Cyber law has become something of a grey area as national and international laws overlap, cyber crimes take place across borders, and even the definitions of acts such as cyber warfare are murky, delegates at the ITWeb Security Summit 2019 heard.

Speaking on cyberlaw and governance in an age of cyber-attacks and cybercrime, Trishana Ramluckan, researcher, and Dr Brett van Niekerk, senior lecturer, the University of KwaZulu-Natal, said the Internet created legal challenges around jurisdiction and state sovereignty.

“Cyber security is becoming an international problem with a political agenda, but the problem is a lot of legislation is at a national level,” said van Niekerk.

Because cyber-space has no physical borders, it becomes difficult to govern, and challenging to investigate and prosecute cyber crimes, they said. Citing cases such as the 2016 Standard Bank hack, in which money was withdrawn from ATMs in Japan, van Niekerk said that because the physical part of the crime happened overseas, South African investigators had to request assistance from Japan.

In addition, acts such as cyber war are not clearly defined and are subject to interpretation. Despite several works on the subject, “there is still no adequate, widely accepted definition of cyber warfare,” said Ramluckan. “And if we can’t define it, it becomes harder to legislate. Everyone defines cyber war differently. Key words used to define war are ‘use of force’ and ‘state sovereignty’ – but how can we prove use of force and an impact on state sovereignty in cyber?”

She noted that general misuse of terms such as cyber war could have legal impacts. Insurance companies have refused to pay out in cases like the Maersk NotPetya attack, because they considered it an act of war.

In cases where national and international laws on cyber crime and protection of privacy overlap, compliance becomes a challenge, they noted. “For example, you have the EU’s General Data Protection Regulation (GDPR), EU ePrivacy Regulation and PI, so which law takes precedence, and how do we decide which international laws to comply with? Hypothetically, once POPI is implemented and we have involvement of a UK subject, which law should apply?

“You may maintain sovereignty and not sign an international law, but ultimately you are affected by it. It’s still a grey area,” she said. “In this case, POPI could have to be re-tabled to align with the GDPR,” she stated.

Another problem facing countries like SA was which country’s legislation they should align with. For example, while South African corporate data may reside in US-based data centres, the country is also growing its trade with China. “When these countries begin a trade war, where do we position ourselves?” asked Ramluckan.

Local cyber crime legislation currently in place may not be sufficient, and SA might have to consider a broader range of legal works to cover cyber war, cyber crime and protection of information in line with international legislation, they said.