State capacity is defined as the aggregate total of state’s ability to take charge of security affairs within its jurisdiction. However, it’s important to point out that different scholars have defined state capacity differently. For instance, state capacity may mean power of the state to exercise authority, strength in terms of effectiveness and capability, aggregate strength and effectiveness of institutions and government effectiveness to deliver services even in the face of government changes. Meanwhile, cybersecurity is defined as technologies, processes as well as practices, designed to protect networks and various computer programs as well as data from attack, damage and unauthorized access .
This article presents summary of findings of a study undertaken to assess institutional capacity of the state in Uganda to deal with cybersecurity threats. The research examined state capacity within the context of state bureaucracy and particularly those that are responsible for cybersecurity. Considering the different layers of state capacity other than the military capacity and the coherence of political systems, I examined the institutional capacity of the state in Uganda. Literature in political development holds that the institutional capacity of the State is characterized by professionalization of state bureaucracy. This entails the meritocratic, regular recruitment and advancement processes within the institutions of the state, insulation from political pressures and the ability of the state to provide services during even governmental changes. State capacity is a central determinant of cyber security readiness – particularly a functioning bureaucratic capacity.
The premise of this study was anchored on examining the relevance of state institutions in dealing with cyber security threats in Uganda. In particular, the following research objectives guided the findings of this research. 1) To assess the nature of cyber security threats in Uganda 2) To examine the institutional frameworks in place to deal with cybersecurity threats and 3) To analyze how the institutions of the State have addressed cyber security threats.
The study adopted qualitative study that is descriptive and analytical in nature. The study incorporated primary data from key informants and secondary data which is available in different forms, such as journal articles, book chapters, reports and news articles on the nature of cybersecurity threats in Uganda, the institutional frameworks in place to deal with threats and how the institution have addressed those threats. Primary data targeted a total of 20 key informants drawn from cybersecurity professionals, officials from Government Ministries, Department and Agencies (MDAs), Civil Society Organizations (CSOs) and the private sector. Secondary data was collected through review of relevant documents. Qualitative data was analyzed using both thematic and content analysis. Qualitative data generated from the literature review and primary data were coded and processed and then analyzed according to different themes identified.
It is important to note that in an effort to deal with cybersecurity threats such as cybercrime, malware attacks and cyber espionage, the government of Uganda enacted cyber security laws to curb these threats. It also established both the legal and institutional mechanisms or offices to deal with these threats. However, even with such set up, reports suggested cybercrime continue to increase and Uganda keep losing financially as a result of cyber-attacks targeting its financial institutions such as Bank of Uganda (BoU) and the Ministry of Finance Planning and Economic Development (MoFP&ED). Report from the 2016 cyber security capacity review of the Republic of Uganda further suggested that the country did not have a national cybersecurity strategy as well as a list of critical national infrastructure sectors . Hence, the study sought to interrogate the nature of cybersecurity threats, the institutional frameworks in place to deal with threats and how the institutions have addressed the threats. Findings are presented as follows.
1] The nature of cyber security threats
The findings indicate that cyber security threats in Uganda occur mainly at internal and external levels. At internal level, the lack of personal security etiquette, ignorance around computer and electronic safety resulted into exposures to risks and vulnerabilities. At the level of the state however, this is characterized by disruption to communications by internal criminal gangs within national boarder and hacking for financial gains. External threats manifests through acts of espionage to spy on government ministries, departments and agencies, bad actors employing counter propaganda efforts against the Ugandan state as well as targeted attacks such as Distributed Denial of Service Attacks (DDOs) which is often used as a weapon of mass disruption by external forces .
Findings indicate that there are individual, legal, technical and human resource challenges faced by the state in addressing cyber security challenges in Uganda. Thus, the state can better prepare to respond to incidences of cyber-attacks by building capacity of individuals. However, while capacity building is important, literature shows that this is not sufficient because public security is a function of several factors including law, effective law enforcement, social norms and technology protections . Besides, countries such as Uganda require that they conduct law enforcement training on forensic examination and digital data evidence to curb on criminal activities. The institutions of the state should deploy security products as a form of investment in protecting their own security infrastructures online to address cybersecurity holes . Moreover, employing well known simple inexpensive security best practices would also be very critical step the state can undertake coupled with the deployment of technological and human resources for long term success of state institutions .
2] Institutions of the state dealing with cyber security threats
The major institutions dealing with cyber security threats in Uganda include Ministry of ICT & National Guidance (MoICT&NG), Ministry of Finance Planning and Economic Development and Ministry of Education and Sports while the agencies include National Information Technology Authority Uganda (NITA-U) and Uganda Communication Commission (UCC) and the main security organ according to the study is the Uganda Police Cyber Crime Unit. The legal frameworks cited includes the Computer Misuse Act (2011), Regulations on Interception of Communications Act 2009, Electronic Signature Act (2011), Data Protection and Privacy Act (2019), Electronic Transaction Act (2011) and Anti-Pornography Act (2014) among others.
Literature support the view that relevant institutions mandated to avert cybercrime can overcome cybercrime if there are available jurisdictional arbitrage and that rule of law must be strong enough because, where the institutions are weak, it affects the extent to which cybercrime can be averted. This is because formal institutions of social behavior is considered significant in providing rules of behavior but of course, institutions alone is not sufficient in itself to address the various challenges associated with the cyber space as its generally conceded that, the state alone cannot adequately control cyberspace via laws and regulations . In fact, its noted that many organizations and institutions of the state tend to focus more on technology and prevention and forget to prioritize the time, resources and activities needed to build cyber resilience
3] How institutions of the state have addressed cyber security threats
The study findings revealed that the state is addressing cyber security threats by putting technical infrastructure in place, ensuring Critical Network Infrastructure protection, individual capacity building and security strengthening. This is in line with the study conducted by European Union Courts (2019) on European Union Cyber Security Threat Challenges which recommends that cybersecurity governance should be strengthened to boost the global community’s ability to respond to cyberattacks and incidents as well as ensuring rapid detection and response, protection of critical infrastructure and societal functions, better Information exchange and coordination between the public and private sectors.
The findings indicate that the data infrastructure, finance infrastructure and energy infrastructure should be critically protected by the government as a matter of urgency in addressing cyber security threats. The critical infrastructure institutions identified included Bank of Uganda, National Identification Registration Authority (NIRA) and National Water and Sewerage Corporation (NWSC). The protection of Bank of Uganda guarantees cyber security of the country from loss of finances from central bank, while NIRA is to be protected because it’s the national entity in charge of citizen national data. And National Water and Sewerage Corporation Supervisory Control and Data Acquisition (SCADA) system is used to distribute water in the entire country making them very important for constant monitoring and protection to prevent any incidence of cyber-attacks and security breaches. The significance of these infrastructures, even in defense terms is unmatched as it determines the functional efficiency of a country’s command system .
The study concluded that establishing a well-functioning, effective and independent institutions of state elicit public confidence and trust in government institutions which influences effective policy making processes that are all inclusive and participatory. Moreover, establishment of institutional and legal frameworks alone is not sufficient in addressing the everyday concerns of security and any other aspects of policy making. It is observed that averting cyber insecurities within institutions require an immense measure of state capacity through the control of a well-functioning cyber space coupled with the empowerment of individuals, communities and Government. Harmonization of the legal mechanisms in place, proper institutional coordination, capacity building and awareness raising is key. This study is limited in scope. The author recommends future research study to focus on the role of the private sector in averting or perpetuating cybercrime in Uganda.
Moses Owiny – Is the Chief Executive Officer, Centre for Multilateral Affairs
Email: mowiny[at]thecfma.org
