It started with loud music and the smell of marijuana. When South African police stormed a hotel room in the Western Cape they found six people huddled over 32 computers and mobile devices. This extortion syndicate was extracting millions of dollars from unwitting individuals.
A senior source at South Africa's National Prosecuting Authority (NPA) says such 'boiler rooms' of malicious cyber activity are rapidly expanding. 'We have never had a major incursion or data breach referred to the NPA from the police ... no seminal event' - such as when Ukraine's power grid was taken down by hackers in 2016. But, says the source, it could just be 'a matter of time.'
Africa needs to be better prepared for both cyber-dependent crimes, in which new computer-based technologies form the basis of new crimes, and cyber-enabled crimes, in which new technologies are used to commit old-style crimes, such as money laundering.
In more developed economies there's been an increase in attacks from 'hacktivists' who use the dark arts of cyber to embarrass, advocate or protest. According to cyber analytics firm Kaspersky Lab, there are 13 842 cyber attacks daily in South Africa. That equates to more than 570 attacks every hour. Bank fraud, particularly the use of malware on mobile phones, has also increased dramatically, says the South African Banking Risk Information Centre.
For banks and governments to protect individuals, more personal data may need to be held
Kenya is facing a similar problem. The Communications Authority has reported a dramatic rise with 9 million malware attacks in just three months from October to December 2018. With mobile phone subscriptions across sub-Saharan Africa expected to reach 930 million by the end of 2019 and the growth of e-commerce and e-banking continent-wide, the potential to inflict huge financial, reputational and political damage is clear.
South Africa, as a leading economy in Africa, is acquiring new tools in its armoury to fight the criminals. The Cybercrimes and Cybersecurity Bill (2018) broadens the scope of cyber offences as set out in earlier legislation, permits extradition and offers tougher sentences.
Yet at a continental level the political will of many other states to take decisive action has been lacking. It is perhaps ironic that the African Union (AU), which has sought to encourage a continent-wide approach through the Convention on Cyber Security and Personal Data Protection (2014), was itself the focus of a major cyber attack, according to French newspaper Le Monde.
The alleged theft of data from the AU's Addis Ababa headquarters over a five year period was blamed on China, which built and kitted out the AU's Ethiopian hub. China's foreign affairs ministry denied the allegations made by AU officials, but the incident exposed vulnerabilities and has led to a wholesale revamp of the AU's computer, security and telecommunications systems.
The use of military force in response to a cyber threat represents a shifting terrain
The AU Convention, also known as the Malabo Convention, seeks to harmonise legislation, regulation and governance strategies across Africa and establish 'institutions that share information on cyber threats and vulnerabilities such as the cyber emergency response teams.' Yet only a handful of countries including Ghana, Kenya and Mauritius have established such bodies.
Just four African states have ratified the convention, limiting its enforcement power. The same goes for the Budapest Convention, widely considered the global 'Gold Standard'. Only Cabo Verde, Ghana, Mauritius, Morocco and Senegal have incorporated it into national law. Countries such as South Africa, which has not yet ratified, are preferring to go it alone.
At a recent conference on cybersecurity hosted by the South African Police Service, plans for a 24-hour rapid response unit were enthusiastically debated. However until it becomes a fully funded reality, law enforcement agencies and the banking sector are relying on informal networks to try to prevent the country from becoming a safe haven for cyber criminals.
Data, which has become the 'new gold', has attracted crime syndicates to position themselves as service providers - hackers for hire. Advocate Wilma Gernandt, who trains prosecutors in South Africa on the perils of cyberspace, believes there are 'at least 10 such criminal syndicates' operating in the country.
African leaders cannot bury their heads in the sand and paint this as a developed country problem
They compete by offering so-called offensive tools, explains Neil Walsh, head of cybersecurity and fraud at the UN Office on Drugs and Crime. These are computer networks and mobile phones that are turned into listening devices. It opens opportunities to meddle in elections, steal data or seek ransom funds from targets that may include governments, utility providers, the military, manufacturing and commercial players.
To counter the threat, difficult trade-offs need to be considered by the public, according to Luca Viganò who leads cybersecurity research at King's College London. For instance, to build a firewall to protect individuals against data theft and fraud requires a delicate balancing act between personal privacy and security. For banks and governments to protect individuals, he explains, more personal data may need to be held, to make it harder for automated systems to steal data or mimic clients.
How cyber threats from states or non-state actors such as terrorist groups affect geopolitics in Africa also needs some consideration. Earlier this year Israel set a new precedent when it launched air strikes against a Hamas target which the Israeli defence force claims was a 'digital warfare operative.' Imagine the same happening in Somalia, Yemen or Ethiopia? This use of military force in response to a cyber threat represents a shifting terrain.
With the rapid evolution of new technologies, and the dawn of 5G which will enable faster, real-time communication, the question of how to police this new space is a pertinent one. In particular, how to locate cyber awareness into virtually every aspect of life from conducting business to alleviating poverty, doing diplomacy and providing security.
African leaders cannot bury their heads in the sand and paint this as a developed country problem. Just as technology has the possibility to transform lives with the click of a mouse, it can also destroy them.
Karen Allen, Senior Research Adviser, Emerging Threats in Africa, ISS Pretoria