Negotiations on a United Nations cybercrime treaty have been ongoing since May 2021 and, if passed by the General Assembly, could become a crucial legal framework for the prevention of cybercrime globally. But is this proposed treaty enough to solve Africa’s cybersecurity problem – and could the treaty give rise to unintended risks?
While cyberattacks are on the rise globally, having increased by 125% through 2021, Africa faces particular challenges when it comes to cybersecurity. The continent lacks digital security infrastructure, with around 90% of African firms operating without implementing the necessary security protocols. The economic pain inflicted by cyberattacks is already grave, imposing an estimated cost of almost $600m a year on South Africa and around $500m on Nigeria, the continent’s two biggest economies.
The UN cybercrime treaty aims to lighten the burden, but the road to completion is a long one. Complex negotiations on nine chapters, 60 articles and hundreds of amendments are underway. National representatives are currently meeting in New York to discuss the draft text of the convention, which is the basis for the final treaty. Negotiations will continue into early 2024, with the aim of adopting the treaty during the UN General Assembly in September 2024, according to an analysis from Chatham House.
According to research associate Isabella Wilkinson, the treaty, which would be the first binding UN instrument on a cyber issue, “could become an important global legal framework for international cooperation on preventing and investigating cybercrime, and prosecuting cybercriminals.”
Andy Madaki, a cybersecurity consultant based in Abuja, believes that a global legal framework for managing cybersecurity risks is important. He notes that, in Nigeria and many other African countries, the risks have increased in the last few years. For one, the coronavirus pandemic brought whole swathes of activity and data online that, up until then, had remained analogue. Geopolitical tensions have heightened the threats of cyberwarfare instigated by state or non-state actors. Chapter II of the draft treaty criminalises various cyber offences that have become more prominent in light of these conditions.
Madaki also notes that the African Continental Free Trade Agreement (AfCFTA) “will help with the ease of doing business across the continent, but from a cyber perspective, it poses another threat […] If goods and services are going to moving from Point A to Point B, this will most likely involve the transfer of personal data. What do we have in place to manage this?”
The move to put in place global standards for these processes is a “move in the right direction,” he believes.
While Madaki sees how international cooperation on such issues could help mitigate against the risks, he also notes that in many cases African countries do not have any cyber-specific laws on the statute book themselves or have only just started implementing them. International frameworks are welcome but perhaps limited in usefulness when national laws barely exist.
“It’s baby steps […] Nigeria only passed its first data protection regulation in 2020. We’ve only just had our Data Protection Act in June this year. Before you start talking about UN treaties, you need to ask how many African countries actually have laws in place themselves to protect people from these risks? The problem with international conventions and treaties is that you could be putting the cart before the horse.”
Even where national laws do exist, attempts to implement further rules on a regional or international level can often be fraught with issues. Rotimi Ogunyemi, a technology attorney and chair of the Nigerian Bar Association Section on Business Law, tells African Business that while the treaty could theoretically “allow for uniformity in cybersecurity provisions,” but that this will not necessarily work in practice. There is also no guarantee that, should the UN treaty be passed, governments will adopt its provisions.
“Regional efforts have been made, such as the ECOWAS Regional Cybersecurity and Cybercrime Strategy, and the African Union’s Malabo Convention, but adoption has been limited,” Ogunyemi says. “The treaty’s potential benefits are tempered by varying views on digital governance across African countries and challenges stemming from institutional and technical incapacities.”
Some sections of the draft treaty have already proved controversial, with critics warning that vague wording could offer authoritarian leaders an opportunity to clamp down on free speech online. This has already proved to be a problem in several African countries. Earlier this year, the Senegalese government shut down access to the internet and restricted the use of social media following protests regarding the imprisonment of opposition leader Ousmane Sonko. Ethiopia, Sudan, and Tanzania are just some of the African countries to have enforced internet limits during times of protest or political instability.
Ogunyemi tells African Business that “Article 29 empowers states to collect real-time traffic data of “specified communications” within their territory. This provision raises privacy concerns and calls for careful consideration of the scope and definition of the term.”
Ogunyemi is also concerned that Article 28 of the treaty, which concerns the search and seizure of stored digital information, as well as Article 30, which outlines the situations in which authorities can intercept content data, could be misused and “pose a potential risk to free speech online.”
He cites several case studies which illustrate the potential risks. In Nigeria, the Cybercrimes Act of 2015 has criminalised online content deemed to be merely “annoying” or “insulting,” which Ogunyemi says “has allowed politicians and those with access to state resources to weaponise the law.”
The former president of Zambia, Edgar Lungu, passed similar regulations that were fiercely opposed by civil liberties groups, including Amnesty International. Current President Hakainde Hichilema campaigned to repeal the laws, and in office has agreed to “reconsider” them, but they are still on the statute books. Côte d’Ivoire has also seen cases of defamation laws being used to convict journalists of criminal offences for articles exposing corruption and other politically inconvenient stories.
“These examples demonstrate how laws intended to regulate speech and expression can be exploited by governments to suppress opponents and activists in the digital realm,” Ogunyemi says. “The draft treaty’s provisions, if misused, could further erode trust in international law as a safeguard for free speech and human rights, raising serious concerns about the potential impact on free expression and civil liberties.”
Despite the potential challenges associated with the treaty, there are also hopes that, if regulations are implemented effectively and appropriately, this could support the growth of Africa’s tech industry.
While Madaki cautions against “regulation that restricts innovation too much and creates barriers to entry,” Ogunyemi believes the treaty could “significantly impact African tech companies’ competitiveness.”
“The draft treaty’s Chapter VI addresses major threats to businesses and takes a proactive approach to cybercrimes,” he notes. “The chapter emphasises collaboration between the public and private sectors and the need to share experiences and perspectives to develop optimal preventive measures. If effectively implemented, these measures could reduce cybercrimes and their detrimental effects on businesses.” Ogunyemi also points out that the treaty provides strong protection for intellectual property which could “encourage further research and innovation within the African business community.”
There are certainly risks involved with regulating cyberspace. But as the proposed UN treaty shows, along with laws that have already been implemented in Europe and other developed markets, countries around the world are taking more and more steps to crack down on virtual crime. Ogunyemi suggests that Africa’s tech firms will need to recognise this and keep up with regulatory trends, particularly if they wish to expand outside of their national borders.
“The financial toll of cybercrime has hindered innovation and growth, particularly threatening new startups,” Ogunyemi says. “The treaty’s global perspective will foster confidence in international collaborations and expand market access for African businesses.”
Source: African Business