SADC Harmonised Cyber Security Legal Framework

Prepared by: Dr. George Ah-Thew

Acting Senior Programme Officer ICT

Presented by Adilson Gomes (INCM – Mozambique)

Prepared for: 1st National Conference on Cyber Security

22 - 23 November 2018,

SADC Directorate of Infrastructure

Table of Contents• Background

• SADC Heads of States Declaration

• e-SADC Strategy Framework

• Digital SADC 2027

• SADC Harmonised Cyber Security Model Laws

• Institutionalising Cyber Security

• On-going and Future Work

Background• As of December 2017, the SADC average mobile penetration was

73.1% (ranging from 39.5% to 161%), corresponding to

230,671,681 active mobile subscribers;

• SADC average Internet User Penetration was 19.7% (ranging from

9.6% to 56.5%), corresponding to 62,349,800 Internet Users in

SADC;

• Increase in connectivity unfortunately also translates to

increase of cybercrime;

• Cybercrime in Africa is growing faster than any other continent;

• Cybercrime mostly perpetrated through social media networks;

• There is a need to inspire confidence and security for online users

by promoting a healthy and safe environment where e-Commerce

can thrive and all stakeholders can be assured that should they fall

victim to cybercrime there is recourse.

SADC Heads of States Declaration

• SADC Heads of States Declaration on ICT[August 2001];

• The Declaration on ICT identified five (5)priority areas of focus, namely:Regulatory Environment for ICT;

Infrastructure for ICT Development;

Community Participation and Governance in ICTDevelopment;

ICT in Business Development; and

Human Resource Capacity for ICT Development.

• The SADC Harmonized Cyber Security LegalFramework primarily falls under the two mainobjectives highlighted in Red.

e-SADC Strategy Framework• In May 2010, SADC created an ICT development

strategy called the e-SADC Strategy Framework;

• Developed through a SADC-UNECA collaborationunder the auspices of the DIS;

• Stipulates seven (7) strategic objectives and theSADC Harmonised Cyber Security LegalFramework fall under several of the above them.

Digital SADC 2027

SADC Harmonised Cyber Security Model Laws [1/3]

• Africa received a joint technical assistance from the EuropeanCommission (EC) and International Telecommunication Union(ITU) via the Harmonisation of ICT Policies in Sub-SaharanAfrica (HIPSSA) Project (2008-2013);

• ITU focused on three (3) fast developing regions of the world,namely; Africa, Caribbean and the Pacific island (ACP), hencethe projects HIPCAR and ICB4PAC;

• HIPSSA also built on the previous regional harmonization efforts(studies);

• HIPSSA assisted East, West, Southern and Central AfricanEconomic Communities;

SADC Harmonised Cyber Security Model Laws [2/3]

• Formulation of SADC Harmonised Cyber SecurityLegal Framework (ITU-HIPSSA) consisted of thefollowing model laws for the SADC Region:

E-Transactions/E-Commerce Model Law;

Data Protection Model Law; and

Cybercrime Model Law.

• Project started in November 2011;

• SADC and ITU put together a team of seven (7)Experts: one (1) Project Manager, three (3) InternationalLegal Experts and three (3) Regional Legal Experts;

• Included an assessment through a questionnaire to betteranalyze the existing legal instruments in SADC MemberStates;

SADC Harmonised Cyber Security Model Laws [3/3]

• In line with the ITU Global Cyber Security Agenda(GCA) of 2007 which provides a framework forinternational cooperation aimed at enhancingconfidence and security in the information society;

• Model laws are in conformance with the AfricanUnion (AU) Convention on Cyber Security and DataProtection;

• Multi-stakeholder validation workshop was held on 27th

February to 2nd March 2012 in Gaborone, Botswana;

• Model laws were looked at again during SADC ICTSCOM on 18th to 19th April 2012, in Balaclava,Mauritius;

• Model laws were approved by SADC ICT Ministerson the 8th November 2012 in Balaclava, Mauritius.

Institutionalising Cyber Security [1/2]

• Since November 2012, SADC Member States havebeen undertaking national transpositions of theSADC Harmonised Cyber Security Model Laws;

• SADC Harmonised Cyber Security Model Laws havebeen published and distributed to Member States.

• To date, all SADC Member States have eithertransposed the SADC Harmonised Cyber SecurityModel Laws or have a cyber-security legalframework in place. Some are also developing theirNational Cyber Security Strategy;

• The main institutional mechanism to implementcyber laws is the Computer Incident Response Team(CIRT);

Institutionalising Cyber Security [2/2]• To date, only four (4) Member States, namely;

Mauritius, South Africa, United Republic ofTanzania and Zambia had established an operationalCIRT;

• Eight (8) Member States, namely Angola, Botswana,DRC, Kingdom of Eswatini, Lesotho, Namibia,Mozambique and Zimbabwe have completed theITU CIRT Assessment and are awaiting theenactment of appropriate legislation tooperationalize their National CIRT;

• The process is currently ongoing for Madagascar andSeychelles;

• Botswana and Zimbabwe are being assisted by the ITUto implement their National CIRT;

• Malawi is presently designing its CIRT.

On-going and Future Work [1/2]• Implement the SADC Cyber Security Action Plan that was

approved in September 2018 in Namibia;

• Set up a SADC Cyber Security Capacity Portal to host SADCRegional On-line training materials and courses;

• Continue our efforts to facilitate capacity building workshopson Cyber Security;

• Ensure that all SADC Member States have completed theITU- IMPACT Assessment and are on track to havingtheir CIRTs Operation by December 2019;

• Ensure that SADC Member States are on track to ratifythe AU Convention on Cyber Security and DataProtection;

• Facilitate the establishment of the SADC Regional CIRT;

• Facilitate the collection and sharing of cybercrime statistics(Indicators) by National CIRTs for preparing a SADC AnnualCybercrime Report;

• Facilitate the deployment of a SADC PKI system and useof Digital Signatures in SADC.

On-going and Future Work [2/2]• Build a SADC Cybercrime Repository: Regional database

repository of cyber security policy, strategy and laws, lessonslearned and cybercrime cases dealt with;

• Collaborate with ITU to initiate Cyber Security Assessmentusing the ITU National Cyber Security Strategy (NCS)Toolkit of September 2018;

• Develop a SADC Model Cyber Security Strategy orGuidelines for Member States;

• SADC Secretariat and Member States to join the GlobalForum for Cyber Expertise (GFCE) to benefit from freecapacity building (cyber security best practice) initiatives(www.thegfce.com);

• Develop a list of harmonised indicators to measureprogress in cyber security commitment of all SADCMember States and to include these indicators under theSADC ICT Observatory;

• Encourage Member States to submit statistics data to ICTDevelopment Index (IDI) and Global Cybersecurity Index(GCI) to be ranked every year.

Thank you for your kind attention

Wishing Mozambique a successful 1st National Conference on Cyber Security

THANK YOU

MERCI

OBRIGADO

Por Eng. Adilson Gomes

Em nome de: Dr. George Ah-Thew

Email: gah-thew@sadc.int

SADC Directorate of Infrastructure