Tag Archive | deputy minister john jeffreys

Cybercrime and Cybersecurity Bill invokes suspicion

Cybercrime Bill stated as invasive

…sent to clients 28 Jan…   A new law to assist in enforcing South Africa’s fight against cybercrime, hacking and unlawful interception of data is about to be tabled in Parliament. As expected, the proposals are not without considerable misgivings in the private sector and involve claims that the state may have designs upon the control of free speech and/or are intent upon the control or manipulation of cyberspace.

The draft Cybercrime and Cybersecurity Bill (C&C Bill) has now been approved by Cabinet, the draft having been published for comment as far back as September 2015.  Industry players are deeply involved and the next platform for their involvement moves to the actual wording of the document that will form the basis for regulations.

Agents for the state

The legislation states that the proposals are designed to give powers to the State Security, Defence, Police and Telecommunications Ministers, which powers will not only extend into many aspects of South Africa’s key economic, financial and labour environments but will impose responsibilities on service providers.

The Bill clearly states it will call upon the private sector for compliance into order to meet its objectives and will also change the way the public service goes about its business to reflect the call for security.  Cross hairs are to zero in on the criminalisation of cyber-facilitated offenses including circulation of messages aimed at economic harm, contain pornography or could cause mental or psychological harm.

Parliamentary stage

The next stage of public sector involvement will be extensive parliamentary hearings, no doubt involving joint portfolio committees, to cover the many aspects involved.  Also to allow for further submissions on deep concerns in the private sector regarding compliance and intrusion of free speech rights.

The long and quite complicated process of drafting such legislation has been undertaken by the Department of Justice and Constitutional Development.  It is stated that the proposals are of an umbrella approach towards legislation already in the ambit of the new Bill, the objective of which is to extend any new regulations over a wide range of business endeavours and activities “in the public interest”.

Long history

The process started at a point in the cybercrime history log which seems a century ago.  A government gazette articulated what was necessary. “I, Mbangiseni David Mahlobo, Minister of State Security, hereby publish the National Cybersecurity Policy Framework as approved by Cabinet in March 2012 for public information.”

The long journey has finally resulted in a 130-page draft which firstly creates offences, prescribes penalties and regulates for powers to investigate, gain access, search and seize items. It gives such powers to the South African Police Service (SAPS) and the State Security Agency (SSA).

Future structures

The Bill then proposes that structurally the Minister of Police establish both a National Cybercrime Centre and appoint a director in charge – a person currently serving with the SSA – and similarly appoint such a director in charge for a “point of contact centre” for cybercrime activity, outreach and contact.

Monitoring all structures will be a Cyber Response Committee (CRC) made up of 13 experienced persons chaired by the DG, Dept. of State Security.

Any interventions at this level will be, by nature of the vastly changing business environment and the global challenge of the subject matter of the Bill, “which will form the critical point of balance between the forces of state control and public endeavour”.

Ground troops

Initially, the Minister of State Security is to appoint a director in charge of a proposed Cyber Security Centre, such person also serving with SSA and for the Minister to establish Government Security Incident Response teams, also appointing a person from the State Security Agency as the head of each specialised investigating team.

Finally, on structures, the Minister of Defence is to establish and operate a Cyber Command and appoint a General Officer Commanding.

Furthermore, provision in the Bill is made for the Minister of Telecommunications and Postal Services to establish and operate a Cyber Security Hub and appoint a director of same. It is in this area that assumedly the main interface between private and public sectors will take place.

Key points

An example of a database to be protected is given in the Bill as the Home Affairs database and the mandate for dealing with cybercrime clearly includes the fact that foreign states and South Africa will be co-operating to investigate possible offences.

Also, powers are granted to the President who may enter agreements with foreign states to promote cybersecurity. The proposals make it quite clear that international crime fighting and the local protection of cyberspace are to be woven together. This will involve changes to the anchor Electronic Communications and Transactions Act, particularly where the Act deals with attempts to deal with abuse of information systems.

