- Session Type (Workshop, Open Forum, etc.): Panel – 60 minutes
- Title: Multi-stakeholding cybersecurity in Africa
- Date & Time: Tuesday, 13 November, 2018 - 17:20 to 18:20
- Organizer(s):
Anri van der Spuy, Research ICT Africa, Civil Society, African Group, female
Enrico Calandro, Research ICT Africa, Civil Society, African Group, male
- Chair/Moderator: Enrico Calandro
- Rapporteur/Notetaker: Anri van der Spuy
- List of speakers and their institutional affiliations (Indicate male/female/ transgender male/ transgender female/gender variant/prefer not to answer):
Speaker 1: Koliwe Majama, APC, Civil Society Organisation, African Group, female
Speaker 2: Michael Nelson, Cloudfare, Private Sector, Western European and Others Group (WEOG), male
Speaker 3: William Dutton, Oxford Martin School, Academia, Western European and Others Group (WEOG), Male
Speaker 4: Matthew Shears, Global Partners Digital, Civil Society, Western European and Others Group (WEOG), male
- Theme: Cybersecurity, Trust and Privacy
- Subtheme: CYBERSECURITY BEST PRACTICES
- Please state no more than three (3) key messages of the discussion.
- The successful implementation of a collaborative model for cybersecurity strategy development and implementation resides in agile adaptability, transparency, and trusted information sharing among and between all participations;
- Cybersecurity collaborations should display both vertical and horizontal collaboration between stakeholders, be descriptive rather than prescriptive, and be sufficiently flexible in order to adapt alongside evolving cyber risks and technologies.
- Participation should extend not only to public and private sector entities who tend to own and control critical information infrastructure, but also stakeholders from other sectors (e.g. the banking and finance sectors, business process outsourcing (BPO), health, tourism, energy sectors) and non-for profit stakeholder groups (e.g. the technical community, academia, and civil society)
- Please elaborate on the discussion held, specifically on areas of agreement and divergence.
The session was moderated by Dr Enrico Calandro, Senior Researcher, Research ICT Africa (RIA).
Ms Anri van der Spuy, Associate, Research ICT Africa, talked about the why cybersecurity is a particular concern at RIA and in Africa, highlighting that there is an increasing interest in cybersecurity in Africa. This could be attributed to governments increasingly realising how central the Internet is to economic development. She noted that challenges in Internet governance also apply to cybersecurity, hence the need for fast response rates, expertise, flexibility and resources. Generally, few countries have cybersecurity strategies and many citizens lack education and digital literacy skills. She mentioned that the nature of the cyber environment means that it is difficult to deal with cyber risks as governments are involved to protect public interest and private sector owns a lot of technological infrastructure.
Ms Spuy shared research conducted by RIA on collaborating models for cybersecurity in Mauritius. According to the International Telecommunication Union (ITU) Global Cybersecurity Index 2017, Mauritius is ranked as the top country in Africa and has become a regional hub for cybersecurity. Findings from the research show an improvement in public-private partnerships though still facing shortcomings, some parties being more dominant than others, the need for broader participation and no mention of digital rights.
Provisional policy recommendations include flexibility, transparency, information sharing, descriptive rather than prescriptive arrangements and involving stakeholders who find it difficult to participate and are vulnerable to cyber harm.
Responding to Dr Calandro's question on the need for multistakholder collaboration in the cybersecurity domain, Prof William Dutton, Oxford Martin Fellow, The Global Cyber Security Capacity Centre, said that the Mauritius example shared was a great example for collaboration. He however noted that there are a lot of criticisms to the multistakholder model and one of the complaints is about limited communication, yet cybersecurity capacity building involves communication. He highlighted that the Global Cybersecurity Center is setting up hubs in different parts of the world in order to scale up. Prof Durron added that the security discussion is often removed from reality and as such, the people discussing do not know anything about users or the developing world.
When asked if the multistakholder is emerging in practice, Mr Arthur Gwagwa, Senior Research Fellow, Centre for the Intellectual Property and Information Technology Law (CIPIT), mentioned that policy formulation in Africa is half-hazard. He added that Internet governance (IG) in most cases is running parallel to cybersecurity such that IG issues are discussed in public while cybersecurity discussions often do not involve everyone. He emphasised the need for different approaches to different threat models because different threats lead to different ideas of harm.
Ms Koliwe Majama, Consultant, Association for Progressive Communications (APC), mentioned that there are no frameworks for encouraging civil society engagement in cybersecurity in Africa, and the law-making process is not always clear. She referred to the African Union Article 27 that would generally be categorised as multistakeholder, but Computer Emergency Response Teams (CERTs), are not inclusive. She gave an example of the Zimbabwe CERT which had mostly government/defence and state security but no technical, women's/children's rights representatives. She concluded that civil society needs to ensure that the end-user is being represented and that the discussion is inclusive.
When asked if capacity building is an effective tool for multistakholder participation, Mr Matthew Sheers, Director, Cyber, Global Partners Digital (GPD), mentioned that GPD undertakes programs to build cybersecurity capacity in Latin America, Africa and other developing regions. He referred to GPD's recent report on mulltistakholder approaches to national cybersecurity strategy development, which had been done in 4 countries: Mexico, Chile, Kenya and Ghana. He acknowledged that the key recommendations raised by RIA match with GPD. He noted that in many countries, multistakeholder only includes government and the private sector, but there is need to work across stakeholders and team with particular groups like the technical community.
Mr Michael Nelson, Tech Strategy, Cloudflare, mentioned that Cloudflare protects websites by filtering content coming to them, for example botnets, and distributing content from websites across 150 centres, 9 of which are in Africa. He encouraged the need to build the Information Technology (IT) consultant industry in the content and allow foreign companies to invest.
- Please describe any policy recommendations or suggestions regarding the way forward/potential next steps.
The following policy recommendations were made:
- The successful implementation of a collaborative model for national cybersecurity strategies resides in agile adaptability, transparency, and trusted information-sharing among all participants;
- Cybersecurity collaborations should display both vertical (e.g., between overseeing organisations and other stakeholders) and horizontal (e.g., between peer stakeholders) collaboration between stakeholders, be descriptive rather than prescriptive, and be sufficiently flexible in order to adapt alongside evolving cyber risks and technologies;
- Participation should extend not only to public and private sector entities who tend to own and control critical information infrastructure, but also stakeholders from other sectors (e.g. the technical community, the banking and finance sectors, business process outsourcing (BPO), health, tourism, energy sectors) and not-for-profit stakeholder groups (e.g. academia and civil society);
- Special steps must be taken to involve stakeholders who could find it difficult to participate or who are more vulnerable to cyber harm, including civil society organisations and marginalised communities who may be more at risk of cyber threat;
- Not only commercial interests should drive private sector stakeholders to participate in collaborative cybersecurity effort. Also, the private sector should innovate and mitigate threats, building security into applications and systems along with the need for raising awareness.
- Please estimate the total number of participants.
Approximately 60 participants
- Please estimate the total number of women and gender-variant individuals present.
Approximately 2/3 women.
- Session outputs and other relevant links (URLs):
https://researchictafrica.net/2018/11/08/igf-panel-discussion-on-collabo...
https://dig.watch/sessions/multistakeholding-cybersecurity-africa