Getting to grips with the Cybercrimes Act
The commencement of some sections of South Africa’s new Cybercrimes Act and the Protection of Personal Information Act (POPIA) will go some way to helping in the fight against the growing international cyber crime scourge, but ultimately, it is up to every digital technology user and organisation to play their part in dealing with the problem.
That was the consensus of the speakers at a recent Mimecast and ENSafrica webinar that examined the implications of the new Act and discussed how organisations could best navigate the current cyber threat landscape without inadvertently finding themselves on the wrong side of the new law.
Mimecast Cybersecurity Expert Mikey Molfessis said the sophistication and extent of cyber attacks, including ransomware attacks, are increasing internationally and locally. Those that hit the headlines are only the tip of the iceberg – and many organisations that fall prey to attackers fail to recover their data even after paying the ransom, usually in untraceable cyber currencies such as Bitcoin. The company’s latest State of Email Security 2022 report showed the problem continuing to worsen. Sixty percent of respondents said they were hurt by a ransomware attack in 2021, up from 47% in 2020.
This was why the introduction of the Cybercrimes Act was to be welcomed, said specialist technology lawyer and Director – Technology, Media and Telecommunications at law firm ENSafrica, Ridwaan Boda. According to Boda, the Cybercrimes Act is aimed at bringing South Africa in line with global trends in cyber crime law, and to address weaknesses in local legislation that failed to codify the changing cyber threat landscape.
“Part of the government’s thinking in introducing this legislation is to make it more difficult for cyber criminals to operate or perpetrate crimes on South Africans, and also to give the relevant law enforcement authorities more power in order to act against and investigate alleged offenders,” Boda explained.
He added, however, that while the Act gave some degree of direction to the law enforcement authorities as to how to respond to reported cyber crimes, questions remained over their capacity to do so.
Boda noted that while the 2012 National Cybersecurity Policy Framework defined cyber crime as “illegal acts, the commission of which involves the use of information and communications technologies”, this definition was too vague to enable law enforcement authorities to investigate and act against alleged offenders. The definition also did not have any legal status or effect.
This has now changed, with the Act codifying a host of offences such as cyber fraud; cyber forgery and uttering; cyber extortion; the theft of incorporeal property including patents; and other aggravated offences.
In addition, the Act recognises as offences unlawful and intentional acts such as unlawful access (to networks); unlawful interception of data, including acquisition, capturing and copying; unlawful acts in respect of software and hardware tools; and unlawful interference with data or a computer program.
The Act also specifically addresses the dissemination of malicious data messages. So, for example, data messages that incite damage to property or violence (think of the cheerleaders of last year’s riots); data messages that threaten persons with damage to property or violence (think of politicians tweeting disliked journalists’ addresses); and data messages of intimate images (think of a jilted boyfriend texting intimate photos of a former girlfriend to his mates) are now all recognised as criminal actions.
The penalties for conviction of any of these cyber crimes range from one to 15 years’ imprisonment, or a fine, or both.
While the introduction of the cyber crimes legislation was to be welcomed, Boda warned that it came with potentially unintended consequences in which “ordinary people” could find themselves being classified as cyber criminals. For example, an IT team within an organisation perpetrating a denial-of-service attack against cyber criminals trying to hack their network, albeit as an act of self-defence, could find themselves being charged with an offence.
Similarly, an organisation could be held liable for the illegal actions of an employee in various ways.
“This is where the organisations’ policies and procedures become quite critical. Not only do they have to state quite clearly where to draw the line in terms of ensuring organisational security, but also in terms of acceptable use policies by employees and what the organisation deems acceptable behaviour,” Boda said.
While he regarded the Act as a good step forward, he said organisations and the people within them had to act as the first line of defence against cyber criminals rather than relying on the law enforcement agencies to take steps against perpetrators after the fact. Once an organisation has suffered an attack, damage to reputation has already been done and resulting downtime cannot be recovered.
According to Molfessis, organisations needed to implement robust cyber resilience strategies. This includes having a security awareness programme for all staff members, implementing layered security that secures all attack vectors and ensuring various security solutions are integrated to share threat intelligence, so as to identify, understand and mitigate risks and prevent harmful attacks.
“Organisations also need to have the right recoverability in place to continue with business in the event of a successful attack,” Molfessis added.
Boda noted that while IT security is the responsibility of everyone in an organisation, in terms of King IV, IT governance is a board responsibility.
“The board has to ensure that all those in the organisation, from IT to risk to legal to HR, who have to develop and implement cyber security policies, and train staff on these issues, have the means to do so. Cyber security must start at the very top and then percolate through the organisation to the very bottom,” he concluded.