On 24 May 2018, the news broke that a data leak exposed the personal records of almost a million South Africans. This is not the first time. In October 2017, the biggest data breach in the country’s history occurred with the “Master Deeds” breach which affected almost the entire population, again exposing sensitive information such as ID numbers.
The probable consequence? Identity theft. A crime in terms of our common law that leads to billions of rands being lost from our economy through scams every year. It is not a guarantee that being one of the millions affected will automatically make you a victim of identity theft, but most people only realise that they are when it’s too late.
The options of what can be done with personal information such as your ID number and passwords, are endless – the one more frightening than the next. Most people only realise that they are a victim when they receive a letter of demand for debt that they did not sign up for or when they find out from Home Affairs that they are married to a person they have never met before. It sounds ridiculous, but it happens – daily.
Today, with 21-million internet users countrywide, South Africans are more exposed than ever to internet crime. We do everything over the internet: our work, our personal and social lives, our baking and even interact with institutions such as Home Affairs and South African State Security Agency (Sassa). There is not a single aspect of our lives that is not exposed to the internet and therefore not a single aspect of our lives that remains private or inaccessible. It’s a terrifying thought.
To prevent the loss of billions of rands and to protect the public, banks, private companies and even certain state-owned enterprises (although not close to all of them) spend millions in own revenue to privately secure their systems against such attacks and fraud. Most of them really try all they can. Despite this, they still get hacked.
Similarly, South African municipalities have lost a fortune to internet fraud. This is money that should go to delivering services to citizens and unlike the private sector most of them can hardly afford any cyber security.
For its part, the South African government had three basic things to do in an attempt to prevent some of this: come up with a proper cyber security strategy, fix our laws and put resources behind it.
As a starting point, it had the perfect guide for doing this in the Budapest convention and its protocols, but after a delay of more than 16 years since signing it, it still does not want to ratify the document to make this international treaty binding on us in terms of the global community. The official reason for this: it’s a European Union instrument.
It then tabled a bill in Parliament that deals with internet crimes. Round one was in 2015. They withdrew it. Then they tabled a second and improved but nowhere near perfect version in 2017 and this law too has still not been passed. Its aim, like the Budapest convention, is to define the highly technical crimes related to cyber security.
It is also doubtful whether this piece of legislation will make it through the National Council of Provinces (NCOP) before the general election, thereby postponing it until at least 2020 and delaying it for another year or two.
What protection is there then for victims under our current law? Common theft, identity theft, fraud… these remain crimes in terms of the South African law and have been for quite some time already. However, the technical nature of the investigation and the crime itself does not make it as simple a set of offences to deal with.
The Minister of Police, Bheki Cele, last month in response to a parliamentary question indicated that the Hawks unit on cyber crime – the only unit in South African Police Service (SAPS) with the specialised ability to investigate these crimes – has an annual budget of R9-million.
Of this, R7.6-million is capital assets, just over R1-million is for goods and services and a total amount of R800,000 is reserved for salaries. This salary can probably pay a single brigadier as its only permanent staff member, having to deal with all specialised crimes related to cyber. This does not seem all that accurate a reflection of its true capacity, but be that as it may, the support given to this unit is most certainly not sufficient.
Naturally, one has to have a lot of respect for those within unit – there is no doubt that they work day and night with a case load that increases exponentially every year. This is not how SAPS should treat dedicated expertise if it wants to retain it, especially in a field where expertise is a rare commodity.
Furthermore, the serious lack of resources given to this unit towards building the capacity to properly deal with these crimes does not only make it literally impossible for it to deal as quickly with the case load as should be the case, but it shows a disregard for the South African public, its privacy and security.
SAPS has since indicated that it aims to train a few of its members to handle the basics of investigations, which would be a welcome development if they can see this through. However, according to the Minister of Police, if it wants to capacitate the Hawks unit to the extent that it aims to, it will need an additional R20.2-million annually for the salaries alone. Indications are that this amount is a very conservative calculation.
Even so, SAPS does not yet have a cent of this money. It has confirmed its intention to request National Treasury for a grant, but a year before a general election it is highly unlikely that the ANC will channel that kind of money in that direction to prevent crimes that can’t be seen whilst there are food parcels to be handed out and a decent portion of schools, municipalities and health care facilities under their jurisdiction that need the customary pre-election patching up instead.
On a positive note, as recently as June 2017 the Special Investigations Unit (SIU) signed a memorandum of understanding with France to collaborate on capacity building in terms of cyber crimes. This, albeit late, should be welcomed. The unfortunate thing is that in terms of the SIU Act, this unit does not embark on investigations without a promulgation by the President. It is therefore no replacement for a properly capacitated unit within SAPS itself.
These cyber crimes, and much worse than the government cares to admit, has happened and could happen on a daily basis. Where it hasn’t happened yet, I can guarantee you that there is someone out there with the ability to make it happen. It is a serious situation, which has been largely ignored because neither the crime nor its immediate consequences can be seen.
More importantly though, is that in the 21st Century cyber technology poses a serious and urgent treat to our rights to freedom, security and privacy. Why has our government then done so little to limit the damage since 2001 and why has it continued to do so little to change this in the new Budget?
One thing is clear: the capacity to firstly prevent, but also to investigate and effectively prosecute cyber crimes should be a priority for any government that really cares about the security and rights of its citizens and we should no longer put up with the ANC’s blatant disregard for this. DM
George Michalakis MP is DA NCOP Member on Defence and Military Veterans