By Johannes Hilling

On July 27th, it was reported that a cyber-attack on Kenya’s eCitizen platform and M Pesa services was conducted, resulting in the disruption of the payment service as well as the processing of eVisas and other government services (Mwai & Nkonge, 2023). While concrete attribution is unclear due to the hack’s recency, the “Anonymous Su dan” group claimed credit, stating political reasons on their telegram channel, reacting  to Kenyan President Ruto’s recent proposal to send the East African Standby Force as  peacekeepers in the ongoing conflict in Sudan (ibid.).  

While African private and public digital infrastructure is repeatedly targeted, this cyber-attack  showcases an overtly political dimension connected to a regional conflict. Regardless of  the group’s origin and motivation, be it cybercrime through ransomware attacks, appreciation towards political parties in Sudan, or the group’s international affiliations, this  attack evokes questions on continental responses to matters of cybersecurity and hybrid  threats, particularly by the prime decision-making body of the African Peace and Security Architecture (APSA), namely the Peace and Security Council (PSC). How does the  PSC perceive and react to cyber threats in peace and security dimensions? What is the  PSC’s role in the broader continental spectrum in dealing with cybersecurity issues? 

In what follows, this paper will, after presenting a rough overview of other continental  advances, summarise the most relevant PSC communiqués and press statements related  to cybersecurity to assess what the PSC has done so far. In a second step, it will briefly comment on the structural opportunities in how far the African Union Commission  (AUC) and other bodies in the APSA acknowledge and respond to hybrid threats and  cyber-attacks interrelated to conflicts. The concluding remarks discuss the role of the  PSC and possible APSA-AGA synergies for concerted response mechanisms.  

Cyber Threats

While dissecting the PSC’s understanding of cybersecurity, let alone a discussion  around a definition of cybersecurity is not an express scope of this paper, the role of cybersecurity in national, regional and international peace and security can hardly be overstated. The  PSC communiqués concerning cybersecurity, as later shown, share this view. For instance, the PSC “expresses deep concern, over the increasing global threats to Cyber  Security, which constitute serious threats to national, regional, continental and international peace and security”(AU PSC, 2019). Cyber-attacks can constitute a means of  warfare and a battlefield in itself (see Mbanaso, 2016). Literature on cybersecurity policy in Africa is replete. See Akintayo (2021) and Orji (2018) on the AU’s  cybersecurity policy, Bala (2021) for implications with an Ethiopian case study, and  Kshetri (2019), Maleh (2022), and Mwangi, Asaya and Akerele (2022) for a more general overview on the state of cybersecurity on the continent. So far, a dedicated focus on  the PSC’s role in cyber policymaking and its peace and security aspects has been lacking.  

Other Continental Advances 

While this essay mainly focuses on the PSC’s communiqués and statements, decision making about cybersecurity is influenced by context on decisions on different international, continental, regional and national levels. Prominent in this regard is the Budapest  Convention of Cybercrime, resolutions and capacity-building programmes by the United  Nations and the ITU, respectively. On the continental level, the first giant leap towards  a common legal framework on cybersecurity was adopted with the “African Union  Convention on Cyber Security and Personal Data Protection” (at this moment referred  to as Malabo Convention) in June 2014 (African Union, 2014). The convention came into force in June 2023 after the 15th member state’s ratification one month earlier (see  Data Protection Africa, 2023) 

The Malabo Convention sets out, for the first time, to define common interest in regulating cyberspace by addressing cybersecurity and the use of personal data on the continent (see Bouke et al., 2023 for a comprehensive literature review on the convention). The convention is structured into four chapters, dealing with electronic transactions (articles 1-7), personal data protection (articles 8-23), cybersecurity and cybercrime (articles 24-31), and final provisions (articles 32-38) such as action to be taken on the AU  level.  

The convention calls all state parties to establish national data protection authorities  (article 11) and to establish and harmonise personal data legislation and rights (13-23).  Further, it calls for the development of state parties’ national policies and strategies and  their responsibility in promoting “a culture of cyber security” (article 26 (1)) as well as  legal measures (article 25) against cybercrime by providing a list of different offences  (article 29-31) and the establishment of national cyber monitoring structures (article 27). Finally, the Chairperson of the AU Commission shall establish and oversee monitoring  mechanisms for this convention through capacity-building according to the state parties’  needs, among other tasks (see article 32). Other bodies, such as the African Union  Mechanism for Police Cooperation (AFRIPOL), are heavily focused on cybercrime and  act as coordinating mechanisms in continental efforts targeting criminal behaviour in  cyberspace. 

