“Cybersecurity Can No Longer Be Treated As A Secondary Issue”
“Cybersecurity Can No Longer Be Treated As A Secondary Issue”
https://www.thereporterethiopia.com/48845/
Publish Date: 2026-01-31 03:16:00
Source Domain: www.thereporterethiopia.com
Using an unordered list, summarize the following article with between 4 and 8 key points. Cyber Security Association chief highlights risks to a rapidly digitizing Ethiopia As Ethiopians grow increasingly reliant on digital platforms for banking, communication and public services, cyber threats have quietly become part of everyday life, often unnoticed until systems fail or data is compromised. Beneath the country’s rapid digital expansion lies a growing struggle to secure networks, protect institutions and build public awareness, as cybercrime evolves faster than regulation, skills and coordination. Ethiopia has seen a steady rise in attempted cyber-attacks in recent years, targeting government systems, financial institutions and critical infrastructure. While officials say most attacks are successfully intercepted, cybersecurity experts warn that gaps in policy enforcement, limited technical capacity and low public awareness continue to expose critical vulnerabilities. In a country pursuing ambitious digital transformation goals, cybersecurity has become not just a technical concern, but a matter of economic stability and national resilience. At the center of this debate is Birhanu Beyene (PhD), president of the Ethiopian Cyber Security Association. From The Reporter Magazine Educated in computer science from the undergraduate level through PhD at the University of Hamburg, Germany, Birhanu e spent nearly 23 years as a researcher and instructor at the same institution. Drawing on decades of academic and professional experience, he now plays a leading role in shaping Ethiopia’s cyber security discourse. In this interview with The Reporter’s Surafel Ashebir, Birhanu shares his assessment of Ethiopia’s cybersecurity landscape, the most pressing threats facing public and private institutions, and the policy and capacity gaps that must be addressed to safeguard the country’s digital future. EXCERPTS: The Reporter:How would you describe the state of cybersecurity in Ethiopia? From The Reporter Magazine Birhanu Beyene (PhD): As more Ethiopians come online and embrace digital services, from mobile banking to online payments and social media, our daily lives are increasingly shaped by technology. With every tap and click, we enjoy the convenience of instant transactions, easier access to information, and seamless communication. But this digital growth also comes with a shadow: cyber threats are on the rise. Hackers and online criminals are constantly looking for vulnerabilities and just one weak link whether in a banking app, a payment system, or even a personal device can lead to financial loss, identity theft, or breaches of private information. For the average user, these threats are invisible, yet their impact can be deeply personal, affecting livelihoods, trust, and the sense of security in an increasingly connected world. What types of cyberattacks are most frequently targeting the country, and which institutions are most affected? Cyber-attackers rarely strike at random. Their motives are often calculated and varied, ranging from financial gain and money laundering to political signaling, espionage, or simply the desire to damage an institution’s reputation and public trust. In today’s interconnected digital environment, certain organizations stand out as particularly vulnerable, not because they are careless, but because they are essential. At the top of the risk scale are critical and necessary infrastructure institutions. These include power utilities such as electricity providers, financial institutions, and healthcare systems. A successful attack on these sectors does more than disrupt servers; it disrupts lives. In hospitals, for example, cyber criminals often target patient medical records, drug supply chains, and internal systems that doctors rely on to make urgent decisions. In banks and financial institutions, attacks can freeze transactions, expose sensitive customer data, and shake confidence in the broader economy. When these systems go down, the impact is immediate and deeply human. A second major target group includes higher education and research-based institutions, security agencies, and organizations that generate or store valuable research and policy information. Universities, in particular, hold years of academic research, unpublished studies, and sensitive data, often protected by limited cybersecurity budgets. For attackers, this information can be sold, weaponized, or used to gain strategic advantage. Beyond these high-profile targets, there is another, often overlooked category: small and individual organizations. These entities are frequently used as stepping stones to attack larger institutions. Hackers exploit their weaker defenses, knowing that many small organizations cannot afford dedicated cybersecurity professionals or advanced protection systems. Once inside, attackers move quietly, using trusted networks to reach bigger and more secure targets. These attacks are among the hardest to prevent because they hide in plain sight. Crucially, many cyber attacks do not begin with complex technology but with people. Human behavior remains the weakest link. Sending passwords through email, writing login details in notebooks, or reusing the same password across platforms creates easy entry points for attackers. A single careless click or shared credential can open the door to an entire system. Cyber threats are not just technical problems, they are organizational and human ones. Protecting vulnerable institutions requires not only stronger systems, but also awareness, training, and a culture that treats cybersecurity as a shared responsibility because in the digital age, one small mistake can have consequences far beyond a single screen. At present, how vulnerable are government agencies, private companies, and the public to