IGF 2022 Day 2 Launch / Award Event #84 ECA Cybersecurity Model Law Guideline

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> CHAIR:  Good afternoon.  And thank you for coming for the launch of the cybersecurity model laws in Africa.  As you know we have ‑‑ we had a meeting ‑‑ we validated this report, this guideline during the African Internet Governance Forum held this year in Malawi. 

    Cybersecurity is a very important topic in the continent.  And we can't realize this digital transition without securing the cyberspace.  We have at the continental level several frameworks of this Convention of cybersecurity adopted by only 14 countries now.  We already added this data governance framework this year.  We are working to develop digital single ‑‑ single digital market with AUC as well as in African strategy on Artificial Intelligence.  All this framework for implementing them we need to secure a cyberspace.  And why today we are going to launch this guideline to try to help all African countries on the missing link in the Malawi Convention. 

    Before we go to the presentation of this model law guideline, I'm going to give the floor to the director of technology and natural resources management at UNECA to say a few words.  Jean‑Paul, you have the floor. 

   >> JEAN‑PAUL ADAM:  Thank you very much, Maktar.  And good afternoon to everyone.  And thank you very much for making the effort to join us for this event and for the presentation on the proposals for model law on cybersecurity. 

    As Maktar already mentioned it is a missing link.  One of the pillars is to be able to have appropriate and secure methods to be able to ensure that African populations, governments, businesses all have secure access to the Internet and can use it as the development tool that we want it to be. 

    We want to make sure that we can really implement the digital transformation.  And in the same way, that you will not achieve ‑‑ you will not achieve the appropriate levels of trade, for example, if your roads and highways are not up to standard and are not safe, in the same way we will not achieve the type of digital transformation that we want if our digital highway is not safe and secure. 

It is about more than just policing.  It is about having a safe space.  It is about having a space whereby anyone can access this space in safety and security without harassment and without challenges to their own well‑being. 

    The goal of this model law is to really allow countries to implement in a very practical sense the type of enabling framework that allows cybersecurity to be implemented in an African context. 

    We are all aware of the Malawi Convention.  We are close to hopefully getting full for it coming in to force with one more signatory.  But what we have realized in the engagement of various countries is that the Malabo Convention, we need to look at it in the context of each individual country.  The hope this individual law makes it easier for countries to adapt to their own situation.  And thereby look at those aspects of the Malabo Convention that are most relevant to them and facilitate the context. 

    We, of course, are also developing a regional center on cybersecurity in Lome.  And this is another one of the pillars that will help us to deliver only the appropriate format for cybersecurity in countries and provide the appropriate capacity building.  The center will assist in the continuation of the implementation of these kinds of model laws.  And also provide a focal point for researchers across the continent looking at cybersecurity as well as engagement from partners such as Civil Society, and also as such as the private sector. 

    And in conclusion, we are on the cusp of the Digital Age in Africa.  We may feel like we are far behind because yes, we have a lot of catching up to do compared to other regions.  But there is also a lot happening. 

Over 2 billion dollars invested in 2021 in tech startups in Africa.  We are seeing increased investment in digital technologies and infrastructure.  11 out of the 69 projects that have been prioritized under the continental PETA framework for priority infrastructure 11 are in ICT related fields.  These are the building blocks that will allow African countries to change their modality of economic growth, moving away from simple extraction and export and resources to true value addition. 

    And I think that is where we have to recognize where safety is critical; security is critical.  And without the right regulatory framework through cybersecurity law we will not be able to deliver.  This is how important this model law is. 

I would like to thank all those who have helped us, the partnerships that we have notably within the IGF context, WSIS context, our partnerships with the African Union and thank the ECA team led by Maktar.  We look forward to seeing more details on the model law. 

   >> CHAIR:  Thank you, Jean‑Paul.  Let me give the floor to Nnenna.  She is connected from UK to make a presentation on the guideline.  After that we are going to open the discussion before we officially launch this model guideline law. 

    Nnenna you have the floor. 

