Ethiopia is one of the least connected countries in the world. Although Internet was introduced in Ethiopia as early as 1997, the level of Internet use density remains low.[i] With recent huge investments – reportedly accounting around 10% of the country’s Gross Domestic Product – in the country’s Information and Communication Technologies (ICT) infrastructures, the level of Internet use is gradually growing. Provision of public and private sector services increasingly rely on Internet protocol based technologies. Ethiopia also has one of the largest social media user bases in Africa. It is now evident that the use of and reliance on Internet – and allied technologies – is set to grow in the coming years.
This growing reliance on Internet-enabled technologies, however, exposes the country to various forms of risks such as threats of cyber-attacks against the country’s critical infrastructures that are crucial for provision of vital public and private services. Ethiopia is not new to the world of cyber-attacks from overseas. Hundreds of hacking and defacement of government websites occurred in the past decade but these had limited economic or political ramifications at the time.[ii] This appears to be changing over time, however. More recently, the country has been gripped by reports of an attack against a major private bank from which a huge sum of money was stolen.[iii]
Recent turn of events have also signalled threats to peace and security that the country is bound to face as it moves to fully join the information society. The anti-government protests in some parts of the country – mediated largely through social media platforms – had shaken the nation’s stability to its core. The street protests were initially accompanied by random hacking and defacement of government websites thereby opening up a new form of airing dissent – hacktivism.[iv] This later grew into what now come to be referred to as ‘hybrid’ cyber-attacks, in the form of ‘disinformation’ campaigns and circulation of ‘fake news’ in social media platforms.
An example of such misleading or false information circulating on social media was the bogus accusation that the cause for a deadly stampede in October 2016 in Bishoftu was the unprovoked police shooting from a helicopter on people attending a festival, had perilous consequences.[v] This led to ‘five days of rage’ by misinformed youth against public and private properties ultimately prompting a state of emergency. The declaration of the emergency – which still is in place – for the first time in a quarter of a century, speaks to the emerging significant impact of ICTs and social media will have on the stability of the nation.
What made these social media mediated violent protests significant is the key role that the social media are poised to play in shaping the domestic peace and security dynamics in Ethiopia. With increasing access to the Internet, social media will soon be an important variable in gauging Ethiopia’s internal stability. With the apparent militarisation of cyberspace – and of course visible signs of cyber conflict, threats to the country’s critical Internet infrastructure from adversaries appear to be insidious. Moreover, the fact that most of the ‘hybrid’ attacks emerge from overseas by actors actively working with the hostile government regime in Eritrea makes the situation more precarious.
Internet Policy Making in Ethiopia
Recent developments should not, however, be a reason to adopt a pessimistic vision of the Internet or social media. Over regulation – or an overly securitised vision of the fledgling Ethiopian new media landscape – might stand in the way of properly exploiting the benefits that these technologies offer. What is needed, instead, are well thought out policy principles and well equipped institutions to enforce them. Of course, the Ethiopian government has generally been progressive in rolling out relevant policy and legal instruments to effectively address the Internet and threats that its (mis)use could pose. Ethiopia issued its first national ICT Policy in 2002, which has since been updated in 2009 and 2016.
The nation’s ICT policy mandates the need to put in place the requisite legal and institutional framework to exploit the benefits of ICTs while also countering their possible threat to national peace and security. A fairly elaborate Cybersecurity Policy has also been adopted by the Council of Ministers in 2011.This policy updates the country’s Foreign Affairs and National Security Policy (2002) in the context of the digital space, and underlies that information security forms an integral part of national security, public peace and security.[vi]
These policy instruments are translated into a number of legal instruments, and several others are in the offing. More recent pieces of legislation include the Telecom Fraud Offense Proclamation (Proclamation No. 761/2012) and the Computer Crime Proclamation (Proclamation No. 958/2016). The telecom fraud offense legislation – contrary to the narrow scope that its nomenclature might suggest – covers a broad range of matters including offenses that concern domestic peace and security. Indeed, the law explicitly stipulates that telecom fraud, over and above the economic losses it results in, may threaten the national security of the country.[vii] The cybercrime law likewise penalises a number of crimes that threaten peace and security in general and cybersecurity in particular.[viii]
Institutions with statutory powers to implement and enforce these policies instruments have also been installed. A principal such government agency is the Information Network Security Agency which is tasked, inter alia, to protect the country’s critical infrastructures from possible attacks.[ix] The National Intelligence and Security Service’s general power to collect intelligence on matters of national security including those of cybersecurity makes it another important body in the area.[x] The Federal Police is tasked to investigate crimes relating to information network and computer systems, alongside its general role of maintaining peace and security.[xi] Other bodies such as the former Ministry of Justice – now the Federal Attorney General and the Ministry of Communication and Information Technology also assume some roles in dealing with threats to national peace security posed in the cyber front. At a judicial level, the Federal First Instance court has a subject matter jurisdiction to adjudge cases relating to ICTs in general while cases under the recent cybercrime legislation fall under the jurisdiction of the Federal High Court.[xii]
Matching Practice to Policy
Ethiopia’s progress in the policy field does not, however, match well with the practice. Despite relatively modern and comprehensive policies and laws already in place, little appears to have been achieved in terms of translating these policy principles into actions. The government often resorts to piecemeal and reactive measures in dealing with emerging cyber threats. This, in turn, has substantially robbed them of efficacy, efficiency, and sustainability in aptly overcoming the ever growing cyber threats. The legality of some of these measures – both under domestic and international law – is mooted. A few examples illustrate the rift between policy and practice.
