Guidance

African Cyber Experts Fellowship: lessons learnt report 2020

Published 8 March 2021

The purpose of this document is to draw out some of the key lessons learnt from the discussions held as part of the African Cyber Experts Fellowship programme. This is the first iteration of the document, but it is intended to be a living document which can be supplemented and changed as the group develops.

Some of the participating countries have been asked to concentrate on particular topics where they have demonstrated expertise and maturity in a specific area of cyber security. For example, during the Fellowship workshops we heard many success stories from Uganda, particularly with regards to garnering support from senior representatives. As a result, the lessons learned input from Uganda concentrates on the success in changing the mindsets of high-level management and leaders and creating an environment of innovation to drive cyber security forward. The Fellows from the CERT in Mauritius have shared their lessons on the challenges in the development and implementation of the Mauritian Cybersecurity and Cybercrime Strategy, and Botswana have shared their experience on the benefits of international collaboration.

Lessons learned 1: Uganda’s success in changing the mindsets of high-level management and leaders and creating an environment of innovation to drive cyber security forward

This section of the document highlight lessons on Uganda’s success in changing the mind set of high-level management and leaders and creating an environment of innovation to drive Cyber Security forward. The following factors in Uganda’s ecosystem have played together to enable the successful winning over of minds and hearts of our leadership on Cybersecurity matters:

1. Structured Governance and Leadership of cybersecurity efforts
2. Improved awareness and education on cybersecurity matters
3. Continuous enhancement of the Enabling environment
4. Improvement in advisory and stakeholder collaboration
5. Emergency response and collaboration
6. Improvement in capacity for enforcement and judicial officials
7. International collaboration
8. Improved funding for cybersecurity initiatives

1. Governance and leadership

Establishment of the National Information Technology Authority of Uganda (NITA-U) as an agency to provide vision and leadership to spearhead cybersecurity governance, risk remediation planning and response, as well as promoting and monitoring the development of cybersecurity in the country.

The presence of a central body with clear responsibilities makes coordination, development and implementation of all the cybersecurity initiatives much easier. NITA-U is supervised by the Ministry of ICT and National Guidance.

NITA-U has received funding from both foreign and domestic donors towards implementing national and institution specific cybersecurity initiatives.

2. Awareness and education

Since the financial year of 2012/2013, NITA-U has been conducting on average three information security promotion and awareness campaigns in public and private institutions. This is on top of working with other stakeholders to organize at least two conferences with an information security theme every year.

A number of such targeted sessions have been given to key stakeholders like His Excellence the President of Uganda, members of cabinet, members of the ICT committee of Parliament as well as various Boards, CEO and Managing Director of various critical institutions. This has led to an improvement in appreciation of cybersecurity matters as well as improved support through funding for related initiatives. This has as well led to them playing the role of change agents.

NITA-U as well drafts briefs including presentations and keynote speeches for the various key stakeholders and decision makers on cybersecurity matters.

These have contributed greatly to improving understanding of cyber security matters across our various stakeholder groups. We as well have embarked on creating a nationwide awareness program following obtaining of funding. This program will target users of technology across various categories including age.

3. Enabling environment

Uganda enacted the following cyber laws in order to create an enabling environment for cyber security:

a) The Electronic Transactions Act (2011) & Regulations (2013)

b) The Electronic Signatures Act (2011) & Regulations (2013)

c) The Computer Misuse Act (2011)

d) Data Privacy & Protection Act (2019)

On top of the laws above, Uganda’s National cybersecurity strategy is currently being revised with the following as the guiding principles:

a) enhancing private public partnership in development of cyber security capacity

b) ensuring trust and confidence of citizens in the use of Information Technology enabled services

c) taking into consideration international collaboration due to the borderless nature of cyber space

d) promoting a culture of cyber security across all levels of society

e) promoting continuous improvement in cyber security

f) promoting responsibility and action amongst Critical Information Infrastructure operators as regards Cyber Security readiness

