A few days ago, President Cyril Ramaphosa announced a package of immediate economic reforms and spending plans in an effort to boost South Africa's sluggish economy. These include, among others, boosting tourism, business travel and agriculture, the allocation and use of high-demand radio spectrum, mining, the township economy and infrastructure projects.
It goes without saying that all these sectors will depend heavily on the use of modern digital technologies. If these technologies are not protected correctly, all the effort and resources spent on these projects will go down the drain. But who will protect our digital infrastructure, Mr President?
The recent News24 report that a single hacker, known as Paladin, successfully attacked and shut down a number of the SA government’s websites has just confirmed our unpreparedness to shield against even mild cyber-attacks.
The world is getting ready
“The newly-launched US cybersecurity strategy calls for an offensive response against any nation that targets the United States,” National Security Adviser John Bolton said earlier this month. He added that the first fully articulated cyber strategy in 15 years aims to protect US information systems, improve resilience in cyberspace, and secure infrastructure. He also believes that the strategy will foster American economic growth.
At the same time, the United Kingdom announced that it will set up a cybersecurity force, comprising up to 2,000 members, to tackle the "threat from Russia" and other actors. The authorities planned to invest some 250 million pounds (over USD 330 million) in creating the cyber force, The Times reported on 21 September 2018.
The United States already has a highly resourced Cyber Command, the Russian Federation has established Kiber Voyska (Cyber Army), Israel has its intelligence Cyber Unit 8200, the People’s Liberation Army has a cyber unit deploying up to 100,000 individuals, the UK has the National Cybersecurity Centre, and many other countries have established dedicated cyber protection units or agencies. Even Facebook has its own War Room for the control of the Internet!
Furthermore, all countries serious about their own cybersecurity have established National Computer Emergency Response Teams (CERTs), which are considered building blocks of an effective strategy for combating cyber threats of any kind.
All this clearly shows that cyberwar is not fiction, but a harsh and dangerous reality!
Who will protect our digital future?
In 2013 South Africa founded the National Cyber Security Advisory Council with the mandate to advise the government on cybersecurity issues. The National Integrated ICT Policy White Paper from 2016 also addresses some aspects of cybersecurity, as does the Protection of Personal Information Act, No 4 of 2013 (POPI Act). Recently, the second draft of the South African Cyber Bill has been tabled in Parliament and is in the process of being enacted.
In order to provide immediate assistance in the wake of an offence, the Cyber Bill provides for the establishment of a point of contact to be available 24 hours a day, 7 days a week. This includes the following teams, which should be able to assist with and facilitate enforcement and compliance issues: Cyber Response Committee, Cyber Security Centre, Government Security Incident Response Teams, National Cybercrime Centre, Cyber Command, Cyber Security Hub, and Private Sector Security Incident Response Teams.
However, the activities of these entities are hardly known to the corporate and wider public – at least those that are not classified. These activities are largely unknown even to researchers who can help in shaping and furthering our cybersecurity strategies and policies.
The National Cybersecurity Hub is, for example, mandated to be the central point of collaboration for cybersecurity incidents. It serves the South African cyber community by providing information and assistance in implementing proactive measures to reduce the risks of computer security incidents, by responding to such incidents, and by organising cybersecurity awareness campaigns.
However, one of the Hub’s members recently admitted, at an official workshop, that the entity is woefully under-resourced. For example, the Hub had resources for conducting only one campaign in the whole of 2017! It is almost insignificant.
Furthermore, although South Africa stipulates in its National Cybersecurity Policy Framework that the national CERT should be the central point of public-private cooperation, South Africa does not have its own CERT. The country is currently only a member of the regional AfricaCERT, situated in Ghana, which encompasses 11 countries. Can AfricaCERT protect South Africa's digital future? Not likely, given the huge shortage of cybersecurity skills in all these countries.
Moreover, private companies cannot be expected to do the government’s job of protecting the country’s digital future. Effective private-public cooperation, however, could help. In that regard, the National Cybersecurity Policy Framework states that the national CERTs should be central points of the public-private cooperation – but there is no such body in South Africa. Hence, the private-public collaboration in the cybersecurity space needed to protect our digital future is yet to be meaningfully achieved.
It is inevitably time to act decisively. As an old Chinese proverb says, “The best time to plant a tree was 20 years ago. The second best time is now”.