Private, public partnerships needed to boost cyber security
SA's private infosec companies have more than a decade of knowledge and experience in safeguarding South Africans from internal and external threats.
Johannesburg alone has many infosec companies protecting banks, investment firms, mines and similar organisations, which is why a stronger emphasis on partnerships between public and private enterprises is needed.
Large corporates have the experience that empowers them to engage with public departments of a similar scope and size. These entities have been investing in knowledge and staff for more than a decade, far more than government has invested and procured.
Government can catch up and gain from knowledge transfer by engaging these private enterprises, and although contracting within government departments is not a new concept, the future cyber security infrastructure can be staffed much as in the US, where public servants and private contractors work together.
So said Christo Goosen, chapter lead at OWASP and a panelist at the ITWeb Security Summit 2016 to be held at Vodacom World from 27 to 29 May.
Speaking of what needs to change in terms of cyber security laws in SA, Goosen says he could produce an endless list of necessary changes.
"A big issue in public-private partnerships lies in a statement under the section of Private Sector Security Incident Response Teams, that says: 'Each sector must, within six months from the date of the publication of a notice referred to in subsection (1)(a) at own cost establish one or more Private Sector Security Incident Response Teams for that sector'."
Much of the law lays the cost of implementing provisions of the law on private companies and all interaction must go through government-appointed staff, he explains.
"One of my biggest issues with cyber security laws in SA is the terms and wording of these laws," says Goosen. "When investigating the cybercrimes and cybersecurity act we found that many of the terms were not accurate. Technical terms are important to prevent legal loopholes and exploiting the law."
As an example of such an inaccurate term, he cites the law's definition of a "critical database", which "means a computer data storage medium or any part thereof which contains critical data".
"If you consider that a data storage medium could also describe a hard drive, USB flash drive, CD, DVD, and suchlike, then this definition is completely vague and open to interpretation."
Another interesting term, he says, is "traffic data" which is described as "data relating to a communication indicating the communication's origin, destination, route, format, time, date, size, duration or type of the underlying service".
"As we know from the NSA revelations in America, the common terminology in the USA would be metadata instead of 'traffic data'. Our government would benefit from using international and common terminology."
Probably the most alarming part of cyber security laws in South Africa, he says, is the lack of protection of privacy.
"This is a difficult issue to deal with, but privacy when dealing with cyber security is important to the citizens of the country, companies with trade secrets, and journalists. It is important that we protect the privacy and constitutional rights of citizens and institutions of South Africa. It is imperative that we protect whistle-blowers and journalists, as they perform an essential service to a country."
An additional major issue with cyber security laws in SA, he believes, is that they were spearheaded by the State Security Agency.
"Although State Security must be involved in the process, the secrecy and classifying of documents does not facilitate an open and transparent process. The time for comments on the Cyber Bill was short and before the year's end, and the State Security Agency only published the law's viability study within the comments period. The public needs and wants protection from cyber threats, but the SSA must allow the public to be informed and involved in the process."
According to Goosen, there are several factors that should be top considerations when drafting these laws. "Punishment should match the crime. Increasing punishment merely on the fact that it was committed electronically does not justify punishments greater than committing murder. In addition, privacy should be considered, as well as partnering with all relevant parties (private infosec companies, privacy and IT lawyers, universities, security services)."
He says there should be independent organisations to oversee application of the law, accountability on the part of the organisations created under such a law, and protection for journalists, free speech and whistle-blowers, as well as for security / IT researchers and academics. "There should be investment into both private and public infrastructure."
At the moment, the laws are plagued by inaccurate definitions and wording, little accountability for government servants / departments and high punishments for the general public. "Guilty until proven innocent rather than innocent until proven guilty (in IT, proof is easily manufactured, presented to a paper-based judicial system, and ill-equipped members of SAPS must investigate)."
He added that companies found guilty of gross security negligence should be held accountable, and that the country needs to be equipped with the next generation of cyber defenders. "Finally, strengthening and building capacity for SA's existing infrastructure is needed."
On the plus side, Goosen said his organisation recently received notice that the justice department will revise the bill further and has requested experts to advise it. "We will potentially be involved in advising on the redrafting of this bill."