CHAPTER III – PROMOTING CYBER SECURITY AND COMBATING CYBERCRIME
Section I: Cyber Security Measures to be taken at National Level
Article 24: National cyber security framework
1. National policy
Each State Party shall undertake to develop, in collaboration with stakeholders, a national cyber security policy which recognizes the importance of Critical Information Infrastructure (CII) for the nation identifies the risks facing the nation in using the allhazards approach and outlines how the objectives of such policy are to be achieved.
2. National strategy
State Parties shall adopt the strategies they deem appropriate and adequate to implement the national cyber security policy, particularly in the area of legislative reform and development, sensitization and capacity-building, public-private partnership, and international cooperation, among other things. Such strategies shall define organizational structures, set objectives and timeframes for successful implementation of the cyber security policy and lay the foundation for effective management of cyber security incidents and international cooperation.
Article 25: Legal measures
1. Legislation against cybercrime
Each State Party shall adopt such legislative and/or regulatory measures as it deems effective by considering as substantive criminal offences acts which affect the confidentiality, integrity, availability and survival of information and communication technology systems, the data they process and the underlying network infrastructure, as well as effective procedural measures to pursue and prosecute offenders. State Parties shall take into consideration the choice of language that is used in international best practices.
2. National Regulatory Authorities
Each State Party shall adopt such legislative and/or regulatory measures as it deems necessary to confer specific responsibility on institutions, either newly established or pre-existing, as well as on the designated officials of the said institutions, with a view to conferring on them a statutory authority and legal capacity to act in all aspects of cyber security application, including but not limited to response to cyber security incidents, and coordination and cooperation in the field of restorative justice, forensic investigations, prosecution, etc.
3, Rights of citizens
In adopting legal measures in the area of cyber security and establishing the framework for implementation thereof, each State Party shall ensure that the measures so adopted will not infringe on the rights of citizens guaranteed under the national constitution and internal laws, and protected by international conventions, particularly the African Charter on Human and Peoples‟ Rights, and other basic rights such as freedom of expression, the right to privacy and the right to a fair hearing, among others.
4. Protection of critical infrastructure
Each State Party shall adopt such legislative and/or regulatory measures as they deem necessary to identify the sectors regarded as sensitive for their national security and well-being of the economy, as well as the information and communication technologies systems designed to function in these sectors as elements of critical information infrastructure; and, in this regard, proposing more severe sanctions for criminal activities on ICT systems in these sectors, as well as measures to improve vigilance, security and management.
Article 26: National cyber security system
1. Culture of Cyber Security
a) Each State Party undertakes to promote the culture of cyber security among all stakeholders, namely, governments, enterprises and the civil society, which develop, own, manage, operationalize and use information systems and networks. The culture of cyber security should lay emphasis on security in the development of information systems and networks, and on the adoption of new ways of thinking and behaving when using information systems as well as during communication or transactions across networks.
b) As part of the promotion of the culture of cyber security, State Parties may adopt the following measures: establish a cyber-security plan for the systems run by their governments; elaborate and implement programmes and initiatives for sensitization on security for systems and networks users; encourage the development of a cyber-security culture in enterprises; foster the involvement of the civil society; launch a comprehensive and detailed national sensitization programme for Internet users, small business, schools and children.
2. Role of Governments
Each State Party shall undertake to provide leadership for the development of the cyber security culture within its borders. Member States undertake to sensitize, provide education and training, and disseminate information to the public.
3. Public-Private Partnership
Each State Party shall develop public-private partnership as a model to engage industry, the civil society, and academia in the promotion and enhancement of a culture of cyber security.
4. Education and training
Each State Party shall adopt measures to develop capacity building with a view to offering training which covers all areas of cyber security to different stakeholders, and setting standards for the private sector. State Parties undertake to promote technical education for information and communication technology professionals, within and outside government bodies, through certification and standardization of training; categorization of professional qualifications as well as development and needs-based distribution of educational material.
Article 27: National cyber security monitoring structures
1. Cyber security governance
a) Each State Party shall adopt the necessary measures to establish an appropriate institutional mechanism responsible for cyber security governance;
b) The measures adopted as per paragraph 1 of this Article shall establish strong leadership and commitment in the different aspects of cyber security institutions and relevant professional bodies of the State Party. To this end, State Parties shall take the necessary measures to:
i) Establish clear accountability in matters of cyber security at all levels of Government by defining the roles and responsibilities in precise terms;
ii) Express a clear, public and transparent commitment to cyber security;
iii) Encourage the private sector and solicit its commitment and participation in government-led initiatives to promote cyber security.
c) Cyber security governance should be established within a national framework that can respond to the perceived challenges and to all issues relating to information security at national level in as many areas of cyber security as possible.
