Lack of laws governing cybercrime making Africa a safe haven for cybercriminals, interview

Which African countries have laws criminalising cybercrime? In your policy brief you mention Cameroon, Kenya, Mauritius, South Africa and Zambia.

Only a handful of African countries have taken the step of criminalising cybercrime. That’s really what the policy brief looks at - the gap between such a pressing problem on the continent and the fact that so few countries have actually adjusted through legislation and laws.

So the rest of the continent doesn’t have any laws governing cybercrime?

Unfortunately, it’s not really on the radar screen for many of the countries and for good reason: there are certainly pressing problems across the continent. But cybercrime is a problem that is going to creep up on folks here. Unless African nations start to address this it’s really going to damage the economic potential of the continent and the national security of the continent.

It seems that the different legal conventions are rather confusing – let’s start at the international level. Mauritius is the only country to have ratified the Council of Europe’s Convention on Cybercrime, a widely supported initiative.

Even though it is called the Budapest Convention and a lot of the EU countries are supporting that instrument, it’s actually a global instrument. South Africa, where I’m based, was actually part of the drafting process. Several different nations, not just EU nations, were part of the consideration of this instrument. Unfortunately it hasn’t really had a lot of support here in Africa. Only Mauritius has taken the step of ratifying, South Africa has not ratified, surprisingly.

In Africa itself we have four different regional models or frameworks from different regional bodies.

Even though the Africa Union has been debating this AU convention there have been different regional approaches that have tried to tackle the issue. They’ve had little success and it’s been a challenge to get countries onboard, uniting behind one approach.

The African Union approach, the AU Convention on Cyber Security and Personal Data Protection, no African countries have ratified this?

To my knowledge that’s correct. It’s going to be a bit of a challenge to get countries to understand everything that’s included in this convention. It’s not just dealing with cybercrime and the policy brief focuses only on the cyber crime provisions of the convention. But it deals with a wide swathe of e-commerce, data privacy and other provisions. For many countries it may be difficult to understand everything that’s in the convention, let alone be able to ratify it.

One of the concerns about the African Union model is about restrictions to free speech. Will it limit free speech?

It’s certainly a point of contention and as I compared the AU’s approach to the Budapest Convention, during the Budapest Convention some of these same provisions were controversial. As in infringements on free speech and as a result during the Budapest process those provisions were actually taken out and made into an addendum so that more countries could support the broad concepts of the underlying Budapest Convention. The controversial free speech elements were put aside into an addendum. In the African Union approach, those same sort of controversial provisions which limit speech on xenophobia, on other issues like that, those are actually in the body of the convention. So there may be some free speech issues raised by some member countries.

Cybersecurity firm Trend Micro have called Africa ‘the new safe harbour for cybercriminals’. It seems few African governments are doing anything to address this.

Yes, that’s absolutely right. Africa is growing immensely in terms of connectivity, mobile technologies are growing exponentially. Recent studies have said that almost 20 per cent of the population will have internet access by the end of 2014. Subscriptions on mobile phones are growing 20-fold between the end of 2013 and 2019, that’s double the rate of growth of the rest of the world. We’re looking at a lot more people having access to the internet and therefore a lot more potential victims to cybercrime. The question is whether or not, as more and more people become connected to the internet, whether or not there’s appropriate safeguards and I talk about, in a prior policy brief, a multi-layered approach to fighting cybercrime. Its not just international instruments to unite the world in an effort to fight cybercrime, it’s also about cybersecurity awareness and education, individuals understanding the need to have strong passwords and not to click on certain links that they don’t trust. So if African countries don’t address the cybercrime element there will certainly be a safe harbour here on the continent.