Averting insecurity in the cyberspace broadly requires an immense measure of state capacity through control of a well-functioning, independent, meritocratic, and resourced institutional bureaucracy. The empowerment of Government, communities, and individuals is equally critical. National governments like Uganda have invested on securing their critical national infrastructures against cyber-attacks. However, there are challenges affecting cybersecurity capacity building needs and development in Uganda and Africa. These challenges also include capacity of state institutions to secure its networks both internally but also externally, knowledge and skills gaps, the limited resources dedicated to cybersecurity, the lack of inter-agency coordination, the poor perception of threat scenarios – focusing on traditional centric security approaches and securing the technology as opposed to securing also, the welfare of individuals and communities.
Uganda has a national information security and cybersecurity strategy and set up institutional frameworks to deal with cybersecurity incidents. The country’s security sector development plan, 2015 observes that Uganda’s security threats are diverse and do not respect any artificial boundaries nor do they distinguish ordinary citizens from governments or business entity even though the plan does not explicitly list in specific terms what it considers real threat to the nation’s cyberspace except in broad terms.
The Country’s Security Sector Development Plan mentions Cybersecurity within the broad context and understanding that society’s increasing dependence on global information and communications infrastructure has created vulnerabilities and opportunity to be exploited by unscrupulous actors. And proceeds to note that these actors could use diverse ways of malicious behaviors such as hacking, financial fraud, espionage, or cyber war fare to cause damage. The plan further notes that the dangers posed by these groups through cyber-attacks are increasing risks to national security. However, despite all the awareness of the risks, in 2019, it was reported that Cybercrime led to loss of UGX 11.4 billion, which is approximately $3.09 million dollars – a clear sign and indictment of the complex nature of cybersecurity threats and the capacity gaps of the state to thwart such threats.
Nature of Cybersecurity threats
Cybersecurity threats take three forms in Uganda. The technical cyber security threats, the cyber-crime espionage threats, and the military civil defense threats. Cybersecurity threats in Uganda occur at individual, state, and external levels. At individual level, the lack of personal security etiquette, ignorance around computer and electronic safety and security results into exposures to risks and vulnerabilities. At state level, this is characterized by disruption to communications by internal criminal gangs within national boarders, hacking for financial gains, among others.
External threats manifests through acts of espionage to gather intelligence on others especially government ministries, departments, and agencies, but also malicious actors employing counter propaganda efforts against the state. Attacks such as Distributed Denial of Service Attacks (DDOs) and malwares are used as a weapon of mass disruption by external forces including governments.
The technical cyber security threats occur at a point where computers and computer networks remain key agents and targets of attacks. It revolves around malware which includes viruses, worms, Trojans, and system intrusion. Indeed, the presence of computer malware has remained visible proofs of the pervasive insecurity of the information infrastructure for a long time.
The cybercrime-espionage threats and technical threats are closely related as crimes takes place over computers and computer networks and infrastructures and the same crime can be averted through the same platforms. Until today the notion of computer crimes such as economic and financial fraud dominates discussions about computer misuse and has remained one of the primary reasons why States have enacted Computer Misuse legislations and established institutions such as the Computer Emergency Response Teams (CERTS).
However, a distinct dimension of national security became apparent when a criminal act of computer intrusion was grouped and clustered together with the more traditional and well-established espionage discourse – where nation States would spy on each other for the purpose of gathering intelligence over computer networks and infrastructures such as the internet. In Uganda, accusation of spying on behalf of Rwandan government by the MTN group Uganda officials led to deportation of MTN staff working in Kampala. This matter escalated and later strained diplomatic relations.
Military-civil defense threats also referred to as information warfare on critical infrastructures is also dominant in the digital age. In Uganda, the Uganda Police cybercrime unit and the Uganda People’s Defense Forces cyber defense units are examples of institutions that are dealing with these issues. However, limited information regarding the nature of threats around this category is available in the public domain.
Institutions of the state dealing with cybersecurity in Uganda
Cybersecurity incident response at national level in Uganda is coordinated by the National Information Technology Authority (NITA-U) through the Computer Emergency Response Team – Uganda (CERT-UG) but also at institutional level, it is only Information Technology Departments within the Ministries, Departments and Agencies responsible for dealing with any related computer incidences or breaches. NITA-U is headed by the Ministry of ICT and National Guidance (MoICT&NG). The Ministry also has its other agencies such as the Uganda communications Commission (UCC) – which also runs its own CERT.
The legal and regulatory frameworks in respect to cybersecurity includes primarily the Computer Misuse Act 2011, the Electronic Transactions and Signature Act 2011, the Regulations on Interception of Communication Act 2009 and the Data Protection and Privacy Act 2019. Other relevant laws and policies governing Uganda’s cyberspace includes: the e-government framework and National Information Security framework, NITA, U Act and the UCC Act. Despite the above efforts, Uganda like other African countries still grapples with cybersecurity challenges. Cybercrimes continue to rise internally ranging from incidents such as fraudulent sim card registrations and swapping, online impersonation, unauthorized access, remote access vulnerabilities, malware, data manipulation and social engineering. As pointed earlier, cybercrime led to loss of Uganda shillings 11.4 billion which is approximately $3.09 million dollars in 2019. The hacking of the parliament of Uganda website and that of the Civil service College in Uganda –affiliated under the Ministry of Public service illustrates core examples of the threats the country is grappling with internally.
Therefore, establishing a well-functioning, meritocratic, effective, and independent institutions of state elicit public confidence and trust in government institutions which influences effective policy making processes that are all inclusive and participatory. Effective institutions require coordination capacity at all levels with multi-stakeholder groups such as civil society, private sector, academia, and technical community. Where these capacities are lacking, policy making processes, as well as the institutions themselves are bound to fail in delivering positive cybersecurity outcomes. Moreover, empowerment of individuals, communities, and government is key. There must be deliberate efforts to build capacity of individuals by raising awareness, sensitizing the public about cybersecurity issues and concerns.