The telecommunications sector is increasingly recognised as the backbone of modern communication, playing a crucial role in facilitating connections and supporting critical infrastructure as ICT has become an indispensable part of our daily life. 

However, this essential function also makes the industry a prime target for cyber threats, especially given the large volume of data handled by telecom companies.

In Namibia, the rapid growth in mobile phone usage and digital services has amplified the vulnerabilities within the telecommunications sector. As highlighted by the Communications Regulatory Authority of Namibia (Cran) in its 2023/2024 Universal report, most Namibians have access to 3G and 4G networks, which has led to an explosion in data usage. 

This surge necessitates robust cybersecurity measures to protect against the rising tide of cyber threats.

The Communications Act (No. 8 of 2009) mandates Cran to promote consumer interests and regulate telecommunications services, including matters related to telecommunications security, and network standards such as cybersecurity measures. However, the current reliance on the goodwill of telecom operators for cybersecurity is inadequate. 

Without a regulatory framework, there are no legal obligations for operators to implement necessary security measures, leaving personal data vulnerable and the sector exposed to increased risks.

It is with this background in mind that this article outlines three possible regulatory approaches:

Self-Regulation

This voluntary approach allows operators to set their own cybersecurity standards based on their risk appetite and economic constraints. While self-regulation can offer flexibility and adaptability, it lacks accountability and could result in inconsistent application of security measures. This approach may leave consumers at risk if operators prioritise business interests over security.

Quasi or Co-regulatory Approach

This hybrid model involves collaboration between industry stakeholders and regulators, with a legislative framework supporting industry-led initiatives.

The co-regulatory approach allows for flexibility and leverages industry expertise while ensuring adherence to basic security standards. It aligns with global trends where countries are moving towards co-regulation to balance industry innovation with necessary regulatory oversight.

Explicit Mandatory Legislative Regulation

This comprehensive approach entails amending existing legislation or enacting new laws to impose strict cybersecurity obligations on telecom operators. This may take the form of amending the Communications Act to strengthen the existing framework and introduce a risk-based security framework and several high-level key obligations alternatively, the elaboration and enactment of the Cybercrime Bill. 

While this method ensures compliance through legal enforcement and sanctions for non-compliance, it often involves a slower legislative process and higher costs due to extensive stakeholder engagement and infrastructure requirements.

Namibia’s Cybercrime Draft Bill, 2021 reflects the country’s commitment to creating a secure and resilient cyberspace. The bill aims to enhance the nation’s ability to combat cybercrime, promote consumer trust, and support the ongoing digital transformation of various sectors, including telecommunications.

 The bill proposes the establishment of a National Computer Incident Response Team (CSIRT), criminalises specific cyber-related offences and aims to enhance consumer trust and foster digital transformation. Although, this bill represents progress in enhancing cybersecurity frameworks, sector-specific regulations are essential to ensure that the particular needs of telecommunications are adequately met.

The impact of implementing these regulations extends beyond compliance, as it involves safeguarding operators’ reputations and maintaining consumer trust. As cyber threats evolve, proactive measures are vital for operators to stay ahead of potential risks. The need for digital education and literacy among consumers is also highlighted, as fostering awareness can enhance compliance and resilience within the industry.

In conclusion, the telecommunications sector is pivotal for Namibia’s national security, economy, and public safety. As digital services continue to expand, so too does the risk of cyber exploitation. 

A proactive regulatory approach is necessary to address these challenges effectively. While self-regulation may offer flexibility, it lacks the accountability required to protect consumer interests.

*Magano Katoole is a legal advisor: Legislative drafting at the Communications Regulatory Authority of Namibia (Cran).