Tanzania's Auditor General uncovers cybersecurity weaknesses in public bodies

What you need to know:
- This comes despite the fact that Tanzania has already positioned itself as one of the countries with strong cybersecurity on the continent, as well as outlining various strategies to ensure continued progress in this area.
Dar es Salaam. Tanzania’s cybersecurity infrastructure across public institutions is under serious threat due to widespread weaknesses and lax enforcement of digital safety standards, the latest audit by the Controller and Auditor General (CAG) has revealed.
This comes despite the fact that Tanzania has already positioned itself as one of the countries with strong cybersecurity on the continent, as well as outlining various strategies to ensure continued progress in this area.
The East African nation achieved a major milestone in 2024 when it was ranked Tier 1 in the International Telecommunication Union’s (ITU) Global Cybersecurity Index (GCI), placing it in the same category as global cybersecurity giants like the US, the UK, and South Korea.
However, the audit, which covered 78 public institutions, found that 42 of them did not conduct routine Vulnerability Assessments and Penetration Testing (VaPT), a basic cybersecurity practice aimed at identifying exploitable flaws.
“This is akin to operating a house with open doors and windows,” the CAG stated in the 2023/2024 audit report. “Without these assessments, public systems are left highly exposed to potential cyberattacks.”
The audit further revealed that 39 entities lacked effective remote access controls—a major gap in an era of hybrid work and digital communication—while 43 institutions had not performed network security assessments within the past year.
“The failure to review network configurations and security postures on a regular basis makes it difficult to detect intrusions or unauthorised access,” the report warned.
Equally concerning, 56 institutions did not review user access rights or system logs, increasing the risk of insider threats and data misuse.
In 35 entities, new IT systems were launched without undergoing mandatory User Acceptance Testing (UAT) or comprehensive security evaluations.
“This undermines user satisfaction and compromises system stability,” the audit stated.
“It also opens doors to malicious actors who exploit untested features and loopholes.”
In 33 public institutions, the audit found that system changes—such as software upgrades—were rolled out without prior security assessments.
“This is a recipe for introducing new vulnerabilities,” the report noted.
Furthermore, in 22 institutions, test environments were not separated from live systems, posing a serious risk of system compromise and unintended data leaks.
The CAG also found that 19 institutions used outdated and unsupported database software, while 47 continued to operate with default database user accounts—an open invitation for cybercriminals.
“Default credentials are often well known in hacker communities,” the CAG cautioned.
“Failure to deactivate or change them is irresponsible and leaves these databases highly vulnerable.”
The audit also exposed the absence of ICT incident management frameworks in 60 institutions.
Even when cyber incidents occurred, several institutions delayed response or took no action, undermining the government’s ability to manage digital threats.
The CAG called for urgent reforms, including the institutionalisation of VaPT, enforcement of strict access controls, mandatory system testing before deployment, and immediate disabling of default database accounts.
The report also urged the Ministry of Communication and Information Technology (MCIT) to enforce compliance with the e-Government Act of 2019.
In a separate but related assessment, the CAG reviewed the implementation of the National Cyber Security Strategy (NCSS) 2018–2023 and described its rollout as “disappointing.”
“Only 41 percent of the 49 strategic actions under the NCSS were fully implemented. Twelve percent were partially implemented, while 45 percent were not implemented at all,” the report revealed.
“Another two percent were overtaken by events.”
The audit blamed the poor implementation partly on the lack of a structured monitoring and evaluation (M&E) framework.
“There was no clear mechanism for tracking progress, reporting outcomes, or adjusting actions in response to emerging threats,” the CAG said.
It also noted that the government’s new e-Government Cyber Security Strategy (2022–2027) is not aligned with the NCSS.
It excludes important actions such as fostering international partnerships and reviewing the national regulatory environment.
“There are overlapping responsibilities between the e-Government Authority (e-GA) and the Tanzania Communications Regulatory Authority (TCRA),” the report warned.
“This leads to conflicting policies and weakens the enforcement of cybersecurity standards.”
The National Cyber Security Steering Committee (NCSSC), established to coordinate high-level cybersecurity matters, was also criticised for operating without clearly defined terms of reference.
“This has resulted in fragmented coordination and duplication of efforts,” said the audit.
Furthermore, the MCIT was faulted for delays in establishing key institutions like the Cybersecurity Coordination Framework and a Cyber Crisis Management Unit, both of which are crucial for national response in the event of major cyber incidents.
On legal reforms, the audit found that 40 percent of the proposed cybersecurity-related laws and regulations were not enacted, while 10 percent were only partially implemented.
“Without the legal muscle, enforcement becomes a mere suggestion,” the CAG emphasised.