First published by ISS Today

A new law brings South Africa up to international standards for fighting cybercrime. With a global spike in internet-based offences, partly driven by more people working from home due to the Covid-19 pandemic, it couldn’t come soon enough. 

The country’s well-developed financial infrastructure makes it an attractive target for cybercriminals who use the internet for extortion, fraud, child pornography, human trafficking and selling illicit goods.

Advocate Doctor Mashabane describes South Africa’s Cybercrimes Act as “a groundbreaking and decisive step in the country’s cyber governance and policy space.” Mashabane is director-general in the Department of Justice and Constitutional Development and South Africa’s former Cyber Envoy to the United Nations.

Together with the Protection of Personal Information (Popi) Act 2020, which will be in full effect after 30 June 2021, the new cyber law is a key part of South Africa’s armoury in the fight against cybercrime.

At the act’s core are the offences that constitute cybercrimes. Until now, the absence of a clear definition has hampered investigations and prosecutions of internet-based crimes, with authorities having to rely on the Criminal Procedure Act.

In summary, cybercrime is now defined as including, but not limited to, acts such as: the unlawful access to a computer or device such as a USB drive or an external hard drive; the illegal interception of data; the unlawful acquisition, possession, receipt or use of a password; and forgery, fraud and extortion online. Malicious communications are also criminalised. 

The act also sets out the scope and mechanisms by which investigators can search and seize computer hardware, software and other items such as USB keys or storage devices. It describes how the South African authorities should conduct international investigations and how evidence must be collected, shared and preserved for future prosecutions. 

Cybercrime often transcends borders, so the legislation details how states should cooperate and share information through mutual assistance. In urgent cases, it appears that the law allows officials from another country to apply directly to a South African judge to request cooperation. Some lawyers have indicated privately to the Institute for Security Studies that this could prove controversial if it’s interpreted as a breach of South Africa’s sovereignty. 

The major challenge now is the rapid and decisive implementation of the act. Despite some committed police officers who have championed the cybercrime issue and tried to secure more resources, the South African Police Service’s knowledge, experience and staffing are in short supply. That matters because under the act the police are responsible for setting up a 24/7 point of contact for all cybercrime reporting. 

They will have just a year to establish such a facility once the legislation enters into force. The act puts the SAPS firmly in the driving seat for coordinating both domestic investigations and international requests for cooperation and help. Plugging the capacity gap may well require support from international donors working through Interpol and the private sector in the form of resources, mentoring and knowledge transfer. 

The Cybercrimes Act and the Popi Act are closely connected. The latter underscores data privacy. Balancing security, privacy and personal freedom when swift investigations are needed for cybercrimes may result in legal challenges. These could test the limits of investigative powers and what information prosecutors and judges can access. This has been raised by defence lawyers in other prominent cybersecurity cases internationally.

Organisations that are hacked may not report the crime if it emerges that they failed to take precautions (such as regular software updates). This breach could expose them to sanction under the Popi Act, which obliges companies and other organisations to protect personal data. Although the two laws are meant to complement each other, there may well be conflicts.

Regarding transparency, investigators need access to what is often highly sensitive information to understand the value chain of cybercrime and what experts call the ‘cyber kill chain’ or modus operandi. 

Currently, encouraging entities to disclose their cyber vulnerabilities to police is fraught with mistrust. Indeed it was one of the reasons that cybersecurity references were removed from the original bill. Under the Cybercrimes Act, organisations that are hacked will have to cooperate with investigations and assist in preserving data and providing access.

Policymakers will also have to manage tensions between the law and politics if a foreign state is suspected of committing or commissioning a cyber attack. Although some consider South Africa’s history of non-alignment a form of protection, many countries suffer collateral damage in large-scale incidents such as the December 2020 SolarWinds attack. 

Experience from other countries such as the United Kingdom shows that in addition to police and prosecutors, other stakeholders (such as diplomats and government ministers) claim an interest when foreign states are suspected of being involved. This makes swift prosecution-guided investigations highly complex and sometimes politically sensitive. 

Electronic service providers such as internet companies will have to report cyber attacks within 72 hours, facing a stiff penalty if they don’t. With so much commerce now conducted using the internet, other businesses with online offerings such as retail or financial services may by captured by the dragnet of reporting obligations. 

Many of these problems aren’t unique to South Africa. Other countries such as Zambia are scrambling to get cyber legislation into their statute books and will no doubt face similar challenges. 

Mashabane says the act will further “bolster our engagement at diplomatic and multilateral platforms with a view to developing a global framework on cybercrimes and cybersecurity.” South Africa is already a key player internationally, sitting on numerous UN forums that are considering how best to govern cyberspace. 

International tensions between balancing security and freedom of speech could make achieving that goal an ambitious challenge. By enacting new domestic legislation, South Africa sends an important signal to the world of its commitment. DM

Karen Allen, Senior Research Adviser, Emerging Threats in Africa, ISS Pretoria.