Like many other countries around the globe, Ethiopia has embraced ICTs and ICT based services as key enabler for social and economic development in the country. Various efforts are also underway to significantly increase Internet connectivity speeds and access. But greater bandwidth will not only mean faster and better internet access but also faster and better means to launch cyber-attacks and opens more opportunities for criminals to exploit naïve users.
In this article I will try to explore the efforts and initiatives being made by the government in fighting cybercrime from three cyberspace governance perspectives namely cyber security-related policies and strategies, legislative frameworks, and institutional arrangements. I will also provide some recommendations on what the government should do so that appropriate plans and measures can be implemented to a safer and secure Ethiopia.
1. Information Revolution and the New Form of Crime: Cybercrime
The dawn of the information age was proclaimed in 1991 by Alvin Toffler in his book The Third Wave. In this book, Alvin Toffler pointed out the history of the world to date can largely be portrayed as three waves namely the agricultural wave, the industrial wave and the information wave. The world is now at “the third wave” and owing to the revolution in information technology and this ‘third wave’ is called as information age.
Even though the World Wide Web only began in the1990s, billions of people are online today. Currently, over 40% of the world’s total population has access to the internet and more are logging on every day. Nowadays, cyberspace has become omnipresent that some have begun to employ the language of nationhood to describe it. If cyberspace were a country, it would be the largest and most populated country in the world, but yet without any government, legislative bodies, law enforcement, protection mechanism, or rules for participation.
It is also estimated that by the year 2017, mobile broadband subscriptions will approach 70% of the world’s total population and by the year 2020, the number of networked devices will outnumber people by six to one, transforming current conceptions of the internet. These figures show how modern life is increasingly relied on internet and digital technologies.
Technology is, however, neutral and hence it empowers those who build and those who could disrupt and destroy alike. With every new invention, there will always be some people who see only its potential to do good, while others see new opportunities to commit crime or make money. In addition, criminals have always been alive to the possibilities of new technologies. Hence, cyberspace presents us not only great promise but also being transformed into a safe haven for criminals. Just as legitimate computer-based activities penetrate most aspects of life, whilst the most confidential information held on computer systems is at the mercy of the computer hacker and identity thieves. Furthermore, almost all traditional crimes can be perpetrated from the online environment.
Millions of people are victims of cybercrime every day and caused trillions in loss. As never before, and at insignificant cost, even ordinary citizens can cause calamitous harm to individuals, companies, and governments from places unheard of. The threat of cybercrime has also reached at the level of national security concern. For instance US President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America's economic prosperity in the 21st century will depend on cyber security.” The UK government also declared that cyber security had become a ‘tier 1’ priority alongside international terrorism and major national incidents. In many cases, ICTs that are vital to national and economic security are subject to disruption from a number of causes, either originating from within a nation or outside its borders. Therefore cybercrime has already become the dark side of the information age.
But what constitutes cyber-crime? Even though it is one of the hottest contemporary global issues and enjoys considerable political, legal, media, public, and academic discourse, the term cybercrime has no universally accepted definition. Defining cybercrime appears, therefore, to be a necessary evil within the community of people involved in researching, investigating, and prosecuting its occurrence. There are a number of expressions and terms used to describe cybercrime in an interchangeable manner such as computer crime, internet crime, e-crime, digital crime, high-tech crime, online crime, electronic crime, and so on.
There are also debates even on the need for defining cybercrime. Some argued that cybercrimes are just a new variant of traditional crime, and that there is no need for defining new categories of crimes. The metaphor of old wine in new bottles aptly depicts this camp’s argument. On the other hand, there are arguments seeking for specific definition of cybercrime. That means there is a view that even though some computer crimes could be prosecuted under existing criminal laws, computer networks enable the commission of entirely new types of crimes such as hacking and denial of service attacks which do not fit under any of the existing crime categories.
As this debate is ongoing, there is still no internationally recognized or standardized definition of cybercrime, nor is there a uniform usage of the term. Even though there is no uniform definition of cybercrime, however, most of the proposed definitions have common denominator that involves the central role played by computer systems in the commission of cybercrimes. i.e. computer systems are used as means or target of crimes. Therefore, I can have a working definition of cybercrime as, an act that covers the entire range of crimes which involves computer, computer network, or other digital technologies either as its target or as an instrumentality.
2. Cybercrime in Ethiopia
2.1. Ethiopian Cyberspace Picture: information society and infrastructure
Despite the fact that Ethiopia is still lagging behind even compared to many developing countries, ICT penetration and usage is steadily growing. As the potential for ICT to increase economic growth and reduce poverty is an established fact, Ethiopia has to embrace ICT use in its entire social, economic and political structures. That is why the Ethiopian Government envisioned every aspect of Ethiopian life is ICT assisted and has made the development of ICT one of its strategic plan priorities.
