By Mohamed Wurie Bah of the Law Firm of Michael and Michael
Introduction
In the rapidly evolving landscape of cybersecurity, legislation plays a pivotal role in safeguarding the digital realm and upholding fundamental rights. The Cybersecurity and Crime Act 2021, enacted two years ago, was designed to address the growing challenges of cyber threats, digital crimes, and data security. As we approach the second anniversary of this groundbreaking piece of legislation, it’s time to take stock of its impact and assess the progress and challenges it has brought forth.
In this article, we will delve into the various aspects of the Act, exploring the key provisions, its intended goals, and its effect on various stakeholders. We will highlight the achievements and advancements made in enhancing cybersecurity while acknowledging the hurdles that have emerged during the implementation phase. The digital landscape is vast and complex, and understanding the act’s influence is crucial for policymakers and the public.
The Genesis of the Cybersecurity and Crime Act 2021
In our increasingly digitized world, the need for a comprehensive cybersecurity law has never been more urgent. The rapid expansion of the digital landscape in Sierra Leone has brought unprecedented convenience and connectivity, but it has also exposed us to a myriad of cyber threats, crimes, and vulnerabilities. These threats range from cyberattacks targeting our feeble and fragile infrastructure to cybercrimes that compromise personal data and financial security. Even though we have yet to record any significant cyberattack, without a robust legal framework, it becomes challenging to combat these threats effectively.
A comprehensive cybersecurity law provides the necessary tools and regulations to protect individuals, organisations, and governments from digital risks. It outlines the responsibilities and liabilities of various stakeholders, sets standards for data protection, and empowers law enforcement agencies to investigate and prosecute cybercriminals. As technology advances, the digital realm expands, and our reliance on it deepens, the imperative for a legal infrastructure to safeguard our digital lives becomes increasingly apparent.
Since the first cyberattack recorded in history, when a computer science graduate, Robert Morris, released a small piece of software known as “the Morris worm” in 1988, causing outages in the then-nascent Internet, humanity has been looking for ways to secure the world’s most vulnerable space, cyberspace. Like many developing nations, Sierra Leone grapples with challenges posed by the rapid evolution of technology and digital advancement.
A National ICT Policy was developed in 2009, proposing a strategic vision for the sector’s development. One of the priorities of this Policy is the development of a clear vision and legal frameworks in cybersecurity and the fight against cybercrime. In 2019, the government developed a National Innovation and Digital Strategy. The strategy covers, amongst many other things, cyber security, which ignited the then Ministry of Information and Communication to demand resources for a cyber security strategy.
Fast forward to March 2021, a National Cyber Security Policy was drafted, which gave birth to a bill that was passed by Parliament in June 2021 and subsequently became law after it received its presidential assent on the 25th day of November 2021, intending to respond to this imperative growing threat, aiming to address the unique challenges posed by our modern, interconnected world. Sierra Leone is a signatory to the Budapest Convention on Cybercrime and on the 8th of February 2023, the Council of Europe officially invited the country to accede to the Convention. This invitation is valid for five years from the date of its adoption.
The ACT
The Act begins by providing a set of clear and precise definitions that lay the groundwork for subsequent provisions. These definitions encompass key terms such as “Critical National Information Infrastructure (CNII)”, “data”, “device”, “Cybersquatting,” “Cyberstalking and bullying,” etc. The Act’s scope extends to cover not only providing for an effective, unified, and comprehensive legal, regulatory, and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrime but also the prevention of the abusive use of computer systems and provide for the establishment of a structure to promote cybersecurity and capacity building.
The Act is structured into seven distinct parts. Part 1 serves as an introduction, providing definitions as stated above and laying the groundwork for subsequent provisions. Part 2 focuses on administrative and coordination aspects. Part 3 addresses the protection of critical national information and infrastructure. Part 4 delves into the powers and procedures, primarily dealing with procedural aspects of the law. Part 5 revolves around international cooperation, emphasising the importance of cross-border collaboration. Part 6 takes centre stage, containing the core substantive law outlining specific offences. Finally, Part 7 encompasses miscellaneous provisions, covering additional matters and details.
As indicated above, Part 2 focuses on administrative provisions by virtue of Section 2 establishing the National Computer Security Incidence Response Coordination Centre, now dubbed the National Cybersecurity Coordination Centre (NC3), which is headed by the National Cyber Security Coordinator. The Centre is responsible for managing cyber security incidences in Sierra Leone. Further, Section 4 established the National Cybersecurity Advisory Council comprising the Vice President who serves as the Chairman, the Minister of Finance, the Attorney-General and Minister of Justice, the Minister of Internal Affairs, the Minister of Foreign Affairs and International Cooperation, the National Security Coordinator at the office of National Security, the Director General at the Central Intelligence and Security Unit, the Chief of Defence Staff of the Republic of Sierra Leone Armed Forces, the Inspector-General of Police, the Director-General, National Telecommunications Commission, the Governor of the Bank of Sierra Leone, the National Cyber Security Coordinator who serves as Secretary of the Council, the Director General Financial Intelligence Unit, the Minister of Information and Communications, and a barrister and solicitor of over 15 years post-enrolment at the bar that is nominated by the Sierra Leone Bar Association and appointed by the President. The primary role of the council is to provide strategic leadership and oversight guidance on the implementation and development of a national cybersecurity legal framework and to make recommendations to the Government on issues relating to the prevention and combating of cybercrime and the promotion of cybersecurity in Sierra Leone.