   >> NNENNA IFEANYI‑AJUFO:  Thank you very much, Maktar.  Good afternoon, everyone.  And I want to say thank you to UNECA for this change‑making effort and initiative to develop a guideline for an appropriate model cybersecurity law in Africa which is much needed.  Listening to Jean‑Paul talk about you will find on every note he is right regarding the benefit and need for such a guideline at a time like this when Africa is pursuing digital transformation in the entire nation.  Under the guideline and direction of the UN Economic Commission for Africa, Africa has an appropriate guideline.  It has been agreed that the guideline shall be known as the ECA guideline for a model law on computer‑enabled and computer‑related crimes in the African Union Member States.  And also referred to as the ECA guideline for a model cybersecurity law. 

    In general, this guideline will provide guidance to African Member States for designing cybersecurity legislation and explains the key features and benefits of a standard cybersecurity law. 

    Before I go forward I wanted to draw our minds to the cybersecurity legal framework landscape in Africa to understand the necessity of a guideline.  Jean‑Paul has talked about the Malabo Convention on cybersecurity.  And since 2014 Africa has been working to ensure it receives adequate ratification for it to come in to force by Article 36 of the Convention.  Africa lacks a regional cybersecurity framework as it is.  There is no uniform law across the region to ensure that there is a legislation covering cybersecurity.  We are at 14 ratifications as it is and hopefully can move forward for it to enter in to force.  Again research has also shown that out of 54 assessed countries, just over half of African countries have a cybersecurity legislation or have passed some form of legislation to promote cybersecurity, which means we are still far behind. 

Again you find that even where cybersecurity legislation exists sometimes the legislation are inappropriate or ineffective.  Sometimes you see a copy and pasting of cybersecurity legislation taken from elsewhere.  There is no regional cybersecurity strategy.  It is still working towards having a regional cybersecurity strategy.  The ITU undertook an assessment this year and only about a third of Africa's 54 countries have completed a national cybersecurity strategy.  If you look at those cybersecurity strategy, research has also shown that only about three, three of the strategies meet the expected demands in terms of what an appropriate cybersecurity strategy is.  And so again I would say that applaud the efforts of ECA in taking this initiative for the region. 

    What's the rationale for this cybersecurity guideline?  We have to think about the fact that introduction and implementation of cybersecurity laws is an essential component of a regional response in how we seek to ensure cybersecurity in Africa.  If you look at the global index it shows that many African countries are at a very weak cybersecurity maturity level.  You cannot curb cybersecurity without the appropriate legal framework.  We are at a time when looking at the digital transformation strategy.  We have just eight years left.  And we know that effective and efficient digital transformation in Africa can only be achieved with cybersecurity.  Many African countries do not have legislation to support cybersecurity. 

So showing you the necessity to develop these Guidelines, again you have rampant, inappropriate legislation.  In 2020, Nigerian cybersecurity legislation was sort ‑‑ there was a move to ask Nigeria to amend the cybersecurity legislation.  Do not meet appropriate Human Rights standards.  So sometimes you have inappropriate legislation across the region to support cybersecurity.  So a set of guiding principles for the African Government is very important so that we can establish standards to ensure cybersecurity at global best practices. 

    Now what was the approach to developing the Guidelines?  We sought to reach a minimum set of baselines considering different factors.  First UNECA looked at existing legislation in parts of Africa.  Again the Malabo Convention and Convention on cybersecurity, which is the Budapest Convention of 2001, and we looked at United Nations norms of responsible state behavior.  Ensuring and advocating that states must look at Human Rights as they police and promote cybersecurity. 

    Finally, we note that there are ongoing efforts to develop a global cybercrime convention.  As part of the efforts to develop this Guideline attention was given to the processing, elaborating the United Nations global convention on countering attacks.  On a guideline you will see topics like ransomeware for recent discussions going on at the UN level of what should be in a cybersecurity legislation. 

Another important fact to mention, I would not take us back to this, is the fact that this is not just issued without consideration to appropriate consultation. 

    During the APrIGF in Malawi in July there was an expert Forum to deliberate on the draft Guideline.  Having taken from experts across the region on different disciplines and fields related to cybersecurity that was consolidated in to the final version.  You would see a difference from the first draft in the sense there are now more provisions and definition of terms is now more expanded to undertake different definitions in relation to the Guideline. 

