Africa’s Evolving Cyber Threats

African governments face a fast-evolving array of digital threats from espionage, critical infrastructure sabotage, organized crime, and combat innovation.


Johannesburg, South Africa. (Photo: Andrew Moore.)

In June 2020, the Ethiopian Information Network Security Agency (INSA) thwarted a cyberattack from an Egypt-based actor known as the Cyber_Horus Group. According to INSA, the purpose of the attack was to create significant “economic, psychological, and political pressure on Ethiopia” over the filling of the Nile River’s Grand Ethiopian Renaissance Dam (GERD). The GERD was at the time and continues to be a significant source of tension between Ethiopia and Egypt. Though Ethiopian authorities claimed to have averted a broader attack, the Cyber_Horus Group did manage to hack into a dozen or so government webpages, posting messages threatening war if Ethiopia began filling the dam.

These attacks illustrate the rising significance of cyber threats to African national security. A broad range of actors participate in these activities, from lone-wolf hackers to nation-states, who have varying capabilities and intentions. Yet, African governments and security sector actors have only just begun to identify and respond to the ways in which digital technology is transforming African security. Four major categories of security activity merit attention: espionage, critical infrastructure sabotage, organized crime, and the shifting contours of the African battlefield.

Espionage

Espionage, or hacking into adversarial systems to extract sensitive or protected information, is the most pervasive use of state-sponsored cyber capabilities. The rapid diffusion of cyber capabilities and surveillance technology gives a wide range of actors operating in or targeting Africa the ability to conduct cyber espionage. For example, Pegasus malware, among the most sophisticated pieces of espionage software ever invented, was recently discovered to have infected systems in 11 African countries. The attackers were likely engaged in both espionage and domestic surveillance and appear to have come both from within and outside of Africa, with some targeting multiple countries.

The greatest concerns surrounding cyber espionage in Africa have been linked to China. In 2018, it was reported that all of the content on the servers in the African Union’s (AU) headquarters was being routinely transmitted to Shanghai after network engineers noticed a spike in usage between the hours of 10am and 2pm. Though African engineers acted to replace these servers, Chinese hackers continued to spy on the AU by stealing footage from surveillance cameras. They hid their tracks by transmitting the information back to China during normal business hours.

The espionage threat to the AU from China is so far reaching, in part, because of China’s role in providing the AU with ICT infrastructure. The Chinese built the African Union’s headquarters, which enabled China to build backdoors into AU servers and plant listening devices. China may have similar capabilities elsewhere in Africa, where it has built up to 80 percent of all existing telecommunications networks and set up government networks in over 20 countries.

Critical Infrastructure Sabotage

Everything connected to an information network—energy grids, telecommunications networks, banking, government, and military systems—is vulnerable to sabotage if the information network is disabled. The most damaging and sophisticated cyberattacks, such as the Stuxnet worm (which damaged Iran’s nuclear infrastructure) and Russia’s cyberattacks on Ukraine in 2007 (which caused an estimated $10 billion in damages and took the radiation monitoring system at Chernobyl’s nuclear power plant offline), were state-sponsored acts of cyber sabotage.

In Africa, attacks on critical infrastructure are becoming frequent. Banks are particularly common targets, losing billions of dollars to theft and service disruption. The National Security Agency of Nigeria and the municipal government of Johannesburg have each been victims of attacks that shut down services or leaked sensitive information. With cyberattacks against maritime infrastructure on the rise, ranging from piracy to stealing database logs, experts worry that Africa’s ports and shipping industries could suffer an attack causing major disruptions in trade and commerce.

Tin Can Island Port, Nigeria. (Photo: businesstimesng.com)

Cyber sabotage often has unpredictable consequences and is not always the work of sophisticated actors. One of the continent’s most damaging cyberattacks occurred in Liberia in 2016, when an overzealous hacker employed by one major telecommunications company sabotaged the network of a rival. This resulted in half the country being cut off from bank transactions. Liberia’s information minister, ostensibly in charge of the country’s response, was cut off from internet access and was left asking for help on French radio. Despite Liberia’s appeals abroad for assistance, authorities did not make arrests until after the software employed in the attack was used to disable Deutsche Telekom, the German telecommunications giant, months after the attacks began.