The nitty gritty

Where the C&C Bill ventures into the private sector there will no doubt be, and certainly has been to date, plenty of debate.  The Bill as proposed, broadly and perhaps too grandly, allows for the imposition of obligations on electronic communications service providers (ECSPs) and financial institutions in respect of aspects “which may impact on cybersecurity”.

The difference between obligations and compliance seems a fine line but already the Dept. of Telecommunications has set up a website on https://www.cybersecurityhub.gov.za/ to try and clarify issues.

At what point?

The general obligations of ECSPs are a set out in the draft bill but an obligation is proposed that as soon as a ECSP “becomes aware of an offence being committed on its network”, the matter must be declared to the National Cybercrime Centre.

The offences are enumerated in the Bill but it is possible that clarity is required, according to stakeholders who have voiced opinions so far, as to who decides at and at what level the retention of a suspicion becomes an offence or to restate the problem, at what point does a suspicion become a reportable fact.

Proposed offences include unlawful interception of data; unlawful access, personal information and financial information-related offences; unlawful acts in respect of software or hardware tools; unlawful acts in respect of malware; unlawful acquisition, possession, provision, receipt or use of passwords, access codes or similar data or devices; computer-related fraud and computer-related extortion.

Extensive powers

Most focus on the fact that the Bill’s clause 58 gives the State Security Minister powers to determine what should be included in a “national critical information infrastructure”.

The Bill goes on to state that should it “appear” to the Minister that any information presented is of such “strategic nature” that any interferences, loss, damage, immobilisation or disruption which may result in prejudice to the “security, defence, law enforcement or international relations of South Africa; or prejudice the health and safety of the public; interfere or disrupt any essential service’, then the Minister may implement the powers granted by the Bill.

The “Apple” problem

Broadly speaking, also included is any malevolent act which “causes any major economic loss, destabilises the economy of South Africa or creates any form of public emergency’’ with the proviso that the organisation must “at its own cost take steps to the satisfaction of the Cabinet minister” to comply with a state request.

Any “affected organisation may be given the right to be afforded an opportunity to make representation” but, to repeat, players in the industry note that a great amount of responsibility has been delegated without clear definitions of what is reportable.

The background

The seriousness of the Bill and the recognition that cybercrime must be dealt with firmly is measured by the background given to the Bill.    It is estimated that cyber-related offences currently exceed a value of more than R1bn annually. This is escalating at speed, the Department of Justice states.

In general terms, one of the tasks of the Cybercrime Centre is stated in the revised draft as informing all of cybercrime trends and creating an environment which enables parties to report cybercrime without being suspected of whistle-blowing with the accompanying commercial disadvantages.

In other words, the fear with the original draft expressed by the Right2Know campaign that the draconian powers of seizure worried many in the IT industry and that lack of protection for whistle blowers was out of kilter with free speech requirements, may have to some extent been responded to.

Heavy hand of the law

Still, fines of up to R10m and/or 10 years’ imprisonment are involved following a guilty verdict for unlawfully accessing or intercepting “a national critical information infrastructure” involving “critical data”, which makes for a tricky scenario for ECSPs handling traffic and journalists handling information.

This is in the light that an ECSP could be liable on conviction to a fine of R10 000 for each day on which such failure to comply with disclosure requirements continues, it was noted.    To be specific, some fifty offences are detailed in the areas of data, messages, computers, and networks.

This is serious talk.   Whilst national cybersecurity needs are recognised as paramount, as the latest draft explains, the extent of state powers in the hands of uncontrolled and misdirected state effort gives concern to many in the ECSP business community, particularly in the light of the public nature of the internet.

No warrantless searches

On the other hand, whilst the C&C Bill gives SAPS and SSA extensive powers to investigate, search, access and seize assets wherever they might be located, the search powers granted are not emanating from the proposed Bill.

Search powers are only possible provided the search entity has a search warrant granted in the normal way, the department says.  SSA will be purely looking, they say, for data that has a feature of malevolence and commits crime in terms of the need to protect the State and its citizens.

