Lions logging on
Lacklustre policies on cyber security on the continent may jeopardise Africa’s development
Perceptions of Africa in global political, societal and economic discourse are changing. There are doubtless enormous challenges to overcome — armed, often internecine conflict, poverty and growing food insecurity as a result of climate change. Nonetheless, the vibrant optimism palpable in cities from Cape Town to Casablanca; from Lagos to Nairobi; is hard to deny. Moderated by those African economies suffering dependence on resources such as oil (and thus at the mercy of global prices), and the northern economies hit hard by the Arab Spring, growth on the continent has been substantial. Between 2010 and 2015, the overall GDP growth rate on the continent sat at an encouraging 3.3%. A McKinsey Global Institute report has described these economies as ‘Lions on the move’; but as the lions move across the savannah they must ensure they are not left exposed as they prepare to bring down the Heartibeast.
Kenya-by-Torricelli
As the continent has grown, its relationship changed with the rest of the world has changed. Kenya is fast becoming not only an important pin in the fight against the spread of terrorism, but a geopolitical hotpoint by any measure. Until recent terror incidents in East Africa imposed a slump in aftermath, tourism was on the rise. Crucially, Africa is coming online. The East African Marine System is giving Kenya an enviable connectivity; this undersea fibre optic cable is leading tech growth in the country. Foreign venture capital investments in the continent have risen sharply, and forecasts indicate this is a trend that will continue, with up to $608 million US expected to be invested in 2018 in tech start-ups on the continent. However, while there has been greater penetration of digital services of late, there is a great deal of inequality evident in technological penetration rates. While 63% of the population on the continent have means of connection via mobile cellular services, just 16% are users of the Internet.
Interest in developing the mobile sector is perhaps testament to other confounding variables in the African equation: start-up costs of purchasing laptops and desktops, the lack of reliable electricity supply, and access to supplies and parts another. Nonetheless, large strides are being made in innovating through mobile devices. Kenya’s M-PESA system developed in 2007 has been replicated across the continent. Customers registered with the service exchange cash at authorised outlets for electronic value stored in an account linked to their SIM card. They can then send money to pay bills or to another M-PESA user, who is allocated the nominated amount in their account. They can in turn either withdraw the amount from an authorised vendor or they can in turn send the money out of their account as required. This system of mobile money has revolutionised payments, removing past insecurities of dealing with cash, of transferring small amounts over long distances, and of low penetration of bricks-and-mortar financial services outside cities. World Bank research indicates that there are nearly four times as many M-PESA outlets as there are branches of formal banks, post offices or ATMs. Throughout East Africa, companies compete to offer smaller commissions on transfers, with regional integration meaning demand for cross-national services. Research conducted by the World Bank in 2009 indicates that M-PESA handled 320 million USD in peer-to-peer transactions — or nearly 10% of Kenya’s GDP.
Safety Nets
The World Economic Forum’s Networked Readiness Index 2015 paints a bleak picture: 30 of the 31 African countries included in their sample were ranked in the bottom 50% of the index (only Mauritius bucked the trend). Of particular note is Nigeria — a country at the heart of a tech boom on the continent — which dropped seven places in the 2015 Index since 2012. Pleasingly, however, Kenya has risen six points since 2012 and is now ranked 86th. Rwanda, while still ranked 83rd overall, was ranked first in Government Success in ICT Promotion.
Despite these recent successes, it appears that both regulators, legislators and businesses are asleep at the wheel, blind to the impending juggernaut of cyber-crime; and civil society is just as blind to the creeping civil liberties infringements. Financial institutions from Kenya, Uganda, Rwanda, Tanzania and Zambia reported losses of $245m US in cyberfraud in 2011. Estimates from the International Data Group Connect show that cybercrime has cost the South African economy up to $543m US, the Nigerian economy $200m US and the Kenyan economy $36million US. It is therefore unsurprising that studies among four African countries that cybersecurity is correlated with enhanced economic performance.
