SA’s new cybercrime law poses tricky challenges
Anew law brings South Africa up to international standards for fighting cybercrime. With a global spike in internet-based offences, partly driven by more people working from home because of the Covid-19 pandemic, it couldn’t come soon enough.
SA’s well-developed financial infrastructure makes it an attractive target for criminals who use the internet for extortion, fraud, child pornography, human trafficking and selling illicit goods.
Advocate Doctor Mashabane, the director-general in the Department of Justice and Constitutional Development, describes the Cybercrimes Act as “a ground-breaking and decisive step in the country’s cyber governance and policy space”. Mashabane is SA’s former Cyber Envoy to the United Nations.
Together with the Protection of Personal Information (POPI) Act 2020, which will be in full effect after 30 June 2021, the new cyber law is a key part of South Africa’s armoury in the fight against cybercrime.
The absence of a clear definition of cybercrime, until now, has hampered investigations and prosecutions of internet-based crimes, with authorities having to rely on the Criminal Procedure Act. The Act defines it as including, but not limited to, acts such as: the unlawful access to a computer or device such as a USB drive or an external hard drive; the illegal interception of data; the unlawful acquisition, possession, receipt or use of a password; and forgery, fraud and extortion online. Malicious communications are also criminalised.
The Act also sets out the scope and mechanisms by which investigators can search and seize computer hardware, software and other items such as USB keys or storage devices.
Cybercrime often crosses borders, so the law details how states should cooperate and share information. In urgent cases, it appears, officials from another country can apply directly to a South African judge to request cooperation. This could prove controversial if it is interpreted as a breach of sovereignty.
The challenge now is rapid implementation. Despite police officers who have championed the cybercrime issue, the South African Police Service’s (SAPS’s) knowledge, experience and staffing are in short supply.
That matters because, under the Act, the police are to set up a 24/7 point of contact for all cybercrime reporting. SAPS has a year to establish such a facility, once the legislation is in force.
The Cybercrimes Act and the POPI Act are closely connected. The latter underscores data privacy. Balancing security, privacy and personal freedom when swift investigations are needed for cybercrimes may result in legal challenges. These could test the limits of investigative powers and what information prosecutors and judges can access.
Hacked organisations may not report the crime if they failed to take precautions (such as regular software updates). This breach could expose them to sanction under POPI, which obliges them to protect personal data.
The two laws are meant to complement each other, but there may be conflicts.
On transparency, investigators need access to what is often highly sensitive information to understand what experts call the “cyber kill chain” or modus operandi.
Currently, encouraging entities to disclose their cyber vulnerabilities to police is fraught with mistrust. Indeed it was one of the reasons that cybersecurity references were removed from the original bill. Under the Cybercrimes Act, organisations that are hacked will have to cooperate with investigations and assist in preserving data and providing access.
Policymakers will have to manage tensions between the law and politics if a foreign state is suspected of committing or commissioning a cyberattack. Some consider SA’s history of non-alignment a form of protection, but many countries suffer collateral damage in large-scale incidents such as the December 2020 SolarWinds attack.
Electronic service providers such as internet companies will have to report cyberattacks within 72 hours. With so much commerce being online now, other businesses with online offerings such as retail or financial services may have to report too.
Mashabane says the Act will “bolster our engagement at diplomatic and multilateral platforms with a view to developing a global framework on cybercrimes and cybersecurity”. SA is already a key player internationally, sitting on numerous UN forums considering how best to govern cyberspace.
Enacting new domestic legislation signals SA’s commitment.