cyber threats? Currently, we can say that there is no institution or individual that is not vulnerable to cyber attacks. In today’s digital reality, vulnerability to cyber attacks is no longer an exception, it is the norm. There is virtually no institution or individual that can claim complete immunity. While government bodies and some large private organizations may be better positioned to withstand attacks due to stronger defense systems and resources, individuals and small institutions remain dangerously exposed. Ethiopia’s rapid digital expansion illustrates this risk clearly. With more than 80 million estimated mobile phone users, the country is now deeply embedded in the global digital network. Every phone call, text message, online transaction, or Wi-Fi connection places users into what experts often describe as a vast digital ocean. In this space, an attacker does not need to be physically close. A cyber criminal operating thousands of kilometers away can target a user in Ethiopia as easily as someone next door. Something as routine as connecting to a public or home Wi-Fi network can become a point of entry. Without adequate protection, these networks can be exploited, exposing personal and organizational data to unauthorized access. This reality underscores how easily ordinary users can become targets often without realizing it. The risk is even higher for small organizations and individual businesses. Unlike large institutions, most do not have the financial or technical capacity to establish dedicated cybersecurity departments or hire skilled professionals. Their systems are often fragmented, unmonitored, and poorly protected, making them attractive targets for attackers. In many cases, hackers deliberately exploit these weaker entities as gateways to larger, more secure institutions. At the individual level, the stakes are deeply personal. Sensitive information such as bank account details, ATM PINs, residential addresses, identification data, and private communications is increasingly stored on mobile phones and digital platforms. When compromised, the consequences extend beyond financial loss to include identity theft, emotional distress, and long-term damage to personal security. What makes cyber threats particularly alarming is that they are not only technical problems; they are human ones. Every unsecured device, reused password, or unprotected network increases exposure. As Ethiopia continues its digital transformation, the challenge is not simply about expanding access, but about ensuring safety within that access. In this interconnected era, cyber insecurity affects everyone from institutions to individuals, from urban centers to rural communities. The growing digital footprint brings undeniable benefits, but it also demands awareness, responsibility, and collective action. Without these, the digital promise risks becoming a shared vulnerability. Do Ethiopia’s existing cyber security laws and policies provide adequate protection against digital threats? Laws and regulations are, by nature, shaped by the realities of their time. They are drafted to respond to a country’s existing conditions, its institutions, risks, and capacities. But those conditions are not fixed. They evolve, often faster than the policies designed to govern them. For this reason, it is increasingly difficult to claim that any single policy is fully sufficient, especially in sectors driven by rapid technological change. In many cases, a policy may appear adequate on paper, yet fall short in practice. Implementation remains the critical gap. A regulation issued years ago may have been appropriate for the technological landscape of its time, but the digital environment has since transformed. New platforms, new threats, and new ways of exchanging information have emerged, rendering older frameworks outdated or incomplete. Recognizing this shift, authorities have in the past year been working toward approving a new policy framework intended to keep pace with current technologies and emerging risks. This effort reflects an understanding that cybersecurity and information governance cannot rely on static rules in a dynamic digital world. Still, policy-making alone is not enough. Technology continues to change at a speed that outpaces legislation, making periodic review and revision not a luxury, but a necessity. Effective regulation must be living and responsive, regularly updated to reflect new realities rather than reacting after damage has been done. Equally important is enforcement. A policy that is not implemented is, in practical terms, meaningless. Without clear mechanisms for accountability, monitoring, and compliance, even the most well-written regulation offers little protection. Experts also emphasize the need for annual information security audits. These audits serve as early warning systems, helping institutions identify weaknesses, measure compliance, and adapt defenses before vulnerabilities are exploited. They translate policy from abstract intention into operational reality. In the end, the strength of a country’s legal and regulatory framework is measured not by how many policies it issues, but by how well those policies are enforced, reviewed, and updated. Are the country’s judicial and law enforcement institutions sufficiently equipped to investigate and prosecute cybercrime cases effectively? It is difficult if not impossible to say that the current response is sufficient. Cybersecurity demands far more than good intentions or isolated efforts; it requires sustained investment in human expertise, technology, and financial resources. These capacities cannot be built overnight. They grow gradually, through long-term planning and collective commitment. At its core, cybersecurity is a shared responsibility. It cannot be left solely to the courts, the police, the Information Network Security Administration (INSA), or any single institution. While INSA operates an incident reporting center designed to receive and track cyber attack reports, its effectiveness depends heavily on cooperation