In the past decade, the African continent has gained a renewed centrality in the international arena, with key global actors strengthening their diplomatic ties with African States. Areas such as connectivity and digital infrastructures in the continent have become targets of competition between global powers. The latter, however, often feature very different visions of how the digital domain should be shaped to protect data sovereignty and address escalating cyber threats, while at the same time securing integrated economies and the functioning of critical infrastructures. The continent has already witnessed several high-profile cyber incidents: the 2019 cyber-attack on South Africa’s critical data and city services highlighted the vulnerability of interconnected systems and the whole-of-society disruption that may follow from a single incident. In the continent, most firms and institutions remain below the “cyber poverty line”, a benchmark for acceptable cybersecurity that varies according to the essential security needs of a given context. Yet many African States pursue ambitious cybersecurity and digital transformation agendas, and they often turn to foreign partners offering support. The choice of one partner over another is driven mostly by pragmatism, in terms of the capability to deliver on priorities set by African States.

The question that emerges from observing the strong partnerships that African States are building is what model of governance African leaders are adopting in the digital domain.

Technology is not neutral, and neither is digital governance. The struggle over Africa’s cyber future reveals a power struggle over diverging governance models. If African governments fail to establish digital autonomy, namely to manage their own digital assets, protect their sovereignty and advance their values and interests in conformity with the wishes of their people, foreign models of digital governance will by default become the 'Africa model'.

CHINA’S STRATEGIC APPEAL

Africa’s digital transformation cannot be understood without acknowledging the scale of China’s engagement. Under the Belt and Road Initiative (BRI), Chinese companies have built the backbone of the continent’s connectivity: Huawei has contributed to the development of 50% of Africa’s 3G networks and 70% of the continent’s 4G networks, and already has the monopoly over 5G. Chinese communication giants have also signed deals with countries like South Africa, Kenya, and Nigeria on satellite-based internet, optic fiber and more technology transfers, improving infrastructures while at the same time increasing job creation and skills development. Each year, China hosts tens of thousands of university undergraduate and post-graduate students from Africa, offering thousands of scholarships to African students.

Chinese influence in the continent is not a new phenomenon. However, the growing embeddedness of the technologies, from the management of technical aspects to the control of the ICT systems, creates increasing dependencies and vulnerabilities, particularly as regards control over digital assets. In this regard, one of the top priorities on the African digital agenda, as enshrined in the Malabo Convention, is the development of digital identities, a matter that requires know-how, technologies and resources, and that often happens to be handled by foreign firms. On one side, forgoing home-grown solutions poses a risk of dependency on foreign actors; on the other, the access of foreign actors to biometric data and the lack of an adequate legal framework to protect individuals raise the issue of human rights violations.

Notably, the digital sector governance model that China exports around the world is centered around the Chinese understanding of digital sovereignty, according to which China has the right to govern the Internet within its borders and to keep it under rigid control. In this framework, Chinese tech companies have close ties with the State and are often owned or controlled by it, and the technologies are centered around surveillance mechanisms that are used both in mainland China and abroad to retain data, access sensitive information and control citizens. In Africa, such technologies are present across infrastructures, smart city projects and digital economies, and the risk of penetration at the expense of citizens is real. In 2017 it was found that, since 2012, the Chinese-funded headquarters of the African Union (AU) in Ethiopia had been sending enormous amounts of data at night to a major espionage center in Shanghai.

Along the same lines, scholars and cyber governance experts have also suggested that this model might have been used to shape governance frameworks with significant policy implications: in Kenya, for instance, Chinese telecom firm Huawei was appointed as the lead advisor for the country’s national ICT master plan; in Angola, the Chinese artificial intelligence firm Percent Corporation developed an advanced system for data visualization and analysis to support government decision-making. These systems accurately and dynamically record data about the full life cycle of birth, education, marriage and social security of every person, as well as a person's biometric information such as fingerprints and facial image. The declared aim is to manage population resources, but the collection of such data is opaque and can easily lead to misuse, not just by foreign actors but also by domestic authoritarian leaderships.

As a matter of fact, in recent years many African governments have been accused of militarizing their approach to cyber-governance. In the first half of 2019, at least six governments in Africa shut down the internet: in Sudan, during an attack perpetrated by a government paramilitary on the capital Khartoum, the internet went dark; in Nigeria as well, between 2021 and 2022, Twitter and the internet were banned in response to crises.