Furthermore, cybersecurity was declared a flagship project in the AU’s Agenda 2063.  The last two implementation reports so far did not mention meaningful progress “due to  lack of budgetary resources” (African Union, 2020, p. 36) except for the then-awaited ratification of the Malabo Convention and the formation of the African Union Cybersecurity Expert group (AUCSEG) in 2019. A press release on 12 December 2019 celebrated the African Union Cybersecurity Expert Group’s (AUCSEG) inaugural meeting after being endorsed by the Executive Council through Specialized Technical Committee on ICTs’ decision, EX.CL/Dec.987 (XXXII) (African Union, 2019). Its primary role  will be to advise the AUC on cyber security, provide solutions in domesticating the Malabo Convention, assist in establishing CSIRTs, and support the AU in creating an African Position within existing international processes related to cybersecurity, among others. 

The 2022 “Lomé Declaration on cybersecurity and fight against cybercrime”, as the  result of the Cybersecurity Summit 23-24 March, organised by Togo in collaboration  with UNECA, provided some leverage to the Malabo process by having all member  states’ ministers to agree in following up on the ratification process and strengthen African cooperation in cybersecurity (UNECA, 2022). 

The Peace and Security Council 

The Peace and Security Council (PSC) is the “standing decision-making organ for the prevention, management and resolution of conflicts” on the African continental level, according to its protocol (African Union, 2002, p. 4). Within its objectives to “promote peace, security and stability in Africa,  […] anticipate and prevent conflicts, […] to undertake peace-making and peace building functions for the resolution of these conflicts; […] co-ordinate and harmonise continental efforts in the prevention and combating of international terrorism in all its  aspects” (ibid.), it convenes regularly in closed and open sessions through its 15 elected  member states and AU representatives and acts “as the sole decision-making body of the AU and the central pinnacle of the APSA’s institutional framework” (Desmidt, 2019, p.  81). The AUC is responsible for implementing and supporting the operations of the  PSC, which reports through the respective commissioners about the state of implementation and other initiatives and “has in fact become the driving force behind the implementation of the AU’s peace and security agenda.” (Engel & Porto, 2014, p. 137).  

Thus, its communiqués inform the relevance of the topics discussed, and the fact  that at least five meetings of the PSC dealt with cybersecurity alone detect the overall engagement with the cyber domain in the AU-APSA conflict dimension. This dimension is also influenced by other advances, as stated above. The role of the PSC as a  key player in resolving conflicts might give a better understanding of how the cyber  domain is addressed in the institutional setting of the African Union. The following  presentation of the most relevant PSC communiqués will give flesh to the bone towards  answering how to intervene in cyber threats through the regional African Union setting.  

The PSC Cybersecurity-related  Communiqués

The PSC tabled cybersecurity for the first time at its 627th meeting on 26 September  2016 in an open session dedicated to “the crucial role of cybersecurity in the promotion  and maintenance of peace and security in Africa” with the respective press statement  (AU PSC, 2016). For the first time, it noted both the importance of information and  communication technologies (ICTs) and the threat to “national, regional and international peace and security” stemming from cyber threats and acknowledges “that a safe  and secure cyberspace is a necessary condition for reaping the benefits of the digital  transformation of Africa”. “A culture of cybersecurity” should be promoted through the  member states, including capacity building on tackling cybercrime, diplomatic capabilities to actively participate in international meetings and training of officials and government employees in cybersecurity. Furthermore, the PSC urged the member states to  follow up on the Malabo Convention and to develop “national and regional computer  emergency response teams (CERT) and computer security incident response teams  (CSIRT)” (ibid.). 

Regarding regional and international cooperation, the PSC stressed the need to establish  mechanisms, platforms and fora to discuss cybersecurity through the AUC and the consultations in the United Nations Group of Governmental Experts on a global cybersecurity framework. The AUC should thus develop a coordinative role in the continental  efforts, for instance, through a dedicated unit in the AU’s peace and security department. The PSC meeting communiqué No. 749 from 27 January 2018 (AU PSC, 2018) with  the theme: “Towards a Comprehensive Approach to Combating the Transnational  Threat of Terrorism in Africa” took up the issue again to recall the role of cybersecurity  and ICTs in the 627th meeting and reaffirmed “the need to counter the use of ICT technologies by terrorist groups, whether in their fundraising, narrative promotion, and recruitment of others to commit terrorist acts”. It welcomed Egypt’s proposal in the 627th meeting for an event/conference “to start an African Dialogue aiming at combating terrorism online and securing cyberspace” (ibid.) 