As internet penetration rises and systems become more connected, critical infrastructure across Africa will likely become even more vulnerable to costly, disruptive cyberattacks.

Organized Crime

Malicious cyber activity is often driven by financial motives. Cybercrime is of central concern to the African business community, which in 2017 lost an estimated $3.5 billion to cyber fraud and theft, and consistently ranks cybercrime as one of the top threats it faces. Most low-level cybercrime, such as illegal spam or SIM-boxing, does not pose significant risks to African national security.

However, the spread of cyberspace is giving rise to new, destabilizing forms of organized crime characterized by explosive growth and transnational reach. In the past decade, the Business Email Compromise (BEC) scam has grown to become one of the most profitable and prominent threats, resulting in $26 billion of losses globally between 2016 and 2019. BEC groups are loosely affiliated transnational networks that use state-of-the-art malware and phishing techniques to steal from unsuspecting businesses, governments, and organizations. One of the most prominent BEC actors, a group called SilverTerrier, consists of several hundred individuals, most of whom are situated in major cities in Nigeria. Others are scattered elsewhere across the world, including the United States, which is the world’s second largest hub for BEC activity. SilverTerrier has created over 81,000 pieces of malware, conducted 2.1 million attacks, and caused billions of dollars in damages to individuals and organizations inside and outside Africa.

Rising internet penetration and advances in digital technology are also beginning to alter the financing and market dynamics of more traditional organized crime. Through Facebook, Instagram, and other more hidden “darkweb” platforms, African criminal networks are increasingly trafficking illicit diamonds, small arms, humans, art, and artifacts online.

Emerging Technologies Reshaping the African Battlefield

ICT and related technologies such as drones, artificial intelligence, and the expansion of 5G networks are also having growing consequences for military operations and battlefield tactics, from air combat to ground warfare. Though they have yet to diffuse widely or be fully integrated into modern combat, the proliferation of emerging technology will likely increase the importance of intelligence, precision, and automation in wars of the future.

Information systems are both a source of advantage in terms of intelligence as well as a vulnerability if security forces become too reliant on them and they are hacked, disabled, or repurposed. An early and revealing example is that of Syria, whose highly regarded air-defense network was disabled by an Israeli cyber operation during a 2007 attack on a suspected nuclear weapons program. More recently, in the conflict over Nagorno-Karabakh, Azerbaijan prevailed in part by deploying drones and other autonomous weapons that avoided Armenia’s air defense and electronic warfare systems.

The technology that has the greatest potential to transform the conduct of war in Africa over the coming decade is the drone. Because of its autonomous nature and loitering ability, the drone substitutes for and in some cases even supplants traditional aircraft. In addition, low costs—some models can be acquired and weaponized for as little as $650—carry wide appeal for actors seeking to maximize their efficiency. Drones are already used by 14 African countries and have been acquired and used for intelligence purposes by African militant groups. The use of surveillance drones by the Nigerian extremist group Boko Haram, which are reportedly more sophisticated than those used by the government, has contributed to Boko Haram’s escalation.

An example of the Chinese-made CASC CH-3 drone, used by the Nigerian Air Force. (Photo: tvd.im)

Libya, where drones have become widely integrated into combat operations on all sides of the conflict, provides a telling illustration of how emerging technology is influencing modern warfare. The defeat of Khalifa Haftar’s Libyan National Army during its 2019 offensive against Tripoli has been widely credited to Turkish intervention, and to Turkey’s deployment of superior intelligence, surveillance, and reconnaissance (ISR), drone, and electronic warfare capabilities.

Lagging Government Responses

So far, the response by most African governments has not kept pace with the rapid evolution of the cyber threats their countries face.

