19 February 2015

Securocrats serious about cyberwarfare

Shortly after 9/11, the South African government introduced measures to fight terrorism in the country, including a Bill allowing the monitoring and interception of communications. It became the Regulation of Interception of Communications and Provision of Communication-Related Information Act (Rica) of 2002. It replaced the Interception and Monitoring Prohibition Act of 1992, which did not deal adequately with technological advances.

Rica regulates interception of communications, including internet traffic, making it illegal for communications to be intercepted except according to the Act. This provides for a designated judge to issue interception directions requested by the defence force, intelligence services or police, on crime-related or national security grounds. Interception directions are undertaken by the Office of Interception Centres (OIC).

The Act requires all communications networks to be capable of surveillance. It places the obligation on all service providers to assist the state in monitoring and intercepting communications. It obliges service providers to store communication-related information at their own expense. All cellphone users must register their SIM cards and provide proof of residential address and identity numbers.

The Act forbids the interception of local communications without a judge’s permission. Such orders can only be issued if there are reasonable grounds to believe a serious offence has been, is being or will probably be committed, that there is an actual or potential threat to public health or safety, national security or compelling national economic interests.

The interception centres carrying out these orders report to the minister of state security and Parliament’s joint standing committee on intelligence. The designated judge also provides the committee with an annual report, which becomes publicly available when the committee’s report is released. Furthermore, intelligence activities are certified as being constitutionally and legally compliant by the inspector general of intelligence, who reports to Parliament. The combination of executive, legislative and parliamentary oversight places checks and balances on the state’s monitoring and interception capabilities.

But, argues Privacy International, the grounds for issuing interception directions are too vague: the judge merely needs to be satisfied there are reasonable grounds to believe an offence has been, is being or will be committed. This may not be constitutional: it allows law enforcement officers to speculate.

There is no provision in the Act for people whose communications have been intercepted to be informed once the investigation is completed, or if the judge turns down the application for an interception.

Other democracies have established independent commissions to oversee all monitoring and interception activities. They undertake full, public reporting processes. In South Africa, parliamentary reports are written by the judge who took the decisions, which is not healthy. The Act also fails to recognise the right of journalists to protect their sources.

A key flaw in South Africa’s law is lack of public oversight. The public is provided with too little information to monitor whether the Act is achieving its intended results: to fight off genuine threats to national security.

Whereas 826 interception orders were granted between 2006 and 2010, in a report to the joint standing committee, the director of the OIC reported about three million interceptions undertaken in the past three and a half years. This implies that each interception involves many intercepts, suggesting that the scope of these interception orders is broad.

The joint standing committee on intelligence report was damning about levels of disorganisation in the security services. It also raised concern that the provision for emergency interception of communication measures in Rica could have been abused.

A total of 3 217 emergency interceptions were undertaken over 19 months in 2010 and 2011. In these, authorities intercepted communications without a judge’s permission: the interception was urgent, and the judge was informed retrospectively. Significantly, the number of emergency directions is larger than the number of interception directions applied for, which raises the question of whether these interceptions were justified in all cases, or whether the emergency interception provision in Rica is being abused to short-cut the process of applying for a direction. The lack of information about these figures makes it impossible to answer this question definitively.

The lack of transparency meant the system could be abused. In 2010, Sunday Times journalist Mzilikazi wa Afrika had his phone calls intercepted by the Hawks and was arrested for fraud and defeating the ends of justice because he had in his possession a fax allegedly written by Mpumalanga Premier David Mabuza. Given the flimsiness of the case against Wa Afrika, it is impossible not to conclude that police, with a vested interest in shielding Mpumalanga’s leadership, cooked up a case to intimidate Wa Afrika as a journalist.

Later it emerged that intelligence officers duped the judge into signing an order to tap the phones of the then police commissioner general, Bheki Cele, as well as Wa Afrika and another Sunday Times journalist, Stephan Hofstätter, both reporting on a controversial lease deal in which the general was implicated. According to court papers, intelligence officers lied about who the cellphone numbers in the application belonged to.

Significantly, the Act does not cover intelligence from foreign signals, or intelligence derived from communication from outside South Africa, whether it passes through or ends in the country. These signals can be intercepted without a direction. This legal lacuna has been criticised for creating space for violating the right to privacy on national security grounds. Because much internet traffic comes from outside the country, interception of information can take place without judicial oversight; it is open to abuse.

The National Communications Centre (NCC) has bulk monitoring capacity. In the investigation by the then inspector general of intelligence, Zolile Ngcakani, into the National Intelligence Agency surveillance of businessman Saki Macozoma in 2005, it was found that the NCC’s bulk-scanning facilities had been used to keep at least 13 South African politicians, businesspeople and officials in the public service under surveillance – in spite of the fact that the NCC was meant to confine itself to surveillance of foreign signals.

Secrecy prevents exposure of the extent of South Africa’s surveillance capacity. Yet the available information suggests local bulk-monitoring capacity exists; the government actively supports its development. WikiLeaks has identified two South African-based companies, Vastech and Seartech, involved in the production of mass-surveillance technology.

Vastech, established in 1999, manufactures equipment to enable the interception of phone calls and internet traffic on a massive scale. Its equipment was uncovered in listening rooms in Egypt and Libya after their governments fell. Vastech’s Zebra Strategic Network Monitoring system allows for “massive passive solutions for law enforcement”.

Vastech says its operations are legal and that it would not sell its technology to any country that was the target of international sanctions. Yet Privacy International has asked the government to investigate the legality of Vastech’s activities in Libya.

Privacy International also found that the South African government, through the department of trade and industry, has provided funding to Vastech, in spite of the fact that the company could not by any stretch of the imagination be considered to be in a development phase and thus eligible for government support.

According to 2012’s Defence Review, the military needs to defend critical infrastructure and protect information and intellectual property as a strategic resource.

It needs to defend command-and-control systems and frustrate the ability of opposing forces to exploit the electromagnetic spectrum for warfare purposes.

The review argued for information warfare capabilities to be developed to defend information systems; its recommendations went beyond defence into developing an offensive military capability in cyberspace to contribute to information superiority. These recommendations included developing the military’s capability to disrupt, destroy, deny and exploit communication assets of the opposing force. To achieve this, the review panel proposed establishing an information warfare centre.

These developments strongly suggest that South Africa is serious about developing its cyberwarfare capabilities and is willing to put copious resources into this effort, in spite of dubious reasons for doing so.

Jane Duncan is a professor in the department of journalism, film and television at the University of Johannesburg. This is an edited extract from her new book The Rise of the Securocrats: The Case of South Africa, published by Jacana Media.