Depending on your perspective, Africa is either a global asset or a liability in the information security (infosec) world — or a bit of both.
Many people unfairly portray African nations solely as sources of malicious hackers and scammers. Nigeria bears the most accusations, with frequent mentions of Nigerian prince scams. While threat actors such as the Yahoo boys do operate in Nigeria, the so-called 419 scams (named for the numerical section of Nigeria's criminal code) aren't always African in origin. Yet this stereotype remains very much a part of the cybersecurity lexicon.
It's easy to make Africa a cybercrime scapegoat through sustained myths, misconceptions, and just plain ignorance of the continent's rich history and culture. Perpetuating negative stereotypes makes everyone less secure by not engaging African talent on the world's information security stage.
Instead, the global information security community needs to help African nations defend against the growing misinformation, disinformation, and malinformation campaigns from China and Russia that already have taken root there.
Foreign threat actors are finding ways to infiltrate African nations to help create a malicious hacker army through gifts or disinformation campaigns. For example, an infosec professional in Zimbabwe told me that the local consulate from a known state sponsor of cybercrime offers free lunch and computer lessons to locals.
It's imperative that the infosec community recognizes the people in Africa who want to learn and helps them become defenders, not future threat actors.
Expanding Africa's Cybersecurity Talent
In 2018, I was invited to a conference in South Africa to present a workshop and a keynote talk about cybersecurity basics to a group of librarians and information professionals. The attendees were eager to learn and share knowledge of cybersecurity best practices. They know their countries have data security issues, and they have many professional communities working hard to train and upskill people for information security jobs and a better future.
Here are some of the nongovernment organizations (NGOs) and nonprofit organizations that are doing amazing work in Africa, both in educating students and practitioners and spreading security awareness in their communities.
- Africa Cybersecurity Consortium: The ACC is one of many groups in Rwanda training information security professionals through internship placement programs and training.
- Africahackon: This security collective is building the next generation of African cybersecurity talent in Kenya and other countries by hosting capture the flag competitions, providing hands-on training for digital forensics, and more.
- Cyber Security Experts Association of Nigeria: Led by an executive council of cybersecurity leaders, CSEAN holds a well-attended annual conference, seminars, training, and workshops to raise the bar of skilled infosec professionals in Nigeria.
- CyberSafe Foundation: Based in Nigeria but serving several countries in Africa, CyberSafe has multiple skills training and awareness programs. Its successful CyberGirls program offers a free one-year fellowship for women ages 18 to 28, who receive job training for cloud security; governance, risk, and compliance (GRC); and other roles.
- Security BSides: This well-known US-based grassroots security community is growing in Africa with groups in Algiers, Algeria; Cape Town, South Africa; Kampala, Uganda; Lagos, Nigeria; Mombasa and Nairobi, Kenya; and the country of Togo.
- SheHacks Kenya: SheHacks KE was established in 2016 to give Kenyan women working in infosec a place to connect and provide learning opportunities for girls and students.
- SheSecures: This West Africa-based organization provides community, career building, and cyber literacy.
- Wentors: Based in Lagos but serving the globe, this group pairs women in IT and information security with mentors who are professionals in their field.
Shining Light Into Darkness
The words of the late geographer Dr. George H.T. Kimble still ring true today: "The darkest thing about Africa has always been our ignorance of it." We are at a pivotal point: The global information security community can embrace and support our African counterparts, or it can let history repeat by watching the continent be consumed by digital colonialism and used as props by nation-state actors. Doing the latter will impact us all.