The cost of cybercrime, globally, is estimated to be between 0.8% and 1.5% of GDP, according to Noëlle Cowling, a researcher and lecturer in the Department of Strategic Studies and cyber programme lead at the Security Institute for Governance and Leadership in Africa, both located at Stellenbosch University.

In the light of South Africa’s 2018 economic growth rate of 0.8%, this number is quite alarming, she told the ITWeb Chief Information Security Officer Round Table, held in Cape Town on the eve of the annual ITWeb Security Summit.

Bringing together a group of senior security professionals from major retailers, financial institutions and other large corporates, the round table event was sponsored by Puleng Technologies.

Prof. Elmarie Bierman, director and founder of the Cyber Security Institute, said the most serious cyber threat, ahead of terrorism, espionage and even organised crime, comes from nation states.

Cowling said South Africa is wholly unprepared to deal with emerging cyber threats. There’s no national cyber strategy, too much reliance on reactive Computer Security Incident Response Teams, not enough proactive cyber intelligence, an over-emphasis by the government on surveillance and interception capabilities, a lack of cyber skills both in the public and private sectors, and the Information Regulator is under-capacitated.

“Both the public and private sectors appear to underestimate the serious threat posed by data breaches as well as the monetisation of data by criminals,” she said.

“We’re in a stage that we call the ‘cold cyber war’,” Bierman said. “It’s like you see all of these countries, they show off. Moreover, we saw several instances, like the one a few weeks ago, where Israel actually retaliated with kinetic force, after they were victims of a cyber-attack.”

South Africa doesn’t really have a Cyber Command, and tends to take a defensive approach, as the peacekeepers of Africa. “I think that’s the wrong way to do it,” said Bierman.

She said although the World Economic Forum ranks cyber-attacks among the most likely and most impactful threats, South Africans don’t have national intelligence on the criminal networks active in the country and must rely on international vendors for information. “We don’t even have the capability in South Africa to say listen, this is our threat profile, from a defence point of view, from a military Cyber Command perspective. So, we need to strategise around that.”

Delightfully vague

“We’re horribly exposed,” agreed Cowling, noting that South Africa is good at making policies and laws, but not excellent at implementing them. She relayed that a colleague describes South Africa’s national cyber policy framework as “delightfully vague”.

She believes we could take a leaf out of Estonia’s book. That small Baltic state, which less than 30 years ago was part of the Soviet Union, still lives under constant fear of both cyber warfare and physical invasion by Russia. It has not only made its entire government electronic, but it created ‘data embassies’ in Luxembourg with full diplomatic immunity, from where its government could continue to operate, and even launch counter-attacks.

Cowling adds that war has changed. There are no clear boundaries between war and peace anymore. Hybrid threats that incorporate information warfare are on the rise, both from state and non-state actors, and they target both the public and private sector. Increasingly, nation-states, organised crime groups and terrorist groups collaborate in cyber warfare.

“Africa is currently the new world battleground,” Cowling said, “largely because of the number of failed states on the continent, weak states, we have a number of terrorist groups that are very active in the African space, as well as organised crime.” She says organised crime groups like South Africa because it has all the infrastructure they need to live and work – good communications, decent education, a robust financial system, but weak government, with corrupt officials. South Africa makes a good operation base for crime in Africa.

There are many emerging cyber threats, ranging from “sextortion” and virtual kidnapping to cryptocurrency scams. Even plain old ransomware remains very lucrative. The first version of CryptoLocker generated in excess of €300 million, said Bierman. “Think of that as a company. They keep office hours. They don’t work on weekends. Imagine their research and development capabilities, and the money around that, just to keep developing new versions that can get around anti-virus systems.”

Bierman notes that there is no essential difference between online and offline crime. Criminals go where the money is. If your data can be monetised, they will go after your data, and if your people have access to this data, they will target your people.

“We have advanced, persistent threat groups from several countries that are active in South Africa,” Bierman says.

She advises that security professionals spend time on dark Web forums and learn how to infiltrate groups that pose security threats. The focus ought to be on a cyber intelligence approach, instead of just reactive, defensive security operations, and South African companies cannot expect to look to government for much help.

* The ITWeb Chief Information Security Officer Round Table, held on 22 May 2019 in Cape Town, on the eve of the annual ITWeb Security Summit, was sponsored by Puleng Technologies. Puleng's Security Blueprint is focused on providing its customers with a client-centric strategy to manage and secure the two most valuable assets an organisation has: its data and users, while facilitating IT and business with a platform to build an efficient, collaborative and integrated cyber security programme.