from organizations and the public. In practice, that cooperation is often missing. Many institutions choose not to report cyber attacks, fearing reputational damage or loss of public trust. This silence, however, comes at a cost. When attacks go unreported, authorities are unable to properly monitor trends, investigate perpetrators, or strengthen legal responses. What remains hidden cannot be regulated or prevented. For this reason, the role of the public is critical. Citizens and organizations alike are expected to report even minor cyber incidents. Small warnings can help prevent larger breaches, and collective reporting strengthens the legal and technical capacity to respond. Cybercrime itself adds another layer of complexity. It is borderless by nature, often originating outside national jurisdictions. Identifying the source of an attack let alone holding perpetrators accountable can require international cooperation, technical sophistication, and lengthy investigations. Bringing cybercriminals to justice is rarely straightforward. While there have been promising beginnings in policy development and institutional response, experts agree that much more work lies ahead. Laws must not only exist, but be continuously updated and actively enforced to keep pace with evolving threats. Perhaps most importantly, many cyber attacks exploit human vulnerability rather than technological failure. Weak passwords, poor digital habits, and lack of awareness open doors that even the strongest systems cannot fully close. This reality makes public awareness not a side issue, but a central pillar of cybersecurity. In the end, strengthening cyber defenses is not just a technical or legal challenge, it is a social one. Without awareness, transparency, and shared responsibility, even the most advanced systems remain exposed. How do cybersecurity lapses in banking and digital payment systems impact Ethiopia’s broader economic growth? Cyber threats carry consequences that go far beyond disrupted systems or temporary inconvenience. Their impact is deeply financial, political, and social and in many cases, long-lasting. At the most immediate level, financial theft is the clearest danger. Individuals, private institutions, and even governments can lose vast sums of money within minutes. For ordinary citizens, this may mean drained bank accounts or stolen savings. For institutions, it can translate into losses running into millions, sometimes without any clear path to recovery. Closely tied to financial loss is reputational damage. Trust is the backbone of institutions, especially banks and financial service providers. When a bank suffers a cyber breach or theft, the damage is not limited to the stolen money. Customers begin to question the institution’s ability to protect their assets. Fear spreads quickly, withdrawals increase, and confidence erodes. In extreme cases, customers simply walk away. At a broader level, cyber attacks can escalate into national security threats. When cyber warfare targets government systems, critical infrastructure, or state institutions, it has the potential to weaken a country’s sovereignty. Such attacks can disrupt public services, manipulate information, and influence political stability. In this sense, cyber weapons can be as powerful as traditional ones capable of reshaping political dynamics without a single shot being fired. The economic cost of cyber attacks is particularly devastating. The damage does not end with the initial loss of money. Rebuilding compromised systems, restoring data, strengthening defenses, and compensating victims require enormous financial resources. For many institutions, especially in developing economies, these recovery costs can be crippling. Taken together, cyber attacks represent a silent but formidable threat. They drain financial resources, undermine public trust, weaken national authority, and place heavy burdens on already strained economies. Currentlyaround 13 trillion dollars are being stolen from countries around the world every year. In an increasingly digital world, the true cost of cyber insecurity is not only measured in lost data or stolen money but in shaken confidence and long-term economic harm. Is there a shortage of skilled cybersecurity professionals in the country, and what is your Association doing to address this gap,particularly in training specialized personnel? A study is needed to determine how much manpower is needed to maintain Ethiopia’s cybersecurity. This is a weakness that is still unknown. This needs to be done, but as we see in the world, cybersecurity is a very dynamic sector. It is becoming very challenging. It needs to change every minute, every second, so there is a problem of professionals who can do this. There are many professionals in this sector in the world, especially in the West. In a country like ours, which is a beginner, there is undoubtedly a shortage of professionals. We believe that universities can fill this gap. There is nothing like investing in a person with special talents. In this regard, INSA has a talent center. In that center, people with special talents will gain knowledge and experience in a wide range. The benefits of opening such centers are very great. Therefore, I say that the government and the private sector should work together. As an institution, we are developing various platforms and research processes to make such programs a reality. Given that Ethiopia currently lacks a fully sovereign cyber space, can we say that the country’s digital infrastructure is sufficiently protected? It is difficult to make such a claim when data sovereignty itself remains unresolved. True digital security begins with control over data, over infrastructure, and over the technologies that power everyday life. At present, much of that control lies beyond national borders. The core technologies used across institutions and households alike are largely designed, owned, and managed by others. The technology we use is not what we created ourselves. This dependence creates a quiet but serious