Nnenna Ifeanyi-Ajufo

Nnenna Ifeanyi-Ajufo: “The current state of cybersecurity in Africa is the tendency towards a cyber-militarisation approach”

Nnenna Ifeanyi-Ajufo is a Professor of Law and Technology at Leeds Beckett University, United Kingdom and Vice Chairperson of the African Union Cyber Security Experts Group (AUCSEG) and has been actively involved in advising the African Union Commission (AUC) and African Member States on existing international, regional and national legal frameworks related to cybersecurity, as well as promoting cybersecurity in the region.

This interview is also available in French.

What is your analysis of the state of play in Africa regarding cybersecurity and infrastructure regulation?

Thank you for the opportunity to share my insights. In my view, the state of cybersecurity in Africa is defined by two critical factors: governance and regulation. Given the nature of cyberspace, these elements are of utmost importance. Traditionally, cybersecurity has been focused on technical aspects and legal frameworks, but the role of infrastructure is pivotal. Unfortunately, without adequate digital capacity, governing cyberspace effectively is a challenge.

Africa remains the least digitalized region globally, which impacts its approach to cybersecurity. The disparity in wealth distribution across African countries plays a significant role in this context. In poorer nations, cybersecurity is often not a priority, and in regions like the Sahel, conflicts and political instability further detract from cybersecurity initiatives.

In terms of infrastructure, Africa lags behind due to various factors, including technology dependence, uneven distribution of technology, and political issues like corruption. However, some countries, such as Mauritius, Ghana, and Tanzania, are making notable progress in developing cybersecurity infrastructure. This encompasses not just technology, but also the establishment of agencies and authorities, and a commitment to multi-stakeholder collaboration in cybersecurity.

Despite some progress, there is a lack of harmonisation in efforts across the continent. Countries like Togo have also made strides, such as the agreement with United Nations Economic Commission for Africa (UNECA) to establish a regional cybersecurity centre, but challenges like funding persist. The African Union is also working on a cybersecurity strategy, yet implementation varies significantly across the continent due to disparities in wealth, approach, and existing challenges.

On the regulatory front, Africa is at a crucial juncture. The Regional Cyber Security Treaty came into force on June 8, 2023. Originating from the 2009 Oliver Tambo declaration, this convention is ambitious, encompassing electronic transactions, cybersecurity, and personal data protection in a single treaty – a unique approach compared to other regions. However, there has been reluctance among African countries to ratify this convention, with only 15 ratifications to date, none from the continent's major powers like Nigeria, Kenya, Egypt, or South Africa. Even, Ethiopia, the seat of the African Union is yet to ratify the treaty. This demonstrates the lack of capacity to implement an otherwise powerful regulation. It represents the gap between the presence of regulatory frameworks and their implementation.

At the sub-regional level, regional economic communities like ECOWAS and SADC have their cybercrime directives, indicating a more dynamic sub-regional approach to cybersecurity. However, the African Union's influence over these regional initiatives is limited. This is because unlike other regions in the world, regional economic communities are relatively strong. In addition, there's a diversity in legislative approaches among African countries, with some focusing on computer-dependent crimes, while others have broader scopes, as seen in Ghana's 2020 Cybersecurity Act and Nigeria's Cyber Crime Act.

A key aspect of the current state of cybersecurity in Africa is the tendency towards a cyber-militarisation approach toward cyber-governance. This has contributed to a trend of cyber-authoritarianism as many African countries view cybersecurity through a national security lens, leading to practices like internet shutdowns, blocking of specific services (e.g. Nigeria’s Twitter ban between 2021 and 2022) in response to crises rather than focusing on vulnerabilities of citizens in cyberspace. This approach contrasts with the African Union's Digital Transformation Strategy (2020-2030), which advocates for a more people-centred, multi-stakeholder approach to cybersecurity than a government-centred one.

With regard to cybermilitarisation approach of most African countries that you mentioned, would you say that this approach is unique to Africa or is it more in line with the approaches of some major geopolitical powers?

In the realm of cyber diplomacy, African countries often align with Russia and China. The influence of these countries is evident in the negotiations around the Cybercrime Convention and the adoption of their digital sovereignty approaches. This alignment affects how African governments interpret and implement cybersecurity governance. The cybermilitarisation approach observed in many African countries is not entirely unique to the continent but aligns with the trends seen in major geopolitical powers. This alignment reflects the dynamics of cyber diplomacy in Africa. For instance, during the negotiations for the UN Cybercrime Convention, Russia notably spoke on behalf of certain African countries, like Burkina Faso, illustrating this influence.

