The challenge of building cyber security capability in Africa

Dr. Benoit Morel

Cyber security has become the most complex threat facing modern societies. It is completely man made, and still it outsmarts the experts. As a result, cyber security is not approached ideally in any part of the world. When it comes to Africa, the challenge is even greater.

Africa is a relative newcomer to the world of the internet. According to the World Internet Statistics [1], in 2015, the average penetration of the internet in Africa was 27.5%. For comparison, the penetration in North America was 86.9%. The internet is growing fast, in terms of both size and importance. The rate of growth of the internet in Africa during the period from 2000 to 2015 was 6,958%. For North America, the corresponding number was 187%.

The reduction and eventual disappearance of the digital divide may help accelerate the process of modernization of the African economies. However, a closer look at the anatomy of internet use in Africa and its correlation with economic growth and prosperity reveals a few surprises. There is a large variance in the penetration of the internet. If one believes the numbers produced by the World Internet Statistics, Mali, Malawi and Madagascar are among the three African countries with the highest internet penetration (72.1%, 70.5% and 74.7%, respectively) [2]. Ethiopia is among the countries with the lowest penetration (1.9%). But Mali, Malawi and Madagascar with a 2014 GDP per capita (PPP) [3] of $1,559, $781 and $1,429, respectively, are not among the richest countries in Africa and only Mali is (barely) richer than Ethiopia, whose GDP per capita is $1,533. There is no visible correlation with GDP per capita or economic growth; nevertheless, it is an accepted fact that the modernization of economies encounters an increasing reliance on internet technology. With this technology uptake come cyber security concerns. Cyber security, if not addressed, has the potential to reduce significantly the benefit that African countries will reap from Information Communication Technology (ICT). Furthermore, as the internet couples African countries to the rest of the world, it is imperative that Africa take cyber security seriously.

The realization that developing countries in general, and African countries in particular, should take cyber security seriously inspired the UN General Assembly to produce a resolution as early as 2002, which mandated the International Telecommunication Union (ITU) “to facilitate the transfer of information technology and capacity-building to [those] countries, in order to help them to take measures in cyber security”. Unfortunately, the progress has been slow, in particular in Africa, and while cyber security is considered a priority, there is still a lot of work to do.

No template to follow

One problem is that the situation of Africa is unprecedented. The way cyber security works in countries like the US and Europe is the result of a self-organizing process that spanned decades. Today, it is an agglomeration of institutions and firms in a state of flux and chaos, which through competition and collaboration covers the changing spectrum of cyber threats. Governments learn slowly and can look hapless in confronting repeated attacks on their networks. They have to somewhat sheepishly acknowledge repeatedly that key information has been stolen. For their security tools and analysis of incidents, they rely excessively on the private security industry, giving the impression that they have difficulty in building in-house expertise. Another problem encountered by governments like the US is the fact that they built their networks at a time when cyber security concerns were mild. Networks grew quickly and became extremely complicated. As a result, there are multiple connections to the internet and the networks are very difficult to protect. The US government is now engaged in a multi-year effort to rationalize its networks. This is not an example that African governments should follow. As Bismarck said: “Only the fool learns from his mistakes, the clever one learns from the mistakes of the others…” The African governments should, as much as is possible, find their own path to cyber security, emphasizing cost efficiency.

African countries should build national CERTs

The first CERT (Computer Emergency Response Team) was created in the US in 1988 as a response to the Morris worm, which clogged the internet. Since then, many CERTs (and CSIRTs, or Computer Security Incidents Response Teams) have been created to provide a variety of functionalities including protecting specific networks belonging to large firms, banks or military services such as the Air Force, Navy or Army. They are also sometimes associated with academia. Some are national CERTs that form part of a larger ecosystem of CERTs. In the case of Africa, however, the situation is different and therefore the solution should be different.

One well-known problem is that governments are reluctant to divert some of their limited resources to invest in a pursuit whose benefit is measured in “avoided losses”, the kind of loss the country never experienced. Cyber security capabilities cannot be built in a few days. In the event that African governments have to deal with cyber attacks, the only recourse will be to ask foreign consultants to come and help. And although there is no scarcity of such consultants, they all have something in common: they are expensive and some are untrustworthy.

African countries should not wait. They should build expertise at home, now. At the moment, the best experts in cyber security tend to be the cyber criminals. Building that kind of expertise at home, when it comes to Africa, means doing something different from the actions taken in advanced economies. A kernel of expertise has to be developed and it can take only one form: a CERT or CSIRT; a group of people (it does not need to be very large) whose mission is to take responsibility for cyber security in the country.

There are many CERTs and CSIRTs in the world, but Africa requires a particular kind of CERT. Firstly, it has to be a national CERT, strongly supported by the government. Secondly, it must carry responsibility for the whole country’s cyber security, and it must be manned with real expertise since at the beginning at least, it will be the sole repository of that kind of expertise in the country – an unprecedented requirement.
Since each country is different on economic, political and cultural levels, CERTs cannot all be the same. Although they share core features, there comes a time at which they must adjust to the specifics of the country in question.