It must be due to this commitment that the ICT penetration and usage is steadily growing in the country. For instance, the Ministry of Finance and Economic Development in its recent Annual Progress Report for fiscal year 2011/12 Growth and Transformation Plan reported that: the number of mobile subscribers and telecom density for mobile lines increased from 10.7 million and 12.85 % in 2010/11 to 17.26 million and 20.4 % in 2011/12 respectively. Similarly, the coverage of wireless telephone service increased to 90 percent in 2011/12 even if the plan was to reach 63 %, while the number of subscribers and telecom density for fixed line declined from 0.854 million and 1.03 percent in 2010/11 to 0.805 million and 0.95 % in 2011/12 respectively. Generally, the total subscribers base has increased to 20.73 million at the end of 2011/12, of this internet subscribers has covered 2.661 million including mobile internet subscribers in the fiscal year.
There is also a staggering increase in social networks users. The young generation of the country is logging on every day to the online environment. Recent reports show that as of 2012, there were over 1 million Facebook users, with 45 per cent are between the age of 18-40. According to the recent research paper of Trend Micro Incorporated, Ethiopia is one of the top 10 African countries with the biggest number of Facebook users. The number of broadband subscription has also increased from 27,043 in 2011 to 30,372 in 2012. According to the Australia-based telecoms research company, BuddeCom, Ethiopia’s broadband market is also set for a boom following massive improvements in international bandwidth, national fiber backbone infrastructure and 3G mobile broadband services. There are also recent reports that show Ethiopia’s International Internet bandwidth is better than many other African countries as the country has been working towards improving its international bandwidth through international fiber optic links via Djibouti, Kenya and Sudan. As the country is Africa's second most populous and owing to the huge investments being made by the government, there is also a huge potential user base that can make Ethiopia an ICT hub of Africa in the very near future. Several ICT infrastructure development projects are also underway such as the construction of the EthioICT-Village which is expected to generate ICT related jobs for approximately 300,000 employees.
In addition to the development of infrastructures, the government of Ethiopia is also trying to promote and facilitate an extensive use of ICT and internet supported services. To this effect, the government has adopted e-Government Strategy in 2010, which planed enablement of 211 e-services. Several government agencies are also providing their services online through the government portal.
As digitalization and business automation is also increasing, computer networks are becoming the nerve system of our critical infrastructures. The use of ICT is also embraced in the banking and financial sector. Even though in Ethiopia cash is still the most dominant medium of exchange, electronic-banking is started, electronic fund transfer was legally recognized for the first time in 2011. This time, almost all banks in the country have already introduced core banking system, mobile banking and ATM services. The Ethiopian Commodity Exchange is also pushing out trading prices for key commodities countrywide through mobile phone messaging and internet based services.
But it is an established fact that with reliance on computer systems and other digital technologies comes with vulnerability to cybercrime and cyber-attack. Reliance on computer systems and Vulnerability to cyber-attacks are two faces of the same coin. Therefore, once Ethiopia is connected to a global network, it becomes vulnerable to cybercriminals operating anywhere in cyberspace. And thus Ethiopia is vulnerable to cybercriminals not in theory but in practical terms.
2.2. The Reality of Cybercrime in Ethiopia
At the end of 2013, TREND Micro Incorporated has published a report entitled “Africa a New Safe Harbor for Cybercriminals?” In this report TREND Micro Incorporated identified three “Reasons Why Africa Is Poised to Become a New Cybercrime Safe Harbor” namely the availability of faster and more affordable internet access, the expanding Internet user base, and the lack of cybercrime laws.” The United Nations Conference on Trade and Development (UNCTAD) also indicated that developing countries have become staging grounds for attacks by cyber criminals due to the greater prevalence of unprotected systems. Africa as a continent is therefore, vulnerable to a range of online criminal activities and becoming a major source of cybercrime in the global information society. On the other hand, Africa as a continent has been criticized for lagging behind in curbing the threat of cybercrime.
Ethiopia is not an exception to this rule. On the one hand there is a massive increase of internet access and internet user base is expanding. But on the other hand, cyber security governance is at its very embryonic stage and much needs to be done. Therefore, there is no reason why Ethiopia could not be the save heaven or new Safe Harbor of Cybercrime.
As discussed above, the government of Ethiopia is working on the development ICT infrastructures and ICT based services. But greater bandwidth will not only mean faster and better internet access but also faster and better means to launch cyber-attacks and opens more opportunities for criminals to exploit naïve users. The pervasiveness of mobile phones throughout the country, the introduction of new services including mobile money and financial service such as ATMs, will also provide new opportunities for cybercriminals.
Despite the fact that Ethiopia cannot be immune from the threat of cybercrime, there is no consolidated report that shows the exact prevalence and impact of cybercrime in the country and to what extent the Ethiopian information society is vulnerable. This is because, among others, companies and individual users do not report cybercrime incidents for several reasons, do not keep organized record and some are not even know that they are targeted by cybercriminals. Records in the intelligence agencies and the law enforcement are also either not properly recorded or not accessible. Ethiopian-specific literatures on the extent of cyber-crime activities are also nonexistent. This inadequacy of statistics could lead to over- or under estimating the threat of cybercrime in the country.
In this work, I tried to extract the better picture of cybercrime in the country based on, among others, two source of information. The first information was collected from a survey conducted on some institutions in Addis Ababa. Some technical reports obtained from Information Network Security Agency (INSA) are also used as source of information.