    So what is the objective of the Guideline?  And this is a very important aspect in terms of understanding the purpose of the Guideline.  The Guideline is not a law.  The Guideline is not binding on any African state.  The Guideline is not a legislation.  It is just a set of guiding principles for African Member States.  So UNECA cannot constitute states and say you must have a binding treaty.  So it is a guiding principle which African states can follow or sought to establish standards for ensuring cybersecurity or cybercrime laws. 

So the Guideline will not limit ‑‑ it does not limit and it cannot limit the operation of any national or regional law that's already in existence or may come in to existence in the future that regulates cybersecurity or prohibits any activity that is regarded as cybercrime in their own jurisdiction. 

    The Guideline as well if you look at the guide ‑‑ it does not attempt to provide specific legislative language for stipulating the provisions of cybersecurity or cybercrime laws or how the implementation of that law would go.  You see may or should; it leaves the precise language to the discretion of African states with respect to the sovereignty of African states and recognizing that African states may vary in terms of legal systems. 

So the precise language is left to the discretion of African states.  Now what is the purpose of the Guideline?  Just briefly.  It is designed to assist Member States in drafting and reforming, modernizing cybersecurity laws.  There are so many investments that African states must begin to think about, to take in to account the need for promoting cybersecurity in the region and to change our dated laws.  It is also for policymakers, for legislators who wish to understand the valuable component of a model cybersecurity law.  I was in Costa Rica for a Council of Europe event last month.  And one of the representatives was saying they needed a law and they couldn't find anything.  And they had to go to the Commonwealth model law at that time just to do something in one week.  That sort of gives you a vivid evidence or representation of the need for a model Guideline. 

    The Guideline also attempts to breach best practices principle looking at offenses and powers and mutual assistance.  It also provides Guidelines for provisions.  So apart from the general and elaborate, substantive offenses, powers, you will find it gives detailed provisions in relation to principles, such as law enforcement, oversight, respect for Human Rights.  It also provides guidance on law enforcement activities for ensuring cybersecurity that underscores the respect for Human Rights in accordance with international and regional Human Rights standards such as the African Charter on human and people's rights.  For example, we went as far as including identity theft you do not see in many legislation.  But it identifies recommendations on standards for cybersecurity laws. 

    Just to give a brief outline, before I give the floor back to Maktar, it has seven parts.  The first part is the introduction.  And I will take you through the components of each part.  Part 2 is general scope.  General scope just advises African Member States on what an appropriate cybersecurity legislation should include as a summary.  Part 3 looking at general offenses and African states are not tied to taking everything.  There is the liberty because they are sovereign states to say we want to look at general scope.  We want to look at the cooperation part to give us appropriate understanding.  We do not have adequate laws, but we want to understand what cybersecurity management is. 

So part 4 looks at criminal procedure and determination of liability.  And part 5 looks at criminal procedure as it relates to law enforcement.  Part 6 looks at cybersecurity cooperation which is very important.  And finally for me the most important part, cybersecurity management, which is not usually talked about when you talk about cybersecurity.  We find that in Africa there is more of a focus on criminalization.  And we don't look at prevention.  We also don't look at how we respond at the end of effects.  So part 1 gives you a general Guideline in terms of introducing the Guideline, what the Guideline is about.  It talks about the object of the Guideline, the purpose of the Guideline and, of course, a very important component which is the definition of terms.  It defines the terms that you will find in the Guideline of the Guideline.  Part 2 looks at general scope.  What part 2 does is to tell states how to focus the content of cybersecurity legislation. 

    What to look at.  What is cyber dependent.  What is cyber enabled.  What the law must respond to and manage and prevented.  The sort of services that are essential for functional cybersecurity enforcement or cybersecurity policing.  It also talks about how to prioritize Human Rights and a general framework in terms of what would be the content of the legislation. 