The contrast between the ratification of the Budapest Convention (Council of Europe's Cybercrime Convention) by only a handful of African countries, and the substantial support for the resolution to start the Cybercrime Convention initiated by Russia, further highlights this leaning towards Russia and China. The influence of these powers is evident not only in the adoption of digital sovereignty approaches but also in the reliance on technology sourced from these countries.

The relationship between the African Union and China is particularly significant in this context. Despite the evident cyber authoritarian tendencies, there has been a notable silence from the African Union in taking a stand against these approaches. When deliberating on potential articles of the UN Cybercrime Convention, the inclination of most African countries towards the perspectives of Russia and China becomes apparent, especially concerning human rights issues. For instance, the ongoing negotiations around Article 5 of the potential UN Cybercrime Convention, which deals with human rights, reveal a tendency among African nations to align with authoritarian stances. This indicates that cyber diplomacy is intertwined with traditional diplomatic relations and influences how African governments interpret and manage cybersecurity governance. Therefore, the cybermilitarisation approach in Africa, while having unique regional characteristics, is significantly influenced by, and aligned with, the broader geopolitical strategies of major powers like Russia and China.

With the significant increase in data centres in Africa, estimated at around 700 new facilities in the coming decade, what are your thoughts on digital sovereignty and local data ownership in this context?

The surge in data centre construction in Africa represents a phase of 'data capitalism', reflective of the continent's digital dependence. In the European Union, data is regulated and protected under GDPR, but in Africa, data protection is far less consistent, and we only have the Malabo convention which only a few countries have finally ratified. The lack of comprehensive regional data protection laws further complicates this issue.

Many African nations lack robust data protection legislation, often resorting to copying laws such as GDPR without the capacity for effective implementation. I recall in 2018 one example when I picked up a data protection bill of one African country which turned out to be a verbatim copy of the UK Data Protection Act. This raises concerns about whether these emerging data centres can be effectively regulated. Despite some countries like Ghana making progress with digital ID systems, there is a general lack of widespread, systematic data collection across the continent—thousands of people on the continent still have no civil registration records such as birth certificates and in places where these are present, they are largely not yet digitalised.

An important consideration is the question of who the primary beneficiaries of these data centres are. It is crucial for Africa to approach discussions on data centrality cautiously, addressing digital inequalities to ensure reciprocal and equitable access, use, and benefits from this data. Africa's vast market potential makes it attractive for international tech companies, yet this interest in building data centres and similar infrastructure is not necessarily driven by the African Union or African initiatives. This disparity raises questions about true digital sovereignty and local data ownership in Africa. There appears to be a misunderstanding of digital sovereignty in the African context. For instance, African leaders might readily share comprehensive national data with international corporations like Google, which may fund data centres, without fully considering the implications for data sovereignty and security. This practice extends to areas like election infrastructure, often managed by foreign companies, with data domiciled outside Africa. The critical issue, then, is whether these data centres are being constructed to genuinely build capacity within Africa or to serve external interests, a situation that could be termed 'data colonialism'. Until there is a broader understanding and discussion about what digital equality means for Africa, it will be challenging to achieve parity in the global digital landscape. This conversation is essential to ensure that Africa's development in the digital age is equitable and beneficial to its people.

In light of the increasing trend of data localisation and domiciliation as a response to data colonialism, to what extent do you consider this approach a viable solution for Africa? For instance, countries like Senegal are adopting the Chinese model of data on-shoring to protect digital sovereignty. How effective is this strategy?

Firstly, it's important to acknowledge that, in my view, complete data localisation is an ambitious goal that may not be entirely achievable. However, we are witnessing a growing trend towards Internet fragmentation and data localisation efforts, particularly in countries like Senegal, which has been proactive in cybersecurity and vocal about digital sovereignty. Senegal's ratification of both the Malabo and Budapest Conventions reflects its commitment to prioritise cybersecurity. The case of Senegal, which is moving towards data on-shoring with China's support, raises crucial points. Reflecting on the incident at the African Union in 2019, where the data servers within Chinese-built AU Headquarters were reportedly transferring data covertly to China, it's clear that there can be a significant gap between rhetoric and reality in these initiatives.

The practicality of complete data localisation in Africa is questionable. The technology companies and infrastructure are predominantly foreign, and the applications of data often have international dimensions. Furthermore, cybersecurity necessitates some level of international cooperation, implying that external powers may still access data despite localisation efforts. This reality underscores the importance of scrutinising the dynamics of international conventions and treaties from a unified African perspective. While the ambition of countries like Senegal to localise government data is commendable, the actual feasibility of such an endeavour across Africa is uncertain. A more harmonised approach to data protection, where African nations collectively define their priorities and develop a deeper understanding of data governance, is needed.

