There has been a noticeable increase in cybercrime both originating from and targeting North African countries. According to a 2017 report by cybersecurity company PandaLabs, four of the world’s top 25 countries where computers were most vulnerable to attacks were in North Africa. Cybercrime occurs in many forms and affects the online security of both the state and private institutions. It has an impact on the financial sector and the security of individuals, and shares links with various other crimes – including terrorism.
According to the UNODC (United Nations Office on Drugs and Crime), ‘cybercrime is an evolving form of transnational crime’ because of its borderless nature, involving actors from various countries who often plan and organise illicit activities in the deep web, where they avoid being detected. Cybercrime often takes the form of phishing, sextortion and cyber terrorism, resulting in the theft of money, personal data and intellectual property; online blackmail; and various forms of sexual harassment. Private computers and small companies are more likely to be attacked because they are typically less secure.
In October 2018, the ENACT project and the Cairo International Centre for Conflict Resolution Peacekeeping and Peacebuilding co-hosted a workshop on Financial Crimes Investigation for Law Enforcement Agencies in North Africa. According to Algerian cyber-security specialist Raouf Farrah, North Africa has a fragile cyber ecosystem that offers countless opportunities for cybercriminals.
Among these, Farrah cited ‘weak IT and cyber infrastructure, repressive and slow cyber security legislative cycles compared to the rapid pace of crime innovation, and … poor cyber-education and awareness of online threats and vulnerabilities’. Farrah explained that the rapid development of mobile Internet access and the so-called Internet of Things have also boosted cybercrime regionally.
Regional dynamics are also a factor. While the information and communication technology sector has developed fairly rapidly in North Africa, it has not been accompanied by the development of adequate cyber security instruments. Offenders exploit technical and legal loopholes and they are faster than states and private companies.
While North African states are poorly equipped to combat cybercrime, this should not pitch the development of security policies towards responses that undermine rights like freedom of expression and information.
Algeria, for instance, created a national authority under the Ministry of Justice to prevent and combat crimes related to information and communications technology in 2015. The decree creating this authority uses vague and poorly defined terminology, such as ‘preventive monitoring’, ‘subversive’ and ‘violation of state security’.
In Egypt, cybercrime laws use similarly vague language to identify crimes such as ‘threatening national security’, ‘harming family values’ or ‘influencing public morals’. Human rights advocates like Wafa Ben-Hassine, a policy analyst based in the Tunis office of digital rights NGO Access Now, have denounced the trend in cybercrime laws to use such broad terms. According to her, these laws put human rights at risk under the false pretext of curbing threats to national security.
Although it has not adopted specific anti-cybercrime legislation, Morocco launched a National Strategy for Information Society and Digital Economy in 2009. It was intended to strengthen the private sector's trust, boost the digital economy and conduct a civic education campaign against cybercrime from 2014 to 2017. Morocco adapted its legal framework and created institutions to ensure the safe use for online consumers and the protection of personal data. According to analyst Asma Daoudi, however, ‘there is a gap between theory and practice and the existence of laws does not mean that they are well applied.’
In 2004, Tunisia adopted a data protection law and created the National Institution for Personal Data Protection, which was to be in charge of monitoring data protection in the private and the public sectors. The Tunisian Internet Agency is responsible for monitoring Internet providers and has been playing a positive role in raising awareness about cybersecurity since 2011, as opposed to its Internet censorship under the regime of Zine el Abidine Ben Ali.
The key challenge for North Africa is therefore not a lack of legislative frameworks, but rather the need to strike a balance between combating cybercrime while preserving human rights and freedoms.
Various international instruments provide guidelines for the development of anti-cybercrime legislation and cyber-security strategies. One example is the 2014 African Union Convention on Cyber Security and Personal Data Protection, which provides tools to regulate cybercrime policies. To date, Mauritania is the only North African country to have signed the convention.
Adapting legislation is necessary, because it helps to sharpen responses and provides clear and logical frameworks to combat this type of crime. But this means that cyber crimes should also be defined with precision, and the roles and responsibilities of various law enforcement stakeholders should be given careful consideration. This is particularly true for cases that deal with international networks.
To ensure the effective implementation of cybercrime legislation, relevant criminal proceedings and laws need to be in place. Investigators require tailored training, and guarantees against human rights violations must be prioritised. The UNODC report about cybercrime has underscored the importance of harmonising national legal frameworks, using modern means of cooperation and providing prevention activities. Cybercrime is a borderless phenomenon, and responding to it requires well-organised, carefully coordinated responses on both national and regional levels.
Rim Dhaouadi, Researcher, ENACT project, ISS