    Part 3 looks at general offenses.  And this is very important.  Like I said, you would see many provisions and such offenses that you do not find in many treaties or even legislation that exists in the continent and outside of the continent.  It looks at illegal and nonauthorized access.  Illegal interception, misuse of computer devices, unauthorized interference with computer systems, child pornography, misleading content targeted at children.  How do we deal with content that is targeted to mislead children that may be criminal at the end of the day.  Whether a person is leaving or diseased.  Denial of service attacks.  Ransomware and computer extortion, fraudulent inducement.  This is something that is new. 

Online infringement of copyright and related rights.  It looks at cyber squatting and unlawful obtaining of personal data.  If you go on to part 4 of the Guideline, it looks at criminal procedure and determination of liability.  How do you determine liability which is very important.  Before you can determine liability in any criminal legislation.  So it gives it guidance on criminal intent.  It gives guidance on criminal negligence.  It gives guidances on abiding and abetting as well as persons and offenses by cooperation.  So we are aware that crimes can be committed by corporations as well.  It gives guidance as to how states can ensure liability of persons, whether individuals or corporations, as well as when corporations commit offenses that can be tagged as cybercriminal in national laws or legislation. 

    In part 5 it looks at more procedural and gives guidance on substantive powers.  Conditions and safeguards that are necessary for law enforcement.  The preservation and disclosure of data.  Production and obtaining as well as search and seizure of computer data.  It talks about authorization and blocking and filtering and removal of illegal content online by promoting public/private partnership.  Online service providers, Internet service providers as well as the jurisdictional scope of states when states can enter their jurisdiction in terms of law enforcement or have been cybersecurity. 

In chapter 6 it talks about cybersecurity cooperation and details guidance and advice on cooperation and mutual legal assistance.  The measures to law enforcement cooperation, international cooperation, but most importantly a multi‑stakeholder approach to cybersecurity in any African state.  So it gives guidance on public/private partnership as is very important. 

    Finally, chapter 6, finally, it talks about critical infrastructure.  The essence of that chapter is on cybersecurity management.  So in terms of cybersecurity management, it tells states how to protect critical national infrastructure, what can be defined as critical infrastructure, how they can go about defining and understanding critical infrastructure.  It also advises states on computer emergency response, the need for 24/7 cybersecurity point of contact.  And framework to pursue and promote cybersecurity.  The establishment of a central authority for cybersecurity regulation.  Cybersecurity assistance and support for victims, this has been missing in Africa.  We prosecute, criminalize, but we do not talk about promoting and establishing support for victims.  And in situations they have fallen prey to cybercrime activities. 

It talks about education and training as part of cybersecurity leadership and management and also advises states on cybersecurity research and development.  This is something very important to UNECA.  We heard Jean‑Paul talk.  And so this is very important to include in any legislation.  And finally which is ultimate, the need for African states to regularly amend domestic legislation.  We see how revolution, how change, amendments and enhancement, growth in terms of ICT penetration and use causes more increase in criminal activity.  So it is important that domestic legislation will always be revised or amended to meet expected and contemporary standards at any time. 

    That is just a brief summary of what is contained in the Guideline for the model cybersecurity law.  I give the floor back to Maktar.  And I look forward to the deliberations that will follow.  Thank you very much. 

   >> CHAIR:  Thank you very much for this wonderful presentation.  This report has been prepared since maybe 12 months, 11 months.  We have a ‑‑ as I said at the beginning we have a validation workshop in Malawi.  And what we have written ‑‑ it is not a law ‑‑ it is a Guideline to assist Member States to develop their national cybersecurity strategy.  We cover a lot of area on this Guideline.  Just I want to give you the floor for your view, comment before we proceed to the launch of this report. 

    We have one, two, three, four.  Let me start by ‑‑ go ahead, please. 

   >> AUDIENCE:  Thank you very much.  I mean this is an excellent, excellent initiative.  But just I was writing quite a few notes.  There are several Member States that have different cybersecurity laws, different levels, Guidelines.  They have data protection acts, which some of these issues address.  I wanted to really just get a sense of how this Guideline marries in to this.  I think it was inferred, but I just wanted it in simple terms and proper clarity so that we can get out of here knowing this is how it merges in to this.  Thank you. 