The PSC’s council 850th meeting communiqué addressed “Mitigating the Threats of  Cyber Security to Peace and Security in Africa” on 20 May 2019 (AU PSC, 2019). It  starts by recalling the Malabo Convention, the Executive Council Decision from the  Thirty-Second Ordinary Session 25-26 January 2018 to implement cybersecurity as an  Agenda 2063 flagship project. Concerned with the increasing global threats to cybersecurity and its implications towards national, regional, and international peace and security, the communiqué stressed national undertakings in cybersecurity risk assessments  and further enhancing their cybersecurity capabilities, to own their ICT infrastructures,  to establish and enhance regional and continental coordination, through harmonisation  of cyber strategies, cyber security responses and cybercrime laws. In the latter part, it  called for the member states to enhance their participation in continental efforts such as  the Smart Africa Initiative, the Malabo Convention and AFRIPOL and requests the  AUC “to establish mechanisms and platforms, such as regional forums dedicated to  discussing cyber security-related issues” and “to expeditiously develop a Continental  Cyber Security Strategy and a cyber security Model Law” (ibid.) With a much stronger voice, this communiqué reiterated much of what had been said before but pledged to now hold an annual session on cybersecurity in the PSC from now onwards.  

The PSC’s 1097th meeting held on 4 August 2022 (AU PSC, 2022a) convened on the  theme of “emerging technologies and new media’s impact on democratic governance,  peace and security in Africa” touching on broader topics on the influence of  technological development on peace and security, reiterating the already developed regulatory framework such as the Malabo convention and the AU Data Policy Framework. The meeting called for the “mainstreaming of cybersecurity in all AU peace and security mechanisms” and enhanced cooperation among the member states. It further demanded the  AUC to develop a “forward-looking Cybersecurity Strategy that considers emerging  technologies and new media” and to “develop necessary frameworks for common values, standards and codes […] relat[ing] to technology and democratic governance”.  Subsequently, the AUC was requested, in collaboration with the RECs, to systematically address possible misuses of technology, including cyberattacks as well as to work on  the awareness of AU member states on emerging technologies and to “develop a strategic approach to implement the UN norms on responsible state behaviour in cyberspace  at regional and continental levels” (ibid.) 

The PSC’s 1120th meeting on 9 November 2022 (AU PSC, 2022b) convened on the “on the Inaugural Engagement between the PSC and AUC on International Law.” After emphasising the essential role of cyberspace and ICTs in peace and security, the communiqué underlined the need for a common position in applying international law on cyberspace and increased African engagement therein. The AUC shall draft statements on the International Law to cyberspace and consult with stakeholders (see ibid.) The last communiqué on this topic was adopted on 13 April 2023 on “Cyber Security:  Impact on Peace and Security in Africa” (AU PSC, 2023). The preambulatory clauses emphasised the Malabo Convention as well as all the meeting communiqués mentioned prior  and explicitly issue their concern over the threat of “cyber-attacks, malicious use of  ICTs, and incidents of unethical and hostile cyber activities undertaken by both state and non-state actors, including the targeting of government institutions and public infrastructure; the spread of misinformation and disinformation, subversive activities and  interferences with national government processes, as well as the promotion of ideologies of hate and hate speech”. In condemning all cyber-attacks on the continent, especially those on the AUC IT infrastructure and encouraging the member states to develop  national cybersecurity strategies and policies, including CERTs/CSIRTs, the PSC intends to strengthen national and continental cybersecurity capacities. The AUC was requested “to expedite the establishment of a Unit within the Political  Affairs Peace and Security Department, which will work with all other stakeholders in  monitoring and reporting on cyber-security issues within the Continent, pursuant to  Press Statement [PSC/PR/BR.(DCXXVII)] adopted at its 627th meeting (Open Session)  held on 26 September 2016;” (ibid.)

