In 2020, the United Nations encouraged young people to engage in local dialogues on the futures they wanted to see ahead of the 75th anniversary of its General Assembly. I hosted one of those conversations virtually and among the themes we chose to explore was digital futures – specifically, what the world might look like where wars are not only fought on physical battlefields, but in cyberspace. At the time, it felt distant. Theoretical, even. Six years later, we are living it in real time.

The US-Iran CyberWar

Consider the recent actions of Handala, an Iran-linked hacking group, which crippled the global networks of the US-based Stryker, one of the world’s largest medical device companies; even as the US-Iran war approached a full month. The attack wiped almost 80,000 Windows devices, saw 50 terabytes of data stolen and leaked, and disrupted the organisation’s operations in over 60 countries globally. As if that were not enough, the Federal Bureau of Investigation (FBI) subsequently confirmed that its Director, Kash Patel, had his email hacked even as it claimed that sensitive information was not leaked. If the world’s most technologically advanced nation is still vulnerable, what does that mean for the rest of us?

The Alleged Remita Hack

The answer came closer to home just days ago. ByteDance-linked hackers and other threat actors claimed to have breached Nigeria’s Remita platform and several commercial banks. Remita is not a peripheral system. It is the financial backbone through which the country’s federal government processes payments and manages sensitive financial data. Remita has insisted that no significant breach occurred, but the Nigeria Data Protection Commission is currently conducting an extensive investigation. The incident, confirmed or not, is a warning shot.

So here is the uncomfortable question: if our defences for critical national infrastructure are not yet strong enough, what happens when we face not just opportunistic cybercrime, but coordinated cyberterrorism or outright cyberwarfare?

what happens when we face not just opportunistic cybercrime, but coordinated cyberterrorism or outright cyberwarfare?

Thankfully, there are signs of political will across Africa. Nigeria’s federal government is organising a dedicated cybersecurity taskforce to coordinate with the private sector. Similarly, the Central Bank of Nigeria has mandated financial institutions in the country to conduct self-assessments of their cybersecurity posture as part of the attempts to boost resilience. Somalia recently unveiled their cyber-incident response centre following the coming into effect of its cybersecurity law. Rwanda has developed one of Africa’s most robust national cybersecurity frameworks. Ghana and Kenya have made similar strides. These are encouraging signals. But political will is only the beginning. As African nations build their cybersecurity infrastructure, there are foundational questions that must be confronted head-on.

Five Questions African Nations Must Confront to Strengthen Cybersecurity Efforts

• Whose infrastructure are we building on?

Much of Africa’s digital economy runs on cloud services owned and operated by foreign technology companies. This is not inherently problematic, but it does create a structural dependency that has serious security implications. If a geopolitical dispute disrupts access to those services, or if foreign providers are themselves compromised, African governments could lose access to their own data and systems. The African Union’s Digital Transformation Strategy already mandates investment in local digital infrastructure and content. The practical bridge, while that longer-term investment is made, lies in diplomacy: African nations could actively pursue cyberdefence treaties that legally obligate state parties, including those whose companies own the cloud services we rely on, to cooperate in the event of a breach or attack. As British statesman Winston Churchill opined, “Jaw-jaw is always better than war-war.”

• Is cybersecurity embedded in how we design policy interventions?

Too often, cybersecurity is treated as an afterthought, a checkbox bolted onto a project after the core design decisions have already been made. Data Protection Impact Assessments (DPIAs) exist precisely to prevent this, by identifying and mitigating privacy and security risks before high-stakes systems go live. Yet their implementation across African public institutions remains inconsistent. Every e-government platform, digital identity scheme, and public financial system should be stress-tested for cyber risk from inception, not after deployment.

• Do we have a culture of reporting cyber incidents?

A cybersecurity ecosystem is only as strong as the information flowing through it. When breaches are concealed, whether out of reputational fear or regulatory uncertainty, the entire system is weakened. African nations must build clear, trusted, and liberal frameworks for cyber incident reporting, so that when something goes wrong, the response can be swift, coordinated, and instructive for others.

• Are we investing seriously in local cybersecurity talent?

The global shortage of cybersecurity professionals is acute, and Africa faces a compounded version of this challenge. We have to invest in training highly skilled cybersecurity professionals at scale, through universities, vocational programmes, and specialised academies. But recruitment is only half the battle. If those professionals are inadequately compensated, they will – quite rationally – take their skills elsewhere. Retaining cybersecurity talent is as much an economic policy question as it is an education one.

• What does the average person know about cybersafety?

State-level cyberattacks often succeed not through sophisticated technical exploits alone, but through the simplest point of entry: human error. Phishing emails opened by public officers. Data shared carelessly across unsecured platforms. Digital literacy, for citizens and civil servants alike, is a frontline security issue. It is also inseparable from the broader question of data privacy, which shapes how individuals and institutions handle sensitive information every day.

Conclusion

African nations do not have to wait for catastrophic cyberattacks before these questions become urgent. The warning signs are already here. This is the only time we have to secure our cyberspaces proactively for threats we might not have even conceived; and we can only do that by asking – and confronting – the right questions.

Written by Davida Opara, Communications Lead at Africa Privacy Roundup. Follow Africa Privacy Roundup for more insights on key developments in privacy, AI, and cybsecurity across Africa.