   >> AUDIENCE:  Thank you very much.  I just wanted to find out about the review process.  So South Africa does have a cybersecurity bill.  At the moment we have a cybersecurity act.  And we have some laws in terms of cybersecurity at the moment.  However, I think that what we don't have and we do need is a startup act which is what we are in the process of writing at the moment.  And we've just collected a movement and are just starting to get some legs and action in terms of creating the South Africa startup act.  So in terms of innovation and new technologies there is a lot of work going on in Africa at the moment across investment and Development Programs in entrepreneurship across the sector.  I just wanted to find out about the review process in light of it being a recommendation.  Has there been work done in to the review process and how or what are the recommendations in terms of review and progress in innovation and technologies? 

   >> AUDIENCE:  My question is you mentioned that there is two billion or something that's invested in Africa.  And there has been a lot of support for women business.  I don't know if you mentioned it.  I just want to find out was that for training?  How was it used?  Because we find that there is so much money spent on entrepreneurship and a lot of it goes to facilitators and trainers, not the business itself.  So if you can just elaborate on how that portion was used. 

   >> AUDIENCE:  Thank you.  Good afternoon, Ladies and Gentlemen.  I come from Zambia.  My name is Richard.  So we have the cybersecurity and cybercrime acts in Zambia.  Very problematic law.  Just the genesis, how it was born.  Enacted in Parliament when all ‑‑ parliamentary stand orders were suspended.  But it is also in the content itself of the bill, the way the law is structured.  And because it has got very vague and purposefully vague provisions on search and seizure, for example, publication of information and others.  Warrants, warrants should be obtained. 

    The judicial safeguards are very weak.  How ‑‑ and this law is in court.  But also some parts have been petitioned by lawyers and ourselves.  And the review process has started.  How do you think that this review, this review can help our situation in Zambia?  It is not only in Zambia where this problem, like we ‑‑ when we come here to the EU, we have these good things that you are talking about.  But what is it that happens between Hari and Zuka?  We have this good model.  We have these problems that we are discussing.  And these laws are facilitating during shutdowns.  How can you help us ‑‑

   >> CHAIR:  Thank you. 

   >> AUDIENCE:  Thank you very much.  My name is Victor from the Action Network.  Thank you very much for these Guidelines.  Just some observations, one on the management of cybersecurity.  I know Nnenna said it was most important.  We found it at the end of the presentation.  I'm wondering in terms of prioritization, we have ‑‑ we have a problem with the focus of cybersecurity laws starting with offenses.  And it is a big problem.  If we are seeing one to one focus on cybersecurity, would it have made more sense to start with cybersecurity management as the primary thing that laws are supporting as opposed to giving you the criminal aspects?  We are not dealing with criminals.  We are trying to improve cybersecurity.  Something to think about in that respect. 

The other thing is I have seen a lot of provisions on, you know, search and seizure and all these things. 

    How does a Guidelines deal with judicial oversight?  Because we know a number of countries that is the biggest gap because like from a ‑‑ my colleague just said, you know, access, you know, without any formal procedure, without any oversight without any check and balance, without any reporting framework for transparency.  To what extent does the Guideline help clarify and encourage countries to be more transparent, especially when they want to do interception? 

And I think lastly is on where you mention public/private partnerships, and I know the one multi‑stakeholder has been mentioned.  Sometimes public/private eliminate Civil Society Organization.  Would it have been useful to just say multi‑stakeholder approaches to cybersecurity as opposed to public/private so then part of the stakeholders don't look like they have been limited? 

   >> CHAIR:  Thank you very much.  Let me give the floor to Nnenna to respond to the first round of questions and then we will give the second round ‑‑

   >> NNENNA IFEANYI‑AJUFO:  The gentleman from Zambia has answered the first question.  Any governmental institution will do.  And so this is not a law.  It is not a law.  It is not going to tell states you must do this.  But in terms of its good offices, UNECA is giving a Guideline.  It is much needed.  Like the gentleman from Zambia is saying, when we look at the cybersecurity laws we did an analysis.  You find that some are very problematic.  If you have a law in South Africa remove it.  But I feel that the problem is when we gather like this, we talk about Kenya, Nigeria, South Africa, Morocco.  We talk about the big countries.  We forget there is smaller African countries that need guidance who are not even at this table.  So they still need guidance. 

