The Cyber Crimes and Cyber Security Bill (cyber security Bill) has been mishandled. This is according to attorney Mark Heyink, speaking at ITWeb Security Summit 2016, at Vodacom World in Midrand yesterday.
Heyink was involved with the highly-criticised Bill since before it was opened to public comment and he believes there are still a number of critical issues with the Bill. This includes the fact that critical information was missing when it went out to public comment.
"At the time that it was published for public comment, the National Cyber Security Policy Framework remained classified, until about halfway through that period of three months. The National Critical Information Infrastructure Policy was only published after comment, and yet it is dealt with in the Bill. So how do we actually deal with those things when there is no transparency?"
He added there has been no clear white paper, green paper process in terms of the Bill that lawmakers are used to in other areas of legislation.
"This Bill is extremely wide and government still needs to consult even more widely then they have."
Heyink is part of the expert committee appointed to consult on the Bill but says he does not believe it is particularly expert.
"There is a dearth of information security people on the committee and it's critical, if we as lawyers are to draft proper legislation, that we need input from the information security community and from specialists in certain other areas. But for whatever reason, the wisdom has been that the lawyers must deal with this and not involve information security specialists. I think it is very, very wrong."
Slow process
There is no denying the legislation is long overdue and that enormous growth in cyber crime has necessitated the Bill becoming urgent, he noted.
"From a security perspective, we are no longer in a position where we are guarding physical things like borders or homes or buildings. The enemy is within and it is coming at us from all sorts of different attack surfaces that we have never even envisaged before.
"We know that security is critical for all South Africans; every single one of us as citizens understand our physical security. However, we don't have that same awareness insofar as our information is concerned."
He said it's essential when dealing with cyber security "that we don't create law that allows unscrupulous business or overzealous government to do what they like".
However, capacity and a lack of proper training and education remain an issue in SA, he pointed out.
"There is a dire lack of information security expertise in our country and yet we create a Bill that criminalises some of the things that those people are doing in good faith, and have to do to protect our economy and the various business interests in our economy."
There is a lack of education in terms of cyber crime across police, prosecutors and even judges, he commented.
"It's virtually impossible to lay a charge relating to cyber crime, or try get a prosecutor that understands it."
He said for any cyber security law to succeed, the process needs to be tackled as a multi-disciplinary initiative.
"Lawyers can't do this on their own, just as information security specialists cannot do things on their own."
Share