Reviewing Senegal’s Cybersecurity Capacity Maturity: a strategic approach

As part of the GFCE initiative “Progressing Cybersecurity in Senegal and West Africa”, the Global Cyber Security Capacity Centre (GCSCC), in collaboration with the government of the Netherlands carried out a cybersecurity capacity maturity review in Senegal, premised on its National Cybersecurity Capacity Maturity Model (CMM). After consultations with various stakeholder groups, a report with the findings and recommendations was submitted to the government of the Netherlands and the Ministry of Posts and Telecommunications in Senegal. Key findings show that Senegal is more advanced in developing cybersecurity legal frameworks, training and education, and national infrastructure resilience. Potential areas for enhancement include a national cybersecurity strategy, incident response, crisis management, responsible reporting, and cybersecurity marketplace.

Written by: Global Cyber Security Capacity Centre (GCSCC)

In January 2016, a team from the Global Cyber Security Capacity Centre (GCSCC), University of Oxford, in collaboration with the Dutch Government of the Netherlands, carried out a review of the cybersecurity capacity maturity of Senegal premised on its National Cybersecurity Capacity Maturity Model (CMM). The aim of this effort was to enable the country’s government to benchmark and prioritise investments in cybersecurity capacity. The review, hosted by the Ministry of Posts and Telecommunications, was part of the GFCE initiative launched by the Foreign Ministry of the Netherlands and Senegal to exchange expertise that would contribute to addressing cybersecurity issues in Senegal.

During a three-day consultation, the researchers held roundtable discussions with representatives from ten stakeholder groups, including representatives from public sector entities, legislators and policy owners, criminal justice and law enforcement, armed forces, academia, civil society, telecommunications companies, finance sector and the Cyber Task Force. Discussions were premised on the five dimensions of the CMM: policy and strategy; culture and society; education, training and skills; legal and regulatory frameworks; standards, organisations, and technologies.

Following the review, the country review report was submitted to the Ministry of Posts and Telecommunications, presenting the findings across the dimensions critical to build a country’s cybersecurity capacity and identifying recommendations for the government.

Key findings

Overall, the maturity of Senegal’s cybersecurity capacity across the five dimensions of the CMM varied between the start-up and established stages of maturity. In some areas, such as the dimension on policy and strategy and culture and society, Senegal is just beginning discussions on enhancing the capacity of these factors. For example, while there is no national cybersecurity strategy, national incident response capacity or coordinated awareness campaign, all stakeholders agreed that raising the maturity in these factors would fill much needed gaps in the national cybersecurity landscape.

In other dimensions, such as national education, training and skills and the legal and regulatory frameworks, there was some existing capacity in cybersecurity, but still moving from the formative to the established stage. For instance, several universities in Senegal offer courses in information security and cryptography, but do not yet offer courses in cybersecurity specifically. Similarly, there are aspects of the legal environment that have been adopted in order to mitigate cybercrime. Senegal has already adopted, since 2008, legislation on cybercrime, data protection, and e-transactions, though it was widely agreed that the implementation of these laws varies, thus inhibiting the country from elevating its maturity in this factor.

Finally, we came to understand that the implementation of cybersecurity standards within private companies and public entities and at the national level are frequently dictated by whether the institution is under the purview of an external parent company. If an international company mandates security requirements, then ISO standards are usually adopted, but there are few companies that do so voluntarily.

These findings, while unique to Senegal, are comparable to the experiences gathered in other countries with similar level of development across the world. While cybersecurity is an increasingly recognised priority, specific measures to elevate maturity across the different dimensions are still at the initial levels of development and implementation is not always sufficient yet.  

Recommendations

In Dimension 1, which looks at cybersecurity policy and strategy, the development of a National Cybersecurity Strategy, the design and dissemination of a coordinated cyber programme and the development of a national CSIRT were recommended as the key actions for enhancing capacity. In addition, the establishment of a mechanism for regular vulnerability disclosure and information sharing between the public and private sector was emphasised.

Key recommendations relating to the second dimension, which focuses on cyber culture and society, include the enhancement of efforts at all levels of government to promote understanding of risks and threats, the development of a national awareness raising programme, and the expansion of secure e-government services.

Moreover, cybersecurity education, training and skills are crucial to the development of cybersecurity capacity. Recommendations for this third dimension of the CMM encompass engraining cybersecurity training and education throughout all levels of education, developing a nationally coordinated programme on cybersecurity education and skills development, and providing training for experts on various aspects of cybersecurity, as well as conducting mandatory cybersecurity trainings for board members.

In Dimension 4, which looks at legal and regulatory frameworks and the capacity of the criminal justice system, the GCSCC recommended to review and amend existing laws on cybersecurity, data protection and cybercrime, strengthen national investigation capacity for computer-related crimes, and establish and strengthen international cooperation mechanisms to combat cybercrime.

Finally, recommendations for the enhancement of technology and standards aspects of cybersecurity include the promotion of the adoption of international IT standards, the establishment of a national programme for infrastructure development and the fomentation of sharing information and best practices among organisations.

Next steps

Senegal has since started to define the priorities to enhance the country’s cybersecurity capacity and has begun to implement some of the recommendations. This includes the development of the National Cybersecurity Strategy which is supported by the GFCE initiative, until the end of the year (on December 2016). In September 2016, the national digital strategy named SN2025 has been officially validated technically with all Senegalese ICT stakeholders. The document considers the recommendations of the report prepared by the GCSCC. Senegal has also begun to review the framework legacy with a group of national and international experts and to discuss the creation of a National Cybersecurity Center.

A study for the awareness campaign in 2017 is under way. Some stakeholders have been appointed by Senegal and are ready to participate in the campaign.

In 2017, the second regional Experts Meeting is planned as part of the GFCE initiative. It builds upon the first meeting held in Dakar in April 2016 which provided the building blocks for the “Dakar Declaration on Cybersecurity” and whose components cover cybersecurity strategy, incident response teams, legal frameworks, cybersecurity awareness and cybersecurity education. It sets cybersecurity capacity building on the agenda in Africa and is embraced by several African countries and regional organisations.

This article first appeared in the second issue of the Global Cyber Expertise Magazine – November 2016.