Summary of the virtual consultation held on 15 June 2022

The aim of the virtual consultation was to discuss the current status of international cybersecurity in the Africa region and understand capacity building priorities, with the view to feeding ideas and insights into the in-person three-day event in Malawi. The consultation was part of the wider AfriSIG programme which began with the virtual consultation, followed by the in-person event in Malawi and then a ‘consolidation’ pre-event before the global IGF 2022 in Addis Ababa.

It was structured into two main parts:

1) Opening remarks and updates on the OEWG, and

2) Finding “the elephant in the room” – a frank reflection on the challenges to cybersecurity capacity building in the region.

Part 1: Opening remarks and updates on the OEWG

Part 1 began with opening remarks which provided an overall framing of the need for digital Africa to work for everyone and the many roles of different stakeholders (e.g private sector, academia, media, government, civil society) in ensuring a secure cyberspace. Addressing threat actors in cyberspace is challenging because national infrastructures and actors like law enforcement operate according to regulation and policies which do not mirror how threat actors operate (e.g taking advantage of cyberspace’s seemingly borderless nature). It is therefore important to avoid single points of failure, requiring bridges of collaboration between countries that require cooperation, knowledge sharing and enforcement. In terms of African cyber capacity building priorities and initiatives that regional and international collaboration could support, the following were proposed:

1. providing online cyber essentials to improve cyber hygiene across society from the poor and vulnerable to more digitally advanced sectors

2. growing the cybersecurity workforce (from basic digital literacy to advanced cyber training) – to take advantage of opportunities to generate growth and jobs and to fill the global cyber workforce

3. developing cybersecurity curriculum tailored for different sectors

4. empowering women digitally

5. developing empirical evidence in a multistakeholder manner to generate accurate statistics for use by African decision makers (e.g institutional repositories of data)

6. discouraging digital authoritarianism through good governance

7. building cybersecurity access and resilience to ensure that African systems don’t present points of failure.

A briefing on the OEWG on ICTs followed, which situated capacity building within the wider framework of the context of the OEWG and the other pillars of the “responsible state behaviour framework” adopted by the UN member states. Each of the pillars are linked, and capacity building is closely tied with each. These pillars are

1. emerging and existing threats and understanding the cyber threat landscape that could have an impact on international peace and security

2. cybernorms which can also help guide/indicate what gaps exist in terms of capacity e.g to set up infrastructures, institutions or to be part of discussions

3. the application of international law – where most countries, confidence building measures where a role for regions and tailoring CBMs for regions implicates regional organisations). A lot of capacity gaps can be cleaned from listening to member states engage on these topics. For example, at the OEWG so far, the following have been identified:

• The need to determine appropriate mechanisms for states to gain financial resources/access and facilitate technology transfer
• Establishing fellowship programmes (Singapore has put forward a proposal for this)
• Engaging with cyber security capacity maturity model assessments to understand needs and gaps (whether human/personnel, financial, coordination etc)
• More specific needs e.g on climate change and disaster resilience
• Needs for institutional arrangements once needs have been identified, including the role of the UN and other stakeholders (e.g how do we bring in actors like the GFCE, who are the relevant UN entities etc and how do we draw the links, the role of regional bodies, the Cyber Programme of Action initiative)

Regarding the current OEWG (OEWG II), the upcoming third session will incorporate discussion of the annual report which will include discussion of capacity building – the Chair’s main priority. The Chair’s consultations with NGOs on capacity building around the first two sessions have brought to light a lot of important initiatives and ideas from the stakeholder community.

The first OEWG adopted its report before the GGE which included capacity building principles, and the GGE further reiterated these. So far there have been many calls for operationalising the capacity building principles, but there’s still a lot of discussion on the different roles of stakeholders and government when it comes to capacity building – including government roles in identifying gaps and needs in capacity building. Stakeholders will often have in-depth understanding of a particular area which is how they can support governments. It’s also important to ensure that initiatives are complementary. There is no one size fits all, each context is different. Finally, there’s a need for work at the national level to identify gaps and institutional arrangements required to implement the agreed framework.

Part II: The elephants in the room

The second part of the discussion focused on identifying challenges to building African cyber capacity, including by identifying ‘the elephants in the room’.

