The advent of the internet and the dotcom era has strengthened the notion that the world is a global village. The internet has simplified human activities which could have been cumbersome.
The use of the internet has surge astronomically. Over 3,440,839,840 people are connected to the internet, accounting for 40% of the world population, and more than 1,070,397,120 websites have been created. The world internet usage and population statistics as at June 30, 2016 showed that Africa with a population of 1,185,529,578 has 339,283,342 internet users.
The internet has provided easy access to information, simplified investigation for security agencies, enhanced social network, and advanced business to consumer sales (e-commerce).
However, the adage that every good thing has a dark side has found expression even in internet usage. Notwithstanding the laudable benefit of the internet, there are peril associated with it. The internet is continuously buzzing with vices which threatens the security of Nations, businesses of conglomerates, and the privacy of individuals. These vices have been qualified as cyberattacks. Cyberattacks include but are not limited to hacking, mail bomb, trojans, web defacement, Denial-of-Service (―DoS‖), trap doors, spoofing, phishing, and vishing. These cyberattacks have resulted in theft of data and money, destruction of data, extortion, distribution of pornography, and disruption of online services amongst others.
The essence of this article is to discuss the growth of e-commerce in Africa, the threat posed by cyberattacks to Africa and the African Union Convention on Cyber Security and Personal Data Protection (the ―Convention‖) as it relates to cybersecurity.
E-commerce in Africa
E-commerce has made purchase of goods and rendering of services easy. With a single click, goods could be purchased, shipped and delivered anywhere in the World within a short time. E-commerce has enabled companies to reach customers in countries where they do not have a physical presence. Enormous transactions are concluded daily on the internet which sum up to billions of dollars annually.
Statistics showed that in 2013, global e-commerce sales amounted to $839.8 billion and is expected to reach $1.92 trillion this year (2016). Meanwhile in 2013, e-commerce sales in the Middle East and Africa accounted for 2.2% of global e-commerce sales. With a projection that this could increase between 2016 and 2018 from 2.4% to 2.5%. The projection demonstrate that Africa is an emerging e-commerce market.
Due to the global nature of the internet, cyberattacks have become transnational. Every gadget connected to the internet is prone to cyberattack. The proximity of the Cyber-attacker is irrelevant, as the illicit act could be conducted from any location.
Statistics divulged that up to 60,740 websites could be hacked daily. The 2016 Symantec Report noted that there were more than 430 million new unique pieces of malware in 2015, a 36% increase from 2014. The number of zero-day vulnerabilities discovered in 2015 more than doubled to 54, a 125% increase from 2014. According to Laura Ani―IT revolution has brought about a vast array of aides and conveniences that have indelibly influenced modern communication, travel, security and commerce. However the massive gains brought by the information age are not perfect, with the pervasive correlation of human activity with electronic resources and infrastructure there is a crucial vulnerability, which is the ever present risk of abuse, insidious manipulation and sabotage of computer and computer networks.
Individuals, Companies, and Countries have been victims of cyberattacks. In 2013, the financial security system of Target was hacked, this led to the loss of the credit and debit cards of up to 40 million customers. This affected the shares of the Company as its shares fell by 46% year-on-year in the fourth quarter of 2013 to $520 million. In 2015, the Office of Personnel Management of the United States was hacked and the breach led to the loss of data of approximately 21.5 million people made up of both current and former federal employees. In January 2016, Ireland’s National Lottery website and ticket machines were knocked offline after a DoS attack.
Africa has also been a victim of cyberattacks. In East Africa, governments are the top target for cyberattacks (33%), telecommunications (22%), and financial services (17%). Cyberattacks has caused Kenya up to 2 billion Kenyan shillings (over $23 million). In 2013, Google Kenya website was hacked.
A 2011 Deloitte Touche survey revealed that financial institutions in Kenya, Rwanda, Uganda, the United Republic of Tanzania, and Zambia had registered losses of up to $245 million due to cyber fraud. In the first half of 2013, the Banks in Zambia lost more than $4 million to cybercrime.
In February 2016, the database of South Africa was hacked. Identities, details and passwords of approximately 1,500 government employees were posted online.
In May 2016, the website of the University of Limpopo was hacked. Other than leaking exam papers, the details of over 18,000 students were leaked.
In Nigeria, the websites of the Nigerian Police Force and the Central Bank of Nigeria have been hacked According to Dr. Vincent Olatunji, Nigeria has experienced 3,500 cyberattacks between 2015 and 2016, with over 70% success rate and a loss of $450 million. According to Adebayo Shittu, Nigeria loses up to N127 billion yearly to cybercrime, which is 0.08% of her Gross Domestic Product. In addition, Nigeria is ranked third in the world for cybercrimes.
Cyber Security Regulation in Africa
The deleterious effect of cyberattack has been dominant in Africa, but ignored, and in most cases, it has been dealt with internally by companies as an information technology problem without any coordinated continental effort to nip it in the bud.
Africa did not have any pan-African regulation on the internet and computer usage until 2014. While the European Union (―EU‖) in 2012 had its comprehensive regulation to govern cybersecurity. In addition, the EU parliament on July 6, 2016 approved the first community-wide rules designed to bolster cybersecurity throughout the EU.
In addition, Nigeria and South Africa which boost of the largest economies in Africa dragged their feet on the enactment of cybersecurity laws. South Africa enacted her cybersecurity law in 2002 while Nigeria stalled until 2015. When compared with other Countries, it is clear that African Countries arrived late to the party. The United States in 1984 made her first attempt at enacting a law
to curtail fraud and related activity in connection with computers. Chile in 1993, China in 1996, Brazil in 2000, India in 2000, and Australia in 2001.
