South Africa’s Cyber Crimes Act ‘not yet active’
This means the legislation cannot be used in prosecuting any of the high-profile cyber attacks the country faced in recent months, says DFIR Labs principal forensic analyst Jason Jordaan.
During a recent meeting with ITWeb, IBM’s Antoinette Eckersley also noted enforcement is the biggest challenge, since the Act has not been promulgated.
Commenting on the implications of the Act not legally being in force, Jordaan explains. “Basically, it means that until the Act commences, we cannot investigate or charge people for committing any of the offences defined in the Act, and the longer it takes for the Act to commence, the longer it takes to bring perpetrators to book for any of the offences defined in the Act.”
Noting the need for the Cyber Crimes Act, law firm Michalsons says cyber crime is on the increase, and the Act aims to keep people safe from criminals, terrorists and other states.
It also consolidates cyber crime laws into one place. Essentially, it aims to stop cyber crime and improve the security of the country.
South Africa has witnessed high-profile cyber attacks and cyber crimes in the public and private sectors increasing at an alarming rate in the wake of the COVID-19 pandemic.
A Trend Micro report rankedSA in the top 30 most-targeted countries for malware attacks and top 20 for COVID-19-related e-mail threats.
A survey conducted by ITWeb and KnowBe4,foundSA is in the firing line of cyber attackers. It revealed that locally, nearly a third (32%) of organisations in the government and education sectors have been hit by ransomware.
More recently, a report published by Interpol reveals the African region experienced attacks against critical infrastructure and frontline services during the pandemic, most prominently in SA and Botswana.
The report notes the cyber attack on Life Healthcare Group, which manages 66 health facilities, is a key example.
Criminalising cyber crimes
In 2015, the Department of Justice and Constitutional Development initiated the process to establish decisive policy in the form of the Cyber Crimes Bill, responding to the country’s lack of legislation in this area.
The initial draft Bill was not well received, with critics saying it was too broad and open to abuse, and a threat to the fundamental spirit of the internet, which is open and democratic.
Subsequent changes to the Bill, including the removal of some of the security obligations, saw it drop the “security” part of the originally named Cyber Crimes and Cyber Security Bill.
In November 2018, it was adopted by the National Assembly, and transferred to the National Council of Provinces for agreement, to eventually reach the president to be signed into law.
President Cyril Ramaphosa in June signed the Cyber Crimes Bill, making it an Act of Parliament.
Jordaan explains that while the Act is now the country’s cyber security law, it is not yet active.
“The law only becomes active and thus in force when the state president announces a commencement date in the Government Gazette. This is similar to the situation we found ourselves with when the Protection of Personal Information Act was signed into law, but various sections had different commencement dates, which were years after the Act actually become law.”
“While the state president is responsible for determining the commencement date for the Act, he generally makes the decision in conjunction with the relevant government ministries that are affected by an Act. In the case of the Cyber Crime Act, this is likely to be the ministry of police and the ministry of justice, along with both the South African Police Service (SAPS) and the National Prosecuting Authority (NPA).
“The Act places a number of obligations on both the SAPS and NPA, and while I cannot confirm this, based on previous experience, the delay in setting a commencement date for an Act is to allow affected departments to essentially get themselves ready to comply with the Act. I do know there is considerable work going on behind the scenes to get us into a position where a commencement date can be announced for this Act.”