vulnerability. One of the most significant risks comes not from hackers alone, but from technology suppliers themselves. Software installed on mobile phones and computers can, intentionally or otherwise, collect sensitive information about users’ lives. In a world where data has become a strategic asset, the possibility of surveillance whether commercial or political cannot be ignored. This does not mean that all imported or foreign-made technology is inherently dangerous. The point is not to reject technology outright, but to acknowledge its potential risks. In reality, no country can build or purchase everything on its own. Global cooperation and technology exchange are unavoidable. However, many countries manage this reality through strict regulations clearly defining what technologies are acceptable, under what conditions, and with what safeguards. Here, the challenge is policy and enforcement. Without strong regulatory frameworks, it becomes difficult to distinguish between appropriate and inappropriate technologies. When standards are weak or oversight is limited, risky tools can enter the system unchecked. Accepting every technology simply because it is available or affordable exposes the country to long-term security and privacy risks. This is why experts increasingly argue for making technology as locally controlled as possible. Keeping national data within the country, developing domestic capacity, and strengthening oversight mechanisms are key to resilience and ensuring that critical information remains under national jurisdiction and legal protection. Even then, no system can be made perfectly secure. Strong action can reduce risk, but it cannot eliminate it entirely. Cyber threats evolve, and absolute protection is an illusion. What matters is minimizing exposure, strengthening control, and making informed choices so that technology serves national interests, rather than quietly undermining them. How is the Ethiopian Cyber Security Association collaborating with educational institutions to strengthen cybersecurity ? Our members are mostly university professors and students. Developing curricula at the university level, conducting research, and conducting studies are among our activities. We have recently established a student club in this regard. It is a club that allows students to develop their knowledge and experience in cybersecurity. We are working to establish similar clubs in other universities. Cybersecurity education and research should be guided by the curriculum. We have established a working group and are working to do this. We are also working with INSA and other stakeholders to provide training. What solutions or strategic initiatives does the Association propose to ensure robust cyber security across the country? Building real digital security begins not with machines, but with people. Understanding the risks that come with digital devices and raising public awareness about them must be the first priority. Without this foundation, even the most advanced systems remain vulnerable. A single careless action can undo layers of technical protection. Beyond awareness, there is an urgent need to develop local technology that is capable, modern, and responsive to current realities. Keeping pace with rapid technological change is no longer optional. It is a matter of national resilience. Countries that rely entirely on external solutions remain dependent and exposed, while those that invest in their own digital capacity gain greater control over their systems and data. Equally critical is the role of strong and enforceable policies, particularly in the legal sphere. Cybersecurity cannot be treated as an abstract concern or a technical issue left to specialists. It must be embedded in law. Clear regulations are needed to define responsibility, accountability, and acceptable digital behavior across institutions. This includes the workplace. When an individual is hired by an organization, vigilance in the use of information technology should not be left to personal judgment alone. It should be a legal obligation. Mandatory standards covering password management, data handling, system access, and reporting of incidents can help ensure that cybersecurity becomes part of professional duty, not an afterthought. Looking ahead, what key actions is the Association planning to further secure Ethiopia’s digital infrastructure in the coming years? The Association is currently guided by a five-year strategic plan that places public awareness, policy engagement, and research at the center of its work. In collaboration with key national institutions, particularly INSA and the Ministry of Innovation and Technology, the plan aims to create structured platforms where citizens can access training, professional advice, and expert guidance from senior officials and practitioners in the field. A major focus of this effort is evidence-based engagement. Through research and policy dialogue, the Association is contributing to discussions on cyber law, regulatory frameworks, capacity-building, and consulting services. These initiatives are designed not only to strengthen institutions, but also to translate complex cybersecurity issues into practical knowledge for the wider public. In the near future, the Association also plans to carry out a gap analysis examining how private organizations understand and approach cybersecurity. The study is expected to identify weaknesses, measure preparedness, and inform targeted interventions across the private sector. Regionally, the Association is strengthening its reach through active membership in the African Cyber Security Alliance, working in partnership with continental actors. Within this framework, it is taking a leading role in the research domain, with efforts underway to expand and deepen this contribution. Cybersecurity can no longer be treated as a secondary issue. As digital systems become more embedded in everyday life and national infrastructure, taking cybersecurity seriously is not just a technical necessity, it is a national responsibility.