In the survey, data were collected from set of questionnaires distributed to 40 institutions that are familiar with the uses of ICT. Of the 40 institutions, 35 responded giving a response rate of 87.5%. Respondents were from both private and government institutions which cover, 17 banks, 12 ICT institutions and 6 other institutions such as federal government agencies, Medias, and transport. The purpose of the questionnaire was to investigate the reality of cybercrime at organizational level and examine how the institutions are vulnerable to the threat of cybercrime. Accordingly, the questionnaires were categorized in to the following four perspectives which I believe that they can give some picture of cyber security status at organizational level in Ethiopia.
• Reality and prevalence of cybercrime,
• Preparation of organizations to deal with cybercrime incidents,
• Reporting of incidents and
• Perceptions on legislative, policy and law enforcement measures
Regarding the reality and prevalence of cybercrime respondents were asked to indicate the forms of cybercrimes that frequently or infrequently perpetrated against their respective institutions. Accordingly, it was found that all the respondents have experienced a number of cybercrime incidents. It was also fairly clear that seven forms of cybercrimes are experienced by the institutions who participated in the survey. Of these cybercrimes; computer virus, worm, malware or other malicious attack (57.1 %,), website defacement (40%), illegal access (17.1%), and spam (14.7%) are the leading cybercrimes frequently perpetuated against the institutions. The respondents also indicated a range of infrequently occurred but emerging other forms cybercrimes such as causing damage to computer data (62.9%), denial of service (DOS) (45.7%), system interference (45.7%). Over all, this survey result demonstrates that cybercrime is real in Ethiopia and taking the lack of detecting capability of institutions in to account, it is fairly valid to presume that the reality of cybercrime in Ethiopia is more than what this survey reveals.
Majority of the respondents (77.1%) also said that they do not set any organizational structure specifically dedicated to deal with cybercrime threats. Only 8.6% of the institutions (three banks) have specialized team responsible for cyber security incidents. This shows that cyber security governance is neglected in most of the institutions who involved in the survey, and hence I can acknowledge that organizations in the survey are ill prepared to detect, prevent, and investigate cybercrimes.
The survey was also used to examine to what extent cybercrime incidents are reported to law enforcements in Ethiopia. As the survey figures out, most cybercrime incidents perpetuated against the institutions go unreported. While more than half of the institutions said that they do not report at all, 25.7% said they report only major cyber-attacks, most of them related with banking fraud. The question is therefore, what make institutions reluctant to report cybercrimes perpetuated against their information and information infrastructures?
The survey result shows that organizations are reluctant to report cyber security incidents to the law enforcement for different reasons. From these reasons, the general belief that the law enforcement would not be capable of dealing with such cases (37.1%) and fear of adverse publicity (25.7%) are the major ones. I also witnessed during the survey that the institutions are reluctant to disclose any cyber-attack even for research purpose for they fear that publication could destroy their image and reputation. There are even organizations (11.4%) who believe that the solution for cyber security incidents are technical and hence are out of law enforcement jurisdiction.
As it will be discussed in the following chapter, the government of Ethiopia is currently taking policy measures on cyber security in general and cybercrime in particular. There are also some pieces of legislations, although scattered here and there, that can deal with some cybercrime issues. Therefore, in order to effectively protect themselves from cyber-attacks, organizations are expected to fully appreciate the current cyber security situations and measures in the country. Unfortunately, the survey revealed that most of the institutions are not aware of the existing cyber security governance measures. For instance, out of the 35 institutions, 57.1% said there is no national cyber security policy and strategy, which actually exists, and 22.9% responded they are not sure whether Ethiopia has cyber security policy and strategy. Only the remaining (20%) are aware of the national cyber security policy and strategy. Similar result was revealed while the respondents were asked to evaluate the sufficiency of existing legal framework of Ethiopia to assist with the apprehension and prosecution of cybercriminals. While 22.9% of the institutions felt that the existing legal framework is not sufficient, 65.7% responded that there is no cybercrime law in Ethiopia at all. When asked if they perceive the law enforcement well equipped (with expertise, tracing, detection and investigation tools, etc) to counter cybercrime, most respondents did not think it is.
There are also technical reports that demonstrate the prevalence of cybercrime in the country. As it will be detailed in the following chapter, INSA is a government agency established for the purpose of securing the Ethiopian cyberspace. As the agency conducts cyber security intelligence, it has several recorded cyber-attacks perpetuated against the country. Even though the records are not publicly available, Website defacement, spamming, Malware and virus attack, Computer fraud and forgery Identity theft and Denial of service (DOS) are the leading cyber-attacks in the country.
Besides the technical report and survey results, there are also other sources that show cybercrime is a vivid threat to Ethiopia. For instance, Kaspersky recently identified Ethiopia an number 79 most infected country in the world. Trend Micro Incorporated, in its very recent research paper has also identified top 10 Malicious URLs Hosted in Ethiopia. As cybercrime is often international in nature, occurring across boundaries and impacting on users in different countries, it is inevitable that Ethiopia will obviously be both victim and the source of the problem. When Ethiopian websites are defaced, for instance, users are warned that accessing attacked websites may infect their PCs.
