
Cyber security policy criticised

By Alex Kayle, Senior portals journalist
Johannesburg, 29 Jun 2010

SA's first cyber security policy has been called unclear, as it fails to mention how the Department of Communications (DOC) will roll out and manage national and sector-based computer security incident response teams (CSIRTs).

This follows a 30-day period of public comment on the draft cyber security policy, which communications minister Siphiwe Nyanda gazetted on 19 February.

Jabu Radebe, chief director of ICT security at the DOC, highlighted at the department's cyber security colloquium, held in Midrand last week, that these were the biggest concerns.

“In terms of cyber security, there is no clear line regarding how standards should be enforced and ensuring that companies comply with those standards,” said Radebe.

Multi-stakeholder approach

He added that one of the major complaints was the lack of clarity within the policy and the fact that no roles have been defined to determine responsibilities. In addition, it has left questions as to what the relationship would be between the national and sector CSIRTs.

“There were issues around the advisory council and how it would be constituted,” explained Radebe. “And there were issues around funding for CSIRT research and development.

“In terms of the policy, some of the issues do not necessarily reside only with the DOC - it's important to bring in other stakeholders. We will also be engaging with academia and the Department of Trade and Industry to assist us in what resources will be utilised to further this cause. It's a multi-stakeholder approach.”

The DOC has called for collaboration between government and the private sector, saying cyber security has become a government priority and that the draft policy aims to tighten up online security.

The Information Security Group (ISG) of Africa has been spearheading the movement for years to employ CSIRTs to deal with online threats, and has applauded the move by government to establish the policy, which is expected to be approved in two months' time, according to the DOC.

ISG Africa will work with government to drive skills development in the CSIRTs. The DOC also plans to develop a National Cyber Security Advisory Council, which aims to advise the communications minister on policy and public-private partnerships.

The establishment of the CSIRTs and advisory council will begin immediately after the policy is approved, according to Radebe.

No silver bullet

UJ IT professor Basie von Solms said it is impossible to secure the Internet completely from cyber threats. “Like general crime, we will never eliminate cyber crime because the Internet is constantly expanding; the best we can do is to lower the risk.”

He added that according to a 2009 UK cyber crime report, cyber criminals complete an online crime every 10 seconds. “Law enforcement agencies worldwide are losing the battle against cyber crime. However, even though we are not winning, we are certainly not giving up either.”

Von Solms called for voluntary information security management standards such as ISO SANS 27002 to be enforced as mandatory for businesses. “I challenge the government and the National Cyber Advisory Committee to enforce minimum standards of security practices for businesses. It will go a long way to address security for businesses and end-users.”

Responding to Von Solms, Ian Campbell, head of the ISG Africa response team, said the goal should not be to strive for a perfect solution or policy but rather to make the Internet safer. Campbell called for transparency and a clear picture of what cyber crime is costing the country.

“Right now we don't have any proper legislation or statistics around a true picture of what cyber crime is actually costing the country. CSIRTs are the equivalent of a fire station. I think what the concerning situation is, is that SA currently has no fire stations, and the risk means that the entire place could burn down and we have no way yet to respond.”
