In cyberwar terms, South Africa is a big, fat sitting duck. Now, you could argue that is true across all spheres of defence, and you'd be right.
South Africa is vulnerable to attack by land, air and sea, and will continue to be so for the foreseeable future. While NATO countries talk about the need to spend 5% of GDP on defence in what is basically wartime, and consider 2% a bare minimum in times of peace, SA is way, way below 1%, with inflation set to keep eating away at even that.
What military capability the democratic government inherited from a very defence-focused apartheid regime has dissipated, including its reputation, and what little remains from those days is not fit for purpose in the modern battleground.
So, yes, South Africa is near defenceless in general, which is a conversation it needs to have with itself. And yet, even compared to that, it is particularly vulnerable to a full-blown cyberwar, which is perhaps the most imminent threat it faces.
SA is a big target, in that the first-world part of the economy offers a large attack surface. It is fat, in the sense that it would be strategically and tactically important for a range of different countries for a range of different reasons. And it is a sitting duck because it can't fight back.
Since Russia's full-scale invasion of Ukraine, but especially since Israel started bombing the hell out of Iran, that bit has become important. In the long-ago good old days (2021), the threat of cyberwar was calculated with reference to all kinds of diplomatic and economic factors, such as the international opprobrium an attacker would face. As of mid-June 2025, the question military strategists are asking themselves comes down to: how big a stick have we got? Much like with nuclear weapons, deterrence is the name of the game.
Notably, there doesn't seem to be a huge amount of discussion on the international scene anymore about whether anyone would be crazy enough to actually launch a total digital war, the kind that seeks to shut down electricity and water and banking, to either topple the government or open the way for conventional invasion. Fifteen years after the targeted military sabotage of Stuxnet, often called “the world's first digital weapon”, the proliferation is such that it is considered only a matter of time.
In retrospect, it is clear that military planners thought about cyberwar as something that would be covert, or at least undeclared, which would necessarily reduce the scale of operations.
In the harsh sunlight of 2025, it is hard to figure out what they were thinking, because nobody seems to be worried about the niceties of keeping war legal anymore, or even of violence. In a destabilised world, power trumps all, and displaying power is important.
Which means South Africa is cyber-toast. It has barely paid lip service to establishing a military cyber command, and unless it is really, really, utterly implausibly magnificent at keeping secrets, it has no digital attack capability at all. It is a risk-free target.
Or it would be, but for its friends.
The big caveat here is that we've learnt to be leery of military analysts. Ukraine was supposed to fall within days, and Iran was supposed to be able to defend its airspace much more effectively than it did.
Still, best evidence and all that. There is a sort of informal consensus ranking of cyberwar capability, and South Africa's allies, and allies-of-allies, are right up there. The US invariably tops such lists; it has poured vast amounts of money into developing the infrastructure to build digital weapons.
But Russia and North Korea have actually engaged in cyberwar-type operations, and have (successfully, they think) fended off the West in skirmishes, making them battle-tested in ways other countries are not.
Also, we only recently learnt the scale of North Korea's infiltration of coders into US and European software enterprises, and we still don't know what they may have achieved while embedded there.
Iran is now spoken of in the hushed tones reserved for the terminally ill, but is still thought to have considerable digital offensive capability.
Then there is China. Nobody really knows what goes on in the most secret recesses of China's military establishment, but nor does anyone think it is benign. Where the US deters with its posture, China deters through mystery. This has proven quite successful.
China may have learnt that trick from Israel, which is also invariably on the list. Its policy of ambiguity extends to cyberwar capability too. But when pagers and walkie-talkies started exploding, there was a rapid revaluation among its friends and foes alike on how large its cyber capability envelope may be.
The other country that invariably features is France. The European Union is still on the passive-defence side of the spectrum, thanks to Germany's apparent revulsion at the idea of cyber offence, but France has been more aggressive, and could possibly hold its own if things got no-holds.
With the exception of Israel, South Africa is on warm to friendly terms with all those countries, even, right this second, the US. Should South Africa be attacked, all bar Israel may use aggression against South Africa as cover for a demonstration of their abilities. Perhaps not of their top tier weapons, but of stuff they have in reserve that is suffering from time decay, the equivalent of degrading munitions. Thing is, if you look at that list, it is hard to think of another country that would not have an enemy on the list of countries that could seek to avenge South Africa.
You could say that SA achieves cyber deterrence by way of a mixed bunch of acquaintances who are spoiling for a fight.
That is better than being dependent on a single defender, as a Europe now bereft of certain American protection can attest. But it is a whole lot better than being entirely defenceless, as is the case for most countries in an ever more dangerous world.