The Independent Communications Authority of South Africa (ICASA) intends to conduct an inquiry to determine its role and responsibilities in relation to cyber security in the country.
The regulator published a Government Gazette on 28 September containing a discussion document outlining the plans for the inquiry and what it aims to achieve from the exercise.
"In order to fulfil its mandate of promoting the interests of consumers with regard to price, quality and the variety of electronic communications services and ensuring information security and network reliability, the authority decided to solicit views and obtain information that will assist it to define its role in the cyber security environment," the regulator says.
Interested parties are invited to give written submissions by 30 November.
"The authority as an ICT regulator intends to play a significant role in the national cyber security effort of the country. While cyber security is a shared responsibility of government, the private sector and individuals alike, the authority recognises that only national government is in a position to lead a collective nation cyber security effort. However, given the constantly changing ICT environment and the dynamics of cyber security, the role of the authority has to be assessed and if there is a need for evolution, it should be applied," ICASA explains.
"The aim of this discussion document is to explore the evolving role of ICT regulators in the governance of cyber security in different countries, with the aim of deciding whether the authority should adopt similar roles taking into account the confines of South African law.
"Cyber security ensures the public continues to enjoy the benefits ICTs bring by managing the vulnerabilities and the risk of exploitation. Government, regulators, private sector organisations and individual users all have a responsibility to make efforts in creating a safe cyberspace," ICASA adds in the document.
Regulator's role
Adrian Schofield, ICT veteran and programme consultant at IITPSA, says insofar as ICASA is the regulatory authority for the portfolios of the departments of telecommunications and postal services and communications, it would be appropriate for the authority to conduct such an inquiry, providing it is carried out with an "open mind" and is not intended to reinforce preconceived notions.
"There is always merit in having a dialogue with the affected parties before tabling any regulation or legislation. The merit is decided by the willingness of the parties to reach consensus on appropriate outcomes.
"In this case, it is important that any subsequent regulation facilitates better cyber security practices in South Africa, incorporating international standards and best practice. This is a globalised environment and any national regulation must take that into account," he says.
However, Arthur Goldstuck, MD of World Wide Worx, disagrees, saying that a body focused on only two specific industries, broadcasting and telecommunications, is an inappropriate vehicle for overseeing such a complex arena.
"There seems little point in a narrow industry inquiry that should be part of a bigger discussion, in the context of a cross-industry inquiry.
"The pressure presently on ICASA to resolve numerous outstanding issues around licensing and allocation of spectrum further underlines the inappropriateness of tasking it with this responsibility, which is arguably far bigger than the one it already has," Goldstuck says.
"ICASA has [in the past] conducted surveys and issued commentary on cyber security issues. It should be cognisant of these, in the context of most South Africans becoming vulnerable to cyber attacks and malware through their use of the Internet and mobile phones. This is an appropriate context for it to play a role, but only a subsidiary role under a broader cyber security initiative. By focusing only on cyber security in telecommunications, it is tackling the problem piecemeal.
"Network reliability is core to ICASA's role, so it does have a role to play in information security in the context of network reliability and consumer protection, but it must be understood that information security is as much a business and industry issue as it is a consumer protection concern," Goldstuck adds.
Jon Tullett, research manager for IT services, Sub-Saharan Africa at IDC, says it is a good thing that ICASA is reviewing its role, but this needs to be addressed and coordinated from a higher level.
"We do after all have a National Cyber Security Policy Framework (NCPF), though it doesn't make much explicit mention of ICASA; presumably its role will be defined in accordance with that framework. What, for example, should delineate the role of the communications regulator from the information regulator who oversees privacy issues?" he questions.
"South Africa tends to take a very long-winded approach to ICT policy formulation and enactment. Cyber security is a fast-evolving field and it's harming the economy today. While we shouldn't rush into ill-advised policies, we do need to move a bit faster. Unfortunately, this is a case in point; that NCPF was gazetted in 2015, but it appears ICASA is only starting to think about its role in 2018," Tullett adds.
Schofield says one could argue that ICASA is somewhat late in commencing the investigation into its role in cyber security. "However, this may be a good thing, as many of the issues around cyber security have matured, giving the stakeholders a clearer picture of the matters that should be regulated and those that should not."
ICASA says the discussion document serves as the first step of consultation with stakeholders in the sector. Following its publication, the public will be given an opportunity to submit comments, and should it be deemed necessary, a public hearing will be convened and thereafter a findings document will be published.
Share