By Bruce McConnell
Securing cyberspace is a multi-player endeavor. Because of cyberspace’s complexity and its disrespect for boundaries of all kinds, cyberspace security requires cooperation among multiple stakeholders. No single government, company, or civil society organization can solve this problem on its own. While companies must work harder to increase the security of their products and services, governments remain the most critical players when it comes to reducing the level of cyber attacks on a global basis. Governments have the responsibility of catching and prosecuting cyber criminals. Governments also are the perpetrators of some cyber attacks. Cooperation among the major government and industry parties is increasing, and this is good news for everyone, especially the developing world. This article describes the state of cooperation with particular attention to Africa’s cyber ecosystem.
The Group of Governmental Experts
Some major international developments in cyberspace security policy are occurring under the umbrella of the United Nations (UN). The UN has been working on cybersecurity for over 20 years, primarily through a group of governmental experts (GGE), focused on reducing conflict in cyberspace. This group originally involved only a few nations but it expanded a few years ago to 25 nations. All the major powers are involved, along with other countries. The last session of this GGE included four government representatives from the African continent: Kenya, Mauritius, South Africa, and Morocco.
The GGE’s principal accomplishment has been to develop some rules of the road for state conduct in cyberspace. It is an attempt to recognize the fact that nations are using cyberspace as a domain of conflict and to manage the cyber arms race and the unregulated use of cyber weapons. It is unfortunate that such a group is even needed. Ideally, cyberspace should be a declared a zone of peace and nations would agree not to use it for attacking each other. If that was accomplished, there would still be cybercrime to deal with, but that is a smaller and more manageable challenge.
However, no declaration of peace is forthcoming in cyberspace so the next best outcome is limiting what states can legally do to each other, just like we have rules of conventional warfare – for example protecting hospitals. These rules are set out in treaties like the Geneva Convention, the Chemical Weapons Convention, limitations on nuclear weapons, etc. Not everyone obeys all these rules, but without them the prospects of weapons proliferation and use would be much worse.
Cyberspace does not have any treaties. The GGE has only produced a set of non-binding norms of behavior. These are not binding rules - they are more like suggestions – but they represent a start. The two most important ones are:
Nations should not attack each other’s critical infrastructure using cyber weapons.
When one nation is being attacked from servers in another country, the country hosting those servers has a responsibility to turn off the malicious activity upon request of the first country.
As for not attacking critical infrastructure, this goes immediately into the problem of attribution. It is not that difficult to hide one’s identity in cyberspace, and attackers are good at disguising their identities. Considering the examples of some the big attacks in the U.S. and elsewhere like Solar Winds and NotPetya, some countries have accused others of being behind those attacks on critical infrastructure. The accused countries have denied responsibility, and as there is no objective international body to determine attribution, the attacked countries have to resort to sanctions and other responses without international agreement on who is at fault.
The second norm has been relevant even recently. At the recent meeting between U.S. President Joe Biden and Russian President Vladimir Putin, they discussed requests for take-downs that the two countries have sent each other over the past few years. The challenge is that simply identifying the location of a malicious server does not define who is responsible for the attack. Most cyber attacks globally come from servers based in the United States, because that is where the most servers are. The U.S. Department of Homeland Security regularly receives and addresses requests from other countries to stop malicious activity coming from U.S. servers.
The Open-Ended Working Group
In addition to the GGE, there is a second, larger UN cyber group — the Open-Ended Working Group —which is more inclusive and invites all 193 UN Member States to participate. In addition to the African countries mentioned earlier, Cameroon, Nigeria, Senegal, Zimbabwe, Algeria, and Egypt have taken a more active role and made statements during the OEWG. The OEWG is only 3 years old and included consultations with the private sector and civil society, making it in general a more representative group. It has endorsed the work of the GGE and underscored some important points.
During the OEWG, the African Group (representing the 54 African UN Member States), laid out the following priorities:
It has called for an end to the digital arms race, stressing that developing countries are the most vulnerable in this context.
The Group has expressed support for a process leading to emergence of legally binding and rules-based order regulating the use of ICTs by states.
It has advocated for language that the use of ICTs to disrupt, damage or destroy critical infrastructure, including critical information infrastructure, violates international law and the UN Charter.
It has also expressed concerns about the integrity of global supply chains and the stockpiling of vulnerabilities.
A final point made by many smaller countries has been that it makes no sense to have two groups running in parallel. There is a shortage of capacity in global cyber policy everywhere, but particularly in smaller and developing countries. There is some hope the groups may be consolidated in the future. This is the state of progress in these international deliberations.
Emerging Cyber Norms in Africa
An ongoing project of ORF America, the Global Cyber Policy Dialogues, seeks to amplify the voice of stakeholders from developing countries in international cyber policy discussions. It aims to improve cyberspace governance and cooperation by bringing together stakeholders on a regional basis to improve trust and cooperation. The project convenes regional meetings in Southeast Asia, Central and Eastern Europe, Africa, and Latin America around key cyber challenges such as cyberspace governance, emerging technologies, and public-private partnerships.
On October 27, 2020, the Cyberspace Cooperation Initiative at the Observer Research Foundation America (then with the EastWest Institute) co-hosted the Global Cyber Policy Dialogues: Southern Africa meeting. Participants explored challenges and opportunities for building an inclusive, secure, safe and resilient cyberspace in the Southern African region around three pillars critical to stability and growth in the digital realm: sustainable development, peace and security, and governance.
