Multistakeholding cybersecurity in africa

Event report

[Read more session reports and live updates from the 13th Internet Governance Forum]

Can the multistakeholder model be applied to the cybersecurity discussion? We need to build the technical capacity and expertise of different stakeholders so that when they come to the table, they have something to offer. 

The session was moderated by Mr Enrico Calandro, Senior Researcher, Research ICT Africa (RIA). 

Ms Anri van der Spuy, Associate, Research ICT Africa (RIA), talked about why cybersecurity is a particular concern at RIA and in Africa, highlighting that there is an increasing interest in cybersecurity in Africa. This could be attributed to governments increasingly realising how central the Internet is to economic development. She noted that challenges in Internet governance also apply to cybersecurity, hence the need for fast response rates, expertise, flexibility and resources. Generally, few countries have cybersecurity strategies and many citizens lack education and digital literacy skills. She mentioned that the nature of the cyber environment means that it is difficult to deal with cyber risks as governments are involved to protect public interest and private sector owns a lot of technological infrastructure. 

Spuy shared research conducted by RIA on collaborating models for cybersecurity in Mauritius. According to the International Telecommunication Union (ITU) Global Cybersecurity Index 2017, Mauritius is ranked as the top country in Africa and has become a regional hub for cybersecurity. Findings from the research show an improvement in public-private partnerships. Though still facing shortcomings, with some parties being more dominant than others, the need for broader participation and no mention of digital rights. 

Provisional policy recommendations include flexibility, transparency, information sharing, descriptive rather than prescriptive arrangements, and involving stakeholders who find it difficult to participate and are vulnerable to cyber-harm. 

Responding to Calandro’s question on the need for multistakeholder collaboration in the cybersecurity domain, MrWilliam Dutton, Oxford Martin Fellow, The Global Cyber Security Capacity Centre, said that the Mauritius example shared was a great example of collaboration. He however noted that there are a lot of criticisms of the multistakeholder model and one of the complaints relates to limited communication, yet cybersecurity capacity building involves communication. He highlighted that the Global Cybersecurity Center is setting up hubs in different parts of the world in order to scale up. Professor Durron added that the security discussion is often removed from reality and as such, the people discussing do not know anything about users or the developing world. 

When asked if the multistakeholder model is emerging in practice, Mr Arthur Gwagwa, Senior Research Fellow, Centre for the Intellectual Property and Information Technology Law (CIPIT), mentioned that policy formulation in Africa is haphazard.  He added that Internet governance (IG) in most cases is running parallel to cybersecurity such that IG issues are discussed in public while cybersecurity discussions often do not involve everyone. He emphasised the need for different approaches to different threat models because different threats lead to different ideas of harm. 

Ms Koliwe Majama, Consultant, Association for Progressive Communications (APC), mentioned that there are no frameworks for encouraging civil society engagement in cybersecurity in Africa, and the lawmaking process is not always clear. She referred to the African Union Article 27that would generally be categorised as multistakeholder, but Computer Emergency Response Teams (CERTs), are not inclusive. She gave an example of the Zimbabwe CERT which had mostly government/defence and state security but no technical or women’s/children’s rights representatives. She concluded that civil society needs to ensure that the end-user is being represented and that the discussion is inclusive. 

When asked if capacity building is an effective tool for multistakeholder participation, Mr Matthew Sheers, Director, Cyber, Global Partners Digital (GPD), mentioned that GPD undertakes programs to build cybersecurity capacity in Latin America, Africa and other developing regions. He referred to GPD’s recent report on multistakeholder approaches to national cybersecurity strategy development, which had been done in 4 countries: Mexico, Chile, Kenya and Ghana. He acknowledged that the key recommendations raised by RIA match with GPD. He noted that in many countries, multistakeholder models only includes government and the private sector, but there is need to work across stakeholders and team with particular groups like the technical community. 

Mr Michael Nelson, Tech Strategy, Cloudflare, mentioned that Cloudflare protects websites by filtering content coming to them, for example botnets, and distributing content from websites across 150 centres, 9 of which are in Africa. He encouraged the need to build the Information Technology (IT) consultant industry in content and allow foreign companies to invest. 

By Sarah Kiden