Also, in 2014 the Government of Uganda developed the National Information Security Policy & Framework and uses this policy & framework (NISF):

a) as a conceptual structure for guiding Information Security activities

b) as a common risk-based approach for addressing Information Security issues

c) to secure Government of Uganda information and other assets

d) to improve understanding of IS risk, roles and responsibilities

e) to guarantee Information Security compliance by Critical Information Infrastructure operators

f) to improve information security governance and environment

So far we have conducted over 125 NISF awareness sessions, 80 readiness and compliance assessments and supported implementation of remedial initiatives in 48 Government of Uganda institutions.

There are efforts to continuously identify and close gaps in legislation which has led to the emergence of other pieces of legislation. This is done through benchmarking amongst others. The continuous promotion of awareness of existing and new legislation including strategies and frameworks improves both their understanding as well as adherence.

4. Advisory and stakeholder collaboration

Uganda established the National Information Security Advisory Group (NISAG) as forum for providing guidance to Uganda’s critical Infrastructure operators, amongst others, on risks that face their systems and measures that can be taken to reduce the risks to acceptable levels. The NISAG secretariat was established at NITA-U.

NISAG’s mandate is to maintain a national risk register and provide advisory services to Government of Uganda on Information Security and also ensure that issues of cyber security are addressed appropriately.

a) NISAG members are from various private and public institutions including operators of Critical National Infrastructure.

b) NISAG was inaugurated by the Hon. State Minister for ICT on 30 October 2014 and held first quarterly meeting in April 2015.

c) NISAG maintains the National Information Risk Register (NIRR) for capturing risks that have a high national impact.

NISAG ensures consistent collaboration between public and private critical information infrastructure operators to ensure robust cybersecurity implementations as well as advises the Government on threat sources as pertains the country’s digital infrastructure for prevention.

The NIRR is used to highlight and monitor management of risks to Critical National Infrastructure. The NIRR is produced in differently versions to be consumed by the different levels of audience.

Through research, as well as collaboration with regional and international organisations, information on impeding and active threats is obtained and shared with stakeholders in the form of threat alerts.

5. Emergency response collaboration

In a national coordinated approach for handling Information Security incidents, a National Computer Emergency Response Team / Coordination Centre (National CERT/CC) was established in February 2014.

a) The National CERT/CC is the organisation devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks, accidents, or failures.

b) In March 2015, the National CERT/CC applied and was admitted to the Forum for Incident Response and Security Teams (FIRST) fellowship programme for 2015. Consequently, FIRST facilitated National CERT’s participation in the annual conference that took place in June 2015 in Berlin, Germany.

c) National CERT/CC has been signed up to receive customised intelligence reports (detailing detected malicious activity to assist in their detection and mitigation).

The National CERT/CC plays the following roles:

1. to ensure the protection of the nation’s Critical Information Infrastructures
2. assist in drafting the overall plan on the country’s approach to cyber security related issues
3. conducts training and information security awareness amongst the various stakeholders i.e. law enforcement and judiciary and
4. serve as a focal point for further building and implementing the National Culture of Cyber security including responsible sharing, reporting of incidents

6. Capacity of enforcement and judicial officials

There are deliberate and continuous efforts to improve the capacity of investigation (Uganda Police), Prosecution (Directorate of Public Prosecution) and Judicial Officials (defence attorneys and Judges) on matters to do with cybersecurity. This is through awareness, education and training programs. This has improved on their capability to enforce the cyber laws.

A cybercrime unit under the Uganda police force was created with the following mandate:

a) provide enforcement of cyber security related laws

b) provide efficient cybercrime investigation

c) ensure collaboration with similar international institutions

NITA-U has also organized a number of trainings for this target group as well as support during the development of process documentations like the Digital evidence acquisition guides.

