In the shadows of the cyber colossus
Will legislation, in the form of the Cyber Crimes and Cyber Security Bill, reduce the risk associated with cyber crime?
It might come as a surprise that South Africa is not always rated near the bottom in international surveys. According to various reports, the country comes out either third or sixth in the world of top cyber crime hotspots.
Online sources that make this claim quote either a Columinate or an FBI report to back up their statements; my attempts at sourcing the reports directly failed. Perhaps my Googling effort was not strong; in any case, our very own government claimed - on the release of the Cyber Crimes and Cyber Security Bill for public comment - the country is losing R1 billion annually due to cyber crime. So, no matter where SA ranks, it's pretty clear something needs to be done.
In light of this, the Cyber Crimes and Cyber Security Bill, which was gazetted in August 2015 and was open for comments until 30 November 2015, is a much needed piece of legislation and is designed to bring SA into the 21st century. Who can say no to that? Like most legislation, it's a dull, 128-page read that someone would peruse only for financial gain or if they have a nagging suspicion that special interest groups and the state may not have their best interests at heart.
Motivated by the latter, I fortified my resolve and proceeded to read the Bill. I could only persevere to page 53 of 128 before succumbing to narcolepsy. Fortunately, the restorative properties of the power nap did the trick, and upon return to normal brain function, I managed to soldier on through the document, albeit not as thoroughly as planned.
The Bill, in its current form, has many critics, and the issues have been covered extensively in other articles. In brief, the main criticisms concern:
* The criminalisation of movie and music sharing, which is a copyright violation, not a crime. (One would have thought spammers deserved this more than copyright infringers, but they get off scot-free);
* Journalists' concerns about protection for whistle-blowers and themselves, and the consequences for the publication of "state secrets" that may be in the public interest;
* The requirements for a warrant being issued under the Act being vague; and
* The militarisation of SA cyber space, with the directive for the newly established Cyber Command to build offensive capabilities.
However, the biggest concern is that the numerous bodies to be set up under the Act to guard against cyber crime and cyber attacks, prepare cyber defences and responses, manage a state of readiness, and ensure public-private co-ordination will all be under the control of the State Security Agency (SSA).
This is the very same intelligence agency that jammed cellphones "by accident" in Parliament and had its laptops and R15 million, or was it R50 million, in cash stolen from its ultra-secure headquarters in Pretoria during the Christmas holidays. Apparently, the thieves had keys to the safe and the cameras never worked. Mission Impossible-style espionage.
There are two points I did not see coverage of in my readings. One is whether section 6 of the Bill will criminalise cyber security research, and the development of security analysis tools by anyone other than the state. The Bill makes it a criminal offence merely to possess software that may be used to perpetrate a crime, as defined in the Act, although there is a reference to intent. From my reading, a person could be arrested just for running a Tor (The Onion Router) node.
The other point is that usually a specific warrant is required to search or seize "articles", defined in the Act as "any data, a computer device, a computer network, a database, a critical database, an electronic communications network or a National Critical Information Infrastructure or any part thereof, or any other information, instrument, device or equipment". These could include cellphones, cameras, laptops, etc.
But section 32 gives the authorities the right to rifle through a person's "articles" if that person is arrested on any offence, not just ones committed under the Act. Not all arrests require a warrant. This brings to mind the incident when the JMPD was searching high and low for PigSpotter and seizing people's cellphones at roadblocks.
One can only speculate about what would have happened if the modern state had been in place around the time of the invention of the printing press and the postal service.
What does the Bill mean for individuals and corporate SA? The short answer is legislation will not reduce the risk associated with cyber crime. It only grants the state, rightly, more power to deal with offenders. But, at the same time, it extends the state's power to intercept digital communications, potentially stifle criticism and hurt security research.
Rights and responsibilities
When it comes to cyber security, individuals readily understand the need for protection against theft of data or identity, online fraud such as stolen credit card details, and terrorism. However, few appreciate the need to take some responsibility themselves.
In plain old-fashioned crime, if a man is robbed, it's not the fault of the people who built his house or who provide him with electricity and running water, nor the manufacturer of his wallet. Things are definitely more complex in the digital age, but individuals should begin to take some responsibility for their own actions.
For corporates, the reality is they should not rely on the state to do for them what they should do for themselves, and that is to secure their networks and infrastructure to ensure they're protected against cyber attacks.
Of more significance for corporates is that the Bill will allow the state to compel communication service providers to assist law enforcement by intercepting traffic without notification; and service providers can be forced to hand over private keys, making reliance on a third-party security provider a risk.
The naive argue they have nothing to hide. But, what companies don't have to hide today is maybe something they'll need to hide tomorrow. Laws, the state and society are not static. And this attitude does not take into account the competency of those who have access to a company's communications and data.
The bungling of, and alleged corruption in, the SSA should make any CIO take notice of the provisions of the Act. What does it take for an organised crime syndicate or another nation state to access SSA facilities and systems if physical access to their head office was so easily breached?
One only has to recall the recent events around the "state authorised" cellphone grabber device found in the hands of organised crime to realise the state is not immune to breaches of cyber or other security.
As for the activities of nation states, Snowden's leaks have shown that the US government, via the NSA, routinely gathers intelligence about other governments' negotiating positions and strategies on global matters. It was revealed, for example, the NSA was spying on other governments at the Copenhagen Climate Summit, in 2009; SA's trade delegation to the World Trade Organisation; and the anti-abortion strategy of the Pope at the UN, among others.
It's no wonder minister of trade and industry Rob Davies' attempts to negotiate a better deal under Agoa failed so dismally. Only a naive person would think the surveillance and tracking capabilities of the most powerful nations on earth are not being used to protect and extend their economic interests and to assist their own industries on the world stage.
But, even if it is assumed the state will not abuse its power, and that there are competent people at the SSA, and that a company's interests and the US's are aligned, the company will need to consider how such laws will impact on its ability to export its products and services to other countries. In the US, Apple and Google regularly fight to keep their clients' data secure and out of government hands.
This is not out of altruism alone, or at all, but to protect their revenue and customer loyalty. The chilling effect of the revelations about the US government's surveillance operations has resulted in lost revenue in their cloud and other service offerings, as foreign corporates seek to protect their valuable data and corporate strategies from economic espionage.
This has affected the way products and services are designed and delivered, and is particularly relevant in the cloud era. Products and services must be designed in such a way that providers do not hold the means to decrypt customer data. Hopefully, this is not itself going to be considered a crime.
Another concern is the paragraph under the section of the responsibilities of the (to be established) Security Hub, which states the hub will be required to "investigate the activities of cryptography service providers in relation to their compliance or non-compliance with relevant legislation, and issue orders to cryptography service providers in order to ensure compliance". I am not sure what relevant legislation it is referring to, but let's hope the state does not break cryptography.
All this means SA needs to upskill when it comes to cyber security. Corporate SA needs to put a process in place to develop cyber security professionals. It needs to ensure cyber security capacity and capabilities are produced locally, rather than relying on the products and services of foreign countries to deal with security.
Fortunately, the aim of developing skills and growing awareness is one of the aims of the Cyber Response Committee, to be set up in terms of the Bill. In section 61, paragraph 6(g)(vi), it states one of the aims of the committee is to "promote and provide guidance in respect of the development and implementation of... cyber security training, education, research and [implementation of] development and skills development programmes".
Whatever the future holds, it's only going to get more interesting for cyber security professionals.