At a briefing for the media, the Justice and Constitutional Development Department in Pretoria Deputy Minister of Justice and Constitutional Development, John Jeffery, gave a further assurance that what is about to arrive in Cape Town “will not give any powers to the State Security Agency (SSA) to control the internet or spy on local users”.

Criminal data

The search and seizure powers granted in terms of the latest draft of the C&C Bill around the interception of data “do not represent increasing the state’s surveillance powers”, the Minister said.

“As part of the final draft of the bill, it says that to prove an offence in a court of law, data must be seized as evidential material.  If the State cannot seize evidential material to adduce as evidence, it is impossible to prove the guilt of an accused person. “

The criminal procedure act is currently used to investigate cybercrimes, Minister Jeffery said, and to this end the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) “are already in the tool box”.

Anchor still RICA

The C&C Bill is merely extending the RICA from that aspect, he said, which already has basic general principles in place to protect persons against unlawful interception of communications. “There is thus no extension of the so-called ‘surveillance powers’ of the State”, he added.

He confirmed that previous versions of the Bill, whilst stating a person who fell foul on the issue of state information that was classified as secret could go to jail for 10 years without the possibility of a fine, now, the final draft of the Bill acknowledges that journalists and whistle-blowers have protection under the Protected Disclosures Act.

Minister Jeffrey said was satisfied that the C&C Bill, now headed towards its final shape, gives the State the tools to halt crime and bring those who used data as a tool of crime to book.

 Defining data

He concluded, “Data is merely a means to commit offences such as fraud, damage of programmes and computer systems, extortion, forgery and uttering. It can also be used to commit murder by remotely switching of a respiratory system or terrorism by overloading the centrifuges of a nuclear station or remotely opening the sluices of a dam which causes large scale flooding.”

Much of what will come up in the parliamentary hearings of submissions will most likely involve the space occupied by the ECSPs and their responsibilities as perceived by the State. Furthermore, the role to be played by any business institution using large amounts of data needs to be clarified as far as areas of compliance are concerned.

Previous articles on category subject

Draft Cybercrime Bill drafts industry – ParlyReportSA

South Africa on international cybersecurity – ParlyReportSA

Broadband allocation could involve SABC – ParlyReportSA

Posted in Communications, LinkedIn, Security,police,defence, Special Recent Posts, Trade & Industry0 Comments


This website is Archival

If you want your publications as they come from Parliament please contact ParlyReportSA directly. All information on this site is posted two weeks after client alert reports sent out.

Upcoming Articles

  1. MPRDA : Shale gas developers not satisfied
  2. Environmental Bill changes EIAs
  3. Border Mangement Bill grinds through Parliament

Earlier Editorials

Earlier Stories

  • Anti Corruption Unit overwhelmed

    Focus on top down elements of patronage  ….editorial….As Parliament went into short recess, the Anti-Corruption Unit, the combined team made up of SARS, Hawks, the National Prosecuting Authority and Justice Department, divulged […]

  • PIC comes under pressure to disclose

    Unlisted investments of PIC queried…. When asked for information on how the Public Investment Corporation (PIC) had invested its funds, Dr  Daniel Matjila, Chief Executive Officer, told parliamentarians that the most […]

  • International Arbitration Bill to replace BITs

    Arbitration Bill gets SA in line with UNCTRAL ….. The tabling of the International Arbitration Bill in Parliament will see ‘normalisation’ on a number of issues regarding arbitration between foreign companies […]

  • Parliament rattled by Sizani departure

    Closed ranks on Sizani resignation….. As South Africa struggles with the backlash of having had three finance ministers rotated in four days and news echoes around the parliamentary precinct that […]

  • Protected Disclosures Bill: employer to be involved

    New Protected Disclosures Bill ups protection…. sent to clients 21 January……The Portfolio Committee on Justice and Constitutional Affairs will shortly be debating the recently tabled Protected Disclosures Amendment Bill which proposes a duty […]