7. International and regional collaboration

NITA-U has established working relationships with various international partners including but not limited to the World Bank, Government of UK, Egypt, Cameroon, South Korea as well as with the Commonwealth Cybercrime Initiative (CCI), United Nations Office on Drugs and Crime (UNODC), International Telecommunications Union (ITU), Information Security Forum (ISF), Commonwealth Telecommunications Organisation (CTO), Internet Watch Foundation (IWF), Forum for Incident Response & Security Teams (FIRST), African Union, East African Community, Team Cymru, the shadow servers group and Oxford Global Cyber Security Capacity Centre with regards to cyber security.

These relationships have been valuable in providing funding, capacity building, technical support as well as benchmarking opportunities to boost our efforts in cybersecurity.

8. Improved funding for initiatives

Government of Uganda through the Ministry of ICT and National Guidance runs the National ICT Initiatives Support Program (NIISP) to facilitate the creation of an ICT Innovation ecosystem and marketplace for Ugandan innovative digital products.

NIISP primarily aims at facilitating growth and development of the software applications and innovations industry. Cybersecurity innovations are within the NIISP scope.

The Specific Objectives for the NIISP are:

a) to provide systematic and sustainable support to national ICT innovators

b) to promote ICT products, services and solutions for improved service delivery as part of a wider digital ecosystem

c) to establish and operationalize ICT innovation parks

d) to promote local electronics manufacturing and assembly

9. Conclusion

The above factors or efforts have enabled Uganda to successfully change the mind set of high-level management and leaders and have enabled us to create an environment of innovation to drive Cyber Security forward.

Note that the above factors have been enumerated in no particular order of importance but supreme amongst them has been awareness, education and training.

Lessons learned 2: Mauritius: the challenges in the development and implementation of the Mauritian Cybersecurity and Cybercrime Strategy

This document shares some of the experiences of the Computer Emergency Response Team of Mauritius (CERT-MU) in the development and implementation of the Mauritian Cybersecurity Strategy and the Cybercrime Strategy 2014 to 2019, and the main challenges that were encountered during these initiatives. The Mauritian Cybersecurity Strategy and Cybercrime Strategy were developed following a national survey conducted in October 2013 to assess the security posture of businesses in Mauritius. Moreover, a wider consultation was done along with all stakeholders from the government, private sector and the civil society to finalise the strategies. Consultation workshops were also organised along with stakeholders to validate the documents and same were made available on the Ministry and CERT-MU website for public opinion.

The aim of the strategies was to make the Mauritian cyberspace more secure and resilient and it focused on the following strategic guidelines:

1. securing the Cyberspace and establishing a front line of defence against Cybercrime
2. enhancing the resilience to cyber-attacks and defend against the full spectrum of threats
3. developing a collaborative model between the authorities and the business community to improve national cybersecurity and cyber defence
4. improving the cyber expertise and cyber security awareness of all societal actors

Based on the above guidelines, the strategies described action plans that provided reasonable assurance of resilience and security to support national missions and economic stability. 28 projects were identified in the Cybersecurity Strategy and some of the key priorities included the protection of critical information infrastructures, a clear governance framework, creation of public and private partnership, fighting against cybercrime by developing law enforcement capability, improving the legal framework and fostering international and regional cooperation on cybercrime.

The development and implementation of the Strategy was a tedious task and required the coordination and support of all stakeholders. Some issues and challenges faced in bringing the strategy to life are listed below

Issues and challenges

Legal provisioning for project(s) implementation

Legal provisioning is an important aspect for implementing the projects of national cybersecurity strategy and it should be kept in mind while finalising the legal framework through the legal framework assessment exercise. The take up of amendment of legal provision(s) in the existing legislation or creating new ones at the time of project implementation could be taxing affair and may derail the set targets. This could even lead to failure of the project.

Inter-institutional collaboration and assignment of stakeholdership roles

Ownership and the stakeholdership are the vital threads of the strategy development and require a concrete analysis to come up with actionable plan involving public and private sector that could be realised. The exercise requires lengthy discussions and validation process before finalising roles and responsibilities of the institutions as per their mandate.

