Determining appropriate strategic responses to cyber threats poses an evolving challenge to all States. As African countries become more digitized, the potential humanitarian impact of cyberattacks on critical civilian infrastructure, including hospitals, is significant. There is a need to ensure that African countries have adequate cyber defence and a more resilient cyber posture to prevent humanitarian suffering caused by cyber operations.
As a progressively digitized continent, Africa is experiencing rapid development. The significant expansion of infrastructure projects across the region, together with growing cyber dependency, frame the continent’s development outlook. This is set against a backdrop of ongoing conflicts, increasing extremism and a struggle between global powers for resources, influence and military footprints.
These dynamics create a challenging framework for policy makers and should signal a need to prioritize the formation of robust cyber defence. For Africa’s people, cyber operations, which are inherently destabilizing, pose a threat to some of the world’s most vulnerable populations and fragile States. Experts have warned that cyberattacks against critical infrastructure are a ‘humanitarian crisis in the making’.
As in other regions of the world, Africa’s energy, water and healthcare networks together with other critical infrastructure are already at risk of cyber disruption. This may cause substantial economic loss, physical damage and affect the delivery of essential services, as seen in the attack this week on a major hospital group in South Africa just as the country witnessed a rapid spike in COVID-19 cases. To address this growing threat, a more resilient cyber posture from African States is required, together with an enhanced sense of agency, particularly within multilateral international organizations.
The digital demographic dividend
Africa is home to 54 countries and abundant natural resources. Despite persistent developmental challenges, it is a fast growing and dynamic economic market with the globe’s youngest population, some 1.3 billion people. The rapid growth of internet penetration has fired up private sector innovation and access to resources such as education, mobile banking and healthcare. The youth dynamic in the region has aided the enthusiastic adoption of mobile technologies and platforms, enabling people to rapidly transcend barriers created by ineffectual governance.
There has been a significant upscaling of foreign investment and operations. Aligned with economic and population growth is an increasing dependence on critical infrastructure in the energy, health, transport, communication and water sectors. Networked information technology systems, operating together with industrial control systems, underscore the need for robust, internationally standardized cyber security measures. This applies to all levels of government as utilities and services are now being increasingly targeted. A recent cyberattack on Johannesburg’s City Power purchasing platform left consumers with no means of buying electricity for three days.
Within Africa, there is an almost total dependence on imported hardware and software. This, together with the harvesting and offshore storage of the personal and biometric data of millions of Africans by tech companies, has fed into a growing sense of disquiet and an emerging narrative of ‘digital colonialism’. Typically, this concern is vocalized by the intelligentsia and civil society organizations, whereas for the most part Africa’s leaders have been largely absent from the discussion. This echoes a wider sense of State stasis pertaining to matters of national cyber defence and cyber security in general.
The importance of digital platforms in providing services and commerce to African communities cannot be overstated. The road density network in sub-Saharan Africa has actually declined in recent years, leaving millions of people at risk of degraded service delivery and being bypassed by growth opportunities. Information and communication technologies promise huge potential in terms of delivering health services, banking, communication, educational resources and e-government services. However, for digital development to be effective and resilient, robust cybersecurity efforts need to match and support these efforts.
The Cyber Poverty Line
The Cyber Security Poverty Line equates to a scarcity of allocated resources relative to the scale of threats faced. The ITU Global Cyber Security Index supports the assertion that, with the exception of Kenya, Mauritius and Rwanda, and possibly South Africa, most countries in sub-Saharan Africa display weak levels of cyber maturity. This pertains to the entire spectrum of indices, from a governance level through to response and capacity development. The potential cyber threat posed to African countries is ostensibly shaded by more immediate kinetic threats and other pressing requirements for resources from strained national budgets.
This places already exposed populations at risk of potentially devastating consequences in the event of a major cyber incident. Key concerns are the consequences of a cyberattack on the growing number of nuclear energy sites or attacks on water storage and hydroelectric entities. Africa is one of the world’s hardest hit regions in terms of climate change, and drought has become an ever-present phenomenon. Any loss of water or contamination will thereof have dire consequences, notably disease and famine. Digital money platforms also present a high value target as these drive the remittances from the African Diaspora to home countries and annually push billions of dollars to some of the world’s most impoverished and underserved communities. In many instances such platforms have replaced cash and formal banking and are critically reliant on zero internet redundancy. They also represent a prime fundraising target for the terrorist networks operating within Africa’s Arc of Instability.
Of specific concern to Africa is the sheer scale of massive infrastructure projects underway across the continent. This includes both physical and digital projects. Frequently implemented from end to end by a foreign entity and sometimes with overlapping infrastructure, this could potentially create backdoors and vulnerability pathways. The net result is the possible future loss of de facto sovereign control of communication, energy, transport or water infrastructure.
What, then, is the best way forward? Some of the challenges lie in a lack of strategic direction within both the public and private sectors. This is intensified by a prevailing lack of awareness and resilience within the general populace. The need for a rethink and reboot at the highest level on how to build and resource cyber capacity is crucial. Constrained technical capacity is currently hampering efforts, and to this end a departure from prevailing African governance models is required, as Public/Private Partnerships are vital to cyber development. A key recognition is that national level cyber security is not an end in itself, but that governments are obliged to create a resilient cyber ecosystem, which protects and enables their economies and citizenry.