Does SA need a cyber commissioner?
Cyber security, data protection and legal experts have welcomed the Democratic Alliance’s (DA's) call for government to introduce a cyber commissioner to protect personal information handled by the state.
However, while there is consensus that the country urgently needs someone in this role, experts warn that challenges, including a lack of skills and siloed defence systems, could stifle the process.
In July, the DA announced the Cyber Commissioner Bill, officially called the Constitution Twentieth Amendment Bill, which aims to amend the country’s constitution and establish a cyber commissioner as a new chapter nine institution.
The party said South African state departments and critical infrastructure are currently insufficiently protected against cyber threats and lack the necessary tools to defend sensitive public information from breaches.
According to a statement released by the DA through advocate Glynnis Breytenbach, MP, shadow minister of justice and constitutional development: "The cyber commissioner’s powers will include establishing and maintaining cyber security capabilities across all state organs and entities dealing with public information, operating a cyber security hub for reporting, monitoring and investigating incidents and threats, advising the defence force on cyber defence capabilities, and guiding institutions responsible for critical infrastructure regarding cyber security."
The party has introduced the Cyber Commissioner Bill to Parliament and is looking to secure bipartisan support.
Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa, says: “It's a welcome piece of legislation, as the public sector divisions currently tasked with cyber defence are in different silos, they are under-funded, under-resourced, and lacking in much-needed skills and capacity. This results in significant cyber attacks against our critical infrastructure.”
Stephen Osler, co-founder and business development director of Nclose, notes that current cyber security legislation remains mostly unenforced.
“Addressing cyber threats requires a collaborative effort involving various stakeholders, including government bodies, law enforcement agencies and industry experts. The Bill introduced by the DA can serve as a catalyst for enhanced cooperation between these entities. By fostering partnerships, sharing knowledge and leveraging expertise, the nation can build a stronger defence against cyber threats,” he says.
Osler adds that he hopes this institution would be prioritised and receive requisite budgets to execute its mandate “… and work together with the private sector, law enforcement and educational institutions to address the skill shortages and capacity-building needs”.
Ahmore Burger-Smidt, head of regulatory practice (data privacy and cyber) at Werksmans Attorneys, comments that while establishing a properly constituted office dedicated to cyber could be a solution to cyber crime, adding legislation to what already exists could have the opposite effect.
“We have a Cyber Crimes Act in place, which provides for a specialist function. Notably this process remains in limbo. I would question why additional legislation would solve the current impasse. Will there be an inherent conflict in itself?
“The office of the information regulator is doing a splendid job of enforcing POPIA. But, sadly, it seems SAPS is lagging. This then means that one ought to understand the rationale informing the Bill. I do have to question why we cannot use existing legislation to the full extent rather than introducing new legislation. Legislation cannot fix everything that is not performing optimally.”
However, Shamaa Sheik, attorney specialising in knowledge management at Michalsons, says there are three laws that govern data: the Protection of Personal Information Act or POPIA, which requires responsible parties to protect personal data under their control; the Promotion of Access to Information Act or PAIA, which requires organisations to give requesters access to certain data the organisation holds; and the Cyber Crimes Act, which requires organisations to protect data from harm.
“In the current framework, the Information Regulator of South Africa has a dual mandate to enforce POPIA and PAIA. The regulator has also mentioned that organisations should consider the Cyber Crimes Act as part of their compliance frameworks.
“Since the Information Regulator already has oversight of two data laws (POPIA and PAIA), in many ways it makes sense for the regulator to be the cyber commissioner because they would be able to provide a multidisciplinary approach to the issue of privacy, the right of access to information and cyber security in South Africa. However, it is unlikely that will happen,” Sheik concludes.