5. Policy, legislative and regulatory guidelines

In developing national policy, legislation and guidelines for the protection of CI and CII, a review of provisions of existing international conventions, legislation, and structures should be considered. 

UN General Assembly resolution 58/199 (2003) ‘Creation of a global culture of cybersecurity and the protection of critical information infrastructure recognizes that each country will determine its own critical information infrastructures and invites the Member States to consider, the elements for protecting critical information infrastructures in developing strategies for reducing risks to critical information infrastructures, in accordance with national laws and regulations;

UN Global Counter-Terrorism Strategy under Pillar II ‘Measures to combating and Preventing Terrorism’, member states resolved ‘to step up all efforts to improve the security and protection of particularly vulnerable targets, such as infrastructure and public places, as well as the response to terrorist attacks and other disasters, in particular in the area of civil protection.’

United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, 2015 report (paragraph 13g) recommends for consideration voluntary, non-binding norms for responsible state behaviour in cyberspace which include taking appropriate measures to protect their critical infrastructure from ICT threats taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions.

African Union Convention on cybersecurity and Personal Data Protection Article 24 requires signatories to develop, in collaboration with stakeholders, a national cybersecurity policy that recognises the importance of Critical Information Infrastructure (CII) for the nation to identify the risks facing the nation in using the all-hazards approach and outline how the objectives of such policy are to be achieved.

Under Article 25 of the convention, states are required to adopt such legislative and/or regulatory measures as they deem necessary to identify the sectors regarded as sensitive for their national security and well-being of the economy, as well as the information and communication technologies systems designed to function in these sectors as elements of critical information infrastructure; and, in this regard, proposing more severe sanctions for criminal activities on ICT systems in these sectors, as well as measures to improve vigilance, security and management.

In addition, there are requirements in agreements signed under Regional Economic Communities in Africa such as SADC Protocol on Politics, Defence and Security Co-operation, 2001, which seek to establish an institutional framework by which member states could coordinate policies and activities in areas of policy, defence, and security. The Organ for Politics, Defence and Security established under this protocol supports achieving and maintaining security and the rule of law in the SADC region. The Organ’s objectives are in the areas of Military/Defence, Crime Prevention, Intelligence, Peace-making & Peacekeeping Enforcement, Foreign policy, Conflict Management, Prevention & Resolution, and Human Rights. Specific activities to achieve these objectives are spelt out in the Strategic Indicative Plan for the Organ on Politics, Defense and Security Cooperation (SIPO I). These include regular assessments of the regional public security situation and building capacity to combat cybercrime and terrorism.