Therefore, cybercrime is a real and growing threat to Ethiopians and the Ethiopian economy and thus requires comprehensive and systemic response. In the following section, I will examine how the Ethiopian government is responding to cybercrimes with special emphasis on three major cybercrime governance concerns namely cyber security-related policies and strategies, legislative frameworks, and institutional arrangements.
3. The State of Cybercrime Governance in Ethiopia
3.1. Policy Measures
3.1.1. The National ICT Policy and Strategy 2009
In 2009, the Ethiopian Government adopted a general ICT policy and strategy but with cyber security implication. The ICT policy recognizes, among other things, the need for the promotion of cyber security and the resilience of network infrastructures. In this regard ICT security is identified as one strategic focus of the policy with the following specific objectives.
• To secure and safeguard the national electric communications system (national, institutional and individual security).
• To enhance user confidence and trust within the public, as well as to protect both data and network integrity.
• To prevent, detect and respond to cyber-crime and misuse of ICT so as to contribute to the fight against national, regional and international crimes such as fraud, organized crime and terrorism.
• To address national security implications arising from the widespread application of ICT within the economy and society.
• To build overall implementation, crime’s prevention and controlling capacity of government bodies in charge of ICT policy implementation and monitoring.
3.1.2. The GTP 2010/11-2014/15
The growth and transformation plan (GTP) was formulated by the government in 2010 with the objective, inter alia, to enhance the country’s vision to become a middle-income economy as of 2020-2023. In this document the development of ICT and telecommunication infrastructure are among the strategic pillars of the GTP period. In furtherance of this strategic pillar, the GTP clearly spells out that the government is committed to ensure the security of ICT service and protect the systems from cyber-crime by creating an appropriate institutional framework (policy, law and regulation) as well as organization and human resource capability.
3.1.3. The National Information Security Policy 2011
The National Information Security Policy 2011 is the most important document in the issue of cyber security for it is the first cyber specific policy and it recognizes for the first time that Ethiopia is vulnerable to cybercrimes not just in general terms, but also in its full detail and hence there is a sense of urgency to reduce the threats and vulnerabilities. The policy also recognizes that cyber security is an integral part of national security, organizational security, public peace and security and the protection of basic rights and freedoms of citizens. The policy seeks to achieve the following, inter alia, major goals:
(i) Build national capability for coordinated prevention, detection, response, deterrence against threats and minimize damage, cost and recovery time from attack that do occur;
(ii) Enable the country to use information as a means and resource in the implementation of its peace, democratization and social and economic development programs;
(iii) Ensure the confidentiality, integrity, availability and authenticity of national information asset;
(iv) Transform Ethiopia into an information-secure society which supports the development of a trustworthy and competitive information infrastructure.
In furtherance of these goals, the policy identifies seven strategic pillars including the adoption of appropriate legal and regulatory frameworks, raise public awareness, promote information security education and training, foster national cooperation and coordination, promote and strengthen international cooperation, enhance R & D towards self-reliance, and protection of critical information infrastructures. Each strategic pillar also has specific objectives to be achieved and detailed implementing strategies. This shows that the Ethiopian government is ready and committed to respond against the threat of cybercrime, at least at policy level.
3.2. Institutional Regulatory Mechanisms
The adoption of legal and policy frameworks per se is nothing unless they are effectively implemented. And this calls for the establishment of robust and specialized institutions. In the Ethiopian context, the government is working on the establishment of institutions dedicated to ensuring cyber security. As yet INSA is the only institution prominently featuring in the regulation of cyber security in Ethiopia. INSA was established in 2006 by the Council of Ministers Regulation No. 130/2006 and re-established in 2011 by Council of Ministers Regulation No. 250/2011 and Proclamation No. 808/2013. Now INSA is the sole cyber security organ in Ethiopia with the objective to ensure that information and computer based key infrastructures are secured, so as to be enablers of national peace, democratization and development programs.
Form the above objectives it is clear that INSA is responsible to handle cyber security issues with national security and critical infrastructures concern. On the other hand cybercrime is not only national security concern. It also affects individuals and business of all level which requires either expand the responsibility and outreach of INSA or the establishments of other specialized units especially within critical infrastructures. INSA is also responsible for the establishment of national computer and computer network emergency readiness and response team. Bases on this power, INSA established Cyber Emergency Readiness and Response Team known as ETHIO-CERT in 2012.
In the national information security policy 2011, it is clearly provided that Computer Emergency Response Teams (CERTs) will be established at national level, in all critical infrastructures and government agencies. But so far only ETHIO-CERT, which is now operating within INSA, is established. Furthermore, the policy required for the establishment of specialized cybercrime units within the police and public prosecutor departments and for the establishment of specialized court bench. The telecom fraud offence proclamation No.761/2012 also required for the establishment of national technical task force. Despite these legal and policy declarations, however, they are not implemented yet. The law enforcements (police and public prosecutor) do not have cybercrime units, national technical task force is not yet established and there is no specialized court bench to entertain cybercrime cases.
