What is SA’s cyber risk level, and how prepared are we in the case of an attack?

In the absence of any hard figures, and of legislation that will require organisations to report breaches, it’s anyone’s guess, but a panel of experts drawn from banking, telecommunications and government did offer some indicators at ITWeb Security Summit 2019 this week.

Dr Kiru Pillay, chief director: cybersecurity operations, Department of Telecommunications and Postal Services, said the government’s aim with cyber security was to create an ‘enabling environment’ through a policy framework, legislation and, he joked, ‘that dreaded word, regulation’.

There is a national cyber security policy framework, passed by Parliament in 2012, which sets out the overall strategy of government in terms of cyber security.

Alongside the policy framework, said Pillay, two pieces of legislation are important: the Cybercrimes Bill and the Critical Infrastructure Bill, which will replace the old National Keypoints Bill.

Both these Bills are before Parliament.

“The legislation needs to be passed for the ability to start looking at how we create a collective capacity. The spirit of the National Cyber Security Policy Framework and of the legislation is that cyber security isn’t a government issue, it’s a collective capability across government and industry,” he said.

He sees this playing out in the establishment of sector-specific CSIRTs (computer security incident response teams), to which the legislation will give more impetus, or as he put it, more ‘oomph’.

Still, there are likely to be more delays, as the country moves from the fifth to the sixth administration, which means the Bills might be re-examined.

Once the Bills were passed, Pillay said there would be a ‘baseline’ to start looking at regulation, which, sooner or later, would need to be addressed.

Banks lead the way

Susan Potgieter, head: strategic services, at the South African Banking Risk Information Centre (SABRIC), said the banking industry had not waited for regulation and legislation, and a strategic decision was taken in 2010 to establish a sector SIRT.

Nine years later, it was still a ‘work in progress’, said Potgieter.

“You will never reach the top of cyber security readiness, ever, because it’s a moving target. But you need to consistently work and invest in it.”

Still, there has been ‘huge’ progress, said Potgieter. Banks are now collaborating and sharing information, and are not competing around cyber resilience.

Potgieter said SABRIC was also planning on releasing a cyber threat landscape report in 2019.

“Everybody wants to know what’s happening in South Africa.”

Panel chairperson Craig Rosewarne, managing director of Wolfpack Information Risk, added that while SA has great policies and people, “there seems to be a lack of leadership drive. There’s also a lack of operationalising, and implementing things. The man on the ground, the person reporting the cyber crime, doesn’t get to see anything. It’s kind of like the elections; you vote for a party, and you expect to see change, but it takes a while to trickle through.”

Mike Silber, general counsel and group head: regulatory, Liquid Telecom, and the treasurer of the Internet Service Providers Association (ISPA), said while many players recognised the need to respond to cyber security incidents, many did not want to be tied into a framework in which they had to pay membership fees.

Do the work

“One of the critical things is for people to take the initiative and do the work. This is not something where you can sit and wait for others. I’ve heard various discussions; ‘Oh no, we need the policymakers, or the regulators’. I’m a firm believer that if you don’t want regulators up in your business, then you’ve got to do it yourself, and make the regulators aware that you have self-regulated well enough that they don’t feel the need to impose on you. As ISPA we’ve done that.”

One initiative that ISPA has been struggling with is the ability to inform its customers when it identifies threats that they are generating on their networks.

“When we start to pick up botnets, we’re unable to switch them off on our customers’ networks. We communicate with them, and they often tell us to leave them alone. We’re doing this for everybody’s benefit; otherwise we have malware leaking onto national networks by people who are unaware of it.”