Setting up the Public Private Partnership (PPP) framework

One of the core elements of a national cybersecurity strategy is the public-private partnership (PPP). The PPP framework consists of various stakeholders from the public and private sector. It involves a collaborative effort of all key players to safeguard the cyberspace from attacks. It establishes a common scope and objectives and uses defined roles and work methodology to achieve shared goals. However, implementation of the PPP framework is a challenge and it requires a proper balance between roles and responsibilities to be defined for proper execution and setup.

Budget estimation for projects

Accurate budget estimation is the key to the successful implementation of the strategy action plan and requires the consideration of the number of factors such as technology readiness, infrastructure as well as the skills availability. The steps associated with the budgeting process are highly dependent on both the estimated lengths of tasks and the resources assigned to the project. A number of constraints, financial, political, and organisational, may dictate the methods by which resources such as personnel, equipment, services and materials are acquired, and this should be carefully taken into account while calculating the budget.

Accurate assessment of human resource requirements

For proper implementation of the strategy, it is important to have the right people with right skills needed to execute the projects on time. In this process, it is important that the skill requirement exercise is undertaken through a proper survey and its findings are used to address the HR requirements.

Both strategies are currently being reviewed and a new strategy is being drafted which will cover both Cybersecurity and Cybercrime in Mauritius.

Lessons learned 3: Botswana: international cooperation

One of Botswana’s National Cyber Security Strategic Objectives is on stakeholder collaboration and cooperation. The country believes that the best approach in building a secure cyber space is to work with others.

Therefore, during the Africa Cyber fellowship programmes, international collaboration was promoted and enhanced. Over this period, Botswana learnt and adjusted her cooperation and collaboration efforts. Botswana has used the Africa Cyber Fellowship to promote cooperation with her international partners. The Fellowship is an ideal environment through which Botswana could reach out, since she is introduced to many potential partners in one place. The past partnerships fostered through the ACF include:

1. European Union Cyber Resilience for Development (Cyber4Dev)

This is a flagship EU cyber cooperation and collaboration project, partnering with developing countries. Botswana was introduced to the programmes and potential of being a member, through one of the ACF Donor presentations. Following this, Botswana was able to follow up with relevant partners, especially through Foreign and Commonwealth and Development Office (FCDO). The partnership is ongoing, with EU assisting Botswana on implementation of her National Cyber Security Strategy.

2. UK-Africa National Cyber Risk Assessment

Botswana partnered with the United Kingdom’s Home Office to host the inaugural UK-Commonwealth African countries National Cyber Risk Assessment (NCRA). The Botswana team liaised with their UK counterparts and aided on the project. This was possible through contacts established at ACF meeting. Further, the meeting in Gaborone provided Botswana an opportunity to discuss and hold side meeting with Microsoft’s member of policy team. She was able to also guide Botswana on other initiatives which the country was unaware, including the Paris Call. Due to resource constraints Botswana NCS team hasn’t had opportunity to participate. However, they shared their information with their colleagues including in law enforcement. It has transpired that one of Botswana’s legal reforms team has attended one of the Paris Call events.

3. Global Forum for Cyber Experts

Botswana has always wanted to engage on cyber security at international level, especially on policy matters. GFCE and the Meridian Project were identified as a route to achieve this objective. However, Botswana wasn’t always clear on the best approach. Through ACF and FCO’s Robert Collett, Botswana was able to join GFCE early this year. Due to coronavirus outbreak, the country’s participation was limited. That notwithstanding, Botswana GFCE liaison officer and ACF member has managed to attend virtual meetings via zoom sessions organised by GFCE. Other NCS team members have also participated.