 

Furthermore, the importance of a common African position on cybersecurity was underscored through a request to the AUC to complete the draft statement on the application of international law to cyberspace. Other requests to the AUC in the communiqué were establishing platforms and mechanisms, such as regional fora dedicated to cyber security, to share best practices and experiences. It encouraged all member states to use the existing capacities, such as AFRIPOL and CISSA, use the present learning opportunities, and call for the Regional Economic Communities (RECs) and Regional Blocks (RBs) to actively contribute to the member states’ efforts to combat cyber-attacks and establish regional cybersecurity centres. It finally called all member states to sign and ratify the Malabo Convention.  

Analysis 

What can be noticed first is that the PSC is repeating itself on central themes in the  communiqués from 2016 to date(2024), from urging member states to sign and ratify the Malabo Convention to establishing mechanisms and platforms for discussion and the sharing of experiences on the AU level through the AUC. Most of the matters decided upon  are directed to the member states or the AUC to establish expertise. While some progress has been made, for instance, through the creation of the AUCSEG or through help  provided by, e.g., UNECA in drafting model laws, an implementation problem is apparent. While one of the prime decision-making bodies of the AU has understood the  threats to peace and security of cyber-related incidents, at least on paper, there are no sufficient continental mechanisms to present a continental set of solutions. Moreover, it might seem like a futile  attempt to ask the AUC to present a continental cyber security strategy, given that only  19 African states have a national cybersecurity strategy in place, according to the ITU  (ITU, n.d.) only 15 states have ratified the Malabo Convention almost a decade ago when it was initially drafted.  

PErceiving  the Malabo Convention’s ratification process as the main bottleneck  could be deceiving. While this essay cannot explain the inner dynamics of the AUC in  cyber issues and their way forward, it is evident that the role of the PSC in cyber conflicts must be sharpened, and the agency of the AUC to be increased. So far, it is unclear  who makes decisions and rules on cyberspace on the continental level and how to respond to cyber-attacks.  As a result, limited implementation impedes  the  cyber security position embedded in the African Peace and Security Architecture (APSA), thus derailing continental responses to the cyber  threats occurring across  conflicts. The slowly grinding implementation process can be observed through the Lomé Declaration in 2022, whose main aim was to  raise awareness for the Malabo Convention at the member states’ ministerial level.  

An attempt to make sense of the implementation problem could be to discuss the notion of delegation in the AU’s peace and security matters. Hardt (2016) argues that in  the PSC, “AU Commission member states delegate some decision-making autonomy to  the organisation’s secretariat—known as the commission in order to compensate for  limitations in resources critical to security decision-making” (Hardt, 2016, p. 162). The  lack of the AUC’s progress in complying with the PSC’s communiqués, except for the  formation of the AUCSEG, extends Hardt’s argument in so far as the PSC delegates a majority of the necessary steps such as national cyber legislation back to the member states in an attempt to raise awareness for the importance of national advances. The PSC and AUC are thus caught in  a vicious circle on many decisions on cyber issues as well as on the implementation of the Malabo Convention, with crosscutting interests in  the realms of APSA and AGA and thus demand increased synergies  and precise strategies  on how cybersecurity can be structurally embedded in the continental body’s institutions to foster the AU’s “cyber posture” (see Akamo, 2022).  

Conclusion 

This essay summarised the main communiqués by the PSC on matters of cybersecurity after outlining the cybersecurity policy landscape on the continent with a focus on continental advances. The following brief analysis acknowledged that the PSC connected  cybersecurity risks as threats to overall peace and security but framed the challenges  distilled from the communiqués as lacking implementation and thus the necessary structural embeddedness in the implementing organs such as the AUC. Thus, it thus necessary to connect cyber threats to general questions in the African Peace and Security Architecture.

Bibliography 

African Union. (2002). Protocol Relating to the Establishment of the Peace and Security Council of the African Union. 

African Union. (2014). Convention on Cyber Security and Personal Data Protection  adopted by the 23rd ordinary session of the assembly, Malabo, Equatorial  Guinea. 

African Union. (2020). First Continental Report on the Implementation of Agenda  2063. 

African Union. (2019, December 12). Press release: African Union Cybersecurity Expert Group holds its first inaugural meeting.  https://au.int/en/pressreleases/20191212/african-union-cybersecurity-expert group-holds-its-first-inaugural-meeting 

Akamo, J. (2022). The Malabo Convention and Africa’s Cyber Posture. Institute for  Peace and Security Studies. 

