Nanjira Sambuli: “There is cybersecurity talent and innovation on the African continent.”

GCA interviewed Nanjira Sambuli ahead of the GC3B Conference ending today in Accra, Ghana. Nanjira Sambuli is a Kenyan researcher, policy analyst and strategist studying the unfolding, gendered impacts of digitalization/ICT adoption on governance, diplomacy, media, entrepreneurship, and culture, especially in Africa. Yesterday, Nanjira took part in a panel on return on investment of cybersecurity activities, organized by the  Global Cyber Security Capacity Centre and moderated by Jamie Saunders, an Oxford Martin Fellow at the University of Oxford, a Fellow of the European School of Management and Technology in Berlin, and one of GCA’ Strategic Advisors.


Question: The digitization of Africa seems an unstoppable process in spite of the much slower development of adequate infrastructures. This has taken to a myriad of ‘African ways’ of consuming internet services. What opportunities and challenges do you think this creates in terms of cybersecurity?

Answer: The most salient example here is the  ‘mobile first’ or predominantly mobile mode of accelerating end-user digitalization on the continent. With mobile telephony as a be-all end-all, for access to critical services such as finance and health, it presents unique dynamics pertaining to cybersecurity. For one, most consumer-facing cyber threats on the mobile phone entail social engineering through general or specific targeting of individuals, and SIM Swaps notably for financial-related mobile fraud.  For smartphone users, an inability to constantly update applications can create cyber vulnerabilities, and for feature phone users, updates to their SIM toolkits can stop altogether as developers move to app-based service provision, thus missing any vulnerabilities as well.
At the same time, the ubiquity of mobile can also be leveraged for consistent cyber awareness-raising. And with a young and tech savvy generation, there is potential to embed cybersecurity best practices for consumers by leveraging the ubiquity of end-user mobile technology for information distribution and even attract a cyber workforce by creatively disseminating already available information on aspects of cybersecurity. 


The AFRINIC issue is a very good indicator of the huge challenges faced by the infrastructures of the Internet in Africa. How are the different countries performing in terms of infrastructural challenges? What is the most urgent need to address for the integrity of the Internet in Africa and how can donors help support this?

Being a vast and diverse continent, countries are at different stages with their digital infrastructure and their cybersecurity and cyber-resilience. As more countries adopt cybersecurity laws and policies, we see indicators of acknowledging digital infrastructure as critical infrastructure, and for the need to invest in the requisite capacity to address current and future infrastructural challenges. 

Donors can be of assistance here by working with local country multi stakeholders in mapping out opportunities and challenges with digital/internet infrastructure, and not assume a one-size-fits-all approach. Furthermore, donor coordination is increasingly needed to responsibly invest their resources across multiple needs identified, in order to support countries’ sustainable digital development, including in developing cyber resilience capabilities.

Can you share your perspective on the current state of cybersecurity innovation and the talent pool in Africa? There is a large investment in cybersecurity capacity building across the African continent. Where have you seen these efforts be successful, and where have they fallen short? Do you have any recommendations on how to improve them? 

This would need a country-by-country assessment, but overall, there is cybersecurity talent and innovation on the continent. Cybersecurity capacity building efforts tend to focus on state capacities, which is well and good. Market talent is developing through formal education, self-taught practitioners and infosec associations that complement tertiary education and offer real-world scenarios around which talent can be honed. How the existing talent is absorbed into industry and government is perhaps the bigger policy question, keeping in mind that in the case of the former, a majority of businesses on the continent are micro, small and medium size enterprises that, while leveraging digital tools for their businesses, may not afford in-house cybersecurity talent. For all the excitement and investment in tech innovation on the continent, technical, financial and operational support to ensure products adhere to cybersecurity best practices remains an area where external investments are falling short across the board. The success of cybersecurity capacity building within governments can be difficult to measure externally. 

Overall, investment in cybersecurity capacity building needs to go beyond one-off trainings, minimise duplication of approaches and contextualise for the different realities across and within countries. 


How should we help ensure we are elevating and sustaining local expertise to contribute to the domestic, regional, and/or global cybersecurity landscape? Local context, culture, and experience with technology are critical to designing effective cybersecurity programs. What are some important considerations donors should keep in mind when designing programs to strengthen cybersecurity on the African continent? What about implementers of these programs? 

External support to the continent must adopt a humble stance, and avoid assumptions of ‘lack’, that is, that we lack the local talent or expertise in shaping their interventions. Supporting local landscape and stakeholder mapping exercises conducted by, say, local technical communities/associations or civil society is a good practice to cultivate entry points into different country contexts. Engaging stakeholders from an inquisitive, rather than a predetermined approach will also help donors and other international actors better target their interventions locally. Given the transjurisdictional nature of cyberspace, it might behoove intervening actors to engage local talent as potential contributors to the global space, and not just the local. That is, to not treat cybersecurity interventions and discussions in Africa as though disconnected from what is otherwise perceived as global. 

What do you want international donors and private sector groups to focus on, invest in, prioritise, or not do when thinking about helping support cybersecurity in Africa?

For one, to remember Africa is not a country! Some good practices we’ve identified include:

  • Rooting cybersecurity support in local contexts;
  • Going beyond one-off trainings/support mechanisms; 
  • Ensuring cybersecurity interventions and investments (especially trainings) are demand-driven (and not based on presumed needs and general assumptions of ‘lack’; 
  • Incorporating interdisciplinary approaches into investing in cybersecurity capacity, that is, not just focusing on technical talent but also political, sociocultural and economic disciplines and the value they bring to the cybersecurity domain; 
  • Mainstreaming gender-responsiveness in the design and implementation of cybersecurity interventions; 
  • Working with other donors and private sector groups to minimise duplication of effort and over-concentration in subsets of issues; 
  • Establishing and supporting mechanisms for evaluating success and failures of interventions, and 
  • Offering and supporting sustained institutional resources that do not disrupt steady progress due to shift in donor priorities. 


Thanks to your work in the Fincyber project of the Carnegie Endowment for International Peace, you are familiar with the challenges of turning global, generic recommendations into local, practical solutions. Our Cybersecurity Toolkits, in fact, have been referenced as a good mechanism to implement the Fincyber recommendations, but the tools cannot be good by themselves. How to close the gap between good resources and good implementation?

The capacity on the implementing side is often over or underestimated. Toolkits are great and helpful resources, but just because they’re availed doesn’t directly translate to their ability to be implemented. Capacity constraints, say for MSMEs to have in-house cybersecurity talent or afford to contract cybersecurity experts is a real and practical hinderance, especially in the absence of pooled resources to subsidize or cover the costs of implementing such tools. GCA and other actors involved in designing solutions-in-a-box ought to undertake context-specific studies on what are the challenges in the supply of these solutions and their uptake, and use those findings to better challenge the cybersecurity support coming into places like Africa, to ensure it helps close the exposure gaps sooner, rather than later.


Why is GC3B an important event and what do you hope comes out of  it? What is on your agenda in Accra? 

GC3B presents an opportunity to take stock of what is (not) working in the realm of cyber capacity building, including the assumptions around who gets to build capacity and whose capacity is built. I am attending to share the experiences from studying the intersection of cybersecurity, capacity building and financial inclusion in Africa, and to engage with the broader cyber capacity building community.


The GC3B, where GCA is playing an active role, brings together high-level leaders and experts from the global cyber and development communities under the common theme “cyber resilience for development.”