The CyberFI project works to coordinate global efforts to advance cybersecurity as a priority consideration in digital financial systems, with a special focus on digital financial ecosystems across Africa. We are pleased to publish this chapter as part of EU Cyber Direct’s Closing the Gap conference. We aim to critically analyze the current narratives toward cybersecurity capacity building, particularly on the African continent. We argue that by leapfrogging legacy infrastructures and contextually adapting technologies to connect the unconnected, Africa has a lot to contribute to prevailing discourses on capacity-building based on the fast-growing fintech sectors in several countries. To this end, we propose an analytical framework for a nuanced understanding of capacity-building challenges in emerging markets that can help elevate everyone’s contributions to the global governance of cyberspace and digital technologies.
Executive Summary
Bolstering cybersecurity has become an increased priority in the financial sector. A slew of cyber attacks to the financial system post-2016 exposed systemic risks in cyberspace and created an impetus for countries to robustly protect themselves against digital threats.
Maintaining a secure cyberspace for the financial system has implications for digital financial inclusion, particularly among vulnerable populations. Previous definitions of financial inclusion have traditionally been framed from a nondigital lens. But as countries on the African continent transform their digital financial services, digital financial inclusion (DFI) takes on unique importance. Not only does DFI drive technology adoption in the Global South but it also centers cost-saving methods of access into the financial system, something that previously unbanked or underbanked individuals lacked. Fintech firms in Africa as well as broader digital financial ecosystems are expanding at an unprecedented and rapid pace.
Carnegie’s CyberFI project has been engaging and curating perspectives from local and regional experts on cybersecurity dimensions, with insights from diverse African financial ecosystems. Across the resulting publications, authors have highlighted that divergent ICT regulation practices, national cybersecurity policies, and consumer protection strategies complicate efforts toward coordinated strategies for cyber capacity building (CCB). However, country-specific contexts are also vastly unique across the continent, and they exemplify the need for strong regional and even local-level CCB considerations. For instance, as author Noelle Cowling notes, a major challenge in South Africa with regards to securing this expansion of digital financial services, is “nurturing cybersecurity awareness and financial literacy rates within the population. This will require a horizontal approach across government, education, and corporate entities.”
Some CCB stakeholders center cyber literacy and awareness building measures, while others provide consulting and advisory services, research methodologies and maturity assessments, and toolkits. For example, a collaboration between Carnegie Mellon University’s CyLab Security and Privacy Institute and CMU-Africa, “CyLab-Africa,” facilitates surveys to capture the cybersecurity landscape across Africa and provides controlled testing and monitoring surveys at small-medium sized financial/fintech institutions.
Other organizations apply a “train the trainer” model. The Global Cyber Alliance, for example, has used this model to train private sector organizations like Serianu, a pan-African cybersecurity consulting firm, to then further train organizations in Kenya to access and utilize better cyber risk management tools. The Toronto Centre deploys a similar approach by training regulators and “providing high-quality capacity building programs for financial sector regulators and supervisors, particularly in emerging markets and low-income countries.”
The Global Forum for Cyber Expertise, one of the main coordinating bodies of CCB, maintains a database, the Cybil Portal, which acts as a collection of CCB projects for GFCE’s members to reference as they are embarking on CCB projects. This database includes many examples of CCB projects relevant to the financial system and can help prevent duplication of efforts.
Emerging Questions and a Proposed Analytical Framework for Effective and Sustainable Cyber Capacity Building in Digital Financial Inclusion
Our paper outlines the lack of clarity and specificity in CCB efforts as stakeholders continue to bolster efforts across the globe. For one, many CCB endeavors are not explicit about the driving forces behind their projects—whether it is stakeholders within specific institutions who seek assistance to build cyber capacity (that is, demand driven), or whether capacity building is defined and shaped by those who supply it. The assumptions by external actors that filter down into actual CCB projects will necessarily impact the effectiveness of requisite investments by carrying out projects that may or may not be what intended beneficiaries have expressed a need for.
