The argument has two versions:

In one, detailed by cybersecurity consultant and author Jeffrey Carr, there is a dangerous fusion of anti-American forces who do, or will soon have, the means, motive and opportunity to unleash cyberwarfare upon American critical infrastructure and commerce. Looking at Somalia, where piracy and terrorism seem to be mixing, Carr argues that the arrival of the EASSy cable will present a dangerous new challenge to international security:

Once Somalia goes digital, it will create a never-before-seen opportunity for local gangs to move their strategic alliances with Al Shabaab onto the Internet. Their twin exports – extortion and terrorism will have unlimited opportunities for profit and mayhem, particularly if they are directed against critical infrastructure such as energy, water, and transportation facilities.

The second version, which is probably a more likely one, is that the combination of broadband connectivity and poor virus protections in Africa will make African computers prime targets for botnet herders who will use them to “paralyze the network infrastructure of a major western nation.” Writing in Foreign Policy, an organizer of a major cybersecurity summit, Franz-Stefan Gady, argues

“[T]he continent is home to the world’s most vulnerable computers. About 80 percent of the African population lacks even rudimentary knowledge of information technologies, according to a recent World Bank survey. Though Internet cafes are widespread, providers often cannot afford proper antivirus software, making computers very easy targets for skilled botnet operators and hackers.”

Moreover, he says, African countries, by and large, lack the legal wherewithal to prosecute cyber-criminals.

As a final datapoint, consider a recent report by the cybersecurity firm Symantec which says South Africa is in the “unenviable” position of receiving better connectivity right when it is hosting the World Cup; this, they say, is a recipe for accelerated cybercrime.

It should be noted at the outset that the people we are not hearing from on this are Africans. Cybersecurity demands international cooperation, but the views of African regulators, businessmen and civil society – who likely have a more nuanced views of the upsides of connectivity – are missing.

I suspect this voice would add context to the above worries. For example, in countries where basic literacy is a challenge yet to be overcome, worrying about the next Kevin Mitnick rising from Mogadishu seems a little silly. Recall that the most sophisticated cyber attacks come from Russia, a country with a long history of technological prowess, and China, where top-notch technical schools are likely the source of the recent Google hacks. In addition to infrastructure, you need computer skills, and as anyone who works to promote ICTs in Africa knows, this is a tough job.

The obvious response to this is that the Somali terrorist-pirates could purchase hacking services. This are widely available and, as I understand it, fairly affordable (though likely much more than a few AK-47s and a boat). But this is also nothing new. Al-Qaeda, an organization which is far more anti-American, far more well-funded, and has far more access to broadband Internet, does not seem to be a fan of cyberattacks. As far as I know, there is no evidence that Al-Qaeda has established offensive cyber capabilities, despite having operatives in broadband-saturated locations.

There are some hints that affiliated people have considered hacking as a means to their end – manuals, for example – but terrorists rely on shock factor to, umm, terrorize. When effective cyberwar is as theoretical as it, risk-averse groups are likely to stick to IEDs and suicide bombers.

Furthermore, the view of the Somali pirates and “terrorists” is ahistorical. It misses the reprehensible waste dumping and illegal fishing that have decimated the Somali economy (of course enabled by the absence of a functioning government). Writing frantic articles about cyber WMDs arising from this position is reckless. Somalia instead needs state-building, legal protection of its sovereignty and job opportunities.

ICTs are a great opportunity and although they do have potential downsides, the whole framing of these African cyberwar (!!!!) pieces leaves a bad taste in my mouth.

Update: For a hilarious and spot-on treatment of this subject, see this:

I think that Africans have more to fear from older technology outside their continent than the rest of the world fearing Africa. It would be ironic if at some point in the near future, Nigeria had to block IP addresses from the United States.

He’s right. When Franz-Stefan writes that “skillful cybercriminals operating out of an unregulated Internet café in the slums of Addis Ababa, Lagos, or Maputo” will create the world’s biggest botnets, he shows that he has little understanding of those “slums” – for starters, electricity is a little intermittent to power a cyberwar.

Update 2: A new bill in the US Senate would require punishment for governments who do not control cybercrime allegedly occurring in their country. It would create a list of bad states and could cut aid to them if they don’t align their cyber-policies with American desires. Imagine, if you will, that this ends up like the USTR’s Special 301 list which coerces developing countries to enforce more draconian intellectual property regimes. If, as Jonathan Zittrain argues, innovative networks (“generative” in his parlance) are under threat from cybercrime, then it won’t be long until America is coercing African countries to lock down their networks, perhaps at the behest of the same security consultants who are arguing we need to re-engineer our networks to be more locked down. I don’t like where this is heading.

E.K: The Internet was never designed with security in mind. If I was God, and wanted to fix the Internet, I would start by ensuring that every user has a sort of Internet passport: basically, a means of verifying identity, just like in the real world, with driver’s licenses and passports and so on. The second problem is one of jurisdiction. The Internet has no borders, and neither do the criminals who operate on the Internet. However, law enforcement agencies have jurisdictional limits, and are unable to conduct investigations across the globe. I feel we need an international agency to combat this problem, something like an Interpol for the Internet.

PCW: Won’t your suggestion of Internet Passports remove the anonymity from online browsing, thus causing problems for people who may be operating in countries that are not friendly to their views, and so on?

E.K: There is no such thing as anonymity on the Internet, for the average user. It is relatively easy to identify the casual surfer from his IP address and the ISP’s logs. Criminals, on the other hand, are professionals who know how to hide their tracks. A passport would be beneficial to law-abiding users, and would make it that much more difficult for cyber-criminals to hide.

Admittedly, Kaspersky doesn’t have a whole lot of space to elaborate on his “Internet passport,” so I stand the chance of misunderstanding him, but as I understand it, such an idea would be dangerous and unneeded.

One of the major problems confronting cybersecurity is attribution. When Estonian websites are pounded with DDoS attacks, it is next to impossible for the sysadmins to know if the IP address attacking them is just a zombie conduit or the intentioned attacker. Therefore, it is hard to punish those responsible for cybercrime. An Internet passport would, it seems, lower this level of non-attribution and make the senders accountable for their packet-streams.

Free speech relies on anonymity – a face the Supreme Court has recognized, saying,

“Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical, minority views . . . Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.”

An “Internet passport” would not only jeopardize that, it would disproportionately affect the innocent. Curiously, Kaspersky seems to make this point, saying “there is no such thing as anonymity on the Internet, for the average users… Criminals, on the other hand, are professionals who know how to hide their tracks.” Does Kaspersky really think a criminal-proof system could be created? It seems to me that cybercriminals would simply steal, fake or cheat the Internet passport system, just as they do with our current equivalent – IP addresses and ISP logs. They have both the intent and capability to do so.

While it is true that regular users can be tracked to a certain extent in our current system, there are dozens of well-known methods available to dissidents, journalists and business people to be anonymous online. An Internet passport, by attempting to curtail the criminals’ use of anonymity would do more damage to those who rely on user-friendly, non-technical solutions like TOR. We should not walk down that path.