N※N

Government urges public institutions to strengthen cyber security systems

  //politics-government.news-articles.net/content/ .. utions-to-strengthen-cyber-security-systems.html
  Published in Politics and Government on Wednesday, September 24th 2025 at 8:59 GMT by The Citizen
          ^{🞛 This publication is a summary or evaluation of another publication 🞛 This publication contains editorial commentary or bias from the source}

Tanzania’s Public‑Sector Cyber‑Security Mandate: Strengthening Digital Defenses in a Rapidly Evolving Threat Landscape

In a decisive move to safeguard national digital infrastructure, the Tanzanian government has issued a sweeping directive urging all public‑sector institutions to bolster their cyber‑security systems. The call, published on the news portal The Citizen, comes amid escalating cyber‑threats that now touch every corner of the country’s public administration, from ministries and state‑owned enterprises to local government offices and public service agencies. The directive, underpinned by the 2021 Cyber Security and Data Protection Act, seeks to align Tanzania’s public‑sector cyber‑security posture with global best practices while addressing the unique vulnerabilities inherent in an increasingly digitised public service delivery model.

1. The Rising Stakes of Cyber‑Threats in Tanzania

Tanzania has been experiencing a rapid increase in both the frequency and sophistication of cyber‑attacks. According to the Cyber Security Unit (CSU) of the Information and Communication Technology Authority (ICTA), the country witnessed a 45 % rise in ransomware incidents over the last year, with several high‑profile attacks targeting the Ministry of Finance, the Tanzania Communications Regulatory Authority, and a handful of public hospitals. While the government’s own cyber‑security framework is robust, many public‑sector bodies remain under‑prepared, lacking adequate patch management procedures, incident‑response plans, and employee training programmes.

The article notes that in a survey conducted by the CSU in 2023, 62 % of public institutions reported that they had not performed a comprehensive risk assessment in the past 12 months. Moreover, the lack of standardised security policies meant that data breaches and service disruptions could propagate across ministries, potentially jeopardising sensitive national information and eroding public trust in digital services.

2. The Government’s Directive – Key Provisions

The government’s directive, issued by the Ministry of Information, Communication, and Digital Economy (MICDE), outlines a three‑stage approach for public institutions to elevate their cyber‑security posture:

1. Risk Assessment & Asset Inventory
   Every institution is required to conduct a formal cyber‑risk assessment within 30 days, mapping all critical assets, including servers, databases, and cloud‑based applications. The assessment must identify potential vulnerabilities and rank them by severity.

2. Patch Management & System Hardening
   The directive mandates a strict patch‑management regime, ensuring that all operating systems, applications, and firmware receive timely updates. Institutions must also implement security hardening guidelines—such as disabling unused services, enforcing strong password policies, and configuring secure network segmentation.

3. Incident Response & Workforce Training
   A comprehensive incident‑response plan is now compulsory. The plan should outline roles, responsibilities, communication protocols, and recovery procedures for a range of potential incidents—from phishing attacks to distributed denial‑of‑service (DDoS) assaults. In parallel, institutions must roll out a cybersecurity awareness training programme for all staff, with a focus on phishing recognition, data protection, and secure handling of confidential information.

The directive further calls for the establishment of a Cyber‑Security Working Group in each ministry, chaired by a senior officer and tasked with monitoring compliance, reporting incidents to the NCSC, and coordinating joint exercises with law‑enforcement agencies.

3. Legislative and Institutional Framework

While the 2021 Cyber Security and Data Protection Act provides the legal scaffolding for such initiatives, the article highlights gaps in its practical implementation. For instance, the act stipulates that public bodies must conduct regular audits; however, the enforcement mechanisms and penalties for non‑compliance are still being refined.

In response, MICDE has set up a Cyber‑Security Compliance Office (CSCO) that will oversee the enforcement of the directive. The CSCO will conduct quarterly audits and publish anonymised compliance reports on its website, ensuring transparency and encouraging peer benchmarking.

The article also references a partnership between Tanzania and the African Union’s African Cyber Security Initiative (ACSI), which provides technical assistance and training modules. This partnership is expected to accelerate the adoption of industry‑standard controls, such as ISO 27001 and NIST SP 800‑53, within public institutions.

4. Challenges and Mitigation Strategies

The directive’s ambitious scope is not without hurdles. Key challenges identified include:

• Resource Constraints: Many institutions operate on tight budgets, limiting their ability to purchase security tools or hire skilled personnel. The government is addressing this through a “Cyber‑Security Investment Fund” that offers low‑interest loans and grants for critical security projects.

• Skill Shortages: There is a national shortage of cyber‑security professionals. To mitigate this, MICDE is collaborating with universities to launch a Cyber‑Security Fellowship Programme, providing scholarships and hands‑on training for students.

• Legacy Systems: A significant proportion of public institutions still rely on legacy software that lacks modern security features. The directive proposes a phased migration plan to move to cloud‑native and micro‑service architectures, with a target of decommissioning legacy systems by 2028.

5. Looking Ahead – A Vision for Digital Resilience

The article concludes with a forward‑looking statement from Deputy Minister of ICT, Dr. James Mwakaganga, who emphasized that cybersecurity is no longer a technical issue but a national security priority. He added: “By embedding a culture of security into every public service, we not only protect our data but also safeguard the integrity of our democratic institutions.”

In line with this vision, the government is drafting a National Cyber‑Security Strategy for 2025‑2030, which will outline long‑term goals such as establishing a national cyber‑defence command centre, fostering public‑private partnerships, and positioning Tanzania as a regional hub for cyber‑security expertise.

6. Bottom Line

The directive by Tanzania’s government marks a pivotal step toward enhancing the cyber‑security resilience of the public sector. By mandating comprehensive risk assessments, patch management, incident response plans, and workforce training, the initiative seeks to create a unified defense posture capable of countering increasingly sophisticated cyber‑threats. While challenges such as resource constraints and skill gaps remain, the government’s proactive measures—supported by legislative reforms and regional cooperation—lay a solid foundation for a safer, more secure digital ecosystem in Tanzania.

For more detailed information, the article links to the Ministry’s official cyber‑security policy brief, the NCSC’s audit framework, and the ACSI partnership agreement—resources that provide deeper insight into the operational and technical nuances of Tanzania’s evolving cyber‑security landscape.