4. UN Open Ended Working Group (OEWG)

Although participation in Open Ended Working Group on Cyber wasn’t strictly because of ACF, the programme has contributed. UK’s FCO reached out to Botswana ACF participant to alert him on an opportunity for the country to send female participants to the United Nations. The objective was to promote women in United Nations meetings on security. The participants took part in workshops organised by UNITAR and sponsoring member states (UK, Canada, Australia, etc). They also participated in UN OEWG. The programme was rewarding and especially helped Botswana to further enhance her collaboration efforts. Botswana for example has been studying Czech Republic’s Prague 5G seminar, aimed at promoting safe deployment of 5G technology, while averting potential security risks. Botswana hasn’t taken a position on 5G yet, hence these will be useful.

Botswana has managed to benefit from local and international partnership.

Strengths

Botswana has a small, close-knit cyber security community. Therefore, it is easy to reach out and collaborate at national level, since the players are few and known to each other. At international level, the country is a member of various international collaborative bodies, where cyber security is discussed and promoted. These include Southern African Development Community (SADC), Commonwealth of Nations and its sub-organisations like Commonwealth Telecommunications Organisation (CTO). Botswana is also member of United Nations, International Telecommunication Union and Global Forum for Cyber Experts. These organisations offer Botswana an opportunity to collaborate with like-minded states. Recently Botswana supported United Kingdom’s draft for UN OEWG statement, written on behalf of Commonwealth of Nations.

Weaknesses

Botswana hasn’t always maximised opportunities for collaboration. For example, the country was slow to setup contact points for international partners on cyber security. Most of the collaboration and cooperation efforts are also not well coordinated, for maximum benefit.

Opportunities

Botswana can build on existing networks and expand into new ones for information sharing, collaboration and cooperation. There is opportunity to unlock value, creating a safer cyberspace, if the country were to coordinate these efforts under one office organisation.

Threats

Failure to actively collaborate and share information might leave the country isolated and vulnerable to threats. There is strength in knowledge sharing and adopting non-binding norms that promote cooperation among the cyber security nations.

Lessons learned 4: Nigeria

No doubt the effort behind this initiative and its objectives stands to elevate Africa’s capacity to succeed in its quest for self-reliance and advancement through Information Technologies. The expression of friendship from the British government and its people to invest in the continent’s future, shows the importance it places on nurturing and leading Commonwealth countries to a sustainable developmental path.

1. The journey…

During the thirty months that I have been in the Fellowship, interacting with experts from across the continent opened up a new perspective on the need for a continental determination to enhance capacity in cyber as well as building technical ability to response to threats as well.

Key takeaways and lessons learnt from the Fellowship are as follows:

a) There is a need for an accelerated capacity building drive in the continent due to the huge infrastructural and technical skills gaps identified in some of the presentations from other Fellows. Building capacity will definitely be the key instrument to FastTrack cyber skills development within the continent.

b) The Fellowship as a centre of resource, identified the need for the importance of harnessing the capabilities of technology towards integrating Africa into the global technology arena in order to improve social development in the continent.

c) Challenges in coordinating Africa’s response to cyber threat and the need to establish governance and support structure to provide mechanism for protection.

d) Funding the empowerment process through technology.

e) FCO is an important stakeholder in cyber development initiatives across the continent.

2. Way forward

If this Fellowship programme is planned to continue, the following thoughts offer some possible future action points for the group. Please consider:

a) an Afro-Centric skills development initiative that aligns to Commonwealth Cyber Declaration.

b) developing cyber strategies and leadership in the African Context.

c) develop a funding framework that will support sustainable initiative and programmes for the continent.

d) FCO to expand the group to include expert from other non-commonwealth countries.

e) create and engage Regional Cyber Expert (RCEs) to address regional issues that speak to (a) and (b) above.

The future use of this document

As mentioned in the introduction, this is the first iteration of the document and it is intended to be a living document which can be supplemented and changed as the group develops. The outbreak of COVID-19 has had a significant impact on the planning for the future direction of this Fellowship programme, but it is still hoped that this group will continue and further lessons learnt can be added to this version as the group continues to collaborate and evolve.