These included, from the point of governments:

• A competing policy landscape (e.g climate change, housing etc) with multiple urgent priorities where cyber threats and cybersecurity can be seen as ‘abstract’ and not afforded the right attention despite increasing reliance on many parts of society on digital technology
• A vendor driven cyber capacity building landscape driven by the global North
• A lack of understanding of the breadth of cyber threat (e.g from cyber dependent threats to cyber enabled threats e.g disinformation campaigns, fraud etc) – and a need to understand the complex landscape or ecosystem of cyberspace
• A need to understand the urgency and need to respond to cyberthreats and attacks that requires a “whole of government approach” to define response protocols and define threats, building relationships with non-government sectors
• One size does not fit all: the region is diverse and there are different needs and responses. Larger and more developed countries may have very different requirements to smaller and less developed countries, and different conceptions of what cyberthreats are
• Cybersecurity does not equate to regime security (e.g this can be seen through the use of internet shutdowns), instead this should be about building a resilient society, not propping up a particular regime
• Cybersecurity and cyberdevelopment can lead to the fetisihisation of tech, without looking at the blindspots and put in place measures to protect against cyber espionage/surveillance or threats that undermine the rule of law
• Global North agendas need to ensure that they do not hamper development. For example, China’s assistance and partnerships are popular and mean that African governments have to assess whether this assistance is in their interest because of the need to access certain technologies. Therefore, it’s critical for partners and donors to have difficult conversations about building indigineous capacity for example through exchange/fellowship programmes, the need for building out a plurality of suppliers for example (perhaps by setting up subsidy systems)
• Lethargic pace of decision-making and the need for the implementation of cyber legislation by putting in place adequate resources “scaffolding” – e.g wifi for law enforcement agencies.

From the point of view of civil society, the serious issues with lack of access to relevant discussions including at the OEWG and the importance of engaging non-governmental stakeholders to ensure human security and wellbeing in cyberspace were highlighted. The need for better modalities to be adopted in the future was stressed, especially due to the tendency to see peace and security issues in developing countries/regions including African countries as the exclusive domain of governments. Even with the best of intentions, this can mean that the laws and frameworks may not be fit for purpose and even unimplementable. Overcoming this requires implementing the OEWG capacity building principles which reference the need for capacity building to protect human rights and be gender sensitive.

It was also stated that there are also capacity building needs that civil society has as far as cybersecurity is concerned which can result from a lack of resources to participate. Therefore, there is a need to focus on capacity building for a wider range of stakeholders and not just governments. There is a need to identify steps to implement the capacity building principles and identify capacity building needs of civil society through a mapping, which could list resources and initiatives that are relevant and available.

Part III: Open discussion

An open discussion followed these remarks, with the following reflections offered:

• Critical information infrastructure resilience is essential as governments digitise their economies – from banking infrastructure to telecommunications
• Non-governmental actors include private businesses, academia, civil society and other partners all have a role to play in building national cybersecurity ecosystems. It is therefore important for civil society to be invited to contribute to relevant discussions
• Different maturity levels and resilience levels exist across the content
• In terms of nexus between cybersecurity and development, there used to be more of an emphasis on national security but we are seeing a shift to seeing cybersecurity be a development issue
• Developing national workforces is key
• Cybersecurity frameworks and interventions ought to be rights respecting and civil society has a role to play here
• There is a lack of regional coordination, e.g when it comes to African countries there was active engagement but not from a regional perspective/from the African Union – civil society could help play a role to mobilising and encouraging the AU to demonstrate leadership
• Implementation of what has been agreed at the OEWG and GGE is the current priority. There has been a lot of guidance recently on how to implement the framework
• Aligning capacity building efforts with the framework and with the capacity building principles can be important for collaboration
• Countries can get together and articulate systems of support, globally, regionally and within their own governments for capacity building needs.
• More trust needs to be build for effective cooperation to happen
• The focus should be on societal security, or ensuring cybersecurity that allows societies to thrive
• A strategic approach (e.g through holistic national strategies and frameworks) which is honest and tailored to each country’s needs is required, and this can also be an opportunity to learn from and collaborate with international partners.