Cybersecurity is a growing concern for governments – and citizens – across the world. Africa is no exception: in 2017, a number of African countries, particularly Nigeria, Angola, Egypt and South Africa, were affected by the WannaCry ransomware attack (two years on, one million computers are still at risk). In fact, according to Serianu’s Africa Cyber Security Report 2017, 96% of cybersecurity incidents in Africa go unreported or unsolved.
South Africa has seen a number of ransomware attacks, including one on Liberty Holdings (which caused the company’s share price to fall 5%), the ViewFines data breach (where almost a million records containing sensitive personal data were exposed), the attack on Johannesburg City Power, and the massive DDoS attack on IT service provider Cool Ideas.
The Ponemon Institute states that the average cost of a data breach in South Africa in 2018 was R36.5 million, up from R32 million in 2017, and, according to cyber-analytics firm Kaspersky Lab, there are 13 842 cyber-attacks daily in the country.
South Africa – along with Africa in general – lags behind when it comes to cybersecurity, and its government faces various cybersecurity challenges, including lack of ICT skills and co-ordination between inter-governmental departments. The country has attempted to improve and strengthen its cybersecurity legislation and policies, however, but many gaps remain. This vulnerability is to the ultimate detriment of citizens.
Cybersecurity regulatory and policy development in South Africa
In 2012, the South African Cabinet adopted a National Cybersecurity Policy Framework (NCPF) to set out a focused and coherent approach to ensure the security of the country’s cyberspace.
The NCPF aims to address the lack of co-ordination between various governmental bodies, the lack of an effective regulatory framework to support the country’s cybersecurity, inadequate public awareness, and lack of ICT capacity, skills and resources. The NCPF outlines policy guidelines related to cybersecurity in SA and requires government to develop detailed cybersecurity policies and strategies.
The NCPF aims to address national security in terms of cyberspace security, for example cyber-warfare, cyber-crime, cyber-terrorism, and cyber-espionage. It also aims to review existing laws relating to cybersecurity, as well as to implement measures to build confidence and trust in the secure use of the country’s ICTs.
Under the NCPF the Cybersecurity Hub was established. The hub is South Africa’s National Computer Security Incident Response Team (CSIRT); it’s a decision-making body that identifies and counters cybersecurity threats. The CSIRT also creates public awareness around cybersecurity threats and education through up-to-date alerts and a portal on its website. The Cybersecurity Hub works in co-ordination with various sector CSIRTs such as telecoms, retail, finance, health, and higher education.
Departments and organisations involved in cybersecurity
There are various governmental departments and organisations working in tandem to reinforce South Africa’s cybersecurity. These include the Centre for Scientific and Industrial Research (CSIR), the State Information Technology Agency (SITA), the State Security Agency (SSA), the South African Police Service (SAPS), the Hawks, the South African National Defence Force (SANDF), and the Department of Communications and Digital Technologies (DCDT). The Department of Defence (DOD) is responsible for the overall co-ordination, accountability and implementation of cyber-defence measures in South Africa, as a core function of its constitutional mandate.
Cybersecurity policies and bills established by the NCPF
The Cybersecurity Response Committee (CRC) – a strategic body chaired by the State Security Agency and responsible for overseeing the implementation of the NCPF – has finalised the development of the following (draft) policies and Bill (see next point):
- National Critical Information Infrastructure Policy (led by the State Security Agency)
- National Cybercrime Policy (led by the South African Police Service)
- The Cybercrimes Bill (led by the Department of Justice and Constitutional Development).
The Cybercrime Bill
The first draft of the Bill was published in 2015; the Cybercrime Bill was updated in 2017 and was introduced in parliament a month later. The Bill was initially twofold as it dealt with cybercrime and cybersecurity. However, during the public participation period concern about citizens’ privacy and freedom of expression emerged, resulting in the Portfolio Committee on Justice and Correctional Services removing all clauses in the Bill pertaining to cybersecurity.
The latest version of the Bill, called The Cybercrime Bill (which only deals with cyber-related crimes, including evidence gathering, penalties, and jurisdiction of the courts) was passed by the National Assembly in November 2018. The Cybercrime Bill is currently in the process of being enacted into law.
The Cybercrime Bill established many new offences, such as hacking, ransomware, cyber-extortion, and unlawful interception of data. The Bill provides South African courts with additional powers if offences are committed outside the Republic. The Bill also places obligations on service providers and financial institutions to report offences to the police within 72 hours, and that they need to preserve any evidence related to the offence.
Once the Bill is enacted, it will repeal Chapter 9 and sections 85, 86, 87, 88 and 90 of the Electronic Communications and Transactions Act, No 25 of 2002 relating to cybercrime offences.
Where South Africa falls short – and where it’s way ahead
According to Ewan Sutherland, in Governance of Cybersecurity – The Case of South Africa, the Protection of Personal Information (POPIA) Act of 2013 ensures data privacy, but its policies are only being implemented slowly and it has “overly wide exemptions for national security” – which includes cybersecurity. Sutherland goes on to state that South Africa lacks government cybersecurity co-ordination (between national and municipal levels, as well as with outsourced vendors).
There is also lack of adequate assessments of cybersecurity risks and insufficient transparency. Furthermore, the NCPF is complex and is being implemented at a slow pace; there is also limited parliamentary oversight due to its technical complexity. Finally, there’s the major challenge of raising and maintaining cybersecurity culture amongst South Africans, and to persuade citizens to adopt good practice for cybersecurity.
Although South Africa lags behind in certain aspects of cybersecurity, the steps its government is taking to solve these issues must not be ignored – it should be noted that South Africa is one of only 28 countries globally to have a cybersecurity policy in place. It is a matter of time before the NCPF’s implementation – as well as the Cybercrimes Bill – becomes a reality.