3. Cybersecurity strategies in Africa

Generally, African countries have made little progress in developing and implementing national cybersecurity strategies. Recent information indicates that only 17 of Africa’s 54 countries have completed a national cybersecurity strategy, which is less than half the global average, as the map below indicates.   

Fig. 2 A depiction of countries with NCS. Source: ITU National Cybersecurity Strategies Repository

Fig. 3. Africa Cybersecurity StrategiesSource: Africa Centre for Strategic Studies, Article on ‘Africa Lessons on Cyber Strategy’

Unfortunately, the existence of a document called a national cybersecurity strategy is not sufficient to address cybersecurity issues on a national scale. The relevant issue is its implementation and impact on the country. The article on Africa’s lessons on cyber strategy (Ajijola and Allen), identifies the strategies of three countries it considers to have met the minimum essential criteria in Africa. They are Eswatini, Kenya and Senegal. The criteria include:

• A threat assessment that identifies the scope and scale of a country’s cyber threats
• A plan of action that contains concrete goals and activities intended to address the threats
• A timeline
• An assignment of responsibilities across key stakeholders
• Clear provisions that allocate resources

The Eswatini Cybersecurity Strategy clearly defines the scope of the strategy which would cover all sectors of the country and provide guidelines to all relevant stakeholders on their expected roles and responsibilities. The strategic context identified the threats and vulnerabilities, while the capacity review provided the current status of cybersecurity in the country.

The strategy also described its alignment with the national goal of the country and sets out its own goals to include; enhance security and resilience; strengthen the cybersecurity governance, policy, regulatory and legislative frameworks; build Eswatini’s capacity and expertise in cybersecurity; foster a safe and secure information society for Eswatini; and strengthen cooperation, collaboration and partnerships on cybersecurity. The strategy also assigns roles and responsibilities for implementation, including a monitoring and evaluation framework. 

The same model is adopted for Kenya and Senegal. One of the strategic success factors in developing and implementing a national cybersecurity strategy is the need for inclusiveness, which would provide the necessary resources for crafting and implementation.