There's a hype to the Fourth Industrial Revolution (4IR) with its disruptive digital technologies that promise to transform our lives, calibrate our decision making with algorithmic precision and satisfy our every craving in real time. But what are its risks, and how do we police this new cyber environment?
One of the problems with 4IR, South Africa's Tshwane University of Technology cyber expert Prof Mammo Muchie and others have observed, is that 'technology advances at exponential rates, human society does not.' So while business leaders at the World Economic Forum in Cape Town last week focused on the massive economic and developmental potential of dramatic advances in technology, others remain concerned about human security and the potential vulnerabilities.
At a recent Institute for Security Studies seminar on the issue, Anriette Esterhuysen - a senior figure on the Global Commission on the Stability of Cyberspace and a convener for the African School on Internet Governance - said African countries needed to develop good basic capacity in institutions such as the courts and government ministries to withstand virtual threats in the new digital age.
At the same time, Africa must be part of the global conversations about establishing 'cyber norms'. These provide the base or the 'ecosystem' in which the continent can build resilience to mitigate the abuse of technology.
South African President Cyril Ramaphosa has established a 4IR Commission to embed cyber culture into government. But commissions are only as robust as the actions that follow. And due to the transnational nature of the threat, any policy prescription should locate South Africa and Africa more generally in an international context, rather than retreat into national silos.
An increasingly interconnected world makes Africa as vulnerable (if not more so) than the wealthier global north. When the Cambridge Analytica scandal became headline news, in which big data was manipulated to help shape the voting patterns of millions of citizens, it emerged that the data of 60 000 South African internet users had been compromised.
Lower internet penetration in Africa compared to the global north is also no insurance against data manipulation and cyber attacks. Tech expansion is happening at an astonishing rate. There are expected to be nearly half a million more internet users in sub-Saharan Africa by 2022.
'Controlling the narrative', whether for political, commercial or social ends, has seen the use of technologies such as Twitter bots, which automatically convey multiple messages, proliferate. In future, as 4IR technologies allow for even more automation, issues of accountability and attribution will become murkier. This new technological dawn also represents a shifting of power from traditional governments to those who control and own big data, including big commercial entities.
Tech was once the preserve of nation states and their militaries. Now it is available off the shelf for anyone who can afford it. On the one hand that is empowering and represents a diffusion of power to ordinary citizens. But because cybercriminals who abuse that resource are not constrained by borders, their actions raise questions of accountability.
Countries in the global south struggle with capacity. South Africa is no exception. Ramaphosa has promised that one million more young people will be trained in data science in the next decade in South Africa. There is scope for the private sector to play a bigger role in developing human know-how in order to reap the benefits of big tech for society in general. This will also help identify 'blind spots' before they're exploited by those breaking the law.
So what laws are we referring to when it comes to those who abuse big data or commit cybercrime? The answer is littered with caveats. South Africa's law doesn't fully cover cyber issues. This year the Protection of Personal Information Act (2013) will come into effect. However with organisations having two years to ensure they are compliant, it won't be until 2022 that we start to see enforcement.
South Africa is also still without a law that deals specifically with cybercrime and cybersecurity. The Cybercrimes and Cybersecurity Bill needs to be approved by Parliament before it is enacted as law. Given the transnational nature of cybercrimes, international law should similarly develop to cover them.
Already South Africa is participating at the United Nations level in several initiatives to establish cyber 'norms' (agreed rules of state behaviour) to support international human rights law. These include limits on state actions that threaten human rights and the security of users.
But there is a sense among many international players that at a global level South Africa could use its position to show leadership and achieve more for the region as a whole. The country has indicated its desire to 'go it alone' by resisting ratifying key cyber conventions such as the Malabo and Budapest conventions, choosing instead to use such treaties as reference points.
While issues of sovereignty are politically sensitive, not least given the view by some in government that such bodies are 'elite clubs' that set the rules, the exponential nature of technological change needs a decisive and timely response. This would help ensure that Africa as a whole doesn't become a 'safe haven' for cyber criminals, cyber terrorists and more.
At a domestic level there are practical steps that could be considered in the short term to fortify countries against cyber attacks. Closer government engagement with the private sector could help build the human and technical capacity to withstand threats. That may include upscaling skills exchange programmes, and deploying industry specialists to engage in global conversations on creating an ecosystem to minimise future threats.
Politics and ideology must not be allowed to stand in the way of building a consensus among African states, industry, government and civil society to develop a robust response to future threats.
Karen Allen, Senior Research Adviser, Emerging Threats in Africa, ISS