Catching the cybercrooks
SA has enough laws for the prosecution of industrial criminals, but needs more policing — and the banks’ example should be studied
You don’t have to be a tech geek to be aware of the chaos that cybercriminals are wreaking in this country. There are numerous local examples — from the recent spate of WhatsApp scams to the R42m stolen from the Postbank in 2012. It’s a plague that costs this country over R1bn/year. Fortunately, our politicians are aware of the problem. But unfortunately, their response just doesn’t cut the mustard.
Government plans a new law relating to this issue, and intends to submit the Cyber Crimes & Related Matters Bill to parliament by June this year for a vote. However, my organisation, the SA Institute of Race Relations, isn’t convinced this legislation is the panacea for the problem. There are already a number of technology-related laws that address cybercrime.
The problem is that the existing rules just aren’t being enforced properly. In other words, it’s not that we don’t have the tools – it’s that we aren’t using them.
But we have experienced some recent successes. The people who hacked the Postbank systems were identified and arrested within months. This demonstrates that it is possible to act against cybercriminals.
Tackling problems like card skimming — where fraudsters use devices to harvest the details and security codes of cards by copying information in their magnetic stripe — is trickier.
But the police appear to be gaining traction in their effort to stem this crime: between 2010 and 2015, 892 skimming devices were confiscated, and last year card fraud dropped 45.6% to R48.5m.
Not many people know this, but South Africans have taken a global lead in thwarting cybercrime. For example, portable credit card readers, which let you pay your dinner bill at the table instead of seeing your card disappear into a back room, were invented in SA precisely to prevent skimming.
But there is another form of cybercrime most people forget about: industrial espionage.
A few years back, Vusi Mavimbela, a former national intelligence director-general, spoke of how many SA companies had become victims of cyberspies, who hack their information and then sell it to competitors.
Many companies brush off this threat, naively. It appears some SA companies are ambivalent about the reality of industrial espionage and thus, state security operators say, rarely take advice about surveillance counter-measures seriously.
So, looked at holistically, you’d have to say there’s no point in passing a new cybercrimes bill. For one thing, government hasn’t done enough to even recruit sufficient “cyberinspectors” to police the current laws. The private sector has stepped in, appointing its own inspectors.
SA’s big banks, and numerous other companies, already have dedicated teams battling cybercrooks. So, for example, they spend their hours blocking phishing e-mails, taking down spoof websites and trawling through thousands of transactions to see which might be suspicious. They’re quick, too. For example, when a spoof website has been picked up, the banks have typically shut it down within 45 minutes, irrespective of where it’s based. All transactions using Internet banking are now encrypted too.
Some companies in other sectors, which don’t have the same volume of Internet transactions, have little interest in establishing organs such as the SA Banking Risk Information Centre or in building their own anti-cybercrime outfits.
Still, this in itself is no reason to pass an entirely new law. Government should rather implement the current rules better, and work with the banks to see whether their systems can be applied in other sectors.
We already have too many laws that are reactive, ill-conceived and unnecessary.
All this does is stifle entrepreneurship, innovation and business growth.
Prof Dagada is a policy fellow at the SA Institute of Race Relations