Cyber-crime clamps on way with tough new bill
Experts cautious as they see good and ‘draconian’ elements in plan
New cyber security laws to give the government far-reaching powers to clamp down on any information they deem critical are not unlike those of the controversial Protection of State Information Act, experts say.
A bill to counter South Africa’s R1-billion cyber-crime industry seeks to prevent cyber attacks that could cripple the nation.
Security experts cautiously welcomed the Cyber Crimes and Cyber Security Bill, but said privacy and constitutional rights were at stake.
Experts compared the bill to the controversial Protection of State Information Act, which was attacked by freedom of speech activists.
The 128-page draft bill, tabled two weeks ago in parliament, is out for public comment.
Norton’s Symantec 2013 cyber crime report estimates that South African citizens and businesses lose up to R3-billion a year in cyber-crime fraud and attacks.
The bill targets phishing, hacking, illegal interception of data, theft and purchasing personal information online. It also covers malware, like viruses, worms and Trojan horses.
Leading cyber crime expert Professor Basie von Solms said while the bill was a step in the right direction, there were issues that had to be addressed.
“Overall, this bill is the first piece of legislation of its kind in South Africa and is long overdue,” he said.
“However, there is no point having the legislation if no one is going to enforce it. There is no way the government can implement this without assistance from other sectors.
“One of the major benefits is a 24-hour contact point [a hub] that will investigate cyber crime.
“This is great news but the fact remains that you need manpower and specialist skills for implementation,” Von Solms said.
The bill states that various security centres and response teams must be established under government departments and agencies.
These would include state security, police, the telecommunications ministry, and the military.
The bill also gives the state security department power to declare what is considered national critical information and requires protection. This would include data deemed to be important for the protection of security, defence and international relations.
The provision would cover airports, the Johannesburg Securities Exchange, Eskom, and hospitals, as well as most transport-related functions such as traffic lights, railway stations, fuel storage, and food systems, Von Solms said.
“One needs to understand that if any of these centres is hacked, the country could fall to its knees and be crippled.
“You are dealing with faceless criminals and will need the best of the best investigators.
“The government will then have to educate prosecutors and police on how to investigate and prosecute.”
Cyber security consultant and information attorney Mark Heyink said the balance between the constitutional right to privacy and provisions of the bill had to be addressed.
“[It is] in my view dictatorial as opposed to cooperational in dealing with the establishment of appropriate cyber security approaches,” he said.
NMMU Professor Frans Marx said the current bill gave the government draconian powers to ban anything they declared critical information.
It also provided for inspectors and gave power for searches and seizures, in some cases without warrants.
Marx said the part of the bill consolidating piecemeal legislation on criminalising hacking, spreading of malware and computer-related fraud was to be welcomed.
That was also the case for criminalising acts such as copyright infringement, computer-related espionage, and terrorist activity.
But, Marx said, the part of the bill “dealing with the establishment of, one can almost say, a myriad of cyber security structures involving different ministries and the provisions relating to national critical information infrastructure protection is worrying”.
The cyber security structures would also be expensive to create, and could create possible limitations on free reporting on matters deemed critical to state security.
“The state, through the Cyber Security Centre, has almost unlimited powers to declare any information infrastructure or part of it as national critical information structures,” he said.
Comment closes on November 30.