Vulnerable and Unprepared: How Ethiopia's Digital Ambitions Are at Risk

Really, it is.In fact, Ethiopia claimed the top spot in Africa on the Global CyberAttack Index. The index ranked countries by their Normalised Risk Index (NRI) which measures the gap between a country's cybersecurity posture and its level of vulnerability or risk of attack. It also factors in the volume of cyberattacks and the number of affected organizations in each nation. Ethiopia’s NRI was 100%, making it the most vulnerable to cyberattacks and the least prepared country to defend itself.

If that wasn’t convincing, let’s look at the number of attacks Ethiopia has faced over the years. In 2010, Ethiopia faced a reported 576 cyberattacks. That number jumped to 792 in 2011. By 2013, there were 2898 reported cyberattacks in Ethiopia. Between 2011 and 2013, malware incidents increased by a staggering 356%. The numbers we’ve heard recently offer no consolation either. In 2023, INSA reported that it thwarted more than 6,700 cyberattacks in 12 months. However, many organizations in Ethiopia do not keep organized records, and in some cases, are not even aware that they are targeted by cybercriminals. So, it won’t be hasty to conclude that the numbers might even be higher than reported. 

What is Ethiopia’s Response? 

The threat of attacks is not the only concern; Ethiopia's lack of preparedness to confront it is equally alarming. Ethiopia established its first cybercrime regulations with the Criminal Code in 2004, which criminalized hacking, malware dissemination, and denial of service attacks. Despite many cybercrimes occurring since then, only a few cases have been reported in court. In 2013, Ethiopia's Information Network Security Agency (INSA) released a draft for comprehensive cybercrime legislation to broaden the scope of outlawed crimes and introduce crucial procedural rules. 

In 2021, INSA published the National Cyber Security Policy and Strategy (NCSPS) that was pending approval from the House of Representatives. Despite these strides, a study conducted in 2020, shows that only 11.6% of government institutions in Ethiopia have legal frameworks that are at their trial level, while about 87.4% of these institutions have no recognized legal framework to prevent cyber attacks. Although INSA is doing commendable work, there is no unified front to face cybersecurity head-on. With all the digitization Ethiopia is undergoing, it makes one wonder if there’s such a thing as “too much ambition”.

Putting the cart before the horse?

Ethiopia’s digitization effort will, without a doubt, transform the country. As more Ethiopians adopt digital payment methods and digital IDs, they enter the digital space carrying sensitive information, personal identities, and their finances with them. So, without proper cybersecurity measures, the digitization of Ethiopia might lead to severe consequences. 

Apart from lacking legal structures, poor public awareness, and poor infrastructure, another major challenge for cybersecurity in Ethiopia is a limited local cybersecurity capacity.  Companies in Ethiopia often face high costs to contract external cybersecurity firms. Both public and private sector attention must be paid to the development of local cybersecurity capacity.  

As Ethiopia continues its ambitious digitization efforts, the need for more comprehensive cybersecurity measures has never been more urgent. The country must prioritize building local cybersecurity capacity, investing in infrastructure, and fostering public awareness to protect sensitive information and financial assets effectively. Without these critical steps, the promise of a digital future could come with severe risks, sabotaging the very progress Ethiopia aims to achieve. There is no better time than now for stakeholders across all sectors to collaborate and create a unified approach to cybersecurity.