In the absence of legislation that addresses cyber crimes, South Africa has become a safe haven for cyber criminals, said Corien Vermaak, cyber security specialist at Cisco.

Vermaak made the comments at ITWeb Security Summit 2019, taking place at the Sandton Convention Centre in Johannesburg this week.

The cyber security specialist stressed that a lack of formal cyber crimes legislation is not a good position for the country to be in, which is why she lobbies for the Cyber Crimes Bill to be adopted.

“If we don’t understand that in a digital future, organisations, companies and countries will not invest in territories where they are not safe-guarded from a prosecution point of view, our economy will suffer.”

Considering that SA has been very late in adopting legislation fighting cyber crimes, Vermaak urged Parliament and government to wake up to the fact that this legislation is needed, must have bite and be mature.

Lagging behind

In 2015, the Department of Justice and Constitutional Development (DOJ) initiated the process to establish decisive policy in the form of the Cyber Crimes Bill, responding to the country’s lack of legislation addressing cyber crimes.

Initially dubbed the Cyber Crimes and Cyber Security Bill, the piece of legislation received backlash, with several critics saying it was too broad, open to abuse and threatened the fundamental democratic spirit of the Internet.

After multiple reiterations and drafts, the Bill was revised and the DOJ tabled a new version before Parliament's Portfolio Committee on Justice and Correctional Services in October 2018.

Last November, the Bill was passed by the National Assembly, and transferred to the National Council of Provinces for agreement, whereby it will eventually reach the president to be signed into law.

Vermaak told conference delegates that adopting the Cyber Crimes Bill process has been characterised by slow progress.

She noted the country has relied on the Electronic Communications and Transactions (ECT) Act for quite some time, but this Act only effectively acknowledges that a computer can be used in the facilitation of a crime, but does not formalise any of this.

Explaining SA’s position in response to cyber crimes, Vermaak pointed out the country has seen some structures being put in place by government. This, she added, is on the back of international pressure.

Some of SA’s responses to cyber crime include the ECT Act, the publication of the National Cyber Security Policy Frame, the Cyber Security Hub, as well as being a signatory to a few international treaties, including the Budapest convention.

“We had intent to adopt legislation with regards to cyber crime,” she highlighted.

Internationally, the US plays according to what is done in the European Union (EU) when it comes to cyber crime, stated Vermaak.

“We have the cyber crimes directive; we have US and EU cyber crimes frameworks that are seen as model legislation to which these countries subscribe. Then there is quite a few particular international bodies being established that look at regulating this from a global perspective, with knowledge sharing, input and threat analytics, all of which can only be done with collaboration not only within government but also the private sector.”

Stumbling blocks

Vermaak noted budgetary constraints, change in leadership within the administration, redrafts, and most recently the elections, contributed to the setback in adopting the cyber crimes policy.

Further, the most significant part in the delay, late last year, was the fact that the critical infrastructure bodies joined forces in raising an objection against protecting critical infrastructure, she said.

“We are ready to criminalise the use of a computer, interference of data, the use of hardware and software, and manipulation of data, but are not ready to protect critical infrastructure?

“How can we say we are mature from a cyber crimes and security perspective if we do not put an obligation to secure critical infrastructure in a mature way.

“We have no formative legislation that forces the banks and critical infrastructure institutions, like Transnet, Eskom and water services, to secure their telecommunication infrastructure in a mature way. That does not drive us to an international level of being a big player in protecting our critical infrastructure.

“I don’t think we realise and put weight to the fact that we have some real constraints; however, this is holding us back as a developing country to adopt this legislation in a mature way. How can we say we are mature from a crime perspective if we don’t put obligation on critical infrastructure from a protection point of view?

“Globally, some of the largest breaches happened in electronics and power grids. This happens in territories where there is mature obligation to secure. I think as a South African populace, we should consider ourselves lucky.”

What’s next?

Vermaak said it is hoped the Bill will be accepted, but only if it is the criminal Bill.

We would then as an industry consolidate and look at the drafting of the protection of national critical infrastructure, she added.

The National Council of Provinces needs to approve the Bill as it stands, she advised.

“If we suffer any blows or objections at the National Council of Provinces, the Bill will go back into draft and it will not be signed by president Cyril Ramaphosa. This will be a big blow for the progression of cyber crime within SA.

“If all goes well and the president signs the Bill, possibly, depending on where we are in regards to the security elements, we might have a compliance suspension timeframe, as we’ve had with POPIA.

“Globally, the pressure is increasing for countries to accept legislation with regards to cyber crime and digital privacy, and it benefits us in no way if we don’t do this in a mature manner,” she concluded.