3.3. Legal Frameworks
3.3.1. The FDRE Criminal Code 2004
Cybercrime related legislation in Ethiopia has a recent history. It came to the attention of the Ethiopian parliament for the first time in 2004 where the Penal Code 1957 was revised. Therefore the first legislative word in Ethiopia on cybercrime was the Criminal Code of the Federal Democratic Republic of Ethiopia 2004 (hereinafter referred to as the Criminal Code), which criminalizes four malicious cyber conducts such as: unauthorized access, causing damage to data, disrupting the use of computer services and misuse of computer devices. These provisions are incorporated in the Criminal Code under the chapter titled “crimes against rights in property”. That means the Criminal Code treats cybercrimes as property crimes. But now the technological developments have gone way far beyond what the Criminal Code could have envisaged at the time of its enactment. There is no doubt, therefore, that the Criminal Code was not enacted taking in to account the current cybercrime threats. At this time, cybercrimes can be perpetrated against any legally protected interest be it property, moral, liberty, security, and so on.
At the time the Criminal Code was enacted, the technological development was at its embryonic stage in Ethiopia as it was not integrated into all aspects of life, the currently pervasive social medias did not penetrated to Ethiopia, and there was no sense that computers use entailed specific problems of security or criminal conduct. And thus there was no sense of urgency about the issues of cyber security. It cannot be surprising, therefore, that the legislature could not have foreseen the pace of technological change over subsequent years. Furthermore, the penalty clauses provided in the Criminal Code are too lenient, given the dire impact of cybercrimes.
Making things worse, enforcing anti-cybercrime laws in Ethiopia become almost ineffective. Despite the introduction of cybercrime provisions in the Criminal Code, prosecution based on these provisions is lacking. Could this mean that cybercrime has not yet infiltrated in Ethiopia?
As discussed earlier, a well-founded answer would be ‘NO.’ But there are several legal and practical constraints that hinder the investigation of cybercrimes and prosecution of offenders.
To enforce the Criminal Code, there is a corresponding procedural legislation called The Criminal Procedure Code Proclamation 1961 (hereinafter referred to as the Criminal Procedure Code). The rules in the criminal procedure code are, however, suitable for traditional offenses and not for cybercrimes. This is because the Criminal Procedure Code was enacted in 1961, where the world was arguably unaware of cybercrimes and even computers were unknown in Ethiopia. Therefore, the incorporation of cybercrimes in the criminal code without, however, amending its corresponding procedural aspect makes the investigation and prosecution of cybercrimes ineffective.
Another problem relates with the capacity of the law enforcement. The law enforcements in Ethiopia are not yet equipped with resource and expertise necessary for the investigation of cybercrimes and prosecution of offenders. They rather rely on conventional investigation methods used for ordinary crime in order to identify, arrest and prosecute cyber criminals. As discussed earlier, the cybercrimes such as hacking, web defacement, malware attack and spam are the common and overwhelmingly growing cybercrimes in Ethiopia. These core cybercrimes, however, never entered the criminal justice system. This shows that the law enforcement in Ethiopia is not operating effectively in cyberspace. So far, very few cases, most of them relating to bank fraud, reached the courts and were either tried by old laws by extending their interpretation or closed for lack of evidence.
For instance in the case of Federal Ethics and Anti-Corruption Commission v. Michael Worku 2012, the defendant was a bank clerk in Construction and Business Bank and using his privilege (access right), the defendant has created fictitious user ID to transfer and withdraw 9.9 million Ethiopia Birr from different bank accounts. Even though this was a cybercrime act for the defendant created fake user IDs and hack passwords of supervisors of the bank, he was not charged under the computer related provisions but under article 407 (1) (a) and (b) of the Criminal Code which criminalizes abuse of power by public servants.
In the case of Federal Public Prosecutor v. Abraham Benti and Wendwesen Girma, and Federal Public Prosecutor v. Mesele Yohannes, the defendants were involved in breaking banking networks, misuse of access codes (passwords) and withdrawn funds from cash machines using stolen PIN numbers. Even though application of real-space laws to cyberspace may yield unexpected results, these perpetrators were charged by old laws with “aggravated fraudulent representation” under article 696 of the criminal code.
There are also other cybercrime related cases which were closed by the public prosecutor office for lack of evidence. Therefore, it can be concluded that most cybercrime incidents are not reported and those reported incidents are either gone off-track to traditional crimes or closed for lack of evidence. But it is worthy to note that the effort of relying on vague interpretations of the existing laws to include cybercrimes is not done only for lack of appropriate laws but for the law enforcement failed to enforce the existing cybercrime related provisions.
3.3.2. Other Legislations with Cybercrime Implication
Three other pieces of legislations are also in force which includes the National Payment System Proclamation No.718/2011, the Registration of Vital Events and National Identity Card Proclamation No. 760/2012 and the Telecom Fraud Proclamation No. 761/2012.
