… Revised Bill criminalises cybercrimes …
posted 5 Aug… A new Bill is in debate that is designed to give powers to the State Security, Defence, Police and Telecommunications Ministers to intervene in many aspects of South Africa’s key economic, financial and labour environments, zeroing in on cybercrimes and related offences. It also calls upon the financial sector to assist in tracking down fraudsters.
Offences include the circulation of messages that aim at economic harm to persons or entities, that contain pornography, or that could cause mental or psychological stress. The Bill calls upon the private financial and communications sector and, more specifically, electronic service providers to assist with its objectives. The Bill will also change much in the way government and SOEs go about their business to reflect the current call for electronic security.
The revised Bill is a rewrite of the one originally tabled in 2015 and rejected as too convoluted and wide-ranging on issues that could cause unintended consequences.
Despite placing considerable onus upon the private sector to assist, the IT industry seems to be guardedly welcoming the debate which is about to commence. The original and rejected Cybercrimes and Cybersecurity Bill was tabled in Parliament last February.
The main comment circulating seems to be that this later version is more specific than its earlier counterpart, provides more clarity and has less weight placed upon tedious operational management factors in state structures designed to fight cybercrime.
The Bill is the product of the Department of Justice and Constitutional Affairs (DoJ) and, from what has been said, Deputy Minister John Jeffery seems to be the state official still running with the legislation. He said at a media briefing some months ago, “This Bill will give the State the tools to halt cybercrimes and trained teams to bring to book those who use data as a tool for their crime.”
Originally, when the Bill was tabled in 2015, it caused a storm of controversy. Whilst its objectives to catch criminals and stop the growing invasion of institutional attacks were understood, unintended consequences for the media were not foreseen. The new Bill acknowledges that journalists and whistle-blowers have protection under the Protected Disclosures Act.
However, it has been suggested in hearings that the somewhat draconian powers of seizure of data granted to the authorities will no doubt still worry many service providers, insofar as interlocking the proposals with the Protection of Personal Information (POPI) Act and the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) is concerned.
However, the Minister and other ministerial portfolios concerned appear to have weighed their decision against the growing threat of international cybercrime and have continued to call for service providers to assist with the issue caused by a late start.
SA under limelight
Some IT forensic reports indicate that sub-Saharan Africa has the third highest exposure to incidents of cyber fraud in the world. Those who published this also claim that incidences of cybercrimes and cybersecurity breaches are escalating globally at 64%, with more security incidents reported in 2015 than 2014 for South Africa.
South Africa is known to be a specific target for cybercrime involving unlawful acquisition of sensitive data relating to clients and/or business operations due to a very high reliance on internet connections by commerce. Large data storage packages proliferate in SA, it is suggested, ranging from the JSE to the banking sector.
ATMs, bank transfers
In the case again of South Africa as part of sub-Saharan Africa, wire transfer fraud accounts for 26 percent of cybercrimes, far ahead of the global average of 14 percent, with South Africans being defrauded of more than R2.2bn each year, it is estimated.
Banking and financial institutions in South Africa, it is noted in the preamble to the Bill, are particularly exposed, the Reserve Bank having stated back in 2016, “It would be remiss of us in our duty if we ignored the growing risks emerging from the financial services sector’s increasing reliance on cyberspace and the Internet.”
The Bill now before Parliament criminalises unlawful and intentional conduct regarding data, data messages, computer systems and programs, networks and passwords and creates as crimes “cyber fraud, cyber forgery and cyber uttering”.
It criminalises malicious communications – namely messages that result in harm to person or property, such as revenge porn or cyber bullying. The police are given extensive investigation, search and seizure powers in the Bill, and an array of penalties applies, including fines and imprisonment and various penalties prescribed in terms of the Criminal Procedure Act, 1977.
No FICA-type warrants.
It is notable that cybercrime powers of search and arrest remain with SAPS and not with any specific structure or system set up by the new Bill to monitor instances of cybercrime or detect suspicious data attacks.
There remain, however, quite onerous obligations on electronic communications service providers and financial institutions, not only to assist in investigations of cybercrimes but also to report instances of cybercrime. A “framework of mutual co-operation between foreign states” is established in respect of international investigation and the prosecution of cybercrime.
Crime fighting structures
The Cybercrimes and Cybersecurity Bill also establishes a Computer Security Incident Response Team, as did its predecessor, to establish contact with the private sector alongside the already functional Cyber Security Hub responsible to the Minister of Telecommunications and Postal Service.
Finally, on structures, the Minister of Defence is to establish and operate a Cyber Command and appoint a General Officer Commanding.
The Bill also provides for the declaration of what is termed “critical information infrastructure possessed” by financial institutions – for example, databases upon which an attack could possibly represent a national threat. Debate will no doubt flow around who should and should not report, and upon what exactly.
The crimes defined
For the technically minded, in terms of the Bill the following activities are criminalised: unlawful securing of access to data, a computer programme, a computer data storage medium or a computer system; unlawful acquisition of data; unlawful acts in respect of software or hardware tools; unlawful interference with data or a computer programme; unlawful interference with a computer data storage medium or computer system; unlawful acquisition, possession, provision, receipt or use of passwords, access codes or similar data or devices.
Also included are cyber fraud; cyber forgery and uttering; cyber extortion and certain aggravating offences; attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding or procuring to commit an offence; theft of incorporeal properties; unlawful broadcast or distribution of data messages which incite damage to property or violence; unlawful broadcast or distribution of data messages which are harmful; unlawful broadcast or distribution of data messages of an intimate image without consent.
The Bill imposes a list of penalties and allows for imprisonment for up to 15 years for cybercrimes. The maximum fine that may be levied for failing to timeously report an incident or failing to preserve information is now capped at R50,000, far less than the extraordinarily high penalties for non-disclosure levied in the initial version of the Bill.
The search and seizure powers granted in terms of the new Bill “do not represent increasing the state’s surveillance powers”, Deputy Minister John Jeffery said. “But if the State cannot seize evidential material to adduce as evidence, it will be impossible to prove the guilt of an accused person.”
Any hearings will obviously focus mainly upon the onuses and impositions placed by the Bill upon electronic communications service providers, known by the acronym “ECSPs” in the Bill, and upon financial institutions. A date for further parliamentary briefings by DoJ has yet to be scheduled.