2. Institutional framework
Each State Party shall adopt such measures as it deems necessary in order to establish appropriate institutions to combat cyber-crime, ensure monitoring and a response to incidents and alerts, national and cross-border coordination of cyber security problems, as well as global cooperation.
Article 28: International cooperation
State Parties shall ensure that the legislative measures and/or regulations adopted to fight against cyber-crime will strengthen the possibility of regional harmonization of these measures and respect the principle of double criminal liability.
2. Mutual legal assistance
State Parties that do not have agreements on mutual assistance in cyber-crime shall undertake to encourage the signing of agreements on mutual legal assistance in conformity with the principle of double criminal liability, while promoting the exchange of information as well as the efficient sharing of data between the organizations of State Parties on a bilateral and multilateral basis.
3. Exchange of information
State Parties shall encourage the establishment of institutions that exchange information on cyber threats and vulnerability assessment such as the Computer Emergency Response Team (CERT) or the Computer Security Incident Response Teams (CSIRTs).
4. Means of cooperation
State Parties shall make use of existing means for international cooperation with a view to responding to cyber threats, improving cyber security and stimulating dialogue between stakeholders. These means may be international, intergovernmental or regional, or based on private and public partnerships.
Section II: Criminal Provisions
Article 29: Offences specific to Information and Communication Technologies
1. Attacks on computer systems
State Parties shall take the necessary legislative and/or regulatory measures to make it a criminal offence to:
- Gain or attempt to gain unauthorized access to part or all of a computer system or exceed authorized access;
- Gain or attempt to gain unauthorized access to part or all of a computer system or exceed authorized access with intent to commit another offence or facilitate the commission of such an offence;
- Remain or attempt to remain fraudulently in part or all of a computer system;
- Hinder, distort or attempt to hinder or distort the functioning of a computer system;
- Enter or attempt to enter data fraudulently in a computer system;
- Damage or attempt to damage, delete or attempt to delete, deteriorate or attempt to deteriorate, alter or attempt to alter, change or attempt to change computer data fraudulently.
State Parties further undertake to:
- Adopt regulations compelling vendors of information and communication technology products to have vulnerability and safety guarantee assessments carried out on their products by independent experts and researchers, and disclose any vulnerabilities detected and the solutions recommended to correct them to consumers;
- Take the necessary legislative and/or regulatory measures to make it a criminal offence to unlawfully produce, sell, import, possess, disseminate, offer, cede or make available computer equipment, program, or any device or data designed or specially adapted to commit offences, or unlawfully generate or produce a password, an access code or similar computerized data allowing access to part or all of a computer system.
2. Computerized Data Breaches
State Parties shall take the necessary legislative and/or regulatory measures to make it a criminal offence to:
- a) Intercept or attempt to intercept computerized data fraudulently by technical means during non-public transmission to, from or within a computer system;
- Intentionally input, alter, delete, or suppress computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches;
- Knowingly use data obtained fraudulently from a computer system;
- Fraudulently procure, for oneself or for another person, any benefit by inputting, altering, deleting or suppressing computerized data or any other form of interference with the functioning of a computer system;
- Even through negligence, process or have personal data processed without complying with the preliminary formalities for the processing;
- Participate in an association formed or in an agreement established with a view to preparing or committing one or several of the offences provided for under this Convention.
3. Content related offences
1. State Parties shall take the necessary legislative and/or regulatory measures to make it a criminal offence to:
- Produce, register, offer, manufacture, make available, disseminate and transmit an image or a representation of child pornography through a computer system;
- Procure for oneself or for another person, import or have imported, and export or have exported an image or representation of child pornography through a computer system;
- Possess an image or representation of child pornography in a computer system or on a computer data storage medium;
- Facilitate or provide access to images, documents, sound or representation of a pornographic nature to a minor;
- Create, download, disseminate or make available in any form writings, messages, photographs, drawings or any other presentation of ideas or theories of racist or xenophobic nature through a computer system;
- Threaten, through a computer system, to commit a criminal offence against a person for the reason that they belong to a group distinguished by race, colour, descent, national or ethnic origin or religion where such membership serves as a pretext for any of these factors, or against a group of persons which is distinguished by any of these characteristics;
- Insult, through a computer system, persons for the reason that they belong to a group distinguished by race, colour, descent, national or ethnic origin, or religion or political opinion, if used as a pretext for any of these factors, or against a group of persons distinguished by any of these characteristics;
- Deliberately deny, approve or justify acts constituting genocide or crimes against humanity through a computer system.
2. State Parties shall take the necessary legislative and/or regulatory measures to make the offences provided for under this Convention criminal offences. When such offences are committed under the aegis of a criminal organization, they will be punishable by the maximum penalty prescribed for the offense.