Now that Africa has a cybersecurity Convention, the questions that may confront the Convention are, how effective is the Convention? Has it resolved most, if not all issues arising from cyberattacks and crimes?
The Convention was adopted on June 27, 2014 by the 23rd ordinary session of the African Union (―AU‖) Assembly made up of 54 Member States. The Convention is a demonstration of the AU to establish a legal framework for information in Africa. It is worthy of note, that the main impediment to the expansion of e-commerce in Africa is lack of a continental policy to regulate e-commerce and ensure cybersecurity. The terminus of the Convention therefore, is to protect personal data, regulate e-commerce, and ensure cybersecurity.
Acts that constitutes Offence under the Convention
Offences under the Convention are in 4 categories:
- Attack on Computer systems;
- Computerised data breach;
- Content related offences; and
- Property offences.
The Convention enjoin AU members to enact laws that criminalise acts that may fall under these categorises.
a. Attack on Computer systems
According to the Convention, an attempt to obtain or obtain unauthorized access to a computer is an offence. Exceeding authorized access to a computer is also an offence. Also constituting an offence is an attempt to obtain or obtain unauthorized access to a computer with intent to commit another offence or facilitate the commission of an offence. The Convention neither define ―unauthorized access‖ nor ―exceed authorized access.
In the same vein, it is an offence to hinder, distort or attempt to hinder or distort the function of a computer system. The Convention did not criminalize conspiracy to hinder or distort the functions of a computer system.
An attempt to enter or entering of ―data fraudulently‖ in a computer system is regarded as an offence. This pertains to entry of data on a computer without consent, which is the same as entry of data
without authorized access. Thus covered under Article 29(1) (a) of the Convention. Of importance is an attempt to enter or entry of ―fraudulent data‖ on a computer system. Bizarrely, the Convention criminalized the entry of ―data fraudulently‖ without criminalizing entry of ―fraudulent data‖. The implication is that fraudulent data may be entered on a computer so long as the holder of the fraudulent data has authorized access to a computer. But a counter-argument here is that, the Convention criminalize continuous act of fraud or attempt to remain fraudulent in part or all of a computer system
Similarly, it is an offence to damage or attempt to damage, delete or attempt to delete, deteriorate or attempt to deteriorate, alter or attempt to alter, change or attempt to change Computer data fraudulently.
b. Computerised Data Breach
Under the Convention, acts that would constitute computer data breach include:
- The interception or attempt to intercept computerized data fraudulently by technical means during non-public transmission to, from or within a computer system;
- The alteration or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic. An intention to defraud may be required before criminal liability attaches;
- To knowingly use data obtained fraudulently from a computer system;
- To fraudulently procure, for oneself or for another person, any benefit by inputting, altering, deleting or suppressing computerized data or any other form of interference with the functioning of a computer system;
- Negligence in the processing of data without complying with the preliminary formalities for the processing; and
- Participating in an association formed or in an agreement established with a view to preparing or committing any of the offences under the Convention.
c. Content related Offences
Under this category, any act in respect of child pornography is regarded as an offence.
Promoting racism or xenophobic through a computer system constitute an offence. Any threat or attack of a person through a computer system due to race, color, descent, national or ethnic origin or religion is an offence.
More so, deliberately denying, approving or justifying acts of genocide or crimes against humanity through a computer system is an offence.
The Convention require Member States to take necessary legislative measures to criminalize the violation of property such as theft, fraud, handling of stolen property, abuse of trust, extortion of funds and blackmail involving computer data.
In addition, the Convention criminalize the use of computer systems for terrorism and money laundering.
It is noteworthy, that the AU realized that Member States would need to amend their criminal laws in order to give effect to these offences. Thus, Member States are urged to amend their criminal laws to include ―by means of digital electronic communication. The purpose of this inclusion is to ensure that the substantive criminal law of the Member States reflect the use of computer and other electronic devices for the commission of a crime is an offence.
To add more, the Convention require member States to enact laws that would restrict access to protected systems classified as critical National defense infrastructure due to the critical National security data they contain.
Liability for Offences
Under the Convention, any party including State, Local Communities, Public Institutions, Natural Persons, and Companies may be liable held liable for cybercrime.
Sanctions for Offences
The Convention enjoin Member States to legislate on the punishment that would be proportionate to the cybercrime committed. However, the Convention has recommended some sanctions, which are:
- Injunction; and
Admissibility of Digital Evidence
The Convention enjoin Member States to legislate on the admissibility of digital evidence for the purpose of establishing offenses under their National criminal law. In admitting the digital evidence, the Convention require that it must have been tendered before the Court, originated from an identifiable person, made out and retained in a manner capable of assuring its integrity.
The decision of the AU to recognise, and regulate data protection, e-commerce, and cybersecurity in Africa is laudable. Although the Convention may be imperfect, it is a good start.
The Convention is required to be ratified by at least 15 AU Member States before it would come into force. Surprisingly, only 8 Member States have signed the Convention and it has not been ratified.
It is expected that when the Convention becomes effective, that it would attract more technological investment to Africa, foster e-commerce, secure the cyberspace, gradually mitigate cyberattacks, and punish cybercrimes.
Overall, the Convention is a clear indication that Africa is joining the rest of the World to ensure cybersecurity.