We discuss the significance of coordination and minimizing duplication in implementing CCB efforts. Coordination of CCB projects is crucial regardless of how many funding pathways are in place or where donor-specific interests lie. A synchronized CCB plan allows entities to take ownership of certain projects, institutions to be recognized as knowledge brokering bodies, and processes to be standardized if they are serving common capacity building needs. For example, the Council of Europe coordinates all its CCB activities relevant in the Western Balkans through the same cyber crime office in Budapest. By working with dedicated consultants, aligning on joint objectives, and standardizing procedures, the Council deconflicts projects and streamlines CCB efforts to make the largest impact for the largest number of users. In March 2021, the African Development Bank granted $2 million through the Africa Digital Financial Inclusion Facility, a similar platform working with partner institutions to develop the African Cybersecurity Resource Center, a platform to build resilience and prevent cyber crime in digital financial systems across Africa. Of course, solely streamlining efforts as a priority to create efficiency may not necessarily ensure that the unique needs of users are met. But streamlining and coordination may increase the equity and access to positive CCB outcomes by minimizing duplication and increasing a shared understanding of what specific capacities are in most need of being built. This is contingent upon funders, regulators, and implementors of CCB having an accurate and robust assessment of needs in the area they are serving.
The paper also emphasizes the importance of creating readily accessible frameworks to assess what is and isn’t working in CCB efforts. Because there are fragmented definitions of what CCB means in the international community, frameworks to assess successful CCB efforts are limited as well. We propose in the paper seven indicators with which to assess CCB projects, with a focus on mitigating unintended consequences and problematic “solutions.” Key components of the analytical framework are:
- Context-rooted training as a CCB measure: CCB implementers should indicate whether they intend to conduct one-off or continuous trainings, and complete post-training assessments. This is so that CCB efforts are effective for intended beneficiaries and are sensitive to diverse cultural norms.
- Demand-driven and contextual CCB: CCB efforts should be implemented following an assessment of the actual needs of the beneficiaries of the CCB project. If the development community doesn’t test assumptions about what is and is not useful to build cyber capacity, projects may be developed in a one size fits all approach that could assume characteristics of a diverse group of people with very diverse gaps.
- Interdisciplinary approaches: Interdisciplinary factors—that is, social, political, economic, and cultural dynamics—impact cyber capacity efforts, as capacity building and cybersecurity are not merely singular issues. Furthermore, effective cyber capacity is more than addressing technical capabilities, as many cyber crime tactics such as social engineering rely on psychology.
- Gender-responsive CCB approaches: Investigating systemic, gendered dynamics that perpetuate the inequalities in cybersecurity and technology workforce writ large is critical. Gendered perspectives can sharpen cybersecurity design, defense, and response mechanisms to mirror the reality that neither technology broadly, nor cybersecurity more specifically, is gender neutral.
- Complementary and non-duplicative CCB efforts: CCB implementers should continue to use tools like the Cybil Portal created by the Global Forum for Cyber Expertise to track CCB efforts to minimize duplication and maximize visibility of successful projects that others can adapt.
- Evaluation on gaps and successes: Funders and implementers should be involved in information gathering about what does and doesn’t work in CCB implementations. This will make future efforts more effective and create a collaborative evaluative culture.
- Sustainable institutional resources: Arguably the most important pillar, CCB efforts should be sustained across the long-term to ensure that recipients of CCB measures aren’t negatively impacted by changes (or worse, endings) to ongoing projects based on the priority shifts of donors or funding bodies.
CCB is a broad term with many definitions and many stakeholders. Contextually building, developing, and sustaining cyber capacity for digital financial services in particular can allow countries to build financially inclusive and accessible systems. Though not unique to CCB, the lack of definitional clarity should not stand as a barrier to coordinated, effective CCB that centers the voices of the most vulnerable.