3. State Parties shall take the necessary legislative and/or regulatory measures to ensure that, in case of conviction, national courts will give a ruling for confiscation of the materials, equipment, instruments, computer program, and all other devices or data belonging to the convicted person and used to commit any of the offences mentioned in this Convention.
4. Offences relating to electronic message security measures
State Parties shall take the necessary legislative and/or regulatory measures to ensure that digital evidence in criminal cases is admissible to establish offenses under national criminal law, provided such evidence has been presented during proceedings and discussed before the judge, that the person from whom it originates can be duly identified, and that it has been made out and retained in a manner capable of assuring its integrity.
Article 30: Adapting certain offences to Information and Communication Technologies
1. Property Offences
a) State Parties shall take the necessary legislative and/or regulatory measures to criminalize the violation of property such as theft, fraud, handling of stolen property, abuse of trust, extortion of funds and blackmail involving computer data;
b) State Parties shall take the necessary legislative and/or regulatory measures to consider as aggravating circumstances the use of information and communication technologies to commit offences such as theft, fraud, handling of stolen property, abuse of trust, extortion of funds, terrorism and money laundering;
c) State Parties shall take the necessary legislative and/or regulatory measures to specifically include “by means of digital electronic communication” such as the Internet in listing the means of public dissemination provided for under the criminal law of State Parties;
d) State Parties shall take the necessary criminal legislative measures to restrict access to protected systems which have been classified as critical national defence infrastructure due to the critical national security data they contain.
2. Criminal liability for legal persons
State Parties shall take the necessary legislative measures to ensure that legal persons other than the State, local communities and public institutions can be held responsible for the offences provided for by this Convention, committed on their behalf by their organs or representatives. The liability of legal persons does not exclude that of the natural persons who are the perpetrators of or accomplices in the same offences.
Article 31: Adapting certain sanctions to Information and Communication Technologies
1. Criminal Sanctions
a) State Parties shall take the necessary legislative measures to ensure that the offences provided for under this Convention are punishable by effective, proportionate and dissuasive criminal penalties;
b) State Parties shall take the necessary legislative measures to ensure that the offences provided for under this Convention are punishable by appropriate penalties under their national legislations;
c) State Parties shall take the necessary legislative measures to ensure that a legal person held liable pursuant to the terms of this Convention is punishable by effective, proportionate and dissuasive sanctions, including criminal fines.
2. Other criminal sanctions
a) State Parties shall take the necessary legislative measures to ensure that in the case of conviction for an offense committed through a digital communication medium, the competent court may hand down additional sanctions;
b) State Parties shall take the necessary legislative measures to ensure that in the case of conviction for an offence committed through a digital communication medium, the judge may in addition order the mandatory dissemination, at the expense of the convicted person, of an extract of the decision, through the same medium, and according to modalities prescribed by the law of Member States;
c) State Parties shall take the necessary legislative measures to ensure that a breach of the confidentiality of data stored in a computer system is punishable by the same penalties as those applicable for breaches of professional secrecy.
3. Procedural law
a) State Parties shall take the necessary legislative measures to ensure that where the data stored in a computer system or in medium where computerized data can be stored in the territory of a State Party, are useful in establishing the truth, the court applied to may carry out a search to access all or part of a computer system through another computer system, where the said data are accessible from or available to the initial system;
b) State Parties shall take the necessary legislative measures to ensure that where the judicial authority in charge of investigation discovers data stored in a computer system that are useful for establishing the truth, but the seizure of the support does not seem to be appropriate, the data as well as all such data as are required to understand them, shall be copied into a computer storage medium that can be seized and sealed, in accordance with the modalities provided for under the legislations of State Parties;
c) State Parties shall take the necessary legislative measures to ensure that judicial authorities can, for the purposes of investigation or execution of a judicial delegation, carry out the operations provided for under this Convention;
d) State Parties shall take the necessary legislative measures to ensure that if information needs so require, particularly where there are reasons to believe that the information stored in a computer system are particularly likely to be lost or modified, the investigating judge may impose an injunction on any person to preserve and protect the integrity of the data in his/her possession or under his/her control, for a maximum period of two years, in order to ensure the smooth conduct of the investigation. The custodian of the data or any other person responsible for preserving the data shall be expected to maintain secrecy with regard to the data;
e) State Parties shall take the necessary legislative measures to ensure that where information needs so require, the investigating judge can use appropriate technical means to collect or record in real time, data in respect of the contents of specific communications in its territory, transmitted by means of a computer system or compel a service provider, within the framework of his/her technical capacities, to collect and record, using the existing technical facilities in its territory or that of State Parties, or provide support and assistance to the competent authorities towards the collection and recording of the said computerized data.