In April, Morocco’s National Social Security Fund said that hackers had breached its systems, exposing sensitive citizen data online.
While officials eventually confirmed the incident and activated contingency protocols, the episode revealed critical gaps in the nation’s cybersecurity, from outdated systems to inadequate training.
Much detail about Morocco’s response is not known, although officials claimed that the documents posted online, showing unverified financial data about prominent companies and individuals, were “misleading, inaccurate, or incomplete.”
Nevertheless, the cyberattack demonstrates the extent to which cybercrime has proliferated in Africa. Countries across the continent must do more to prepare to respond to such attacks quickly. After all, the difference between a manageable incident and a full-scale crisis often comes down to the speed and coherence of the response.
Africa’s digital transformation has made public institutions both more efficient and more vulnerable. Across the continent, public services are becoming more digital, more connected, and more exposed. National databases hold growing volumes of personal and financial data. Institutions that once operated in isolation are now integrated through shared identity systems, cloud platforms, and cross-border trade infrastructure.
This shift brings undeniable benefits: efficiency, inclusion, and modernization. But it also raises the stakes.
Cyberattacks can leak private information, as seen in the Morocco case, or cause surface-level disruptions—but they can also interrupt core infrastructure. Pension systems, customs platforms, digital ID services, and banking networks have become targets for attackers pursuing financial, political, or ideological objectives. For example, in 2021, South Africa’s Transnet state-owned port operator was paralyzed by a ransomware attack, severely disrupting trade at one of the continent’s most critical logistics hubs. Such systems are essential to daily operations, governance, and economic stability, making them high-value targets in an increasingly contested digital environment.
The pressure is compounded by trade dynamics. As African countries adopt digital trade frameworks and seek deeper integration through instruments such as the African Continental Free Trade Area, countries will be expected—by international partners, investors, and peer countries—to maintain adequate cybersecurity hygiene. A poorly handled response to a cyberattack could stall digitization programs, delay funding, or complicate regional cooperation.
Each attack carries political, financial, and reputational consequences—reaching far beyond the technical perimeter.
A challenge beyond technology
Many of the toughest barriers to an effective cyber response are not technology-based: They’re political and institutional.
In both the public and private sectors globally, teams often delay escalation for fear of reputational or political consequences. That hesitation, sometimes just a few hours, can turn a manageable incident into a full-blown crisis. Ambiguity about how leaders responded to attacks—in terms of whether alerts were triggered and whether decision-makers were activated promptly—can also be costly reputationally and politically. Still, such ambiguity is common.
Another widespread challenge is that responses are often siloed. Ministries, regulators, and public service operators sometimes act independently, fearing blame or jurisdictional conflict. But attackers rarely limit their scope to a single system. Without pre-agreed protocols, time is lost by navigating institutional hierarchies instead of stopping the threat. This was evident in the Transnet ransomware incident in South Africa, where coordination issues extended the disruption to national trade routes.
There is also an institutional instinct, in some settings, to manage cyber incidents quietly. While discretion is understandable, early internal escalation does not require immediate public disclosure—it simply ensures that the right people are activated in time to reduce harm. Silence, on the other hand, delays action.
Private-sector organizations, especially in regulated industries or critical infrastructure, have faced similar dilemmas. Yet, speed and transparency improve dramatically when senior leaders are involved early and when the culture favors accountability over blame.
Governments face additional complexity—political sensitivities, multiple layers of authority, media pressure—but the principle holds: Adequate responses take place in cultures built on trust, not just compliance. Shifting from a blame-based culture to a readiness mindset is essential if African states want to match the pace and sophistication of evolving threats.
What’s required
To ensure that they can adequately and quickly respond to cyberattacks, African states should work to improve governance, communication, and trust.
One way to do that is by setting a standard requiring cybersecurity teams to initiate a comprehensive response process within twelve hours of attack detection. This twelve-hour window should encompass critical early-stage activities including initial triage to assess severity, coordination of response teams across relevant departments, forensic analysis to understand attack vectors, and preliminary impact assessments to identify affected systems and data. Importantly, this timeframe focuses on launching the response framework rather than completing full remediation—which requires more time to ensure permanent fixes—or conducting exhaustive breach analysis, which demands thorough investigation. The twelve-hour standard also excludes public disclosure during this initial period, allowing teams to maintain operational security while attackers remain unaware of detection.
By establishing clear expectations for these foundational response activities, organizations can ensure they rapidly mobilize resources while preserving the time needed for comprehensive long-term solutions.
Igniting a response to a national cyber incident within twelve hours does not boil down to having cutting-edge cyber defense infrastructure. But three core capabilities—each attainable, even in resource-constrained environments—are needed.
First, basic detection capabilities across digital assets are needed. This doesn’t require advanced technologies such as artificial intelligence—just logs, alerts, and system awareness. Even well-organized and properly rehearsed manual processes can be effective. Establishing a situational awareness platform—even if rudimentary—that enables organizations, government entities, and incident response teams to exchange real-time threat intelligence can ensure visibility during a crisis.
Second, there needs to be a clear chain of command in the event of a cyberattack. Institutions need to know who is in charge, how to reach them, and what thresholds trigger escalation. Appointing a national cyber incident lead with the authority to coordinate across agencies can help mitigate slow reaction times caused by bureaucratic silos and overlapping mandates.
Third, secure communication platforms must be made available to all key actors on a response team. The most effective coordination happens with tools that are set up before the crisis—not in the middle of it. These don’t have to be expensive platforms, but they must be resilient, well-known to all key actors, and able to function even during partial system failures.
In addition, states should hold periodic simulations to test these capabilities and to uncover gaps between agencies, protocols, and assumptions on the one hand and real-world behavior on the other.
Each of these capabilities is within reach. But they require more than technical fixes—they demand political prioritization, institutional alignment, and above all, consistent follow-through.
The twelve-hour test isn’t about beating a clock. It’s about knowing whether a country’s systems, people, and institutions are ready to act—before the damage is irreversible. That readiness is not out of reach for Africa. But it starts with treating cyber response as a core function of national security, not a technical afterthought.
Yasmine Abdillahi is a nonresident fellow with the ’s Africa Center. She is the executive director of security risk and compliance and the business information security officer at Comcast.

The Africa Center works to promote dynamic geopolitical partnerships with African states and to redirect US and European policy priorities toward strengthening security and bolstering economic growth and prosperity on the continent.
Image: Cables in a data center. (Jordan Harrison, Unsplash, Unsplash License) https://unsplash.com/license