Leading member states continue to delay ratification of the Malabo convention, limiting harmonized African policymaking on cybersecurity.
Africa witnessed a spate of cyberattacks in 2023, against African Union Commission (AUC) systems, Kenyan government data systems, and Nigerian election infrastructure among others.
The attacks seem to have served as a wake-up call for the AU, driving its Peace and Security Council (PSC) to make cybersecurity a key agenda point at this year's summit, held in Addis Ababa.
Real achievements were made: African heads of state addressed a number of cybersecurity related matters - the first notable action on the issue since the AU created its Digital Transformation Strategy for Africa (DTS) in February 2020.
At the summit the AUC was directed to expedite the development of a Continental Cybersecurity Strategy. A continental child online protection policy was also adopted, and a Common African Position agreed on the application of international law in cyberspace - a significant development.
But the Malabo Convention, Africa's ambitious continental cybersecurity agreement, remains unratified by most AU countries, limiting its credibility. Without wider ratification, and better cooperation on cyber diplomacy, member states may find it difficult to develop the coherent African cybersecurity agenda that is needed.
Africa's regional cybersecurity situation
Cybersecurity is a flagship project of the AU's Agenda 2063. However, in recent years member states have been criticized for failing to prioritize it.
AU countries face significant, divergent cybersecurity challenges due to their very different political, social and cultural contexts - extant approaches towards the rule of law are similarly reflected in cybersecurity governance dynamics.
Africa has also previously been marginalized in global cybersecurity governance forums - though this seems to have changed as African countries have shown obvious interest in UN negotiations to agree a global cybercrime treaty. The process is chaired by Algeria, and vice-chaired by Nigeria and Egypt.
Indeed, the development of an African group at the negotiations can be interpreted as an emerging push by AU member states to strategically cooperate to improve the continent's cybersecurity.
The Common African Position on the Application of International Law in Cyberspace
An important further moment in cybersecurity cooperation was delivered at the AU summit with the agreement of a Common African Position on the Application of International Law in Cyberspace.
AU member states have, among other things, openly affirmed their obligations to uphold international law in cybersecurity governance
The entire process was spearheaded by the AU's Peace and Security Council (PSC) and provides a contextual African restatement of the applicability of traditional international law rules and principles in cyberspace.
This means that AU member states have, among other things, openly affirmed their obligations to uphold international law in cybersecurity governance, and to ensure responsible state behaviour in cyberspace in accordance with the norms of international law.
That is a very positive step. But the AU could do more to facilitate better cooperation in other important areas.
External influence and cyber diplomacy
AU countries urgently need to better align their cyber diplomacy strategies. Many see China and Russia as key partners in cybersecurity: Russia's position in negotiations on the UN cybercrime treaty, for instance, is supported by many African countries.
The AU can... provide platforms for international cybersecurity cooperation, helping to ensure that African cyber diplomatic relations with the West, Russia and China are not subservient.
Other countries see more promise in working with Western partners, creating a risk that African collaboration on cybersecurity may be undermined by US-China competition.
Without strategically defined cyber diplomatic relations, Africa will continue to find it challenging to build continent-wide cybersecurity capacity, with its policy more divided than assisted by external powers.
The AU can make a valuable contribution here, providing platforms for international cybersecurity cooperation, helping to ensure that African cyber diplomatic relations with the West, Russia and China are not subservient, but developed on a practical, operational basis.
A ratified Malabo convention, providing a harmonized African understanding of cybersecurity policy, would provide a useful basis for that role.
The Malabo Convention
The African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), drafted in 2011 and adopted in 2014, portrayed Africa as a continent prepared to tackle cybersecurity with serious, unified action.
The Malabo Convention only entered into force on 8 June 2023...even then, only 15 of the AU's 55 countries had ratified it, limiting its continental credibility.
It would make Africa the only region in the world with a continental agreement that combined cybersecurity, security of electronic transactions and personal data protection in a single treaty.
The Convention only entered into force on 8 June 2023, following serious delays to ratification by AU members. Even then, only 15 of the AU's 55 countries had ratified it, limiting its continental credibility.
Unfortunately, since the Convention entered into force in 2023, only one more African country - Sao Tome - has ratified it. None of Africa's perceived 'super' countries, including Egypt, Algeria, Nigeria, South Africa, Kenya, Morocco or Ethiopia (where the AUC sits) have ratified.
Ratification by these countries is vital: it would represent a major step towards African regional consistency and provide a basis for cooperation to harmonize cybersecurity policies in the region.
The Future of an AU Cybersecurity Agenda
Better progress must be made on the Malabo Convention: doing so would give the AU the potential to become a regional platform for accountable cybersecurity governance.
The agenda must expand a cybersecurity culture that focusses on a multi-stakeholder approach in line with Article 26 of the Malabo Convention.
Beyond that, other challenges remain for AU cyber policy. Now that the PSC has taken centre stage on cybersecurity, the AU must be careful to ensure that its emerging agenda is not centered too much on traditional understanding of peace and security, or become a mere extension of regional military influence in cyberspace.
Instead, the agenda must expand a cybersecurity culture that focusses on a multi-stakeholder approach in line with Article 26 of the Malabo Convention.
There are obvious challenges to making that a reality. Africa is the least digitalized region in the world, with inequitable cybersecurity capacities and infrastructure. That is what makes a people-centred approach in the region a key priority for future AU investment.
As technology races ahead, and African countries seek effective governance solutions, it is vital that ordinary Africans are consulted, active and engaged in policymaking.