The first one was enacted with the objective to regulate and oversight the national payment system of the country so as to ensure its safety, security and efficiency. This law was enacted at the time where some banks in Ethiopia started to introduce electronic payment systems such as ATMs.
In this regard the adoption of the National Payment System Proclamation No.718/2011 was a good start as it is the first legislation to recognize electronic fund transfer and electronic signature in Ethiopia. Despite the recognition of electronic fund transfer and electronic signature, however, the law does not address the cyber security issues inherent to the electronic financial system. Only article 35 of the law deals with unlawful acts and criminalizes forgery and fraud related activities specifically related with forgery of and fraud with payment instrument. The wordings of article 35 also seem to deal with conventional financial related forgery and fraud crimes. Therefore, this proclamation is insufficient to address the whole range of cybercrime activities emerging in the financial area.
The second legislation, Proclamation No. 760/2012, introduces the national electronic Identity Card system. Even though the issuance of the electronic Identity Card is not yet began, this law has very important provisions which deal with cyber security issues. Article 65 deals with some cyber security issues by stating that “information shall be protected from electronically designed attacks, theft or form other similar criminal abuse” (emphasis added).
Article 66 also provides for very punitive clauses which range from 5 to 25 years of rigorous imprisonment against cyber related malicious activities such as: make use of forged or falsified certificate of vital event or national identity card, falsification of certificate of registration of vital even or national identity card, falsification of data collected in relation to registration of vital events or national identity card by altering, modifying or deleting its content, and damaging, destroying, suppressing or unlawfully accessing the data collected in relation to the registration of vital even or national identity card. Even though articles 65 and 66 of this law are very relevant provisions to address cybercrime issues, this law specifically deals with data relating to Vital Events and National Identity Card and the range of cyber related criminal activities are not comprehensively addressed yet.
The third piece of legislation is the Telecom Fraud Proclamation No. 761/2012 which criminalizes inter alia interception of, access to and interference with telecommunication networks, services or system without authorization. The law also outlaws illegal manipulation or duplication of SIM card, credit card, subscriber identification number or data. However, this law was rushed in to law without public discussion and it has been severely criticized on the ground that it incorporates vague terms, and overly punitive provisions.
The aforementioned pieces of legislations are in force in Ethiopia which deal with certain cybercrime issues. But it is important to underscore the fact that none of these legislations are comprehensive to combat cybercrime because they are either piecemeal legislations incorporated in other laws or they are too specific to deal with all cybercrime issues. Therefore, it can be argued that the legal environment in Ethiopia is still inadequate as the laws currently in force are scattered and can be characterized as general laws with cyber security implication. And thus Ethiopia needs comprehensive and cyber security specific laws urgently. Piecemeal legislation approach or relying on the vague interpretation of old laws to include cybercrimes let the problem to continue and grow. The Government of Ethiopia is now aware of the inadequacy of the scattered pieces of legislation and has been alarmed with the increase in the cyber-crime attacks in the country. Accordingly, new comprehensive cybercrime legislation is drafted, which is now under public discussion and its basic features are examined as follows.
3.3.3. The Draft Cybercrime law
The draft cybercrime law is drafted by INSA and currently it is under consideration by the public and it is expected to be approved by the parliament soon. The draft cybercrime law recognizes, in its preamble, that the use of ICTs is vulnerable to various cyber-crimes and other security threats that can impede the overall development of the country and endanger individual rights. It also takes cognizance of the fact that the laws presently in force in the country are not tune with the technological changes and are not sufficient to prevent, control, investigate and prosecute cyber-crimes. Accordingly, the draft cybercrime law has repealed the cyber-crime related provisions of the Criminal Code which are relating to computer crimes.
1. Basic Principles of the draft cybercrime law
A. Principle of techno-neutrality
As clearly spelled out in the explanatory report to the draft cybercrime law, technology-neutral approach was adopted in drafting the substantive provisions and the justification is that using technology neutral language makes the law to be applied to both current and future technologies involved in the commission of cybercrime. As Uchenna Jerome Orji stated in his recent book, cyber security law and regulation, this approach has been a prevailing standard of international cyber security legislations such as the Council of Europe convention on cyber-crime.
The draft African Union convention on the establishment of a credible legal framework for cyber security in Africa 2011 also obliges member states to adopt approved language of choice of international cybercrime legislation models. It seems to accord with these international cybercrime legislation models that the draft cybercrime law adopted technology neutral language as a guiding principle. Besides complying with international model laws, the adoption of techno-neutral approach in the draft cybercrime law also makes its enforcement effective as it will not obsolete with technological changes and will be comprehendible by laypersons.
B. Principle of intentionality
As to the mental element of perpetrators, different jurisdictions require different approaches. Whilst most countries require intention as a requisite for cybercrime acts, others adopt both intention and reckless. In the draft cybercrime law, the “intentionally,” requirement is incorporated to each substantive provision. The justification is also stated in the explanatory report to the draft cybercrime law that the risk of criminalizing reckless activities of the information society may be greater than its advantage as this may result in unintended consequences of punishing ordinary and innocent conduct of computer users. In the criminal acts against the confidentiality, integrity and availability of computer systems, networks or data, the draft cybercrime law also incorporated additional elements of “without authorization or in excess of authorization”.
