South Africa prepares to enact Cybercrime Act…

First published by The ISS today

A new straight brings South Africa up to international standards in the fight against cybercrime. With a world peak in internet crime, partly due to more people working from home due to the Covid-19 pandemic, it couldn’t happen soon enough.

The country’s well-developed financial infrastructure makes it an attractive target for cybercriminals who use the Internet for extortion, fraud, child pornography, human trafficking, and the sale of illicit goods.

The lawyer, Dr Mashabane, describes South Africa’s cybercrime law as “a revolutionary and decisive step in the country’s cybergovernance and political space”. Mashabane is the director general of the Department of Justice and Constitutional Development and a former South African cyber envoy to the United Nations.

With the protection of personal information (Popi) Law 2020, which will come into full force after June 30, 2021, the new Cybercrime Act is a key part of South Africa’s arsenal in the fight against cybercrime.

At the heart of the law are the offenses that constitute cybercrimes. Until now, the lack of a clear definition has hampered the investigation and prosecution of internet crimes, with authorities having to rely on criminal procedure Law.

In summary, cybercrime is now defined as including, but not limited to, acts such as: illegal access to a computer or device such as a USB key or external hard drive; illegal interception of data; unlawful acquisition, possession, receipt or use of a password; and online counterfeiting, fraud and extortion. Malicious communications are also criminalized.

The law also defines the scope and mechanisms by which investigators can search for and seize computer hardware, software and other items such as USB drives or storage devices. It outlines how South African authorities should conduct international investigations and how evidence should be collected, shared and preserved for future prosecutions.

Cybercrime often transcends borders, so legislation details how states should cooperate and share information through mutual assistance. In urgent cases, the law appears to allow officials from another country to approach a South African judge directly to seek cooperation. Some lawyers have privately told the Institute for Security Studies that it could be controversial if interpreted as a violation of South Africa’s sovereignty.

The major challenge now is the rapid and decisive implementation of the law. Despite some committed police who have championed the issue of cybercrime and tried to secure more resources, the knowledge, experience and personnel of the South African police are lacking. This is important because by law, the police are responsible for setting up a 24/7 point of contact for all cybercrime reports.

They will only have one year to set up such a facility once the legislation comes into force. The law places the SAPS firmly in the driver’s seat of coordinating domestic investigations and international requests for cooperation and assistance. Closing the capacity gap may well require the support of international donors working by Interpol and the private sector in the form of resources, mentorship and knowledge transfer.

The law on cybercrime and the Popi law are closely linked. The latter emphasizes data privacy. Balancing security, privacy, and personal freedom when prompt investigations are needed for cybercrimes can lead to legal challenges. These could test the limits of investigative powers and the information prosecutors and judges can access. This has been raised by defense attorneys in other important areas of cybersecurity case internationally.

Hacked organizations may not report the crime if it is found that they did not take precautions (such as regular software updates). This failure could expose them to sanctions under the Popi law, which obliges companies and other organizations to protect personal data. Although the two laws are meant to complement each other, there may be conflicts.

When it comes to transparency, investigators need access to often very sensitive information to understand the cybercrime value chain and what experts call the “cybernetic destruction chain” or modus operandi.

Currently, encouraging entities to disclose their cyber vulnerabilities to law enforcement is fraught with mistrust. Indeed, this is one of the reasons why references to cybersecurity were removed from the original bill. Under the Cybercrime Act, hacked organizations will have to cooperate with investigations and help preserve and provide access to data.

Policymakers will also have to manage the tensions between law and politics if a foreign state is suspected of having committed or sponsored a cyberattack. Although some see South Africa’s history of non-alignment as a form of protection, many countries suffer collateral damage in large-scale incidents such as the events of December 2020 solar winds offensive.

The experience of other countries such as the UK shows that in addition to the police and prosecutors, other stakeholders (such as diplomats and ministers) claim an interest when foreign states are suspected of being involved. This makes rapid prosecution-guided investigations very complex and sometimes politically sensitive.

Electronic service providers such as internet companies will have to report cyberattacks within 72 hours or face severe penalties if they fail to do so. With so much commerce now being conducted via the internet, other businesses with online offerings such as retail or financial services may be caught in the net of reporting obligations.

Many of these problems are not unique to South Africa. Other countries like Zambia are scrambling to incorporate cyberlaws into their law books and will no doubt face similar challenges.

Mashabane says the act goes even further “strengthen our engagement within diplomatic and multilateral platforms with a view to developing a global framework on cybercrime and cybersecurity”. South Africa is already a key player internationally, sitting on many forums who think about the best way to govern cyberspace.

International tensions between security and freedom of expression could make achieving this goal a daunting challenge. By enacting new national legislation, South Africa is sending an important signal of its commitment to the world. DM

Karen AllenSenior Research Advisor, Emerging Threats in Africa, ISS Pretoria.

Previous Marketa Stock Valuation Extremely Bullish (NASDAQ:MQ)
Next The Potential of E-Commerce Industry in Bangladesh |