Akintayo, J. O. (2021). Algorithms of Oppression?: AU’s cybersecurity policy and its  enforcement in Africa. In Routledge Companion to Global Cyber-Security Strategy. Routledge. 

AU PSC. (2016). Press statement issued after the 627th PSC meeting held in Addis Ababa, Ethiopia, 26 September. PSC/PR/BR.(DCXXVII). 

AU PSC. (2018). Communiqué of the 749th meeting at the level of heads of state and  government held in Addis Ababa, Ethiopia, 27 January. PSC/AHG/COM.(DCCXLIX). 

AU PSC. (2019). Communiqué of the 850th meeting held in Addis Ababa, Ethiopia, 20  May. PSC/PR/COMM. (DCCCL).

11 

AU PSC. (2022a). Communiqué of the 1097th meeting held in Addis Ababa, Ethiopia,  04 August. PSC/PR/COMM.1097.1 (2022). 

AU PSC. (2022b). Communiqué of the 1120th meeting held in Addis Ababa, Ethiopia,  09 November. PSC/PR/COMM.1120.1 (2022). 

AU PSC. (2023). Communiqué of the 1148th meeting held in Addis Ababa, Ethiopia, 13  April. PSC/PR/COMM.1148 (2023). 

Bala, D. B. (2021). Cyber Security in African Union and Ethiopia and Its anticipation.  International Journal of Mechanical Engineering, 6. 

Bouke, M. A., Abdullah, A., ALshatebi, S. H., Atigh, H. E., & Cengiz, K. (2023). African Union Convention on Cyber Security and Personal Data Protection: Challenges and Future Directions (arXiv:2307.01966). arXiv.  https://doi.org/10.48550/arXiv.2307.01966 

Data Protection Africa. (2023, May 19). Africa: AU’s Malabo Convention set to enter  force after nine years. Data Protection Africa | ALT Advisory.  https://dataprotection.africa/malabo-convention-set-to-enter-force/ 

Desmidt, S. (2019). Conflict management and prevention under the African Peace and  Security Architecture (APSA) of the African Union. Africa Journal of Management, 5(1), 79–97. https://doi.org/10.1080/23322373.2018.1563465 

Engel, U., & Porto, J. G. (2014). Imagining, Implementing, and Integrating the African  Peace and Security Architecture: The African Union’s Challenges. African Security, 7(3), 135–146. 

Hardt, H. (2016). From States to Secretariats: Delegation in the African Union Peace  and Security Council. African Security, 9(3), 161–187.  https://doi.org/10.1080/19392206.2016.1208474

12 

ITU. (n.d.). National Cybersecurity Strategies Repository. ITU. Retrieved 14 August  2023, from https://www.itu.int:443/en/ITU-D/Cybersecurity/Pages/National Strategies-repository.aspx 

Kshetri, N. (2019). Cybercrime and Cybersecurity in Africa. Journal of Global Information Technology Management, 22(2), 77–81.  https://doi.org/10.1080/1097198X.2019.1603527 

Maleh, Y., & Maleh, Y. (2022). The African View on Cybersecurity. In Y. Maleh & Y.  Maleh (Eds.), Cybersecurity in Morocco (pp. 29–40). Springer International  Publishing. https://doi.org/10.1007/978-3-031-18475-8_3 

Mbanaso, U. M. (2016). Cyber Warfare: African Research Must Address Emerging  Reality. The African Journal of Information and Communication (AJIC), 18, Article 18. https://doi.org/10.23962/10539/21789 

Mwai, P., & Nkonge, A. (2023, July 28). Kenya cyber-attack: Why is eCitizen down?  BBC News, Nairobi. https://www.bbc.com/news/world-africa-66337573 

Mwangi, T., Asava, T., & Akerele, I. (2022). Cybersecurity Threats in Africa. In D.  Kuwali (Ed.), The Palgrave Handbook of Sustainable Peace and Security in Africa (pp. 159–180). Springer International Publishing.  https://doi.org/10.1007/978-3-030-82020-6_10 

Orji, U. J. (2018). The African Union Convention on Cybersecurity: A Regional Response Towards Cyber Stability? Masaryk University Journal of Law and Technology, 12(2), 91–129. 

UNECA. (2022, March 23). In Lomé, leaders commit to tackle cybercrime and enhance  digital safety in Africa. https://www.uneca.org/stories/in-lom%C3%A9%2C leaders-commit-to-tackle-cybercrime-and-enhance-digital-safety-in-africa