East Africa’s Cyber Security Strategies

November 21, 2013

East African governments have recently announced that they will soon begin developing cyber security strategies and assessing their IT security frameworks in order to tackle crimes related to cyber activities. In a region of an estimated 136 million people, governments have revealed that work will soon start on a new strategy expected to strengthen the alignment of cyber risk management within the East African Community countries. Some members have hired experts to help develop a domestic strategy that sets out governance structures and lines of accountability for IT security operational capabilities, cyber security risk, cyber security workforce skills, management of cyber threats and cyber security emergency response. I think that before new strategies are adopted, there is a need to assess the effectiveness of each country’s IT security standards and policies, as well as different sectors’ approaches to data and system protection. Various sectors in the East African region are heavily reliant on ICT in delivering services as well as in managing internal business and activities. There are genuine emerging threats to information security that pose an escalating risk for ICT systems in the region, and any effort to examine the appropriateness of IT security policy direction, standards and processes, the role of the agencies handling the systems and the effectiveness of current IT security controls is crucial to the development of the region.

The ability of public sector bodies in East African countries to combat cyber security threats, and the understanding of such threats by senior managers, varies depending on the country. While in Uganda, Kenya and Tanzania there are good technical people working in cyber security across the public sector, the same is not the case in Burundi and Rwanda. Standardizing cyber security strategy in totality is not the solution to current and future problems. Each country should establish a steering team drawn from across local and central government and the wider public sector to oversee cyber security strategies from the outback to metropolitan areas. Such teams need to understand the risks that are supposed to be managed and what strategic investments governments need to make. With technology changing fast, security strategies must focus on core issues that do not change, and there is a need for the region to have greater control of cyber security issues. That will entail a wider management understanding of security procedures, training of security-cleared staff within the public sector, and more widespread understanding and sharing of threat information among the five countries that make up the East African Community regional economic bloc. Studies have shown that many parts of the public sector in the region still have some way to go, and very few have good information security infrastructures.

There is also a need for governments to regularly review the plans they have in place to deal with cyber security. Government agencies and relevant sectors should develop computer emergency response teams. The task of stakeholders is to ensure systems and networks are as safe as possible, to inspire confidence and trust in the privacy of data and information so that the digital economy can grow and prosper. In Tanzania, Kenya and Uganda, companies have been accused of outsourcing their responsibility to protect customer information by failing to ensure that the third parties they engage with have proper security in place, although so far there has been no major data breach. The lack of a legal framework to compel companies to comply with universally acceptable data protection laws has led to companies failing to protect information entrusted to them by customers, with telecom companies and banks among the worst offenders. East Africans should make sure, when they hand over data to organizations, that they have been reassured that the information will be protected. Lack of investment in the region has led more than 70% of companies to outsource key functions to third parties, on the grounds, as they always claim, that these functions are not their core area of business. In my opinion, they do have a responsibility themselves to ensure that any third parties they engage with have the proper security in place, because legally a company cannot transfer the responsibility for information collected.

Cyber security is important to East Africa and Africa as a whole because a high level of network security will contribute to the development of the required market environment and the confidence that will enable the progress of societies. As noted in recent reports of cyber crime statistics, the consequences of cyber security incidents can be serious and wide-ranging, and depending on the target and its size, the financial impact alone can be immense. Cybercrime also affects brands, compromises customer confidence, violates compliance mandates, and weakens the ability to generate revenue. There is a need to focus on training, because hard evidence from cyber crime research shows that infrastructure alone is not the weakest element; inadequately trained staff have been cited as a security threat, and that is a major security risk. East African countries must look at the importance of the effective implementation of cyber security strategies. The successful exploitation of oil and natural gas exploration in Uganda and Tanzania respectively means there will be a high level of network and information security. This means that cyber security is important and will contribute to the development of the required market environment and trust, enabling the progress of the East African region as a safe and secure society.

Contador Harrison