On one side, these practices might reflect the tendency of some African leaders to perceive cybersecurity as a matter of national security, to be pursued in line with their authoritarian stance; on the other, they might suggest a tendency to align with foreign authoritarian stances in cyber diplomacy.

What is certain is that, from these countries’ perspective, China is a vital partner at a time in which African countries are seeking to diversify their international alliances, especially considering factors such as the imposition of U.S. tariffs on key exports and the ambitions of the majority of African States to pursue advanced digital agendas.

Generally speaking, in light of the attractive financial arrangements backed by the Chinese State and the capacity to build efficient business solutions across the diversity of the continent, the Chinese offer is enticing to African leaders.

Telecommunication infrastructures are a critical pillar of the digital domain, enabling connectivity while shaping international partnerships and patterns of dependency. 

EUROPE IN AFRICA: THE THIN LINE BETWEEN PRAGMATISM AND RHETORIC  

On another front, the European push toward deeper cyber engagement in Africa is expressed through multiple initiatives, including those led by specific EU Member States. Cybersecurity is critical for the EU, and the Union has continued to integrate cybersecurity into all dimensions of its external action. The focus on Africa comes as the continent grows and becomes more entangled in the global economy. The European digital strategy in the continent aims at contributing to a collective framework of cyber-diplomacy: according to the EU strategy, the EU Global Gateway initiative will make investments in digital infrastructures to ensure an open, free and secure Internet, in line with the African Union Declaration on Internet Governance. Overall, the EU advocates for a multi-stakeholder model, which includes states, the private sector, civil society and others: the aim is to share knowledge and skills by implementing cyber security capacity-building measures (CCB), resilience of networks and information systems, and data and privacy protection, in line with the principles and values of the EU’s external action, the UN 2030 framework and Africa 2063 agendas. The EU, which has promoted the first comprehensive data protection framework and is itself undergoing efforts to enhance its strategic autonomy (not only in the digital field), could position itself as an equal partner to the African Union and cooperate on regulatory, financial and strategic frameworks to advance digital agendas. However, the EU appears more focused on counterbalancing China’s influence on the continent through narrative-driven partnerships than through concrete and sustained action.

If Europe (and the West more broadly) wants to be seen as a credible, reliable partner, it must prove pragmatic and coherent, and respond to the interests and needs of African actors rather than just its own.

THE NEED FOR A LONG-TERM, COMPREHENSIVE AND RESILIENT CYBER POSTURE

African leaders are envisioning a model for the governance of African cyber space. The African Union's Digital Transformation Strategy (2020-2030), which advocates for a more people-centered, multi-stakeholder approach to cybersecurity, is built on the following pillars: 1) enabling adequate policy and regulation, 2) closing the digital infrastructures gap, 3) improving digital skills and human capacity, and 4) strengthening digital innovation and entrepreneurship.

To achieve the goals of the African Union’s Digital Transformation Strategy, African States have committed to different measures and initiatives: the AU Convention on Cyber Security and Personal Data Protection, also known as the Malabo Convention, aims at the creation of a uniform cyber governance system at the continental level that unifies the regulatory approach among the African Union Member States and promotes cyber resilience. However, only 15 out of 55 African Union Member States have signed and ratified it to date: the heterogeneity of the continent plays a considerable role in the difficulty of finding common ground on these new pressing issues, with implementation varying significantly across the continent due to disparities in wealth, approach and existing challenges.

For this reason, decision-making has occurred more easily at the sub-regional level, where regional economic communities like the Economic Community of West African States (ECOWAS) and the Southern African Development Community (SADC) have adopted their own cybercrime directives, indicating a more dynamic approach to cybersecurity.

While the Malabo Convention provides a framework for greater governance autonomy, it requires strengthening and stricter enforcement, as well as the political will to enhance coordination.

In order to set a sustainable governance framework to foster integration and ensure digital conflict resolution, including protection from cyber threats (attacks or propaganda) and from attacks against digital assets (data sovereignty), the continent would arguably benefit from developing its cyber capabilities in a more uniform manner, avoiding excessive dependence on external actors, whether state or private. Despite the limited adoption and the inherent weaknesses of the Malabo Convention, this document shows that African States value autonomy and independence when developing cyber governance policies. This is also evident in the strong agency shown by African States (although in a fragmented way) in pursuing diversified partnerships according to specific necessities and interests. Beyond States, African people are the protagonists of this digital revolution: while their voices may often be in the background, they have made clear how much they value digital growth and resilience. As external actors scramble for strategic assets, the question of what model of governance African leaders are adopting in the digital domain acquires greater relevance for their future development and security.