The meeting featured speaker contributions on the three pillars of the dialogue and included opportunities for exchange with representatives from governments, businesses, civil society organizations and universities from Southern Africa and beyond. In total, over 70 attendees from twelve Southern African countries and nine countries outside the region participated in the dialogue.
The meeting focused on inclusiveness, equity, safety, security, and resilience, and included a broad geographic base of attendees. There were many similarities in the challenges outlined by speakers such as skills gaps, lack of Internet access, digital divides, and missing infrastructure investment, as well as the potential for development and digitalization to lead to bigger challenges if carried out without due regard for ensuring cybersecurity, improving the knowledge of users, and mitigating potential threats to freedom of expression, privacy, and safety. While each of these has their own solutions, one key theme that emerged throughout the presentations was the need for international cooperation to tackle cyberspace’s complex challenges.
The benefits and threats of cyberspace cannot be viewed separately from larger questions of global peace and sustainability. Any discussion about digitalization in Southern Africa needs to take place within this context as well as one of inclusion, accessibility, and usability. Poverty, inequality, and unemployment are key challenges in the Southern African region that cyber excellence could help mitigate if the principles of the Fourth Industrial Revolution are embraced. Cyber development is a shared responsibility to be taken up by governments, the private sector and civil society together; one that is necessary to fully achieve the Sustainable Development Goals. Because security must accompany development, all governments must remain engaged in the existing governance mechanisms to build partnerships that transcend existing national and regional boundaries. Quite importantly, The African Union Convention on Cyber Security and Personal Data Protection, adopted on 27 June 2014, remains an important regional initiative.
Wanted: Access, Skills, and Safety
COVID-19 has amplified the demand to bridge the digital divide in Southern Africa and has resulted in rapid digitization efforts in order to keep economies afloat, particularly in urban areas. The increase in mobile phone ownership has improved Internet penetration and consequently strengthened voices demanding equality through social media. Digital innovation is also creating opportunities for social mobility and autonomy, especially for young people and women, but some capacity challenges still remain.
There is a pressing need for skills training to allow the entire population to take advantage of the Internet, not only as a tool of empowerment, but also for economic reasons. In many areas, especially rural ones, there is a need for improved infrastructure to provide more Internet bandwidth. However, competition policies must be carefully crafted to avoid monopolistic practices by the companies investing in that infrastructure. There also needs to be a focus on online safety: as social media supplants real, human connections, the psychosocial and emotional consequences of cyber bullying, revenge porn and reduced self-confidence, particularly for women, often prevent equal participation.
There is widespread agreement among cyber experts and other stakeholders in Southern Africa on three priorities for addressing the needs on the ground. First, governments should keep the Internet on. Free speech should be protected and digital citizenship must be built in a way that respects privacy and the protection of personal information, and governments that shut down the Internet must be held to account. Second, investments in digital skills training and capacity building should be focused at the grassroots level and carried out in ways that support local innovation and autonomy. Third, policymakers and implementers should collect and disaggregate data on ICT access and use, and digital policies should take into account the specific challenges that marginalized and vulnerable groups (e.g. young people, persons living with disabilities, and women) face in joining the digital economy.
Other peace and security threats in the cyber ecosystem include information operations, mobilizing social media platforms by malicious actors, and the weaponization of drones. Social media platforms have already been used to manipulate elections in South Africa, Madagascar, and Kenya, and hate groups have tapped these platforms to gain access to larger audiences and activate real world consequences on touchstone issues.
Emerging Economies in an Emerging Cold War
A critical observation has been made by Moctar Yedaly, the former Head of the Department of Information Society at the African Union Commission: Digital transformation is a requirement for the survival of Africa, but also remains a geopolitical challenge. It will happen whether African countries desire it or not. Digitization will touch many sectors and it is important to have cross-sector conversations to prepare for it.
The race for data collection will inform the economy of the future. African leaders must know that the industries of the future will be artificial intelligence, advanced life sciences, the development of algorithms for behavioral manipulation and especially big data. Data has become the geography of future markets, and these markets must be mastered. Because of this it must also be acknowledged that, whether it is morally good or reprehensible, any data that can feasibly be collected, likely will be.
The current geopolitical climate is often characterized as a new Cold War. While the European Union is looking for new positions in its alliances with Africa and contests international technology companies, the U.S. and Russia are seeking to counterbalance their strategic retreat through domination of the Internet economy and tools of destabilization respectively. This new Cold War is based on the tools of cyber warfare, but states are losing power as networks are increasingly controlled by large corporations. Players who have emerged from this new economy, such as data centers and smart manufacturing, are racing to see how much they can control. Most of these companies and platforms are non-African and they are motivated by profits on the continent. If Africans wish to stay out of this race, they must create safeguards.
African leaders need to act swiftly to avoid digital colonization by enhancing their capacity and reducing knowledge gaps. To this end, the African Union has been pushing for the ratification of a convention on cybersecurity, electronic transactions, and personal data protection as well as advocating for the adoption of cybersecurity strategies and the creation of Computer Emergency Response Teams (CERTs) to respond to cyber incidents in each African country. Although there has been considerable progress in increasing capacity and cybersecurity in Africa, many challenges evidently lie ahead.
Bruce W. McConnell is a distinguished fellow at ORF America’s Cyber Cooperation Initiative and former Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.