With the Personal Information Protection Act 2020 (Popi), which will come into full force after June 30, 2021, South Africa’s new cybercrime law is a key part of the country’s arsenal in the fight against crime. cybercriminality. (Image: Hypnobay on Pixabay (public domain))
Despite significant implementation challenges, the new legislation demonstrates the country’s commitment to global cybersecurity.
First published by The ISS today
A new law brings South Africa up to international cybercrime standards. With a world peak in internet breaches, in part driven by more people working from home due to the Covid-19 pandemic, it couldn’t happen soon enough.
The country’s well-developed financial infrastructure makes it an attractive target for cybercriminals who use the Internet for the purposes of extortion, fraud, child pornography, human trafficking and the sale of illicit goods.
Lawyer Dr Mashabane describes South Africa’s cybercrime law as “a revolutionary and decisive step in the country’s e-governance and political space.” Mashabane is Director General of the Department of Justice and Constitutional Development and former South Africa’s cyber envoy to the United Nations.
Together with the protection of personal information (Popi) Act 2020, which will come into full force after June 30, 2021, the new Cybercrime Law is a key part of South Africa’s arsenal in the fight against cybercrime.
At the heart of the law are offenses that constitute cybercrimes. So far, the lack of a clear definition has hampered the investigation and prosecution of internet crimes, with authorities having to rely on criminal proceedings. Act.
In summary, cybercrime is now defined as including, but not limited to, acts such as: unlawful access to a computer or device such as a USB stick or external hard drive; illegal interception of data; illegal acquisition, possession, receipt or use of a password; and online counterfeiting, fraud and extortion. Malicious communications are also criminalized.
The law also defines the scope and mechanisms by which investigators can search and seize computer hardware, software and other items such as USB drives or storage devices. It describes how South African authorities should conduct international investigations and how evidence should be collected, shared and retained for future prosecutions.
Cybercrime often transcends borders, so legislation details how states should cooperate and share information through mutual assistance. In urgent cases, it appears that the law allows officials from another country to approach a South African judge directly to seek cooperation. Some lawyers have privately told the Institute for Security Studies that it could prove controversial if interpreted as a violation of South Africa’s sovereignty.
The major challenge now is the rapid and decisive implementation of the law. Despite some committed police officers who have championed the issue of cybercrime and tried to secure more resources, the knowledge, experience and staff of the South African Police Service is scarce. This is important because, by law, the police are responsible for establishing a 24/7 point of contact for all cybercrime reports.
They will only have one year to set up such a facility once the legislation comes into force. The law places the SAPS firmly in the driver’s seat of coordinating national investigations and international requests for cooperation and assistance. Closing the capacity gap may well require the support of international donors working through Interpol and the private sector in the form of resources, mentoring and knowledge transfer.
The Cybercrime Law and the Popi Law are closely related. The latter emphasizes the confidentiality of data. Balancing security, privacy, and personal freedom when rapid investigations are needed for cybercrime can lead to legal challenges. These could test the limits of investigative powers and the information that prosecutors and judges can access. This has been raised by defense attorneys in other prominent cybersecurity scholars. case internationally.
Organizations that are hacked may not report the crime if it is found that they did not take precautions (such as regular software updates). This breach could expose them to penalties under the Popi Law, which requires businesses and other organizations to protect personal data. Although the two laws are meant to complement each other, there may well be conflicts.
Regarding transparency, investigators need access to often very sensitive information to understand the cybercrime value chain and what experts call the “cyber kill chain” or the modus operandi.
Currently, there is mistrust in encouraging entities to disclose their cyber vulnerabilities to the police. Indeed, this is one of the reasons that references to cybersecurity were removed from the original bill. Under Cybercrime Law, hacked organizations will have to cooperate with investigations and help preserve data and provide access.
Policymakers will also need to manage the tensions between law and politics if a foreign state is suspected of having committed or ordered a cyber attack. Although some see South Africa’s story of non-alignment as a form of protection, many countries suffer collateral damage in large-scale incidents such as the one in December 2020. Solar winds attack.
Experience from other countries like the UK shows that in addition to police and prosecutors, other stakeholders (such as diplomats and government ministers) claim an interest when foreign states are suspected of be involved. This makes rapid prosecution-driven investigations very complex and sometimes politically sensitive.
Electronic service providers such as internet companies will be required to report cyber attacks within 72 hours, facing a severe penalty if they fail to do so. With so much commerce now carried out via the Internet, other businesses with online offerings such as retail or financial services may be caught in the net of reporting obligations.
Many of these problems are not unique to South Africa. Other countries like Zambia strive to incorporate cyber legislation into their legislation and will undoubtedly face similar challenges.
Mashabane says act will go further “Strengthen our engagement on diplomatic and multilateral platforms with a view to developing a global framework on cybercrime and cybersecurity”. South Africa is already a key player at the international level, sitting on many forum who are thinking about the best way to govern cyberspace.
International tensions between balancing security and freedom of expression could make achieving this goal an ambitious challenge. By enacting new national legislation, South Africa is sending an important signal to the world of its commitment. DM
Karen Allen, Senior Research Advisor, Emerging Threats in Africa, ISS Pretoria.
More about this article: Read More
This notice was published: 2021-06-09 09:41:33