Since 2015, security experts have forecasted government and commercial online services as the next frontier for illegal activity in Africa. The large gap in available data regarding cybercrime in Africa hinders effective counter measures, which is largely due to the absence of measuring tools and control of cyber crime. Government websites are under increasing threat, as instead of creating their own systems from scratch, governments tend to use existing popular templates, which are easily breached. African governments using such systems often contain sensitive information, thereby enabling identity theft through stolen personal details. In the commercial respect, most African-based businesses – predominantly small and medium-sized – are unable to withstand cyber-attacks, with many going undetected for up to a year. A typical mid-sized business in Africa will have at least one or two internet exposed systems with little or no security to detect or prevent an attack. Such systems will utilise default passwords, thus creating vulnerabilities that are undetected by internal technology or ICT support. The promising e-commerce industry in Africa is also expected to expand to ~$75bn by 2025, and along with it numerous growing cyber threats.
The evolution of cyber crime has lead to more sophisticated attacks in Africa, from password theft to credit card fraud and attacks on entire computer networks, with hundreds of millions of African cyber attacks on an annual basis. Serainu ranked the government and banking sectors as being most vulnerable to cybercrime in Africa (2016). 96% of African organisations including banks, spend on average less than $5,000 on cyber security annually. Due to the invisibility of the threat, many African countries have no specific cyber legislation, leaving shrewd cybercriminals to increasingly target developing countries. This, combined with existing cyber laws that are not strictly enforced and a general lack of awareness of cyber security measures, has created a permissive environment for cyber crime in Africa. Most African countries struggle to crack down on cyber crime, mainly due to budgetary concerns and poorly trained staff, making the war against cybercrime in the financial sector particularly challenging. The most important Pan-African legal document is the Convention of the African Union on Cybersecurity and the Protection of Personal Data, adopted June 2014. Despite this, the 2017 Global Cyber Security Index of International Telecommunications Union named the African continent as demonstrating the lowest level of commitment to cyber security.
A breakdown of key statistics for most affected African countries can be seen below:
Africa is home to a population of about 1.21 billion people, with the youngest population in the world (median age of 19.5 years). The increased use of technology and smart phone ownership heightens cyber risks and vulnerabilities. Before the millennium, Africa only hosted 4.5 million internet users; since then, close to 400 million users are online. Internet connectivity and mobile phones provide unprecedented opportunities for the dissemination and sharing of suspicious data. The African market is already saturated with cyber hackers, who are constantly developing new techniques to access valuable data for ransom, steal from financial institutions, and blackmail governments and companies. Such cyber attacks can potentially cripple African economies, companies and society, without the existence of collaborative and strong defensive cyber mechanisms in place.
Globally, smartphones have been identified as an increasingly attractive target for cyber criminals investing in more high-level attacks, as they are effective in stealing personal data or financial extortion. In 2014, the growth in new vulnerabilities in mobile software worldwide rose by an astonishing 214%. In South Africa alone, 47% of smartphone users experienced mobile cyber crime (2013), whilst in Nigeria, more than one in every seven mobile devices is currently infected with mobile malware (2016). The constant rise in mobile malware targeting Android systems is a matter of concern, considering 89% of the smartphone market share in Africa runs on this platform. The past decade saw mobile phone networks and online banking transform the communications arena in Africa, allowing the continent to catapult the landline generation of development to settle directly in the digital age.
“Africa rising” is the term coined to reflect the new Africa, its expanding middle class and swift adoption of mobile technology. With cybercrime increasing at a more rapid rate in Africa than anywhere else in the world, experts estimate 80% of personal computers to be infected with viruses and other such malicious software. A vast number of domains have the amalgamation of extremely weak networks and information security, leaving the continent prone to cyber-related threats. In 2012, the number of targeted cyber attacks in Africa saw a 42% increase; 31% of which were categorised as cyber espionage, targeting both large and small businesses, with individual consumers also falling prey to viruses and other such cyber threats. In major African cities (Cairo, Johannesburg, Lagos and Nairobi) the rate of cyber connected disruptions aided by internet communications doubled between 2011 and 2014. The CEO of Rwanda Information Society Authority (RISA), Mr. Innocent Muhizi, claimed cyber security in Africa to be “…a growing concern for African organisations as technology evolves. African economies are not yet ready to avert cyber-threats due to lack of adequate expertise to contain these attacks…Urgent action is needed to create [a] safe operating environment for digital economies on the continent to thrive”.
Regarding money transfers, Africa is the world leader through mobile phones, with 14% of all Africans receiving money through mobile transfer. With the continent being home to some of the world’s largest mobile money transfer services – like Kenya’s Mpesa – mobile devices are naturally a primary target for cyber crime. The Internet of Things (IoT) is an easily adoptable solution, given the continent’s ability to leap-frog infrastructure-reliant communications. For instance, in South Africa, smart meters have already been installed as a way of measuring energy usage. Similarly, in Rwanda, SIM cards were connected to POS terminals to accommodate credit card payments. However, despite the revolutionary nature of IoT solutions in Africa[i], its main feature of content sharing among relevant platforms, data security, privacy and hacking risks are of the utmost concern.
In order for Africa’s growing digitization to reach its full potential in face of skilled cybercriminals, policymakers need to implement more effective policies and awareness initiatives. Still, reliable threat information relating to cyber crime in the region is required. This lacking information is crucial to governments in assessing and managing cyber risks, as well as the need for increased cyber expertise. In East Africa, Kenya has the highest number of professionals with 1,400 cyber experts, and Tanzania having the lowest number at 250. In most cases, half of them are not trained or receive ad hoc training when a cyber incident occurs. The borderless nature of cyber crime means as the African economy moves online, along with its citizens and computer systems, the continent’s IT infrastructure becomes an enticing target for professional cyber crime. In 2016, African countries lost $2bn in cyber attacks, with East African major losses including: Kenya at $171 million and Tanzania at $85 million.
How does Africa counter the increasing cyber threat? How do the political, commercial, financial and corporate sectors better defend and protect their cyber systems from being breached? The first step is to identify the threats, structures, main actors, targets, strengths & weaknesses, and the forums used to carry out attacks.
[i] For instance, IoT tech. is being used in eastern and central Africa to protect endangered Black Rhinoceroses from poachers. The technology features an RFID chip, which is embedded into the Rhino’s horn, and an ankle monitor to locate the animal, as well as an alert should the horn be removed from the animal. The IoT tech. can even be used to monitor the Rhino’s vitals.
This article is part of the RED-Alert project, funded by the European Union’s Horizon 2020 research and innovation Programme under grant agreement No 740688.