Localising government data, particularly sensitive information like electoral data, within the country is a crucial step towards safeguarding digital sovereignty. It’s vital for African countries to build their capacity in technology and data governance to make this ambition realistic. While the aspiration to localise, data is not far-fetched and is indeed being pursued by other countries, the transition to such a model in Africa needs careful consideration, balancing ambition with the realities of technological dependence and international cooperation.

What strategies have proven effective for African governments to collaborate towards achieving digital goals, particularly regarding digital sovereignty and multinational digital infrastructure projects? Additionally, where do the lapses lie and how can they be addressed?

The effectiveness of strategies for African governments to achieve consensus and action in digital realms is influenced by a variety of factors, some of which are man-made, while others are inherent to the region's realities, such as political instability and conflict. These factors often shift the priority away from digital goals.

For instance, the African Union experienced a significant cyber attack this year, yet the response was unclear, reflecting the overarching issue of prioritizing physical conflicts over digital threats. The African Union, unlike the EU, does not have the same regional influence and is relegated to observer status in the cybercrime negotiations. This limitation hinders the AU from speaking for or holding its member states accountable in digital matters.

The individualised approach to governance in African countries impacts cyber governance. While the African Union has started pursuing a unified African position on cybersecurity, a mere policy paper doesn't necessarily equate to consensus, as evidenced by the limited impact of the Malabo convention.

Furthermore, the African Union needs to prioritize funding and capacity building in digital governance and cybersecurity. Currently, many African countries rely on capacity building provided by external states, leading to a lack of a harmonised approach. This situation is compounded by donor superiority, where external countries dictate Africa's digital priorities.

Regional economic communities like ECOWAS play a significant role, but they face their own sub-regional governance challenges. Even with directives like the ECOWAS Cyber Crime directive, inconsistencies such as internet shutdowns within member states reveal gaps in implementation and adherence.

Another strategy could involve African 'champion' countries like Morocco, Egypt, Ghana, and Mauritius leading and guiding others. The Malabo convention, now in force, could serve as a platform for creating a harmonised approach and amending parts of the convention to better suit regional needs. Africa's digital transformation strategy, if implemented transparently and accountably, could provide a robust framework for the continent's digital evolution. However, there's a lack of clarity regarding its implementation and relevance to individual African countries. Ensuring transparency and accountability in implementing this strategy would help define Africa's digital governance landscape more effectively.

Considering the limitations of the African Union, could engagement with regional economic communities be a more effective solution for addressing digital challenges, or does bilateralism offer a better approach in the short to medium term?

The engagement with regional economic communities indeed presents a viable solution, complementing the limitations of the African Union in addressing digital challenges. Various states are also taking initiatives on a unilateral and bilateral basis. For instance, the United Nations Economic Commission for Africa (UNECA) and Togo's collaboration to host the first African Heads of State Cybersecurity Summit last year is a prime example. This summit led to the Lomé Declaration on cybersecurity and the fight against cybercrime, a significant commitment from over 27 African countries to promote cybersecurity and endorse the Malabo Convention, which at the time hadn't come into force. This collaborative approach, especially in regional forums, could be augmented by the leadership of countries in each region, like Kenya for instance advancing in cybersecurity governance in East Africa. These nations could spearhead workshops and dialogues, fostering a better understanding and implementation of cybersecurity measures across smaller or less developed countries in their region.

The African Internet Governance Forum, under the UN framework, is another platform where substantial progress is being made. This forum, which includes regional and sub-regional iterations like the West African Internet Governance Forum and the North Africa Internet Governance Forum, focuses significantly on state involvement but also boasts a strong presence of civil society organisations. These organisations, such as Paradigm Initiative and ICT Africa, are growing in number and relevance and working with governments and relevant stakeholders in pushing for digital governance, digital rights, digital public goods, and cybersecurity. Moreover, initiatives like the Africa School of Internet Governance contribute to shaping a unified African agenda in digital governance. The African Union Cyber Security Experts Group which I am a member of, for example, has been instrumental in advocating for specific priorities in capacity building for Africa within these forums.

The international cooperation fostered by entities like the Global Forum on Cyber Expertise, which focuses on capacity building in Africa, demonstrates the potential of combining efforts beyond bilateral agreements. This collective approach is essential for a comprehensive and effective strategy in addressing the digital challenges facing Africa.

