Creating the National Cyber Security Authority is vital

Though Rwanda, like many AU member states, is yet to sign and ratify the African Union Convention on Cyber Security and Personal Data Protection, it has taken a laudable step in combating cybercrime. Just last week, the Chamber of Deputies passed the draft law establishing the National Cyber Security Authority (NCSA) and determining its responsibilities, organisation and functioning.

Sunday, April 30, 2017

Though Rwanda, like many AU member states, is yet to sign and ratify the African Union Convention on Cyber Security and Personal Data Protection, it has taken a laudable step in combating cybercrime. Just last week, the Chamber of Deputies passed the draft law establishing the National Cyber Security Authority (NCSA) and determining its responsibilities, organisation and functioning. This stride is in consonance with the implementation of existing national cyber security policy. As well, the Penal Code envisages cybercrimes or computer-related offences though it needs to be reviewed to accommodate the current trend of cybercrime.

Once the Bill establishing the National Cyber Security Authority is signed into law, it will generally safeguard private and government information and infrastructure against online crimes and cyber-attacks. In particular, the NCSA would spearhead the implementation of the National Cyber Security Policy and strategies to ensure that Rwandan cyber territory is secure against cyber-threats. Such undertaking is conformable to the aforesaid AU Convention, which was adopted with the aim of regulating cyber security and data protection on the continent.

Though the AU Convention hasn’t yet secured the minimum requirement to enter into force, it is a significant development in a continent often viewed as a safe haven for cyber criminals. The Convention addresses three main areas that are often seen as either not regulated or substantially dealt with by the governments in the region, namely electronic transactions, personal data protection, cyber security and cybercrime. Additionally, the Convention has also been welcomed that it highlights the importance of adhering to national legislations and international human rights law, with a particular emphasis on the African Charter on Human and Peoples’ Rights.

More specifically, Article 24 of the Convention states that each State Party should develop a national cyber security policy, and Article 25 states that State Party must create legislation on cybercrime, to set responsibilities of national institutions, and to ensure the protection of critical information infrastructure. Together with other similar provisions, the treaty also outlines many safeguards for citizens with regard to processing personal data. Even though Rwanda is yet to subscribe to the AU Convention, the Convention has become a lodestar, inspiring national measures promoting cyber security and combating cybercrime.

So, what role is the National Cyber Security Authority likely to play in enhancing the national cyber security system?

First is to promote the culture of cybersecurity among stakeholders, notably government, companies and cooperatives, civil society organisations and international organisations operating in the country to develop, manage and use information systems and networks secured. In this view, there’s evidently a need to establish a cyber security plan for the systems run by government to ensure the overall cyber security in Rwanda’s cyber-environment. In a similar manner, other stakeholders need to work closely with the government to close any existing loopholes in the cyber security. Of course, the government has to take a leadership role in the whole undertaking. In this perspective, the government has to sensitise and provide education and training to the public. Equally, the policy must be taught in schools and higher learning institutions.

Second, enhancing Public-Private Partnership as a model to engage industry, the civil society, and academia in the promotion and enhancement of a culture of cyber security. Third, to establish appropriate measures to combat cybercrime and to ensure monitoring and respond to incidents and alerts that might arise. In order to be effective in combating cyber-threats, there’s a need to create super Computer Emergency Response Team (CERT) and/or the Computer Security Incident Response Teams (CSIRTs).

It goes without saying that combating cybercrime is an uphill battle that can barely be fought by a state acting individually. It thus necessitates regional or international cooperation through signing agreements on mutual legal assistance with EAC Partner states, ensuring that cybercriminals do not escape justice and at the same time recognising the principle of double criminality.

As often as not, cybercriminals tend to take advantage that the internet doesn’t recognise the so-called geographical boundaries. However, mutual legal assistance can facilitate a country to have extraterritorial impact extending beyond its jurisdiction. In a similar context, there can be exchange of information on cyber-threats and vulnerability assessment through Computer Emergency Response Team or the Computer Security Incident Response Teams (CSIRTs). In a nutshell, empathising on international cooperation, dialogue and coordination in dealing with cyber-threats is paramount.No doubt, cybersecurity plays an important role in the ongoing development of information technology, as well as internet services. Enhancing cybersecurity and protecting critical information infrastructures are essential to each nation’s security and economic well-being. Making the Internet safer (and protecting Internet users) has become integral to the development of new services as well as government agenda.

It is equally noteworthy that lawmakers must continuously respond to Internet developments and monitor the effectiveness of existing Penal Code provisions, especially given the speed of developments in network technology.

Most importantly, there’s a need to acknowledge that dealing with cyber-threats is a shared responsibility, requiring coordinated action related to prevention, preparation, response and recovery from incidents on the part of government authorities, the private sector and citizens.

The writer is an international law expert.