"CMM Impact Notes": Somalia 2021

Following three decades of internal conflict, Somalia is making significant strides in rebuilding a stable and self-reliant security capability. As outlined in the 2020-2024 National Development Plan, a key part of this mission involves investing in cyber-resilient institutions and developing cybersecurity capabilities to support the nation's digital development agenda in a safe and secure manner.
 
In line with these goals, the Government of Somalia, with support from the World Bank, commissioned a Cybersecurity Capacity Maturity Model for Nations (CMM) review from the Cybersecurity Capacity Centre for Southern Africa (C3SA) in 2021. This review sought to provide a comprehensive, independent assessment of Somalia's existing cybersecurity strengths and weaknesses, and to establish a framework for prioritising future investments in cybersecurity capacity building.
 
Nearly three years later, we reconnected with the Government of Somalia’s Ministry of Communications and Technology to explore their progress since the review and to understand the long-term impacts of the CMM assessment within their specific context. As the developer and custodian of the CMM model, the GCSCC is eager to discover how countries utilise their reports and the outcomes they achieve. This is what we learned:

Starting from a low maturity level, Somalia has made significant improvements to its cybersecurity posture

At the time of review, Somalia was at the early stages of its cybersecurity journey and faced many complex challenges. There was no national cybersecurity strategy to provide clarity and structure to their capacity building efforts, insufficient incident response capabilities to respond to cyber breaches efficiently and limited digital critical infrastructure protections.
 
Since 2021, in a relatively short period of time, the country has made great progress towards improving its national posture. This has included drafting several policies and legislative pieces related to digital security, such as the Cybercrime Act (awaiting deliberation in parliament), Cybersecurity Act (under review for cabinet processes) and e-transaction Law. Furthermore, a national cybersecurity strategy has been drafted and final preparations are underway to launch a Computer Emergency Response Team (CERT) following a readiness review.

Speaking on behalf of C3SA, which helped conduct the assessment, Prof Wallace Chigona commended Somalia's rapid progress: 

“C3SA is pleased with Somalia’s proactive response to the 2021 CMM review recommendations. It is encouraging to see such collaboration, and we are confident that these efforts will contribute to long-term stability and development in the region.”

The CMM proved to be a valuable tool in identifying gaps and streamlining CCB investments

Each of the items listed above, all of which are substantially improving Somalia’s cybersecurity capabilities, was identified in the CMM review as a priority area for development. Conversations with the Government of Somalia confirmed that the CMM was instrumental not only in identifying gaps for improvement but also in streamlining future capacity building investments. Having an evidence-based maturity assessment at hand to share with international partners, such as the World Bank, facilitated the effective investment of development funds into the cybersecurity areas that needed them the most. As a result, in just a couple of years, several of the recommendations made in the CMM have now been implemented and Somalia has been able to make tangible progress towards its cybersecurity goals.

The CMM produced unforeseen benefits to stakeholder cooperation

In addition to providing an evidence base for effective cybersecurity capacity building, the Government of Somalia, when reflecting on the review, also identified some unexpected benefits from undertaking the CMM. For example, focus groups and other review processes helped to increase awareness and collaboration amongst various stakeholders across multiple sectors. This enhanced collaboration has in turn fostered a more unified national approach to addressing cybersecurity challenges in Somalia.

The CMM is a useful tool that more countries can benefit from

Overall, Somalia’s positive experience with the CMM has led stakeholders to see the review as a valuable mechanism for improving national cybersecurity capacity that all countries can benefit from. When discussing the CMM, Zakarie Ismael, a representative from the Government of Somalia’s Ministry of Communications and Technology, stated:

“Personally, I highly recommend other countries to undertake a CMM. The model provides a structured framework to assess and improve cybersecurity capacity, identify gaps, and develop strategies that align with international standards.”

C3SA was funded by the Ministry of Foreign Affairs of Norway to conduct the CMM. The support by the GCSCC for C3SA to conduct CMM reviews was funded by Norway and the UK Government.

 

Author: Joe Fulwood

Disclaimer: this case study was written with approval and input from the Government of Somalia. The views and opinions expressed in the report do not necessarily reflect those of the Government of Somalia.