So we are not saying it affects what South Africa is doing.  We are not saying that it is going to displace what any country is doing.  This is just ‑‑ on the basis of the good offices of the UN agency to say we need Guidelines because there are so many laws that need to be addressed in terms of international best practices.  It is clear on the object that it doesn't trivialize state sovereignty.  It doesn't tell states what you are doing, it is no good. 

In terms of clarity, this is a Guideline and states working with the UN would appreciate that.  In terms of the review process, like Maktar has said this has been ongoing for a long time.  I see experts in the room that give valuable advice how it was reviewed.  It was a Forum at Malawi where experts give recommendations on what to see, taking in to recognition the different legal systems that exist in Africa. 

    After that we also looked at getting experts on the table to review what had been done.  And then like I said, we waited for the third session of the UN ad hoc process to look at more discussions and that particularly informed the provision on cybersecurity cooperation.  And like Victor was talking about the OEW process as well.  We looked at that and that led to the provision on public/private partnership. 

In terms of the billion dollar question and I would leave that for Jean‑Paul and Maktar, it is not within my powers to answer that.  In terms of the gentleman from Zambia, I absolutely agree with you.  Depends on states and that's where Civil Society Organizations can then come in with people like Victor, saying to states that there is a Guideline we wish you can look at.  You can look at the Malabo, for example.  African states have not given adequate ratification.  You can't force them.  It is where the multi‑stakeholder discussion comes in to say look, you have this sort of Guideline.  Let can this be a guide as to how you develop your laws.  And that's why I agree with Victor's position, that perhaps cybersecurity management should have come before. 

So this traditional security centered approach affects the way that African countries design their cybersecurity laws.  So what does this Guideline do is temper that understanding?  There is a continuous mention of Human Rights.  Even if you go to search and seizure, you go to warrants, it shows you that, you know, law enforcement officers must get warrants from the judiciary.  We assume the judiciary is independent and not biassed, to start telling judges what to do.  I'm a lawyer, for example.  We believe in equity and finance of the judicial sector.  The independence of the judiciary and the fact that judiciary is not biassed.  You may not need to start telling states. 

    And feedback from Victor is taken as well.  Thank you for your points always.  What you highlighted is important.  Why it is even at the end, when you have read it at the end it remains in your consciousness for longer because it is the last thing you see and it remains in your subconscious more than what you see in the beginning.  Thank you very much. 

   >> CHAIR:  Thank you.  I think you have the same question as Malawi.  Let me give the floor to Jean‑Paul. 

   >> JEAN‑PAUL ADAM:  The question on investment and tech startups, so the figure I gave was 2.15 billion U.S. dollars, which is actually the private sector investment in tech startup.  It is not ‑‑ it is not aid.  And it is not Government led.  It is actually showing that a lot is happening in Africa.  Maybe despite the fact that our ‑‑ even if our environments are not optimal.  But it means that there are things happening, in 2021 in the midst of the pandemic.  We need to then frame that innovation and provide the opportunities to actually take that even further. 

Cybersecurity is one of those pillars.  Those funds, we are talking billions of dollars, those will dry up in an instant.  And the environment for investment is not secure.  And here a lot of that environment is more and more going digitally. 

    So we ‑‑ that's why the cybersecurity aspect is so important.  And then on the question ‑‑ on the training, I figure I talked about was not about training.  It was about investment in developing companies or developing startups and companies. 

    But you make an extremely valid point about where there are funds that are available for capacity building.  We want to make sure that that capacity building is not simply going to consultants.  We want to build capacity in the country.  If I use the example of the coding camp that ECA has been organizing, actually a lot of the people who are here in Nigeria, for a lot of the trainers that we use now for the coding camps were trained in the first addition of the coding camp and a lot of them here in IGF.  So the idea is that we want to build capacity in countries to do so.  And I think on cybersecurity, the point will be the same.  You have to build local capacity for training and for research which can then replicate within the country. 