Building a successful CERT is not easy. Africa has provided many examples of failed CERTs. There are many scenarios of failures, lack of strong support from the governments being the most common. There have been success stories, and we will witness more of them. Unambiguously the pioneer in Africa, Tunisia built itself and has a lot to offer for budding African CERTs. Egypt and Morocco also built effective CERTs in the wake of Tunisia’s success. Sub-Saharan African countries were slower to join the progression (this of course excludes South Africa, the special circumstances of which cannot be reproduced in the rest of Africa). Nigeria and Kenya are interesting examples of recent success. One is the biggest economy in Africa, the other arguably one of the most advanced technologically. Both countries began on their CERT roads before the rest and both went through a variety of false starts before recently taking off.

A measure of success is the ability of the newly created CERT to be accepted as a full member at the Forum for Incidence Response Teams (FIRST) [6]. Participation in FIRST is not a given. One has to apply, have two sponsors and go through a review process to prove a certain level of competence. Tunisia was the first country in Africa to make the cut. It was followed by Egypt, Morocco and three CERTs (associated with financial institutions) in South Africa. In the summer of 2015, Nigeria and Kenya became official members. Out of the 326 teams belonging to FIRST, so far, Africa has eight, with some more in the pipeline. Nevertheless, Africa is seriously under-represented in this field.

The pros and cons of regional cooperation

Building a CERT requires infrastructure and some well-trained security professionals which, for smaller countries, may look like an expensive proposition. Africa could also set another precedent: regional arrangements. Some countries could share their CERTs, or at least build them together. A regional organization such as ECOWAS (Economic Community of West African States) or UEMOA (Union Economique et Monétaire de Ouest Africaine) could help in channeling efforts like those in West Africa. Africa does not lack regional organizations. The Economic Community of Central African States (ECCAS), the Common Market for Eastern and Southern Africa (COMESA), the East African Community (EAC), the Community of Sahel-Saharan States (CEN-SAD) or the Southern African Development Community (SADC), to name a few, could play similar roles in the rest of Africa.

Other regional bilateral or multilateral arrangements could turn out to be more appropriate. On the one hand, regional cooperation of CERTs may raise issues: national security considerations may emerge. Political instability (something not uncommon in Africa) may have disruptive effects. On the other hand, being forced to collaborate on such projects could have a healthy effect on those countries and their relations.
Eventually, the different national CERTs should plan to collaborate on the continent level. Africa as a continent raises cyber security issues of its own. By championing the common thread of their endeavour, the different CERTs could help each other build a strong continental cyber front and also avoid the possibility of cyber issues becoming a source of friction – or something even worse – between African States.

Cyber security issues specific to Africa

Mobile platforms like smartphones proliferate everywhere. In Africa, they dominate. In Nigeria, for example, for a population of about 177 million people, there are about 168 million mobile phones, and more than 10 million smartphones [7], 84% of which are connected to the internet [8]. The number of mobile phones can hardly increase, but the number of smartphones is expected to increase further, and quickly. The African continent is one of the most sought-after markets for that technology.

We are only beginning to discover the cyber security issues associated with mobile platforms. Africans will discover them at the same time as the rest of the world, but these issues may take a particular form. For example, the M-Pesa system of payments [9], which is becoming popular worldwide, has seen a strong uptake in Kenya and Tanzania and is experiencing increasing penetration in quite a few countries. It allows people living in remote areas to have access to financial services. From an economic point of view, M-Pesa is potentially a game changer. But because it deals with money, M-Pesa is bound to attract the wrong kind of interest from hackers. It is currently difficult to anticipate the kind of scam or vulnerabilities that M-Pesa will eventually reveal, but it is only a matter of time. When this happens, African governments will be happy to be able to turn to their national CERTs to face that kind of contingency.

A roadmap to the future of cyber security in Africa

The path to building successful CERTs in Africa has not been smooth. The whole process started painfully slowly, and developing the proper expertise turned out to be difficult. Technical depth, which can be acquired (albeit at high expense) in the US, is important too. The problem is that the kind of training and the system of certification (like Certified Information Systems Security Professional, or CISSP) are not optimized for the needs of Africa. Experience has shown that the best source of expertise is people who themselves have operated or are operating national CERTs. Nigeria owes its recent success story to the assistance of Tunisia, and the situation has now improved. There are a few CERTs in Africa – all members of FIRST – that can be of use, namely, Tunisia, Egypt, Nigeria and Kenya. Homegrown expertise is under development and presents an issue for collaboration for the Africans. Not only is it in their genuine interest, but it is also an opportunity for them to teach a lesson to the rest of the world.

Written by

Born in France, Benoit Morel grew up mostly in Geneva, Switzerland, and completed a PhD at the University of Geneva and CERN in theoretical High Energy Physics. His postdoctoral career in Physics took him to Harvard, CERN and CalTech. From there he moved to what was then the Center of International Security and Arms Control (CISAC) at Stanford as a "Science Fellow". His research interest shifted to International Security. From there he joined Carnegie Mellon University as a faculty member, where he has been since. His research interests in security include nuclear security and safety (in particular the Iraqi and Indian programs) as well as cybersecurity policy and in particular its international dimension.