Africa witnessed a spate of cyberattacks in 2023, against African Union Commission (AUC) systems, Kenyan government data systems, and Nigerian election infrastructure among others.
The attacks seem to have served as a wake-up call for the African Union (AU), driving its Peace and Security Council (PSC) to make cybersecurity a key agenda point at this year’s summit, held in Addis Ababa.
Real achievements were made: African heads of state addressed a number of cybersecurity related matters – the first notable action on the issue since the AU created its Digital Transformation Strategy for Africa (DTS) in February 2020.
At the summit the AUC was directed to expedite the development of a Continental Cybersecurity Strategy. A continental child online protection policy was also adopted, and a Common African Position agreed on the application of international law in cyberspace – a significant development.
But the Malabo Convention, Africa’s ambitious continental cybersecurity agreement, remains unratified by most AU countries, limiting its credibility. Without wider ratification, and better cooperation on cyber diplomacy, member states may find it difficult to develop the coherent African cybersecurity agenda that is needed.
Africa’s regional cybersecurity situation
Cybersecurity is a flagship project of the AU’s Agenda 2063. However, in recent years member states have been criticized for failing to prioritize it.
AU countries face significant, divergent cybersecurity challenges due to their very different political, social and cultural contexts – extant approaches towards the rule of law are similarly reflected in cybersecurity governance dynamics.
Africa has also previously been marginalized in global cybersecurity governance forums – though this seems to have changed as African countries have shown obvious interest in UN negotiations to agree a global cybercrime treaty. The process is chaired by Algeria, and vice-chaired by Nigeria and Egypt.
Indeed, the development of an African group at the negotiations can be interpreted as an emerging push by AU member states to strategically cooperate to improve the continent’s cybersecurity.
The Common African Position on the Application of International Law in Cyberspace
An important further moment in cybersecurity cooperation was delivered at the AU summit with the agreement of a Common African Position on the Application of International Law in Cyberspace.
The entire process was spearheaded by the AU’s Peace and Security Council (PSC) and provides a contextual African restatement of the applicability of traditional international law rules and principles in cyberspace.
This means that AU member states have, among other things, openly affirmed their obligations to uphold international law in cybersecurity governance, and to ensure responsible state behaviour in cyberspace in accordance with the norms of international law.
That is a very positive step. But the AU could do more to facilitate better cooperation in other important areas.
External influence and cyber diplomacy
AU countries urgently need to better align their cyber diplomacy strategies. Many see China and Russia as key partners in cybersecurity: Russia’s position in negotiations on the UN cybercrime treaty, for instance, is supported by many African countries.
Other countries see more promise in working with Western partners, creating a risk that African collaboration on cybersecurity may be undermined by US–China competition.
Without strategically defined cyber diplomatic relations, Africa will continue to find it challenging to build continent-wide cybersecurity capacity, with its policy more divided than assisted by external powers.
The AU can make a valuable contribution here, providing platforms for international cybersecurity cooperation, helping to ensure that African cyber diplomatic relations with the West, Russia and China are not subservient, but developed on a practical, operational basis.
A ratified Malabo convention, providing a harmonized African understanding of cybersecurity policy, would provide a useful basis for that role.
The Malabo Convention
The African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), drafted in 2011 and adopted in 2014, portrayed Africa as a continent prepared to tackle cybersecurity with serious, unified action.
It would make Africa the only region in the world with a continental agreement that combined cybersecurity, security of electronic transactions and personal data protection in a single treaty.
The Convention only entered into force on 8 June 2023, following serious delays to ratification by AU members. Even then, only 15 of the AU’s 55 countries had ratified it, limiting its continental credibility.
Unfortunately, since the Convention entered into force in 2023, only one more African country – Sao Tome – has ratified it. None of Africa’s perceived ‘super’ countries, including Egypt, Algeria, Nigeria, South Africa, Kenya, Morocco or Ethiopia (where the AUC sits) have ratified.