Calls for finalisation of Cyber Security Bill

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 10 Jun 2024
SA ranks 59th globally in terms of cyber security maturity.

Demand for the finalisation of SA’s legislative framework on cyber security has again escalated, with security experts urging speedy action.

This, as the country does not have a framework to decisively deal with cyber security, after the cyber security aspects were removed from the Cyber Crimes Act.

ITWeb last week hosted the Johannesburg leg of Security Summit 2024, bringing together local and international cyber security experts, CISOs, stakeholders and business decision-makers.

The experts participated in panel discussions during the summit, unpacking the state of SA’s cyber threat landscape and the legislative frameworks.

Jacqueline Fick, CEO of VizStrat Solutions, who is among the experts charged with drafting the Cyber Security Bill, shared that although the process to get the Bill finalised is under way, it needs to be fast-tracked.

In terms of cyber security maturity, SA is ranked at number 59 globally and is likely to go up in the ranking, according to Fick. However, a hindering factor could be that state institutions have of late suffered large-scale cyber attacks; for example, the Department of Justice and Constitutional Development (DOJ).

Additionally, there have been major ransomware attacks, she stated, noting this only speaks to those that have been reported.

“I am very positive that if we have things like our strategy in place, which we need to fast-track, push for our Cyber Security Bill to be finalised, together with the Cyber Crimes Act and work on the implementation thereof, we might just go up a little bit from number 59.”

Ayanda Peta, CISO of African Rainbow Minerals, pointed to three areas that need to be prioritised to ramp up the response to cyber threats: resilience, cyber hygiene and functional legislation.

“We’ve got the Cyber Security Bill coming up. This Bill needs to be followed by a clear directive around critical infrastructure…we need a separate directive from the State Security Agency, for instance, highlighting the importance of critical infrastructure.

“We’ve seen the ripple effects that cyber threats have on organisations or companies that deal with critical infrastructure and contribute largely to the country’s GDP. It’s a big issue when they are impacted.

“From a legislation point of view, we’ve come a long way from 1996, when we just had the minimum information security standards, to where we are now with the incoming Cyber Security Bill.

“We’ve seen a clear focus around financial institutions that are quite important when it comes to protecting that cyber landscape.”

Initially introduced as the Cyber Crimes and Cyber Security Bill, SA’s Cyber Security Bill is still in the development phase.

The Cyber Crimes and Cyber Security Bill was first published by the DOJ in 2015, updated in January 2017 and introduced in Parliament on 22 February 2017.

After public consultation, it was decided to remove cyber security aspects of the Bill and have a standalone Cyber Crimes Act, which was published in 2018 and signed into law by the president in May 2021.

South Africa’s Cyber Crimes Act came into partial operation on 1 December 2021.

Law firm Michalsons explains that after the cyber security aspects of the Bill were removed, the country is in the process of creating the Cyber Security Bill. In developing this Bill, public and private sector players all have to participate.

Given the importance of securing information in cyberspace, the law will play a role in regulating how that is done in SA, according to the law firm.

In addition, the Cyber Security Bill is anticipated to have a big impact on financial and other institutions that have infrastructure that might be declared as national critical information infrastructure, as well as electronic communication service providers.

Munyaradzi Silomonye, cyber crime operations officer at Interpol, said most of the cyber crime happening in the African region occurs via business e-mail compromise through phishing attacks, as well as fake investment and jobs scams.

Zoning in on SA, he said ransomware attacks are targeted at private organisations. “A private company working with Interpol indicated there were 300 cases of ransomware attacks targeting SA. Meanwhile, another private company indicated that about 78% of companies in SA suffered ransomware attacks or attempts.

“Without creating communities that try to find these threats, we cannot succeed in addressing cyber threats in our region. The private sector and police need to work together,” Silomonye concluded.