The highly-criticised national Cyber Crimes and Cyber Security Bill (cyber security Bill) may be what SA needs to effectively combat cyber crime, says Graham Croock, director of IT audit, risk and cyber lab at BDO South Africa.
The legislation has not yet been implemented, as parliament still has to make a decision on it.
Those against the Bill say it is too wide and more consultation is needed. Some believe the law would be excessive because SA already has at least four pieces of legislation and one policy that can be used to fight cyber crime.
Currently, there is the Electronic Communications and Transactions Act 2002, the Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002, as well as the Protection of Personal Information Act and the National Cybersecurity Policy Framework.
However, Croock and Lucien Pierce, a partner at Phukubje Pierce Masithela Attorneys, say while each of these pieces of legislation have elements that address cyber crime, "they are just not adequate enough to deal with the highly complex and multijurisdictional methods that cyber criminals now utilise in this day and age".
"It would require a seasoned lawyer to extract the relevant provisions of the pieces of legislation and to craft a satisfactory charge sheet or summons for some of today's complex cyber crimes."
Croock gave the example of a hacker who breaches security systems, then steals intellectual property, sells clients' personal information, makes all the company's computers slaves in a botnet, and incapacitates the computer network by using ransomware.
"The lawyer would have to be an expert on each of the pieces of legislation and rely on portions of each of the above laws to address each of the different types of crimes committed in this context," says Croock.
"It is for this reason that firstly, our laws need to be modernised, and secondly, the requisite of having one comprehensive law that is able to account for any of these circumstances."
Croock says the cyber security Bill will put SA on par with other related international laws such as the Council of Europe's Budapest Convention on Cyber Crime.
"Through the [cyber security] Bill, one comprehensive piece of legislation is formulated which can address the realities of present day cyber crime by creating offences and prescribing penalties related to cyber crime, regulating jurisdiction, as well as the powers to investigate, search and gain access to or seize items in relation to cyber crime."
Wide scope
The proposed Bill was drawn up by government as a reaction to increasing cyber crime in the country.
According to David Mahlobo, minister in the State Security Agency (SSA), SA loses up to a billion rand annually due to cyber crime.
He says the cyber security Bill aims to give SA a co-ordinated approach to cyber security, as suggested by Croock.
The Bill also creates about 50 new offences related to data, messages, computers and networks. An example of a new offence would be if someone uses personal or financial information to commit an offence, hacking, unlawful interception of data, as well as computer-related forgery and uttering, extortion or terrorist activity.
In terms of the Bill, penalties can range from one year to 25 years imprisonment, or a fine of R1 million to R25 million.
Invasive power
Freedom of expression and advocacy group Right2Know (R2K) called for the cyber security Bill to be scrapped on the grounds it gives government too much power.
The advocacy group listed seven deadly sins of the Bill on its Web site, which include handing over control of the Internet to the ministry of state security, granting backdoor access to any network, and increasing the state's surveillance powers. It says it is even more invasive than RICA.
Law firm Michalsons also previously noted the Bill gives the South African Police Service and the SSA extensive powers to investigate, search, access and seize anything (such as a computer, database or network) wherever it might be located, provided they have a search warrant.
Share