One is that the Ethiopian government increasingly relies on temporary closure of social media sites – and sometimes nationwide Internet shutdowns, blocking, and filtering of certain websites – to quell dissent channelled via the web. These measures have repeatedly been taken during the recent protest in some parts of the country. Besides the legality issues that such measures bring up as well as their significant effect on the economy, it is doubtful whether these measures have resulted in sustainable peace in the country. Similar rounds of social media mediated violence could occur at some point. With increasing use of circumvention tools, blocking of websites is already proving futile. And that Internet shutdowns have broader legal, economic, and diplomatic ramifications makes their utility lower. In the course of implementing these measures, there were also instances of major technical errors affecting the whole Internet system, a fact admitted even by a government spokesperson.
The recent unrest has also prompted the government to consider creating what it calls a ‘social media army’ to counter circulation of misleading information and falsehood in social media. To this effect, the Council of Minister’s has adopted a Regulation that establishes an Institute that would train members of this ‘army’.[xiii] From all that we know so far, it appears that the government is resorting to similar measures taken in other countries such as Iran and China of infusing social media platforms with users loyal to the government. By running ideologically polemic information on the web, such methods do more harm than good by burdening free flow of information and expression. Instead of overcoming falsehoods that upset the domestic peace matrix, chances are that ‘social media soldiers’ might distort the truth and reinforce the real threats of ‘fake news’.
Another measure taken by the government is to deploy Internet surveillance tools against persons believed to pose threats to national security. This path does not seem to be taking the government a long way in ensuring domestic peace and security as recent developments suggested that these cyber tools have not been used judiciously. The government is also known to be taking a heavy-handed approach against the fledgling community of local bloggers. Prosecution of these bloggers for vague crimes including a controversial charge for using encryption tools has been unprecedented. [xiv]The government’s goal of maintaining peace and security could have been very well reinforced by tolerating civil discussion in online platforms. Heavy-handed approaches by the government against peaceful dissenters is likely to push them to the extreme and take the path of violence and even disinformation campaigns, which then threatens peace and security.
Maintaining domestic peace and security – including cybersecurity – requires a coordinated, sustainable and goal-oriented approach towards the Internet and its potential for good or bad. In translating the goals set out in the above policy documents, the government must enhance the institutional capacity of all bodies tasked with regulating the Ethiopian web. The technical nature of the Internet requires qualified experts in investigation, prosecution and even in adjudication processes. The global nature of the web also dictates a reliable international cooperation mechanism including with regional bodies. As a prominent member of the African Union (AU), Ethiopia should even take the lead in ratifying the AU Convention on Cybersecurity and Personal Data Protection (2014), and engage towards realizing a robust regional cybersecurity regime.
While the recent move by the government to take the matter more seriously is a positive development, it is vital that the measures that will follow are well thought-out and pragmatic to ensure legality, sustainability, feasibility and efficiency. Pragmatic measures of pacifying the Ethiopian web will ultimately yield not only economically but also diplomatically. Ethiopia’s leading role in regional peace and security efforts also makes it imperative, not only to maintain its domestic stability, but also to lead by example.
Kinfe Micheal Yilma is a Doctoral & Teaching Fellow at The University of Melbourne Law School, and a Lecturer-in-Law at Addis Ababa University Law School. His research interests and publications are in the fields of Internet law and policy, human rights and law reform. He can be contacted at firstname.lastname@example.org or followed on twitter @Ethiokinfe.
[i] A 2016 government figure caps the use density as at 12.5%. See “Ethio-telecom Soars with 10.9 Billion Birr Half-year Profit”, Addis Fortune, 29 March 2016, available at http://bit.ly/2oR5S2R (Last accessed on 15 April 2017).
[ii] See Kinfe Micheal Yilma, “Developments in Cybercrime Law and Practice”, Computer Law and Security Review, Vol. 30, No. 6 (2014):726-729.
[v] For more on the “fake news” phenomenon in Ethiopia, see Kinfe Micheal Yilma, ““Fake News” and Its Discontents in Ethiopia”, Mekelle University Law Journal, Vol. 5, No. 1 (2017) [Forthcoming], available at http://bit.ly/2oHEvHN (Last accessed on 15 April 2017).
[vi] See National Information Security Policy of Ethiopia, 2011, Para 1.1 (3).
[vii] See Telecom Fraud Offence Proclamation, Proclamation No. 761/2012, Preamble.
[viii] See Computer Crime Proclamation, Proclamation No. 958/2016, Art 14.
[ix] See Information Network Security Agency Re-establishment Proclamation, Proclamation No. 808/2013 cum Council of Ministers Regulation No. 320/2014.
[x] See National Intelligence and Security Service Re-establishment Proclamation, Proclamation No. 804/2013.
[xi] See Ethiopian Federal Police Commission Establishment Proclamation, Proclamation (as amended), Proclamation No. 720/2011, Art 6.
[xii] See Federal Courts Proclamation, Proclamation No. 25/1996 (as amended), Art 4(7) cum Art 15(1); see also Computer Crime Proclamation, supra n 8, Art 40.
[xiii] See “The Council of Ministers Adopts A Regulation Establishing Youth Development and Cyber Talent Institute”, Fana BC, [Amharic: Author’s Translation], 18 March 2017, available at http://bit.ly/2nV9HDx (Last accessed on 15 April 2017).