C. Limits on the Criminal Liability of ICT Intermediaries for Third Party Content
Every online transaction involves technical intermediaries and it is a widely recognized principle, such as in the EU Directive on Electronic Commerce 2000 that these technical intermediaries should not be criminally responsible when they unknowingly distribute or host unlawful content created or uploaded by third party users. The draft cybercrime law also adheres to this principle. As a principle therefore, the draft cybercrime law exempted internet service providers (intermediaries) from criminal liability of unlawful content created or uploaded by third party users. However, there are some specific conditions under which the service providers can be held criminally liable for third party contents. According to article 16 of the draft cybercrime law, an online service provider can be criminally liable provided that the service provider:
(1) Directly involves in the publication or edition of the content data, or
(2) Upon obtaining actual knowledge that the content data is illegal, failed to take any measure to remove or to disable access to the content data, or
(3) Upon obtaining notice from competent administrative authorities to remove or to disable access to the content data, failed to take appropriate measure.
Accordingly, it can be argued that service providers cannot face criminal liability under the draft cybercrime law if they are only innocent disseminators or they have the intent only to transmit data without knowledge of what the data contain.
D. Principle of internationality
As distance is obliterated in the cyber space, cybercrime can be perpetrated from anywhere in the world. And to adequately fight these crimes, international cooperation is a requisite. The draft cybercrime law is designed in cognizance of this requirement and it declares under article 25 that:
The investigatory authority shall cooperate with competent authorities of another country in taking appropriate measures to provide assistance in matters concerning cyber-crime, including the exchange of information, joint investigations , extradition, technical assistance in accordance with this Proclamation and agreements to which Ethiopia is a party and within the limits of the country’s legal system.
Despite the recognition of the principle of international cooperation, however, the draft cybercrime law does not address the details of cooperation unlike international cybercrime models, such as the Council of Europe Convention on Cybercrime.
The first part of the draft cybercrime law deals with definitions of set of terms and phrases. But the draft cybercrime law does not provide any definition for what constitutes cybercrime; instead it categorizes and criminalizes set of malicious activities. Even though it does not have provisions that criminalizes offences related to infringements of copyright and related rights in the information society, the draft cybercrime law adopted the Council of Europe Convention on Cybercrime mode of classification. Accordingly, the draft cybercrime law, under part two, classified the substantive provisions in to three categories of cybercrime acts.
Section one (article 3-8) deals with crimes against computer system and computer data such as: Illegal access, Illegal interception, Interference with computer system, Causing Damage to computer Data, and misuse of computer devise. In the explanatory report, it is stated that section one of the draft cybercrime law is designed to protect malicious activities against the confidentiality, integrity and availability of computer systems, networks and data.
Section two (article 9-11) is about “computer related forgery, fraud and theft” which are ordinary crimes and are already criminalized in the Criminal Code. But the incorporation of these crimes in the draft cybercrime is justified in the explanatory report that the provisions in the Criminal Code are not sufficiently broad to extend to situations involving computer networks.
The third section (article 12-16) covers content-related cybercrimes such as child pornography and child grooming, cybercrimes against liberty and reputation of persons (such as cyber stalking, online harassment, blackmailing, and defamation), dissemination of spam, and cyber-crimes against public security. As these categories of crimes directly relate with other competing interests such as the freedom of expression of the information society, they need to be interpreted narrowly.
3. Procedural Provisions
The criminalization of malicious acts is not an end by itself unless appropriate mechanisms for investigation and prosecution of the offences are laid down. The new technological environment poses challenges not only on the substantive law but also on the procedural and investigative techniques. Therefore, procedural mechanisms and investigative techniques should also keep abreast of the new technological environment. In this regard the draft cybercrime law goes one step forward as it incorporates all the procedural aspects of cybercrime as provided in international cybercrime models such as the Council of Europe Convention on Cybercrime and international telecommunication union (ITU). In addition to the traditional procedural mechanisms, therefore, the draft cybercrime law entrusts law enforcement authorities with new, computer specific powers. In this regard, the draft cybercrime law entrusts the “investigatory authority” with new procedural and investigative techniques (article 21-36) which include the preservation order of stored computer data, production order, access, search and seizure of computer data, and real-time collection of computer data. In the explanatory report, it is stated that these procedural and investigative techniques are applicable to all types of computer data in general and to traffic data, content data and subscriber data in particular. The definitions of traffic data, content data and subscriber data are also provided in Article 2 (5, 6, and 7). As these new measures entrust the investigatory authority with new powers, there is a need for balance with other competing interests such as privacy and other basic human rights. It is worthy, therefore, to examine these new investigative powers and how the draft cybercrime law tried to balance these powers with privacy and other basic human rights.
Under article 29 (1), the draft cybercrime law empowers the investigatory authority to order a person to preserve specified computer data in that person’s possession or control. It also obliges the person ordered by the investigatory authority to take immediate and necessary steps to make secure the specified computer data and preserve it for three months; and keep such order confidential. This provision lacks independent judicial review. In the explanatory report, two justifications are provided for such arrangement. These are:
(1) Because of the volatile nature of computer data, preservation order must be very fast and it should not wait the time taking legal process, and
(2) The preservation order does not compel the disclosure of any computer data and thus there are no privacy concerns.
