ECA Regional Perspective on E-Security Cyber security workshop & training 25-28 August 2008 Lusaka, Zambia Dr Sizo D. Mhlanga Regional Advisor ICT Policies & Strategies ISTD/UNECA
Contents General ECA’s response & International Frameworks Security status in Africa e.g. ECA programmes
Cyber Crime in Africa Limited connectivity and a smaller number of users are factors that currently shield potential African "targets" from most attacks - Africa is still very vulnerable to most major attacks; Africa is faced with weak underlying technology and inherently vulnerable software; Uninformed, misguided and malicious users contribute to the problem - lack of awareness & cybersecurity culture; Impact of increased capacity with weak or non-existent legal, regulatory & policy environments & insufficient security technology render Africa a lucrative entry point for cyber criminals using it as a hub to coordinate & launch attacks.
Network Security – Trust & Confidence IT is becoming more prevalent in Africa & users are more & more dependent on these systems - the Internet has created a borderless space for information exchange & the keyword for the deployment of Internet applications, e-gov, e-com, e-trade etc. is TRUST; As the Information Society becomes more & more important to business & society, ensuring the security of both the infrastructure & the information traversing through it is critical; Solutions to combat the security threats already exist but implementation is at times costly & complex & if poorly executed, may cause more problems than they resolve; This calls for systematic & careful planning - proper policies, laws, regulations & awareness can help mitigate the threat; Success depends on various key stakeholders & policies must be enacted & enforced by government, industry & individuals.
eGov: a key pillar of eStrategies eBusiness eLearning eGovernment eHealth Broadband (wired, wireless), multi-platform (PC, TV, mobile, …) Security
E-government index The Web Measure Index - 5 stage model (Emerging, Enhanced, Interactive, Transactional & Connected) measuring the country's online presence/absence; Telecommunication Infrastructure Index - 5 indices relating to a country's infrastructure capacity i.e. Internet Users; PCs; Main Tel Lines; Mobile phones; and Broadband availability/100 persons; Human Capital Index - composite index of the adult literacy rate & the combined primary, secondary & tertiary gross enrolment ratio.
ECA’s response - What is AISI? Launched in 1996 by African Ministers of planning, economic & social development; A vision for ICT development in Africa; A cooperation framework for partners to support ICT development in Africa Activities: Policy development; Training & capacity building; Sectoral applications; Infrastructure development
E-Strategies Regional Information and Communication Infrastructure (RICI) National Information and Communication Infrastructure (NICI) Sectoral Information and Communication Infrastructure (SICI) Village Information and Communication Infrastructure (VICI) [Diagram labels: AISI, RICI, NICI, SICI, VICI, SCAN-ICT, Stakeholder Involvement]
Policy process deliverables The inter-related Entities • Framework: Why? Baseline scenario • The Policy: What? Gov policy commitments on what needs to be done • The Plan: How? Policy commitments translated into concrete programmes [Diagram labels: Policy, Framework, Plan]
The AISI and security Within the AISI framework, the security aspect is addressed in: The formulation of National and Regional ICT policies and strategies; and The design of legal frameworks for the Information Society.
International Framework • Resolution adopted by the UN General Assembly [on the report of the Second Committee (A/58/481/Add.2)] 30 Jan 2004 • 58/199. Creation of a global culture of cybersecurity and the protection of critical information infrastructures • WSIS Plan of Action • C5. Building confidence and security in the use of ICTs - Confidence and security are among the main pillars of the Information Society • Connect Africa goal (Oct 2007) Goal 5. Adopt a national e-strategy, including a cyber security framework and deploy at least one flagship e-government service as well as e-education, e-commerce and e-health services using accessible technologies in each country in Africa by 2012, with the aim of making multiple e-government and other e-services widely available by 2015.
e-Security in Africa Legal Framework Countries with laws on electronic signatures: Mauritius, Tunisia, Cape Verde, South Africa, Egypt… Countries with Draft laws on electronic signatures: Algeria, Burkina Faso, Cameroon, Morocco, Senegal EAC - Regional e-Gov framework was approved in Nov 2006 & there is a Regional Taskforce, spearheading the development and implementation of the Regional legal framework for cyber laws.
PKI Development in Africa A PKI (public key infrastructure) - enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair South Africa (Private Sector: Thawte - a certificate authority (CA) for X.509 certificates - an ITU-T standard for a PKI) Tunisia (ANCE) Egypt (ITIDA) Mauritius (ICT authority CCA) Efforts are underway to create an African PKI Forum
An African Cyber Security Strategy ECA/Global ePolicy Resource Network (ePol-NET) involved in the development of a cyber security framework for Burkina Faso, Ghana, Kenya and Mozambique – a programme that looks at the policy, legislative, regulatory and infrastructure requirements; Policy requirements set out duties and responsibilities of the various domestic, regional and international stakeholders and beneficiaries of this security policy; Legislative and regulatory requirements set limits, establish a code of conduct, and define standards and some of the technical issues which may be imposed on stakeholders such as service providers, financial institutions, vendors/merchants, as well as work towards building the necessary trust and confidence demanded by users and key stakeholders, both within Africa and from around the world; Infrastructure requirements will provide for minimum security standards and ensure providers are able to address the evolving demands of users and protect their networks against increasingly sophisticated attacks, originating from around the world.
What is e-security policy? A plan of action for tackling security issues, or a set of regulations for maintaining a certain level of security Practices for securing computers, buildings, or vital infrastructure Strategies articulated at both the organizational & national Organisational level - a high-level document outlining management commitment to IT security by defining IT security & its supporting sub-policies; National level - a government’s approach to ensuring the security of its national interests through legislation, regulations, training, investment & awareness
Project status Kenya - enabling legislation for the e-Gov Security Strategy in support of operationalizing the Kenya e-Government Strategy; Ghana - the design and development of a national e-security policy which complements its ICT4D Policy and a comprehensive operational e-security strategy in support of the existing e-gov initiatives e.g. E-customs and intranet; Mozambique - the design and development of a national e-security policy which addresses all aspects required to secure the critical ICT infrastructure and technology. An e-gov security strategy with guidelines and standards to which all systems and users must adhere to ensure the availability and safety of these critical systems; Burkina Faso - policy on the protection of the essential ICT infrastructure.
Conclusion ECA with partners to continue assistance on experience sharing amongst the RECs on: Policy, Legal and Regulatory Frameworks; and Cyber laws and Information Security. ECA and RECs to cooperate with Governments for the implementation at the national levels; Support the creation of the Africa PKI Forum including the sharing of experiences
Thank You ! http://www.uneca.org/aisi/