Special Issue; Our Top African Infosec Conversations in 2024

We made a curation of the top themes for African Infosec in 2024

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

Hi there,

AbdulRahman here.

Tuesdays are not our usual days, but this is the last time we’ll be reaching out this year.

Throughout the year, we have covered the African infosec sector and wanted to sign off the year with a round-up of what we consider the most pressing conversations that have gone down in the African cyber, info, and data security space over the past year. It’s been full of advancements, challenges, and some surprises. We’ve curated the highlights—yes, even the ones you might have forgotten about.

As always, thank you for rocking with us. We appreciate your support, and we hope you enjoy this final read of the year.

— AbdulRahman

Malabo Convention Renaissance

The 2014 Malabo Convention, African Union’s treaty on Cybersecurity and Personal Data Protection was ratified by only 15 countries as of February. Since then, Madagascar and Gabon have formalized the treaty. In Gabon, this move is seen as a significant step to enhance the country’s cybersecurity framework, particularly following the implementation of its data protection law in 2011. A 2016 Global Cyber Security Capacity Center report states the “National Cybersecurity Policy and Strategy capacity in Madagascar is mostly at the initial stage of development.” This corroborates the 2024 Global Cybersecurity Index (GCI), which ranks both countries in tier 4 and is perceived to be evolving.

The UK, for instance, created its Data Protection Act in 2018 which now has at least two iterations called the Data Protection and Digital Information (DPDI) Bill and the Digital Information and Smart Data (DISD) Bill, however, the latter is said to be in line with the General Data Protection Regulation (GDPR) despite the country’s breakaway from the European Union.

Malawi is one of the few African countries with a robust legal framework on cybersecurity and data protection and it ranks 80% (tier 3) in the GCI report. Despite this, the country has not ratified the Malabo Convention. Rather, unlike the convention which provides for cybersecurity and data protection in an act, the country, in response to its 2016 Electronic Transactions and Cyber Security Act, which addresses data protection, enacted a standalone Data Protection Act in June after passing the bill last year.

Digital IDs

Tanzania, a Tier 1 country, is working on issuing digital IDs and has established its Personal Data Protection Commission (PDPC) to oversee data protection issues in line with the provisions of the 2022 Personal Data Protection Act (PDPA). Some top officials have called for amendments to this act. Zimbabwe has also implemented an advanced biometric border control system, which was first introduced in 2023 and is designed to record fingerprints and iris scans. Migrants must have their biometric data processed to travel in and out of the country.

Tanzania and Zimbabwe are joining other African countries like Nigeria, Kenya, Ghana, Uganda, the Democratic Republic of Congo, and many others who already have digital identification systems in place.

Having digital ID systems for many of these countries is instrumental to various socio-economic development benefits, and the digitization of ID systems has been at the agenda forefront for multinational bodies such as the World Bank and UNECA. Digital IDs, however, have the downside of increasing socioeconomic disparity, enabling unnecessary surveillance, and corruption. The inability of the government to facilitate adequate security for this digital data asset is not being critically considered.

E-Governance

Meanwhile, in July 2024, Nigeria proposed a bill known as the National Digital Economy and E-Governance Act to harness the country’s digital economy, covering areas from payments to cybersecurity. This integrated approach is seen as a step forward for Nigeria’s digital ecosystem; however, the bill has several aspects that need improvement, including cybersecurity measures, digital literacy, and infrastructure development. Some lawmakers have also criticized the proposed fine of 10 million naira ($6,067) for individuals and organizations as excessive and unfair.

Cybercrime crackdown

The fight against cybercrime in Africa gained a lot of ground in 2024, with several headline arrests of criminals and the recovery of victims' funds. The most recent of these is the 16th of December announcement by the Nigeria Economic and Financial Crimes Commission’s groundbreaking arrest of 792 suspects of crypto fraud and romance scams in Lagos. This was after a similar arrest of 130 suspects of cybercrimes in Abuja in November and many more earlier in the year. In these arrests, a significant number of foreigners are being recorded, which points to possible increased capacity among local law enforcement, but also an increase in cross-border collaboration between cybercriminals. While different actors have always depended on each other, we have not recorded this level of direct linkage in recent years. Our guess at CybAfrique is that we will be seeing shared TTPs next year.

At the core of many of these successful operations has also been a cross-border collaboration between law enforcement agencies, financial institutions, regional bodies like INTERPOL and AFRIPOL, and other stakeholders. Interpol’s Africa Joint Operation against Cybercrime (AFJOC) initiative brought together folks in many African countries for training, resource sharing, and collaborative operations, which has yielded successful arrests and disruption of cybercriminal activities.