Article 29 (1) of the draft cybercrime law also stated that the investigatory authority can exercise the power of “preservation order” only if the following cumulative requisites are met: the computer data must be necessary for cybercrime investigation, and the computer data to be preserved must be for specific case or computer data must be specified, and the investigatory authority must have reasonable grounds to believe that specific data is vulnerable to loss or modification. It can be argued that these requirements are limitations on the investigatory authority and thereby play balancing role between individual privacy and investigative powers.
Another investigative power as provided under article 30 of the draft cybercrime law is the “production order”. According to this provision, the investigatory authority is empowered to order a person to submit specified computer data in that person’s possession or control. Unlike the preservation order, production order requires the disclosures of data and hence privacy sensitive. Therefore, the draft cybercrime law makes this investigative power subject to judicial warrant.
Article 31 of the draft cybercrime law also entrusts the investigatory authority with specific powers to search, or similarly access, computer systems, network, computer data, or computer-data storage media. This investigative power refers to both physical and virtual search or access and is subject to prior judicial warrant. The draft cybercrime law takes cognizance that data that is physically stored in another computer system or storage device can be legally accessed through the searched computer system by establishing a connection with other distinct computer systems. In this respect, the draft cybercrime law empowers the investigatory authority to extend to that other computer system without requesting separate search warrant. The process of searching or similarly accessing computer data, computer system, network or any other computer data storage device is not, however, an easy task. In the execution of this investigative power, for example, the investigatory authority may face technical difficulties such as encryption that may hinder the investigation process. To uncover these practical problems of search, seizure or access, international cybercrime model laws such as the Council of Europe Convention on Cybercrime 2001, adopted a new investigatory power that enable competent law enforcements to order any person with knowledge about the functioning of the system or measures for its protection, when reasonable, to disclose this information that enable search, seizure or access. The draft cybercrime law also adopted this approach under article 31 (4). The problem with this provision is, however, it is not clear whether this order includes the accused or not. If it is interpreted in a way to include the accused, it contravenes the constitutional guarantee against self-incrimination.
Real-time collection of computer data, which is useful to obtain computer data existing only in transient communications, is another new investigative measure adopted by the draft cybercrime law. This investigative power is also subject to independent judicial review. This is because the real-time collection or interception of computer data is privacy sensitive. Under exceptional circumstances, however, the draft cybercrime law allows the real-time collection or interception of computer data without prior court warrant.
4. Conclusion and Recommendations
Even though it has not been yet fully integrated in to everyday aspect of life, the use of ICT and ICTs supported services are embraced by individuals, government and business in Ethiopia. The government of Ethiopia is also working on the development ICT infrastructures and ICT based services which will increase the level of reliance on these infrastructures and services. But it is an established fact that with reliance on computer systems and other digital technologies comes vulnerability to cybercrime and cyber-attack. Therefore, once Ethiopia is connected to a global network, it becomes vulnerable to cybercriminals operating anywhere in cyberspace. And thus Ethiopia is vulnerable to cybercriminals not in theory but in practical terms.
The government of Ethiopia is aware of the threats from cyberspace and is working towards curtailing these threats in terms of policy, institution and legislation. But these efforts are at very initial stage and are inadequate to deal with the ever changing cyber environment and growing threat of cybercriminals.
The current state of affairs of cyber security in Ethiopia should not be allowed to continue because cybercrime is thriving. To change this status quo and strengthen cyber security governance in Ethiopia, comprehensive works need to be done and I want to provide the following recommendations.
• As cybercriminals take advantage of jurisdictions that lack comprehensive legal frameworks on cyber security in general and cybercrime in particular, I recommend that Ethiopia has to speed up its comprehensive proposed cybercrime law but also avoid the piecemeal and scattered legislation approach for it is among the bottlenecks of enforcement and interpretation.
• Laws alone will not suffice in preventing or investigating cybercrime, and thus, the Ethiopian law enforcement authorities ought to be adequately equipped with necessary legal, technical and human capabilities and updated on emerging trends of cybercrimes by subjecting them to regular and special cyber training courses
• AS combating cybercrime is an extraordinarily difficult that requires coordinated and focused efforts, specialized units should have to be established in law enforcement authorities so that they can effectively detect, investigate and prosecute cybercrimes.
• Among the problems in detecting and investigating cybercrime lies in the fact that those victims of cybercrime do not always notice that they are being victimized. Therefore, the author suggests that the Ethiopian government and law enforcement agencies should promote cybercrime awareness and establish effective means that offers tips for safe online and provides timely information relating cybercrime to the public. It is also recommended that the Ethiopian government have to establish user friendly and accessible reporting mechanisms.
• Finally, I recommend for the topicality of the issue of cybercrime across all stakeholders in general and academia and civil societies in particular. In this regard, the government should support researches, forums and workshops held on the issue.