    Then the aspects about how the model law is applied.  We can't ‑‑ we can't insist that Governments apply it in one way or another.  But we have seen that some of the reticence about ratifying the Malabo Convention, it is so vast.  And some countries have had difficulty and there are different reasons. 

    Some which may be more valid than others.  But countries have found it hard to just domesticate the Malabo Convention in its entirety.  Some countries have taken a pragmatic approach and Ghana is an example.  And they have done that domestication already.  Adapt with their own situation.  And then the linking this with the role of the regional center which would be established in Lome, this will help countries to do peer learning. 

If you take an example of a country that has successfully implemented a cybersecurity law and it doesn't need to be based on our model law.  We heard the example of South Africa.  They may have an existing law, which is good.  It is saying if you want to look at some of the best practices and they are contained in in model law.  We want to use the regional center to demonstrate in very practical terms because I think it is very important to think about this in practical terms and not just theoretical.  Because I think a few of you have made the point that a few governments as soon as they think of cybersecurity, the first thing they think about is Counter‑Terrorism restriction means of control.  And that's the wrong way to look about it. 

    So if the first reaction is to look at restriction, then that's not the point of implementing cybersecurity.  You are trying to make a road safe.  You are not trying to close the road.  You are trying to make sure that the road is able to get people from A to B as quickly, as safely and simply as possible.  That's what a cybersecurity law should be about. 

And I really agree fully with the point from Nnenna about the role of Civil Society will also show this is the model law.  And certainly I think it is valid to say that if the ‑‑ and there is no one size fits all.  But if in certain countries we see that cybersecurity aspects are being applied too restrictively, then there is a big role for Civil Society to use the model law as an advocacy tool to try and bring countries towards a more practical and user friendly experience.  And I really appreciate the input and proposal for looking at multi‑stakeholder engagement and not just necessarily focusing on the private sector. 

    So I think those are maybe the ‑‑ I hope I have covered the points.  If I have missed something, tell me. 

   >> CHAIR:  Second round.  After I will come to you later.  Let me ‑‑

   >> AUDIENCE:  Hi everyone.  I'm Ellen from Indonesia.  I think we have several issues that looks quite the same about criminalization, issues on ‑‑ several issues that Nnenna has mentioned also.  I just want to know about the standpoint of the cybersecurity model law on how to have the digital forensics measure in handling the cybersecurity incidents or cybersecurity crime.  If you can elaborate on that part, thank you. 

   >> CHAIR:  Jimsome. 

   >> AUDIENCE:  Thank you very much.  I'm Jimsome.  I was one of the expert group members.  I really want to commend UNECA, JP and Maktar and Nnenna for the excellent vision and job done.  Let me first say that it is just a comment, let me say that the whole essence of cybersecurity is basically to guarantee the confidentiality, integrity and availability of Internet resources that has development.  And then when the infringement and just to be penalties, so that's ‑‑ to secure an infrastructure.  Internet economy basically. 

    So as Nnenna mentioned, the management of cyber infrastructure is actually a big priority.  That's as you say very correct.  So how to manage it to ensure vulnerability are identified and properly mitigated.  And if the issue of infringement, there should be penalties. 

    Well, I really wish this would have come up earlier, but it is still okay, Nigeria came out with a cybercrime law in 2015.  As the Chair of the Africa Alliance then, we took a review and we saw glitches there.  And we raised it.  And took to a court of law and that was why the ECOWAS Court of Justice said it has to be reviewed.  So if this had been there at that time, it will help.  So this is very, very useful.  And really appreciate UNECA for doing it.  As the Parliament in Nigeria going ahead, seeing it now from UNECA it collaborates what we said before, no conflicts.  So just to say that thank you for the job done. 

   >> CHAIR:  Thank you for this comment.  And for commenting on the work done. 