Financial breaches

The Ugandan Central Bank lost some $17 million, South Africa’s Social Security Agency lost $9.6 million, and Nigeria’s First Bank was reported to have lost some $25.8 to an insider attack. This year, the continent has continued to record bizarre figures in financial breaches, caused by a mix of weak security protocols, insider attacks, and just poor policy efforts on KYC fronts.

Flutterwave, Nigeria’s Unicorn, has also continued down recovery efforts for funds it lost last year, which has proven a frontier for what recovery efforts could look like in Nigeria.

Recent reports from Positive Technologies say at least 22% of all successful attacks in Africa happen to financial institutions, second after 29% to government organizations. As reiterated by many experts, the continent’s cybersecurity frameworks are far lagging behind digitization efforts.

Democratic disruptions and internet restriction.

We partly agree with the folks at Freedom House. This year, indicators of internet freedom from a continent-wide perspective have improved. On the surface, we recorded fewer shutdowns and restrictions compared to last year. Extreme cases, such as the increased destruction of communication infrastructure in Sudan, are somewhat carryovers from last year. Unlike 2023, where we saw setbacks in relatively stable spaces.

This year, reports of internet restrictions have come from historically restrictive countries, such as Uganda and Egypt. What we’ve noted at CybAfrique, however, is more directly censor internet freedom rather than restrict access to the internet.

In many countries, including Nigeria, Ghana, and Kenya, we’re seeing the passing of “cybercrime prohibition” papers that have served as a guise to prevent the use of social media. Nigeria and Kenya also passed social media moderation policies that require influencers and creators to pass their content through them before posting.

Starlink struggles with regulations.

Since it entered, Africa in January 2023, first in Nigeria and now in 14 African countries, Elon Musk’s Starlink’s journey in Africa has been chaotic as it struggles with stable presence and expansion in the continent.

The disruptive offering of SpaceX’s Low Earth Orbit (LEO) satellites powered Starlink internet service has shaken up the internet service provision space in the continent, keeping the local players competition on their toes. It is touted to be the solution to Africa’s digital divide problem by providing high-speed coverage to every African, who can afford it, anywhere in the continent.

However, despite Elon Musk’s active meeting with African leaders, the rapid expansion drive has faced resistance in the form of licensing requirements and restrictive regulations to be complied with in the continent. The terms which mostly are to promote local investment in infrastructure and economy, and protect local content and competition sometimes are criticized for only safeguarding the interest of leaders and the monopolies already present in the African countries.

Starlink faces resistance ranging from license denials, restrictions, and even outright bans, challenging its expansion to many African countries. In South Africa where it had to cede at least 30% equity to local ownership by black people, women, youth, and people living with disabilities for it to be licensed, and Cameroon which banned the import of its kits and confiscated some at the borders in April. Senegal, Burkina Faso, DR Congo, Cote d’Ivoire and now Namibia have also restricted the ISP in their territories. While Starlink still struggles with regulations to legally expand to many African countries, its services are still being accessed through backdoors by Africans in the continent.

Binance vs Nigeria

Despite the growth in adoption, African leaders’ prejudice and scrutiny of cryptocurrency platforms aren't going anywhere near the end, soon. Earlier this year, in February, and for several months after, two executives of crypto trading platform Binance were charged with money laundering and tax evasion in Nigeria and taken into custody by the law enforcement agency. The eight-month-long debacle saw different drama and plot development before ending in an unexpected climax.

In February, the initial arrest of Binance’s head of financial crime compliance, Tigran Gambaryan, and Regional Manager for Africa, Nadeem Anjarwalla, was met with several lashing and criticism by crypto traders, stakeholders in the industry and, even US officials. Shortly after being taken into custody, Anjarwalla escaped and became a fugitive hunted by even international authorities for Nigeria.

In the course of the investigations, the Nigerian authorities made varying demands from the crypto giant while still keeping its executive hostage. The CEO of Binance, speaking with the press said Nigerian authorities asked for a $150 million bribe, which the country officials denied. Following the various developments in the arrest and investigation, Binance suspended transactions in naira on the platform indefinitely.

This scenario continued till October when all charges against Gambaryan and even Anjarwalla who had escaped custody were withdrawn, following heavy intervention from the U.S. government, and media pressure from members of the international infosec community.

And this rounds our list of significant events in the space in the past one year. We look forward to what the ecosystem has to offer in 2025, and be sure that we will be here to keep you informed.

This is CybAfrique—signing out for 2024. ✌