Digital connectivity is growing in Africa among individuals and corporations alike, and with it will come an increase in cybercrime. Nigeria is not only the biggest target of malicious Internet activity but the most prolific source of it as well — some may remember a certain infamous scam from the early days of email. In terms of individual cyberattacks, South Africa has among the highest number of victims in the world, third only to Russia and China. The role of technology in the formulation and execution of terror attacks remains a prescient concern in parts of Africa, as it does elsewhere in the world. Wounds in Kenyan society are still fresh after the Westgate Mall bombing in Nairobi, which claimed 67 lives in September 2013. This attack, as well as a spate of kidnappings and attacks in Nigeria are known to have had technology at the heart of their formulation. As in the West, politicians and civil society will have to find the line between civil liberties and terror networks hiding behind online anonymity.
Fighting Information
Yet regulators have demonstrated, at best, a lacklustre response to the growing crisis. While there has been a recent impetus to develop cybercrime legislation, there are still significant gaps in crime-fighting policy. Lack of commercial impetus can, as usual, be laden with partial blame: though it must surely rise before long, the Middle East and Africa’s share of global e-commerce remains relatively small — 2.3% of global e-commerce in 2016. Until recently, cybercrime has been prosecuted under the Kenya Information and Communication Act, as well as existing legislation against sexual and financial crime, and the Kenyan Penal Code. The Kenya Information and Communications Act has come under criticism from civil society groups for infringing on constitutional guarantees on free speech, with the vague language in portions of the Act used to clamp down on political dissidents in a country with a fractious political system.
By way of response Kenya recently drafted a Cyber Security and Protection Bill (2016) which established a National Cyber Threat Response Unit, along with provisions and penalties for a raft of cybercrimes, including bullying, terrorism, illegal pornography, and identify theft. The creation of such a task force, one fit for dealing with cybercrime, was viewed as a major step forward for Kenya in bringing matters of crime online into the mainstream. Language from the Bill borrows heavily from international standards on similar matters, and combines the best proven industrial practice with academic contributions. However, the Bill was then withdrawn from debate with concerns about loopholes contained, and failure to comply with parliamentary procedure on public debate on the Bill.
The Security of Distinction
The opposite shore of this particular legal Dirac sea is the lack of protection it affords to citizens in terms of their personal information, and the limits of interference imposed on their governments. Controversy in the recent past surrounded the decision by the Kenyan government to fund an enormous surveillance programme with a system of 2000 cameras including facial- and number plate recognition in Nairobi and Mombasa. This proposal helped to highlight the dangers of operating in an unclear or poorly defined legal environment. The constitutional right to privacy is, to a certain degree limited by the Prevention of Terrorism Act, albeit with the caveat that it is within a reasonable and justified framework and does not infringe upon those not under suspicion. There were further concerns that the Data Protection Act of 2013 did not give adequate protection of images of individuals collected through these cameras, as images were not considered personal data. While the Bill did call for best practice in data collection and storage, there is clearly a pathway for its misuse in a highly politicised environment.
More recently, the Kenyan government has come under fire — and not for the first time — on monitoring of telephone communications. In years gone by, the government came under scrutiny for accessing personal information from Safaricom (a Kenyan telecoms provider) databases. The most recent scandal has come to pass under the guise of preventing counterfeit mobile phones, though there is widespread condemnation of the move, involving as it does monitoring and surveying personal communications.
Nature abhors a vacuum, and the dangers of allowing this cyber protection vacuum to exist are manifold and easy to demonstrate. Governments across the continent must practice urgently against both exogenous and endogenous attacks. As the economy of greater Africa grows and becomes more developed, so will the size and severity of commercial and individual cyber attacks. The same reticence to tackle such issues is also impacting civil liberties in an age where data collection has never been more possible, more important or more ripe for abuse. The international strides of such crimes will require the African Union’s continued support, to facilitate and monitor policies and Bills to tackle this issue. The lions may be on the move, but their guard must not be allowed to drop.
