Hands off cyber security, ICASA told
South African telcos, Internet service providers, industry bodies and analysts are largely of the view that the Independent Communications Authority of SA's (ICASA's) forays into cyber security will bear hard upon the already overburdened telecommunications regulator.
Today and tomorrow, ICASA is holding public hearings on the discussion document, which was published to solicit written submissions regarding the authority's role and responsibilities in the regulation of cyber security.
The regulator says the publication of the discussion document was prompted by the proliferation of Internet interconnections and increased data services that have led to a significant growth of cyber attack incidents, often with disastrous consequences.
Cyber security is currently the realm of the Department of Justice and Constitutional Development, which drafted the Cyber Crimes Bill. The Bill is close to becoming law, as it was passed by the National Assembly in November last year.
ICASA received 11 submissions in response to the invitation contained in the discussion document.
Duplication and waste
In its written submission to ICASA, Cell C, SA's third biggest mobile operator, says it agrees with the regulator that cyber security is an important and necessary area for regulation.
"However, in our view, it [cyber security] is not an area that ICASA needs to become involved in, nor is it appropriate for ICASA to become involved here," says Cell C.
"It is Cell C's considered view that ICASA's role, as mandated in law, is to regulate the electronic communications, broadcasting and postal sectors and not to regulate cyber security, and that to do so would, in fact, result in unnecessary duplication and waste of resources.
"It is inappropriate for ICASA to take on other functions that are not only directly related to its functions, but that are already catered for by a plethora of other authorities. It would be wasteful of ICASA's already limited resources to extend itself into cyber security," it adds.
In its submission, SA's biggest mobile network operator, Vodacom, says it shares the authority's view that the regulatory functions of ICASA have to evolve as technologies evolve.
However, it says: "The authority should be mindful that 'command and control' interventions by national regulators are unlikely to be effective in borderless ICT ecosystems where many of the players in the value chain are unlicensed. Indeed, heavy-handed interventions may have unintended adverse outcomes in the form of depriving users of applications and content and constraining innovation.
"Although the collaboration between various governmental institutions and sectors will be of paramount importance to manage cyber security related concerns, the authority should guard against assuming functions and roles in relation to cyber security which are being dealt with by other regulatory bodies," says Vodacom.
MTN submitted that ICASA should play a role with respect to cyber security by engaging with the ICT sector and providing technical and industry expertise.
However, it says: "It will not be appropriate for the authority to take a lead in regulating cyber security since the Department of Justice and Constitutional Development has initiated the Cyber Crimes and Cyber Security Bill and is best placed to regulate such matters."
Telkom says it supports a regulatory framework which promotes regulatory certainty with a clear delineation of roles and responsibilities between regulatory authorities with regard to identifying cyber crimes, protecting consumers against cyber crimes and response mechanisms.
Meanwhile, the Internet Service Providers Association (ISPA) is of the view that cyber security is not directly related to convergence in the broadcasting, broadcasting signal distribution and telecommunications sectors.
"ISPA does not believe that the authority has a clear mandate at all in respect of cyber security," it says in its written submission.
It adds that the Department of Justice and Constitutional Development and the National Prosecuting Authority have an overall responsibility for facilitating cyber crime prosecution and court processes in accordance with the applicable laws.
Jon Tullett, research manager for IT services for Sub-Saharan Africa at IDC, comments that SA has a National Cybersecurity Policy Framework (NCPF) and the Cyber Crimes Bill in place, and ICASA should certainly have a role within that, interpreting national cyber security policy requirements into telecom policy and facilitating or centralising oversight and communications with the telecom industry.
"But to be frank, ICASA is very late with cyber security here; the NCPF and Cyber Crimes Bill will be four years old this year. This consultation process is several years overdue.
"Cyber security is a very different role for ICASA than its established functions such as spectrum reallocation, which is, of course, a much more urgent fish to fry. The telco players have long since established their own security practices with teams overseeing operational security, privacy, law enforcement, surveillance, and so on.
"If ICASA is going to establish a role in cyber security, it will need to align with the capabilities that are already in the field, and it needs to demonstrate an ability to lead, co-ordinate and act much faster; security threats and practices evolve a lot faster than telecoms policy."
For World Wide Worx MD Arthur Goldstuck, it is a difficult question at this stage in SA's digital evolution, as there is a great need for regulatory involvement in cyber security policy, but also a great resource constraint on a body like ICASA adding this area to its already vast responsibilities.
"The more appropriate home for security regulation is in financial services, as that is where the greatest threat lies. The ideal would be for a cross-agency body that takes into account the communications sector, which is currently ICASA's ambit; the financial services sector, largely under the Financial Services Board; the interests of consumers, now under the National Consumer Commission; and the broader information protection environment, under the Information Regulator.
"None of them would be an effective home, in themselves, to develop and regulate cyber security policy. However, all need to be involved, which suggests a new regulatory initiative."
Nonetheless, Lucien Pierce, partner at Phukubje Pierce Masithela Attorneys, believes ICASA has a role to play in cyber security.
He explains that the legislation which governs ICASA deals with aspects of cyber security. For example, he notes that one of the objectives of the Electronic Communications Act is ensuring "information security and network reliability".
"Taking into account what the Electronic Communications Act says, and considering examples of the hacking of broadcasting services and the growth in issues such as fake news, ICASA undoubtedly has an important role to play in cyber security," Pierce notes.
However, he says: "As much as I believe that ICASA has an important role to play, it would be prudent to avoid the duplication of resources with other government departments involved in South Africa's cyber security plans."