George Michalakis says ANC govt’s cyber security leaves much to be desired
South Africa needs a Cyber Commissioner
15 November 2022
October is cyber security awareness month. In September 2022, cyber defense firm EasyDMARC’s research found that only 51% of South African insurance companies are prepared against phishing, spoofing and spamming attacks. The same survey showed that only 18 of the country’s 38 banks using DMARC’s services have put up defence mechanisms that ward off 100% of phishing attempts.
Kaspersky also found that during the first four months of this year, ransomware attacks in South Africa have doubled compared to 2021. For many years now, South Africa has also had the third highest number of cybercrime victims in the world.
The government, with all the funds and personal information that its departments hold, is no exception. On the contrary – government’s cyber security leaves much to be desired, with the only province investing sensibly in such security currently being the Western Cape.
Recent developments such as the Cybercrimes Act should be welcomed. However, as the DA and others warned during the legislative process: implementation problems render this progress almost worthless. The national cyber security framework was last approved by government more than 10 years ago and for political reasons the government still sides with countries like Russia and China against the ratification of the Budapest Convention.
-->
Why does this matter? Because every day, already struggling South African individuals and businesses see thousands, if not millions, stolen from them at a time. In many instances the municipalities and government institutions don’t even notice that they have been hacked and robbed, and there is no singular plan to deal with any of this.
Government’s cyber security efforts are spread across various government departments, from Science & Innovation to the State Security Agency, Police, Defence, Justice, Communications & Digital technologies and the GCIS. There is simply no way to assess and hold anyone to account for the cyber security framework, or the lack thereof. And it does not get the funding it deserves, because it results in a crime that cannot be seen. How foolish, given it is a crime that can be felt, often severely.
What we need is a single entity accountable to Parliament – rather than individual state departments – that serves as an umbrella agency to coordinate and develop our cyber capabilities and security. This will require not only government support, but close partnerships with the private sector and our universities.
When our constitution was adopted in 1996, cyber technology did not play the role it now does in our daily lives and in the functioning of business and the state. Yet, cyber threats affect our fundamental rights as set out in the Bill of Rights and even the very existence of our constitutional democracy and its critical infrastructure.
-->
The DA therefore proposes through a constitutional amendment to Parliament a Cyber Commissioner as a new chapter 9 institution, which will be accountable not to cabinet, but to Parliament directly. The commissioner will be a qualified cyber security expert, serving one non-renewable term of 7 years. This institution will replace various other entities that are currently funded, but functioning at different levels of efficiency, such as the Information Regulator, SITA and the Cybersecurity Hub. It will also function as an advisory body to the SANDF on matters of cyber warfare and assisting the specialised unit within the Hawks with the necessary cyber forensic expertise that it lacks.
Concerns may be raised around funding of this institution. However, the funding of the entities it will be replacing will make up for a large portion of the required budget. Furthermore, when taking into consideration that cyber threats cost our economy billions of rands a year, a reasonable investment into such an entity will save the country much more than it can possibly cost.
We propose that such a chapter 9 institution should, under the authority of the Cyber Commissioner, exist of five departments: technology & innovation, security, communications, financial & critical infrastructure and information protection. These departments will look like this:
Technology & innovation – to partner with tertiary institutions and will be responsible for training of new experts and the development of South African cyber security technology;
-->
Security – to consist of cyber forensic experts and, in partnership with the private sector, a reservist force should be built up to assist during crises.
Communications – to be responsible for creating public awareness and the cyber hub.
Financial & critical infrastructure – to partner with the private sector, providing advice, issue minimum guidelines and standards for cyber security to specific sectors and formulating incentives for businesses and the public for increased cyber security.
Information protection – to be responsible for ensuring that information – specifically private individuals’ information – in government’s possession, such as at Home Affairs or the Master’s office, schools and hospitals, is safeguarded. It will also take over the interception capabilities of the SSA, which currently already has to apply for a court order in terms of RICA.
-->
Such an institution will not require thousands of civil servants, but rather a core group of experts in the field who can be retained and who can help us build capacity. It will be directly accountable to parliament, but must contribute to our collective security, not compromise it.
These details will be tabled in an enabling Bill before Parliament once the Constitutional amendment is adopted. Furthermore, these proposals should be seen as a framework, which must still be developed further with experts in the field. What we will be tabling before Parliament now, is the establishment of such a Commissioner and the broad framework of its duties. The DA believes there is a real need for our country to have a competent, independent institution on which to build our collective cyber security capabilities.
We therefore invite public submissions on our proposal to establish a Cyber Commissioner in the Constitution, a step that is long overdue for our modern world.
All interested parties are encouraged to make submissions to [email protected] by 9 December 2022.
George Michalakis is a DA MP and the party’s spokesperson on Security and Justice in the National Council of Provinces