By Graham Croock, Director, IT Audit, Risk and Cyber Lab, BDO Johannesburg and Lucien Pierce, Partner, Phukubje Pierce Masithela Attorneys.
South African law already has at least four pieces of legislation and one policy that can be used to combat cybercriminals. It is for this reason that a few information security industry players have argued that the addition of one more cybersecurity law, such as the Cybercrimes and Cybersecurity Bill, would be excessive.
In the Information Security industry, there is an argument that laws such as the Electronic Communications and Transactions Act 2002, the Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002, as well as the Protection of Personal Information Act and the National Cybersecurity Policy Framework, are sufficient to combat the growing scourge of cybercrime.
However, the reality remains that whilst each of these pieces of legislation has elements that address cybercrime, they are not adequate to deal with the highly complex and multijurisdictional methods that cybercriminals now utilise. It would require a seasoned lawyer to extract the relevant provisions of each of the above pieces of legislation and to craft a satisfactory charge sheet or summons for some of today’s complex cybercrimes.
Consider a hacker who breaches a company’s security systems, steals its intellectual property, sells its clients’ personal information, makes its computers slaves in a botnet, and incapacitates its computer network by using ransomware. The lawyer would have to be an expert on each of the pieces of legislation and rely on portions of each of the above laws to address each of the different types of crimes committed in this context.
It is for this reason that, firstly, our laws need to be modernised and, secondly, we need one comprehensive law that is able to account for any of the circumstances mentioned.
The recent R300 million Standard Bank credit card “hack” is a prime example of the multijurisdictional nature of cybercrimes. The bank could possibly have had its South African systems hacked by cybercriminals to steal the credit card information. Small-time criminals based in Japan may have withdrawn the cash, whilst hackers based anywhere in the world, from Turkey to Russia, Brazil or the United States, may well have masterminded the heist.
Therefore, without a single comprehensive cybercrime and cybersecurity law that is able to address the complex issues that arise out of cybercrime, organisations that are victims of cybercrime, and the organs of state tasked with investigating them, are going to have a much more difficult job on their hands. For this reason we need the Cybercrimes and Cybersecurity Bill, a piece of legislation that will be on par with other similar international statutes such as the Council of Europe’s Budapest Convention on Cybercrime.
Through the Cybercrimes and Cybersecurity Bill, one comprehensive piece of legislation is formulated which can address the realities of present-day cybercrime by creating offences and prescribing penalties related to cybercrime, regulating jurisdiction, and regulating the powers to investigate, search and gain access to or seize items in relation to cybercrime. The Cybercrimes and Cybersecurity Bill also facilitates the regulation of aspects of international cooperation in respect of cybercrime investigations, and it promotes best practice, which requires that points of contact exist in various countries to provide speedy assistance and investigation of cybercrime. It also makes provision for the formation of a number of public and private sector structures in South Africa that are intended to collaborate and assist with addressing cybersecurity and cybercrime.
South African organisations would do well to embrace and acquaint themselves with the Cybercrimes and Cybersecurity Bill. It is fundamental that our police force be equipped with the capabilities and authority to investigate the consequences of cybercrime, as well as the ability to quickly request and receive the assistance of police elsewhere to investigate crimes that happen outside of our country.
The Cybercrimes and Cybersecurity Bill is a necessary piece of legislation that will go a long way to enhancing the ability of South African organisations to fight cybercrime, wherever the criminals may be.