   >> AUDIENCE:  I will not say once again what Jimsome said, but the fact is it is again great work that you have been doing in ECA.  With the report yesterday that you launched about the cybersecurity over the 40 countries, providing, identifying giving information, such important information which is very important.  The cybersecurity model law is extremely important for many countries we have met where people do not have the proper knowledge and experience to put together a proper law.  The only thing I would suggest just for you to take in to consideration is to make at least two workshops about the model law; one for the French speaking countries and one for the English speaking countries.  And for this to invite the multi‑stakeholders to understand the whole principle about the model law and to help them start building their own capacity with that regard.  Thank you very much. 

   >> CHAIR:  Thank you.  One minute because we are running out of time. 

   >> AUDIENCE:  So it was not ‑‑ it is not really anything more.  And maybe I should have introduced myself.  My name is Catherine.  I'm the outgoing director of research at the Web Foundation.  But I have been working in cybersecurity governance for the last six years. 

So the question I was asking and maybe it was misunderstood was just to get the clarity and the clarity has come.  It is more of a comment that I see this as an opportunity to actually help even reviewing the existing laws and existing documents.  So that was the clarity I was requiring.  Because then I can even go back to Kenya, Rwanda and say hey, you can use this law for this.  I needed that clarity.  That's where I was coming. 

   >> CHAIR:  Thank you very much.  Nnenna, please answer this question before we conclude. 

   >> NNENNA IFEANYI‑AJUFO:  Thank you so much.  Thank you for the comments that have come in.  I wanted to say to Maktar and Jean‑Paul that I agree that there should be a workshop.  In terms of digital forensic, if you look at the Guideline it talks about two important sections; criminal procedure and law enforcement and also the other part in terms of mutual legal assistance.  So you cannot necessarily spell out in terms of such a rule how to go about digital forensics.  These are more procedural issues that would go in hand in the court of law as well as doing law enforcement that gives a broad Guideline on search and seizure.  Law enforcement offices in terms of jurisdiction would understand.  The model Guideline has elaborated.  Law enforcement officers can then underscore that on the general framework and whole framework of what is appropriate for cybersecurity and proceedings in relation to cybercriminal activities.  Thank you. 

   >> CHAIR:  Thank you very much.  What we have written for this session, this document it is not a law.  It is a guiding principle.  As you know you have 17 countries having a cybersecurity framework in the continent.  But this framework has a lot of missing links.  When we go to the infrastructure management, child pornography, also in the regional cooperation, even the regional cooperation when you look at the Malabo we have missing documents. 

This document will provide an opportunity for the country who already have their model laws, their policy framework on cybersecurity to update their policy.  And it is more important also for countries who do not have one now.  Because we are going to start Day Zero and we will provide all information necessary for them to draft an adequate framework on cybersecurity because the Guideline is based as Nnenna said on the post in the world.  We look at the national level where the country makes a lot of progress, the country in reference in cybersecurity.  We take on the lessons learned from this country to develop this Guideline. 

    The name is very clear.  It is a Guideline.  And now it is more important also for the Civil Society, yeah.  Because cybersecurity, it is an issue for everyone.  We need to build as capacity for everyone for cybersecurity. 

    And why this document is important?  For the Civil Society, for ‑‑ because I think the parents are not many times at home.  And you have kids.  And you don't know how it is going to the online service.  This will help them educate the kids and also to know how we can navigate it in this digital era and how we can put in place adequate policy regulatory framework on cybersecurity to protect the citizens.  It is important I think for all African countries.  And also this Guideline, also it is a general Guideline we can apply in Indonesia. 

Yesterday we presented our study with 40 countries in Africa and 30 countries in Asia and we face a similar challenge. 

And I would like to thank you all very much for your involvement because it is too late and for your contribution also to this Guideline model law.  To Frank for the good work.  Of course, we are going to translate this in to French and publish in the website. 

    And the idea for the workshop also we are going to organize next year based on our budget and we will see how to organize this.  And thank you very much for ‑‑ we can do hybrid.  Yeah.  And we ask also all people here to popularize this Guideline, yeah, in your several networks because it is a public document for Africa, even as a continent.  Thank you very much. 

I would now like to ask everyone to come here to launch officially this Guideline model law.