What are your thoughts on the role of an organisation like Smart Africa in the African digital transformation ecosystem, particularly in integrating the private sector into the discourse?

Smart Africa plays a unique and significant role in the African digital transformation ecosystem, though its position is complex and raises several questions. This organization, backed by several governments and led by the Rwandan president, operates somewhat independently of the African Union, focusing on cybersecurity and digital governance.

The creation of the Continental Cyber Security Blueprint by Smart Africa is noteworthy. However, it leads to questions about the overlap and distinction between Smart Africa's initiatives and those of the African Union. Smart Africa's involvement with multiple African governments and its alignment with heads of state like Rwanda's president is intriguing, especially considering whether these efforts could be more effectively channelled through the African Union.

Smart Africa’s position in the digital landscape is somewhat ambiguous: it is unclear whether it should be seen as an independent civil society organisation, an intergovernmental organisation, or a unique entity. This ambiguity is evident in Smart Africa's collaborations with different organisations on various projects, despite seeming to operate independently.

The engagement with private entities is one area where Smart Africa stands out. It provides a regional platform that not only has the attention of many African countries but also collaborates extensively with tech companies and telecommunication firms. This inclusive approach is crucial because there is no other platform with such a regional outlook that actively involves private companies in shaping the digital landscape in Africa. Furthermore, international tech giants like Google and Microsoft, while global in their operations, are establishing a significant presence in Africa, challenging the traditional notion of local versus international tech companies. Their involvement in the region, whether through direct presence or through labour sourced from Africa, is reshaping the digital business landscape.

The emergence of Smart Africa and its increasing influence raise questions about the role of the African Union in championing digital transformation. Is it a matter of political will, funding, capacity, or leadership that has led to the rise of Smart Africa as a key player in digital initiatives? These questions are essential to consider as Africa navigates its digital transformation journey, seeking to balance capacity, leadership, and prioritisation of digital objectives. The future of digital transformation in Africa might hinge on how well regional bodies like the African Union and platforms like Smart Africa can collaborate and align their efforts for the greater good of the continent's digital landscape.

How does China and the Digital Silk Road fit into African ambitions for digital transformation?

The role of China and its Digital Silk Road in Africa's digital transformation is multifaceted and raises questions about international relations and state interests. It's important to consider this in the broader context of global superpower strategies and foreign aid in Africa. When comparing China's approach with initiatives like the White House's digital transformation acceleration program, it becomes evident that foreign aid and cooperation have long been tools of state interest and influence. The apprehension towards China's Digital Silk Road often contrasts with the reception of similar initiatives from Western powers. This difference in perception could partly be due to the history of colonialism in Africa, which affects how cooperation with different global powers is interpreted. Africa's willingness to cooperate more readily with China or Russia, as opposed to Western countries, might be influenced by a lack of historical colonial ties with these nations.

Regarding China's role in Africa, it's crucial to understand that foreign aid, including digital assistance, is not a new phenomenon. China, like the US, knows what it stands to gain from its involvement in Africa's digital sphere – a massive market and a testing ground for various technologies. Africa, with its vast population and relative openness to new technologies, presents an attractive opportunity for digital powers like China. The apprehension about China's increasing digital influence in Africa might stem from its status as a digital superpower and its established relationships in the continent. The affordability and accessibility of Chinese technology products make them a preferred choice in many African countries. If China offers digital infrastructure development in addition to its existing contributions, it's likely that African governments would be receptive.

The approach of other superpowers, like the US and EU, which have also pledged significant funds for Africa's digital development, raises similar questions. The mode of implementation of these pledges, whether they involve significant local involvement or are led by foreign experts, can influence the level of acceptance and independence in these partnerships. Ultimately, the dynamics of international cooperation, historical ties, accessibility of resources, and state interests play crucial roles in shaping Africa's digital transformation journey. The choice of partner – whether China, the US, the EU, or others – will depend on these factors and the specific needs and strategies of individual African countries. As long as international cooperation does not contravene any laws or principles of international relations, states have the discretion to choose their partners based on mutual interests and benefits.

This interview is part of the Negotiating Africa’s digital partnerships: interview series led by Dr Folashade Soule with African senior policymakers, ministers, private and civic actors to shed a light on how African actors build, negotiate and manage strategic partnerships in the digital sector in a context of geopolitical rivalry. The series is part of the Negotiating Africa’s digital partnerships policy research project hosted at the Global Economic Governance programme (University of Oxford) and supported by the Centre for International Governance Innovation (CIGI).