Cybersecurity: The spooks, the worms and the net
At a recent breakfast briefing on cybersecurity hosted by Neotel and the Mail & Guardian, information security consultant Beza Belayneh referred to cybercrime in South Africa as a "crisis", and called on the government to make it a national security concern.
He said the state needs to respond to cybercrime to prevent loss of life in the same way that it responded to the HIV and Aids pandemic. Cybercrime is a problem, but to equate it with HIV and Aids is inappropriate and insensitive. It has not and will not lead to loss of life at the levels caused by Aids. In fact, according to cyberwarfare expert and academic Thomas Rid, no recorded cyber attack has led to loss of life, injury or damage to a building.
Other comments made at the breakfast also require examination. Siyabonga Cwele, the minister of state security, commented on South Africa's vulnerability to cyber-terrorism and cyberwarfare.
But the main cybersecurity threats in South Africa are not related to national security at all: they are criminal and, more specifically, related to fraud. Phishing is the most common form of attack, with the distribution of malware, such as worms, being the second-biggest problem.
So then why are the spooks needed to fight the worms? While there is no denying that cybercrime is a terribly serious issue, there are unexamined implications for users' internet rights if we simply accept that this criminal matter is so grave that it should be escalated to the level of a threat to national security, and that therefore the department of state security should become the lead agency on cybersecurity matters.
The best defences against cybercrime are technical and social in nature. The fight against phishing requires the widespread use of anti-spam software and user education; this encourages users to change their behaviour and not provide sensitive information to criminals.
Such threats can be dealt with effectively through an information policy that protects information systems from unauthorised access, use, disclosure, disruption and/or destruction, rather than through a national-security policy.
Cybersecurity policy framework
Yet it appears that the problem has already been escalated to a national-security threat – the government's cybersecurity policy framework has been transferred from the department of communications to that of state security. The framework is due for release in August, although no public comment has been sought on it. This should sound warning bells.
Many of the statements made at the breakfast are typical of the sort of hyperventilations elsewhere (especially in the United States) that create public panic and pave the way for policy overreactions that securitise and militarise cyberspace.
These overreactions often lead to emergency measures that erode civil liberties – especially privacy and rights to freedom of expression and association – and such erosions soon become normalised as permanent ways of life.
In the words of Brunel University's Mark Neocleous: "Whatever example we use, the pattern is the same: an 'emergency' occurs in which 'security' is threatened; existing emergency powers are exercised and new ones put into place; these are then gradually 'stretched' beyond their original scope; this stretching is gradually justified and legitimised, until the police and security forces are exercising the powers way beyond their original context, to the extent that they become part of the everyday functioning of the rule of law: the emergency becomes permanent, the exceptional becomes the rule, and the sun fails to set on the sunset clauses."
A nexus has developed in other countries between the security industry and governments. The former hypes cybersecurity threats to ensure larger government budgets and hence more expenditure on consultancies, while governments hype them to increase internet controls.
Cwele's warnings about the country's vulnerability to cyberterrorism overrate the threat. It is difficult to mount a cyber attack that threatens critical national infrastructure, and their outcomes remain unclear; as a result, terrorists have stuck largely to physical attacks of the analogue variety.
In attempting to justify increasing their powers over the internet, governments often refer to the cyber attacks on Estonia in 2007 and Georgia in 2008, when the countries' major institutions were subjected to distributed denial-of-service attacks. The Russian government was accused of being behind the attacks, but investigations traced them to Russian "hacktivists" and criminal botnets.
A scientist at the Nato Co-operative Cyber Defence Centre of Excellence has stated that the immediate impacts of the attacks were minimal to nonexistent, and that no critical services were permanently affected. Yet cybersecurity policies continue to be developed based on dread risks or worst-case scenarios that will probably never occur as feared, leading to misallocations of public resources.
The one cyber attack that came closest to cyberwarfare, although it didn't fulfil all the criteria, was launched by the government that has been shouting the loudest about the threat of cyber warfare – the US.
Soon after taking office, President Barack Obama ordered a cyber attack to disable Iran's nuclear systems, using the Stuxnet worm developed by the US and Israel. But such attacks are highly resource-intensive, making them relatively unpopular warfare choices.
South Africans need to be particularly vigilant when examining whether cybercrime should be securitised. National-security offences are generally punished much more harshly than ordinary crimes, and the state security organs are particularly secretive, making them even more susceptible to abuse.
Furthermore, South Africa has a broad definition of national security, drawn from human-security conceptions of national security. The evidence is that this definition has allowed intelligence agencies to become, effectively, state watchdogs over society, leading to inappropriate interventions in aspects of the country's politics. Fears that new state powers over the internet may be abused are not unjustified.
It is instructive to look at the government's previous efforts to regulate communications networks on national-security grounds.
The 2002 Regulation of Interception of Communications and Provision of Communication-related Information Act was one of a basket of laws passed after the 9/11 attacks on the US. It allows intelligence agencies to intercept communications, including internet traffic, providing they have a warrant from a judge (an "interception direction", in the language of the Act).
Last week, however, several organisations released a set of international principles on the application of human rights to communications surveillance. The Act falls short of many of these principles. For instance, it forbids the establishment of networks that are not capable of surveillance. This means that users cannot hold a single phone conversation or send a single email without the expectation of it being intercepted.
Apart from the implications for users' rights to privacy and expression, the requirement that network operators build "back doors" into their networks as a matter of course creates network insecurity: these back doors can (and have) been used, not just by the state, but by criminals, to hack into networks.
As a result, the international principles say that "in order to ensure the integrity, security and privacy of communications systems, and in recognition of the fact that compromising security for state purposes almost always compromises security more generally, states should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems".
Even more seriously, there is no provision in the Act for people whose communications have been intercepted to be informed of the warrants, even after the investigations are complete: a crucial safeguard to prevent abuse, as the principles note.
Moreover, the public is provided with too little information to be able to monitor whether the Act is achieving its intended results – information such as the number of warrants that have resulted in convictions.
A recent court case revealed how the Act can be abused to threaten privacy and the right to media freedom. In 2010 crime-intelligence officers duped the designated judge into signing an order to tap the phones of Bheki Cele, then the national police commissioner, and two Sunday Times journalists who were reporting on a controversial lease deal implicating Cele.
Cybersecurity is a relatively new issue for policymakers, but already it has proved susceptible to premature securitisation. Unless overstatements on cybersecurity are challenged, and there is a proper debate backed up by empirical evidence of the source and nature of the threats, control of the internet will, slowly but surely, creep into the hands of the spooks. And that will be the beginning of the end for internet freedom.
Professor Jane Duncan is the Highway Africa chair of Media and Information Society at Rhodes University