The lack of an effective response is due, in part, to deficits in capacity. The continent faces a growing 100,000-person gap in certified cybersecurity professionals. Many organizations, businesses, and agencies lack basic cyber awareness and fail to implement rudimentary cybersecurity measures. Governments frequently fail to monitor threats, collect digital forensic evidence, and prosecute computer-based crime. Ninety-six percent of cybersecurity incidents go unreported or unresolved, meaning that cyber threats in Africa are likely much worse than recognized.

The deficits in capacity are compounded by slow progress in formulating and passing foundational cyber policies. Only 15 African countries have completed national cybersecurity strategies, which lay out strategic objectives and assign government-wide responsibilities for cyber threat monitoring and response. Eighteen have established the equivalent of national computer incident response teams (CIRTs), or multi-stakeholder groups of cybersecurity professionals who help countries respond to and recover from major security incidents. Only six African countries have ratified the Budapest Convention on Cyber Crime and eight the African Union Malabo Convention on Cybersecurity and Personal Data, two important treaties that help African nations share threat information, set uniform standards, and benefit from technical assistance and cooperation from the international community.

The problem is even more acute in the African security sector. Security sector leaders often lack basic awareness of the increasing intersection between digital security and national security. Narrowly, this has meant that the incorporation of information, communications, and related technologies by African security forces into military strategies, operational plans, and tactics remains at an incipient stage. African countries are unprepared to address some of the continent’s more serious, rapidly evolving cyber threats. One particular concern is addressing how African governments might respond to cyberattacks by external state actors, which, due to their expertise, sophistication, and ability to place malware into critical ICT infrastructure, are among the hardest to monitor, deter, and plan for.

The lack of knowledge of cyber issues has contributed to a lack of effective regulation and oversight, while amplifying opportunities for abuse. Ambiguous and broad information security laws give African governments authority commonly used to track political opposition, crack down on political dissidents, and limit freedom of expression. African governments have shut down the internet dozens of times in recent years in attempts to quell dissent, and have worked with intelligence firms and governments from all over the world to acquire powerful, and largely unregulated, digital surveillance capabilities.

Takeaways

To manage the continent’s growing array of cyber threats, African governments will have to increase investments in cybersecurity capabilities, national strategies and policies, and CIRTs that meet international standards. A truly effective response, however, will require more than just importing expertise and good practice from abroad.

African governments could benefit from greater regional cooperation. Given that they are among the countries most vulnerable to cyberattacks, it is in the interest of African nations to be more engaged in international fora currently developing norms around state behavior in cyberspace and the use of lethal autonomous weapons. Such fora could help foster collective agreement and deter some of the most harmful uses of emerging technology, such as cyberattacks against critical infrastructure, election interference, or the use of drone swarms to inflict mass civilian casualties. The ratification of the Malabo Convention, which requires member states to identify and protect critical information infrastructure from all forms of threats, is an important first step.

Several priorities stand out for security sector actors. First, they should strengthen defensive systems by protecting military computers, communications networks, and other critical security infrastructure from cyberattack. Second, they should build capacity to monitor and respond to espionage, sabotage, or illicit resource transfers by organized criminal networks and state actors. Finally, and not least, armed forces across the continent will need to integrate broader advances in ICT and related technologies into military strategies and tactics.

At the same time, it is crucial that African governments adopt multi-stakeholder policies and legal frameworks that leverage nongovernment expertise and ensure adequate oversight of security actors wading into the ICT arena. The open nature of the digital revolution means that decisions over how to monitor, control, and employ digital technologies are best not left solely to the security sector. Much of the cyber community’s expertise and human capital lies in the private sector. Even more importantly, the tendency of African governments to adopt security-centric, heavy-handed approaches in information environments should be mitigated. This will require strong and specific legislation that governs the use of private data, deference to civilian authorities in crafting and implementing national cyber strategies and policies, and accountability to opposition groups, independent experts, and civil society. Digital rights, which are essential to safeguarding citizen security, must be respected.

In one crucial respect, cyber threats are the same as physical ones: to effectively confront them, African governments will have to abide by sound security sector governance principles.