Part 6 is the most important area of the Act, which created substantive offences such as unauthorised access to a computer system, unauthorised data interference, and Unauthorised system interference. Other offences include misuse of devices, unauthorised disclosure of passwords, Computer-related forgery, Computer fraud, Identity theft and impersonation, cyberstalking and bullying, cybersquatting, Infringement of copyright and related rights, online child sexual abuse, online adult sexual abuse, registration of cybercafes, cyber-Terrorism, racist xenophobic offences, breach of confidence by the service provider, etc. All these offences have prescribed punishment provided for by the Act.
Progress and Achievements so far
One of the major success stories of the Act is the creation of the National Computer Security Incidence Response Coordination Centre, otherwise known as the National Cybersecurity Coordination Centre (NC3), which is an agency under the Ministry of Communication, Technology, and Innovation. It has a mandate to handle all cybersecurity issues, including responding to cybersecurity incidents in Sierra Leone.
Since its establishment, the Centre has achieved significant milestones in bolstering the nation’s cybersecurity resilience through a multifaceted approach to capacity building and collaboration. One noteworthy accomplishment lies in the capacity-building initiatives undertaken for its staff, including comprehensive training workshops and symposiums focused on cybersecurity and crime. The introduction of online courses further exemplifies the commitment to continuous learning and skill development among NCCC personnel.
Additionally, the centre has played a pivotal role in raising awareness and providing training programs for various stakeholders. Notably, the organisation orchestrated a two-day national cybersecurity symposium, fostering a shared understanding of the Sierra Leone Cybersecurity and Crime Act among diverse stakeholders. Collaborating with the OCWAR-C project, the NC3 conducted specialized judicial training on cybercrime and electronic evidence, demonstrating a commitment to equipping the Judiciary with the necessary expertise.
Furthermore, the NC3 has proactively engaged in capacity-building collaborations with international partners. By organising training sessions for the Police and Law Enforcement agencies, the centre has facilitated knowledge transfer and shared best practices in cybersecurity and cybercrime investigation. Such collaborations enhance the collective capability to combat global cyber threats effectively. The NC3’s strategic partnership with the World Bank stands as a testament to its commitment to broader digital transformation and infrastructure development. This collaboration has yielded tangible support for projects that propel Sierra Leone towards a more digitally resilient future.
Since the enactment of the Act, the Police, through the Cyber Unit at the Criminal Investigation Department, have made about 1,100 investigations and have prosecuted about 382 cases relating to various offences created by the Act.
Challenges Face
Implementing the Act has encountered several challenges that have influenced its effective enforcement. A significant hurdle has been the initial lack of expertise as the country embarked on this cybersecurity initiative from scratch. For example, the police have always considered and investigated the larceny of a mobile phone as a cybercrime. The scarcity of professionals with specialised knowledge in cybersecurity and cyber law has impeded the swift and efficient execution of the act’s provisions. Coupled with this, a general lack of awareness and understanding of the Act among the public and key stakeholders has been another notable challenge. This has hindered the seamless integration of the Act into everyday practices and impeded its intended impact.
Moreover, the absence of robust technological infrastructure poses a considerable challenge in prosecuting and investigating cyber perpetrators. Cybercrime investigations demand sophisticated tools and technologies, and the inadequacy of such resources has limited the authorities’ ability to trace, apprehend, and prosecute cybercriminals effectively. Additionally, the implementation process has been constrained by resource challenges, primarily stemming from a lack of funding. Adequate funding is indispensable for ensuring the availability of cutting-edge technologies, training programs, and the establishment of specialised units necessary for enforcing the Act. Addressing these challenges requires a comprehensive and sustained effort to build expertise, enhance awareness, invest in technological infrastructure, and secure adequate resources to fortify the implementation of the Cybersecurity and Crime Act in Sierra Leone.
The Future
Potential amendments and areas for improvement.
Several crucial amendments are proposed to enhance the efficacy and relevance of the Cybersecurity and Crime Act in Sierra Leone. Firstly, it is imperative to include a precise definition of an electronic device within the Act. Given the rapid evolution of technology, a clear and comprehensive understanding of what constitutes an electronic device is essential for the accurate interpretation and application of the law.
Secondly, in order to align the Act with internationally recognized standards, particularly those outlined in the 2nd Additional Protocol of the Budapest Convention, amendments should be made to provide more robust safeguards for fundamental human rights. This entails ensuring that the provisions of the Act adhere to principles of proportionality, necessity, and respect for privacy, thereby striking a balance between cybersecurity measures and the protection of individual liberties.
