ICT to start an African Dialogue aiming at combating terrorism online and securing cyberspace based on the following pillars:

I. To pave the way for international principles on how to coordinate and cooperate with the relevant stakeholders in addressing new threats.

II. To raise the level of confidence and security in the use of ICTs and take necessary actions to fight abuses, while promoting mutual understanding between governments and stakeholders to tackle the issue.

III. To discuss protection of infrastructure and networks that might raise security challenges faced by countries.

IV. To prevent the occurrence of any online accident by government authorities at the national, sub-national and regional levels (including the establishment of national Computer Incident Response Teams), and through collaboration with the private sector.

V. To promote and encourage a linkage between the African Computer Emergency Response Teams and exchange information.

Council agreed to remain seized of the matter.