Cybersecurity Governance in Ethiopia

Halefom Hailu cyber law and policy researcher and deputy director of legal and policy affairs, Information network Security Agency (INSA)

The African Internet Governance Forum 201506 – 08 September 2015

African Union Commission, Addis Ababa, Ethiopia

Introduction:

• Cybersecurity is a domain involving all human activities.

• Addressing cyber security requires global and interdisciplinary efforts.

• This presentation focuses on Ethiopia’s efforts to address cybersecurity

Ethiopia’s response to cybersecurity

Policies and Strategies

Legislative Measures

Institutional Arrangements

Polic

ies

and

Stra

tegi

es

• National ICT Policy and Strategy 2009• focuses on ICT in general with cybersecurity

implication• GTP2010/11-2014/15

• a general five year national plan with cybersecurity implication

• Criminal Justice Policy 2011• cybercrime implication

• National Information Security Policy 2011• the first cyber-specific policy

Excising legislations: Le

gal m

easu

res

• Criminal Code 2004 (repealed the Penal Code of 1957)

• The first legislative word on cybercrime

• criminalizes four cybercrime acts• Other Legislations with Cybersecurity Implication• National Payment System• National ID• Telecom Fraud

Pending legislations:• Cybercrime law• E-commerce law• Electronic signature law• Data protection law

The Draft Cybercrime law• Drafting methodology

– influenced by the Budapest convention– techno-neutrality– Required state of mind – intentional– Non-intentional acts excluded b/c of risk of over

criminalization • Criminalization

– Crimes against computer system and data (core cybercrimes) –including spam

– computer-related crimes (traditional crimes facilitated by computer system)

– Content-related crimes (child pornography, cyber stalking--)

• Procedural and evidence rules• Rules on International cooperation In

stitu

tiona

l str

uctu

re • Information network security agency

• A government agency exclusively dedicated to cybersecurity

• National CERT (ETHIO-CERT established in

2012)• initiatives to establish cyber-units with in police and prosecutor authorities• other institutions such as MCIT

Challenges : • Legislative challenges

– Laws always lag behind technology – We have 21st century crime but 20th century

procedures– inadequate rules of evidence (there is no separate

evidence law in Ethiopia. evidence rules are scattered within different substantive and procedural laws)

– every criminal activity now involves digital evidence

• Lack of awareness – Cybersecurity incidents are not reported to

responsible authorities– Awareness creation campaigns (Radio program)

• Lack of capacity (investigative, judicial, prosecutorial)– Cybercrime cases are either closed for lack of

evidence or decided by interpretations of old laws, handled by non—specialized judges (do not receive any form of cybercrime related training)

– Law enforcement is not equipped with necessary resources and expertise

• Inadequate cooperation among stakeholders – Duplication of efforts – overlapping powers

• Global nature of cybersecurity – cybercrime may be committed any where there is

internet connection – Ethiopians are consumers of foreign services such as

facebook and hence data stored or processed abroad– most Ethiopian websites are hosted abroad– even where offenders and victims are within Ethiopia,

the nature of networked communications means that data will routinely be routed through, stored in foreign states

THANK YOU!