Additionally, to address the nuanced nature of cybercrimes, particularly in the realm of interpersonal digital misconduct, the Act should distinguish cyberbullying and cyberstalking as separate offences under Section 44. Clear and distinct definitions and penalties for these offences will contribute to a more nuanced and targeted legal framework for combating online harassment.
Lastly, to bolster the act’s effectiveness in a digital evidence context, a clear and comprehensive provision should be introduced regarding the admissibility of electronic evidence. This provision should delineate the standards and procedures for admitting electronic evidence in legal proceedings, ensuring its reliability, authenticity, and integrity. This clarity will strengthen the legal foundation for prosecuting cybercrimes and provide a framework adaptable to the evolving landscape of electronic communication and data storage. These proposed amendments collectively aim to fortify the Cybersecurity and Crime Act, aligning it with contemporary technological advancements, international human rights standards, and the nuanced nature of cybercrimes.
Training Experts
In light of the growing importance of cybersecurity in Sierra Leone and the critical role played by the Act, it is imperative to invest in a comprehensive training program and capacity building for cybersecurity experts. Training should cover a range of aspects, from understanding the technical intricacies of cyber threats to mastering the legal and Policy dimensions of the Act. By nurturing a pool of skilled professionals in the field, Sierra Leone can enhance its capabilities in preventing, detecting, and responding to cyber incidents. Furthermore, the act’s effective implementation requires personnel well-versed in its provisions. Training experts will not only contribute to national security but also position Sierra Leone as a regional leader in cybersecurity expertise.
Introduce Data Protection and Privacy Laws
The establishment of specific data protection and privacy laws is crucial to complement the Cybersecurity and Crime Act. While the Act addresses issues of cybersecurity and cybercrimes, it is equally important to safeguard individual’s personal information and privacy rights. By introducing dedicated data protection and privacy laws, Sierra Leone can provide a robust legal framework for the collection, use, and storage of personal data. Such laws would empower individuals with rights over their data, hold organisations accountable for data breaches, and ensure that data is processed fairly and transparently. This would align with global data protection standards and enhance the overall trust and confidence of both citizens and international partners in Sierra Leone’s digital ecosystem.
Provide for the Emergence of Artificial Intelligence and Robotic Laws
As the use of artificial intelligence (AI) and robotics becomes increasingly prevalent in various sectors, including critical infrastructure and healthcare, it is vital to introduce legal frameworks that govern their use and potential liabilities. The Cybersecurity and Crime Act should be expanded to accommodate the emergence of AI and robotics laws, addressing liability, accountability, and ethical considerations. This will ensure that the integration of AI and robotics technologies in Sierra Leone is conducted responsibly and within legal boundaries, preventing misuse and potential harm while fostering innovation in a structured and secure manner.
Introduce Competition Laws
In the context of cybersecurity and digital technologies, competition laws are essential to ensure a level playing field and prevent monopolistic practices that may compromise cybersecurity. By introducing competition laws, Sierra Leone can foster a competitive market that encourages innovation while safeguarding consumers and businesses from unfair practices that could pose cybersecurity risks. Such laws would promote healthy competition among technology providers, leading to improved products and services, greater security, and better value for consumers. The integration of competition laws within the cybersecurity framework can enhance the overall resilience and stability of Sierra Leone’s digital economy.
Cooperation between the Telecommunication Industry and other Stakeholders
The significance of cooperation among stakeholders, particularly between telecommunication companies and law enforcement agencies, cannot be overstated in the effective implementation of the Act in Sierra Leone. Telecommunication companies play are pivotal as custodians of vast amounts of sensitive data and the infrastructure that facilitates digital communication. Collaborative efforts between these companies and law enforcement agencies are critical for several reasons.
Conclusion
In conclusion, the evaluation of the Cybersecurity and Crime Act unveils a nuanced landscape, showcasing commendable progress alongside notable challenges. The Act, structured across seven integral parts, stands as a cornerstone for cybersecurity initiatives in Sierra Leone, with the National Cybersecurity Coordination Centre playing a pivotal role. Achievements, including extensive capacity-building initiatives, collaborations with international partners, and strategic partnerships, underscore Sierra Leone’s commitment to fortifying its digital defences.
However, substantial challenges in implementation cast a shadow. The initial lack of expertise, coupled with limited awareness and resource constraints, presents formidable hurdles. Overcoming these challenges requires a concerted effort to invest in training programs, enhance public understanding, and secure adequate resources for effective execution. Furthermore, proposed amendments to the Act, encompassing refined definitions, enhanced safeguards for human rights, clear distinctions in offences, and explicit provisions for the admissibility of electronic evidence, are imperative to maintain legislative agility and responsiveness to evolving digital landscapes.
Sierra Leone’s journey in navigating the complex intersection of cybersecurity and legislation is dynamic, mirroring the global struggle to balance security imperatives with individual rights in an increasingly digitised era. By learning from achievements, addressing challenges, and embracing proposed amendments, Sierra Leone can persist as a proactive player in the global cybersecurity arena. Sustaining commitment to innovation, collaboration, and adaptability will be paramount in safeguarding the nation’s digital future.
