Internet Infrastructure Security Guidelines for Africa Unveiled by the African Union

On 30 May 2017, the African Union launched its ‘Internet Security Infrastructure Guidelines For Africa’. The goal of the Guidelines is to facilitate implementation of the African Union Convention on Cyber Security and Personal Data Protection (Malabo, 27 June 2014; see the related Incyder article).

The Guidelines were developed by the African Union Commission (AUC) in cooperation with the Internet Society, ‘a non-profit organization dedicated to ensuring the open development, evolution, and use of the Internet’. The Guidelines document is non-binding, but recommends actions to be taken by various stakeholders in the context of the African cyber security environment, which is characterised by a lack of awareness and of human and financial resources.

The multistakeholder model and ‘collaborative security approach’ are highlighted as important for protecting Internet infrastructure. Four essential principles of Internet infrastructure security are identified: ‘Awareness, Responsibility, Cooperation and [A]dherence to Fundamental Rights and Internet Properties.’

According to the document, an Africa-wide Cyber Security Collaboration and Coordination Committee (ACS3C) should be formed at the African Union level, to act as a multistakeholder advisory group to the AUC. Capacity building programmes would be developed by the AUC, as advised by the ACS3C.

At the national level, the Guidelines recommend that states: identify and protect critical Internet infrastructure; facilitate information exchange through a national multistakeholder structure; establish and strengthen the national-level Computer Security Incident Response Teams (CSIRTs); promote Internet infrastructure resilience through Internet exchange points (IXPs); and use public institutions to lead by example in cyber security.

At the ISP/operator level, the stakeholders are advised to establish baseline security, especially with regard to: routing and DNS; filtering spoofed traffic and preventing DDoS attacks; using TLS; and employing good patching policies. Cooperation is to be supported. Organisations should maintain a culture of cyber security at all levels.

The purpose of the Guidelines is laudable and their objectives are simple, apolitical and well within the reach of countries with limited resources. The promotion of the ‘multistakeholder model’ is positive, even though it is not clear whether this is in any way related to the multistakeholderism-multilateralism debate. Despite proclaiming its link to the AU Convention, the document largely avoids elaborating on it, apart from mentioning that ‘[r]atifying and applying the [AU] Convention is a strong first step towards creating an African legal context in which a healthy Internet infrastructure security ecosystem could develop.’ Considering the mixed reception of the AU Convention, the apolitical nature of this document is a strength of the initiative.

Authors: Tomáš Minárik and Audrey Garcia

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.