Cybercrimes and Cybersecurity Bill ("Bill")
There is little argument that cybercrimes have increased significantly in recent years and that the necessity for legislation addressing cybercrime and establishing cybersecurity functions is long overdue in South Africa. As long ago as 2002, in addressing the public hearings relating to the ECT Act, representations to government were made in this regard. Government chose to ignore these.
While disappointing, it is also inarguable that to date government has failed dismally in its role of leadership relating to cybersecurity and that the inertia that has characterised its policy making in respect of our information society and information economy has been damaging to the aspirations of South Africans. I will not burden this article with the many examples of government’s failure in this regard.
The Cybercrimes and Cybersecurity Bill published for comment some months ago and distributed to readers of Privacy Online publications (in respect of which public comment has now closed) highlights many concerns arising from the Bill in its current form. The comment and objections that I have seen generally indicate that the very wide drafting of the Bill is unacceptable and will probably lead to greater confusion in respect of cybercrimes than is currently the case. A further objection that is loudly made is that the appropriation to law enforcement and national security (The Security Cluster being the proud parents of the Bill) without appropriate protections is completely unacceptable. In this article I briefly highlight objections that have been raised and refer you to comment made by various parties who have provided permission for me to link these comments for your consideration.
The comment provided by myself, Professor Basie von Solms, the Open Democracy Advice Centre and the Open Web Application Security Project can be viewed at:
• Mark Heyink Preface to comment and Commentary on the Bill
• Professor Basie von Solms comment on the Bill
• Open Democracy Advice Centre (ODAC) comment on the Bill
• Open Web Application Security Project (OWASP) comment on the Bill
Lack of consultation
From the outset I have indicated that there has been an improper lack of consultation relating to these very important proposals for law. The Department of Justice and Constitutional Development have been instructed by the Security Cluster to draft the Bill and it is patently apparent little consideration has been given to the constitutional rights of citizens, the realities of information security and the capacity and competence within government to properly implement the legislation. The Bill also conveniently ignores cybersecurity conventions, to which South Africa is a signatory, and the importance of the protection of the constitutional right of privacy.
The lack of organisation and clear thought relating to the drafting of the Bill and consultation with interested parties is highlighted by the fact that the National Cybersecurity Policy Framework, defining government policy which informs the Bill, only became available halfway through the period for comment. The draft National Critical Information Infrastructure Policy, which is also important in considering the Bill, has not yet been provided despite a request. The National Cybersecurity Implementation Plan remains classified. The covert manner in which the National Cybersecurity Policy Framework and the Bill are being dealt with can only lead to suspicion and runs contrary to government’s much vaunted commitment to transparency and consultation. The same issues that gave rise to objections to eTolls due to the failure of government agencies to engage with citizens properly are magnified in the case of this Bill.
In addition, while government assumes a leadership role which, leaving aside its abdication of its responsibility up to now, is correct, it essentially excludes the private sector from any decision-making processes relating to cybersecurity in South Africa. In view of the highly questionable capacity and competence within government to give effect to the Bill’s provisions, this attitude has to be brought into question.
Co-operation between the public and private sector
In its current form the Bill does not address the necessity for public/private partnerships being developed as alluded to in the National Cybersecurity Policy Framework. Rather, it provides for a dictatorial approach in which government, having patently failed in its leadership role over at least the last 15 years in this regard, prescribes information security provisions. A demonstration of the failure to properly address information security within government is aptly provided by the fact that the minimum information security standards which apply to government entities remain unaltered despite being published almost 20 years ago in 1996. Thus the significant shifts in technologies and their application within government have simply been ignored by government, which only serves to highlight its proven record of incompetence in this regard.
This aside, what the Bill fails to take into consideration is the appreciation that information security is a well-established and globally recognised discipline. One of its tenets is to seek appropriate security in particular areas. While it is not clear how government will deal with these issues, given the capacity constraints that it currently experiences, it seems as though a “one size fits all” approach may be adopted. This approach will be a fatal flaw and will simply create far more problems than solutions to cybersecurity vulnerabilities and threats.
It is sadly ironic that despite being the supposed custodian of the Protection of Personal Information Act, the Department of Justice and Constitutional Development is a party to the drafting of a Bill which not only ignores the importance of the constitutional right of privacy but actively undermines it. The effect is to give to law enforcement and national security agencies access to information to which they have no right in terms of our Constitution. If the Bill were to be enacted in its current form it would pave the way to allowing a tyrannical regime not unlike that established in Nazi Germany prior to the Second World War. An illustration of how the perpetuation of the control of information was used to oppress citizens is well documented in the manner in which the Stasi in East Germany used citizens’ information without restraint between the Second World War and the fall of the Berlin Wall.
Are South Africans willing to give up this democratic freedom which many fought so hard to establish and have enshrined in our Constitution?
It is also clear that the drafting allows for the hard-fought amendments to the Protection of State Information Bill (The Secrecy Bill) to be reinstated without being subject to the protections that have been negotiated. These developments are clearly unacceptable in an open democracy.
Cybercrime needs to be combatted. Cybersecurity capacity needs to be established and maintained. Equally the constitutional freedoms of South Africans need to be protected.
The Bill as it stands does not protect our freedoms, does not establish the mechanisms necessary to fight cybercrime and by ignoring the realities of the 21st century world, will, without question, be detrimental to South Africa’s ability to combat cybercrime and South African citizens’ ability to protect themselves from the perpetrators of cybercrime.
Every right-minded South African should oppose the offending provisions of this Bill. The only way to remedy its deficiencies is to scrap it in its entirety and to redraft the Bill with proper consultation, consideration for the critically important role that the private sector plays in cybersecurity and ensuring that the balance between the rights of law enforcement and national security and that of privacy of South Africans is appropriately established.
©Mark Heyink 2015