A new report by the Global Cyber Security Capacity Centre (GCSCC) has exposed loopholes in Uganda’s cyber security capacity, indicating that it is in an embryonic state and that no concrete action has been taken to help the situation.
The report was compiled after a three-day consultation with different government and private sector stakeholders, who included government ministries; the National Information Technology Authority, Uganda (NITA-U); academia; civil society; law enforcement; Internet governance representatives; Internet Society chapters; criminal justice; the intelligence community; national security representatives; the CSIRT team; commercial sectors and SMEs; the finance sector; and telecommunications companies.
According to the report, all of Uganda’s indicators lie at the start-up and formative levels, which are the lowest on the indicators chart.
The consultations were based on the GCSCC’s Cyber Security Capacity Maturity Model, which is composed of five distinct areas of cybersecurity capacity:
Cybersecurity Policy and Strategy (Startup level)
This dimension explores the capacity of the government to design, produce, coordinate and implement a cybersecurity strategy as well as policies upholding the strategy.
The survey discovered that there is no official document on Uganda’s national cybersecurity strategy. Instead, Uganda has a National Information Security Policy (NISP) and a National Information Security Strategy (NISS).
Cyber culture and society (Startup level)
This dimension assesses important elements of a cyber-culture on an individual and organizational level and their perception by various stakeholders. It determines the level of trust in e-government and e-commerce services and adherence to privacy standards by the entities that engage in provision of these services.
In Uganda, the report says, “there is an absence or at best minimal recognition of a cybersecurity mind-set within most of the government agencies. However, there is recognition of cyber risks and threats, and efforts towards cybercrime awareness campaigns have been initiated.”
Cybersecurity Education, Training and Skills (Startup level)
This dimension assesses the availability and quality of cybersecurity education, training, and skills in Uganda for various groups of government stakeholders, the private sector, and the population as a whole. It evaluates existing educational offerings and national development of cybersecurity education; training and educational initiatives within the public and private sectors; and corporate governance, knowledge, and standards.
In Uganda, there is a gradual increase in information-security education and training.
The report notes that “a number of information Security training initiatives are starting to focus towards increasing the attractiveness of cybersecurity as a career and its relevance to both the private and public sector.”
Legal and regulatory frameworks (Formative level)
This dimension looks into the Government’s capacity to design and enact national legislation and accompanying by-laws directly and indirectly relating to cybersecurity, with a particular emphasis placed on the topics of ICT security, privacy and data protection issues, cybercrime, and on the stakeholder groups represented by law enforcement, prosecution services, and courts.
The report observes that “Uganda has a number of legislation in place, which address Internet misuse.”
“The Ministry of Information and Communications Technology (MoICT) in conjunction with Ministry of Justice and Constitutional Affairs (MoJCA), Uganda Communications Commission and National Information Technology Authority (NITA-U) of Uganda have jointly coordinated the drafting of the Data Protection and Privacy Bill, which is currently due for debate in Parliament. It was suggested that in future the East African Community (EAC) countries should have a harmonized Data Protection and Privacy Law for all member states,” asserts the report.
Standards, organisations, and technologies (Formative level)
This dimension brings forward the importance of implementation of cybersecurity standards and minimal acceptable practices; existence of well-functioning and high capacity organisations coordinating cybersecurity with formal authority over multiple stakeholders; and existence of a vibrant cybersecurity marketplace of technologies and cyber insurance services.
The report indicates that in Uganda, information security standards are being adhered to by the Government.
“There have been some initial signs of promotion and take-up across the public sector and Critical National Infrastructure (CNI) organisations. There is no total compliance to ISO standards or certification yet in a number of Government institutions,” the report further states.