South Africa must pay more attention to cybercrime – 14 January 2014
Efforts such as the South African Police Service’s (SAPS) recent ‘Safer Festive Season’ campaign may have increased public awareness of threats such as armed robberies and cash-in-transit heists, but how many South Africans considered their vulnerability to cybercrime during the recent holiday season?
Internet penetration in the country is rapidly increasing. According to recent reports, the City of Tshwane intends to provide free Internet access to residents so that ‘every household, every street and every corner’ has Wi-Fi connectivity. Across South Africa, the use of mobile devices with Internet access has grown exponentially. People are using the Internet to engage in social and political activity, access government services, purchase goods and services and also to conduct financial transactions. According to a research survey conducted by First National Bank and Rand Merchant Bank’s eBucks rewards programme, more South Africans would have purchased holiday gifts online during this festive season than during previous years.
While the increased reliance on the Internet offers many benefits, it also provides new opportunities for criminals to exploit cyber-security vulnerabilities. This has become a significant problem in South Africa. The US Federal Bureau of Investigation (FBI) listed South Africa as the sixth most active cybercrime country in the world, and informal consensus places it third behind Russia and China. At one cyber-security forum last year, information security consultant Beza Belayneh noted that cybercrime in South Africa is a crisis that the government should respond to in the same way that it has responded to the HIV and AIDS pandemic.
A recent study by Wolfpack Information Risk found South Africa’s annual loss resulting from cybercrime in three sectors to be R2.65 billion. While comprehensive statistics are not currently available, examples of recent high-profile incidents confirm that cybercrime is a growing and significant problem in South Africa. For example, a criminal syndicate reportedly used malware known as ‘Dexter’ to attack a wide range of local retailers and steal tens of millions of rands. The malware was used to intercept payment details from point-of-sale terminals and create fraudulent duplicate cards.
Given the current threat landscape, South African policymakers should develop a cogent and multilayered response to cybercrime. Such a response begins with the government allocating clear cyber-security roles and responsibilities to particular entities. The Cabinet took a step in that direction by approving the Cyber Security Policy Framework on 11 March 2012, which identifies areas of responsibility for governmental departments and tasks the State Security Agency with overall accountability for the development and implementation of cyber-security measures.
To facilitate collaboration and the sharing of cyber threat information in real time, it is essential to have 24/7 cyber-watch centres. While South Africa has yet to establish a government-sponsored watch centre, local banks have funded the South Africa Banking Risk Information Centre (SABRIC) to track and respond to cybercrime in the banking sector.
South Africa should also develop robust Computer Emergency Readiness Teams (CERTs) to respond to cyber incidents, provide technical assistance to hacked businesses and disseminate timely notifications regarding current and potential threats. Currently, the Computer Security Incident Response Team (CSIRT) only offers limited assistance on cyber-security issues to government entities.
To keep up with evolving and sophisticated cybercrime threats, law enforcement, prosecutors and public sector cyber professionals must receive training on current trends and techniques. Such training should be augmented by the establishment of a cyber-security curriculum in the education system. The University of Johannesburg has partnered with the Academy of Computer Science and Software Engineering to create the Centre of Excellence in Cyber Security, the first such facility in Africa dedicated to fighting cybercrime. This centre, which should be replicated around the country, now offers a certificate in cyber-security.
Raising public awareness is equally critical and can serve as a powerful frontline defence. South Africa has developed a patchwork of awareness campaigns, funded by both the public and private sector. For example, the Wireless Access Providers’ Association, the Council for Scientific and Industrial Research, the University of Fort Hare, the Nelson Mandela Metropolitan University and the University of Pretoria have all developed campaigns to educate the public on cybercrime threats. Policymakers should fund robust multimedia public awareness campaigns, especially during critical periods such as the festive season.
Cybercrime laws should also be updated and strengthened. As the nature of criminality evolves, so too should the laws. For example, South Africa recently enacted the Protection of Personal Information (POPI) law, which places stringent requirements on local entities that hold personal information of citizens. POPI also seeks to crack down on unsolicited electronic direct marketing, a tactic that is often used in phishing scams.
While South Africa’s laws should address its unique challenges, they should also be harmonised with the laws of other countries. The African Union (AU) has proposed a Convention on Cyber Security, which is to be voted on in January 2014. This Convention would focus on areas such as defining key cyber terminologies in legislation; developing principles and provisions related to cyber legislation; and harmonising cyber legislation and provisions for the AU.
As many South Africans build higher walls, gates and electric fences to prevent crimes in the physical world, they should not lose sight of their growing vulnerability in the virtual world. While there is no silver bullet to prevent cybercrime, South Africa should continue to pursue a multilayered and collaborative approach to counter cybercrime.
Eric Tamarkin, ISS consultant