Cybercriminals thrive on silence
South Africa is extremely prone to cyberattacks, but with no effective requirement on companies to disclose systems breaches, and few avenues for victims to pursue these crimes, it remains a shadowy threat to the economy.
A recently published cybercrimes and cybersecurity Bill could change that, although the state’s capacity to implement the ambitious proposals outlined in it is already being questioned.
High-profile cybercrimes have been in the headlines repeatedly, most recently with the theft of data, including nude photographs and credit card details, of millions of users of the adultery website Ashley Maddison. The attack was preceded by the devastating hack of Sony Pictures late last year, which the United States government has blamed on North Korea.
Other high-profile cases include the breach of the US-based health insurer Anthem, which exposed the private data of a reported 80-million customers and employees.
This week, Apple said it was cleaning up its iOS app store after several of its apps, including an older version of TenCent’s WeChat, were found to have been infected with malware, according to a Reuters report.
These cases will not be the last of their kind as the world grows more connected by smart devices.
The problem is no less acute in South Africa. A 2013 report by the anti-virus firm Norton revealed that the third-largest number of cybercrime victims were in South Africa, after Russia and China.
Cybercrime, according to the report, was estimated to be costing the global economy $113-billion at the time and South Africa an estimated $300-million.
A more recent report from Allianz Global Corporate & Specialty insurance estimated that cybercrime costs the global economy about $445-billion a year.
According to Professor Basie von Solms, the director of the Centre for Cyber Security at the University of Johannesburg, South Africa is prone to cyberattacks, judging by the data gleaned from international reports. But it is hard to get an accurate picture of the extent of the problem because companies are not yet required to report security breaches.
Meanwhile, cybercriminals are upping their game. A recent mid-year security report by the technology company Cisco highlights the increasing sophistication of cybercriminals and their agility in adapting and using malware – malicious software – in cyberattacks.
One form of malware is ransomware, which, Cisco said, encrypts users’ files, targeting everything from financial files to family photographs, and provides the keys for decryption only after users pay a ransom. The report illuminates the lengths to which cybercriminals go in orchestrating their schemes, including researching the ideal amounts that their victims would be prepared to pay.
They price their ransom at levels that are not high enough to force victims to report the crime but at levels that encourage them to pay up to get the data back and, of course, at levels that makes the attack profitable.
In an effort to “maintain a good reputation in the marketplace”, cybercriminals will set up elaborate support services to help their victims decrypt their files once they have paid the ransom, according to the report.
Greg Griessel, a consulting systems engineer for security solutions at Cisco South Africa, said the firm has had requests from local companies to help them deal with this kind of attack. But, he added, they are reluctant to disclose that their systems have been breached.
The proposed law will create greater transparency about breaches and will also establish a legal framework through which to pursue the criminals, he added.
Griessel said attacks are becoming increasingly well targeted as criminals infiltrate social networks such as Facebook. This increases the likelihood that victims will follow malicious links in emails if they appear to come from trusted sources or networks.
Worldwide, small and medium-sized companies are the most vulnerable to attack, Van Solms said, because they do not have the money or the expertise to protect their networks.
Under the Protection of Personal Information Act (Popi), companies are required to inform their clients if their personal information has been compromised, and companies must report any breaches to the information regulator. Although the Act has been signed into law, no commencement date has been set and the regulator has yet to be established.
Cyberattacks can cripple a business, said Gillian Wolman, the head of litigation at Risk Benefit Solutions. The insurance group has seen more companies approaching it for financial cover against cyberattacks, including from clients who have experienced breaches such as ransomware attacks, she said.
She added that the penalties under the Popi Act for companies and directors who fail to secure client data can be severe – up to R10-million in fines or 10-year jail terms.
The draft cybersecurity and cybercrime Bill creates not only a wide range of offences related to cybercrime but also proposes a national cybercrime centre, to which all electronic communication service providers would have to report any breaches. Although the Bill is a “not a bad document”, Van Solms said, the government does not have the technical capacity to implement or enforce it.
Cybercrime is typically a “borderless” crime, with attackers often in other countries, and it is not clear whether South Africa has the capacity to pursue criminals in other jurisdictions, he said.
For the proposed law to be successful, it will require a “revolutionary model for cybersecurity capacity building in South Africa”, he said, and a public-private partnership between the government and the industry.
The spokesperson for the justice department, Mthunzi Mhaga, said it is acknowledged that the government has limited expertise to deal with cybercrime and cybersecurity. But chapter six of the draft Bill, which outlines official structures to deal with cybersecurity, obliges government departments to develop the capacity and expertise to deal with these threats, he said.
To bridge the gap within government, the Bill also provides that people with the required skills can be appointed to these structures from outside the government, he added.
“Cybercrime almost always has a transnational element,” he said, and international co-operation is essential in cybercrime investigations.
Typically this is based on international or regional conventions.
South Africa has signed the European Convention on Cybercrime – but has not yet ratified it – and the African Union Convention on Cyberspace Security and Personal Data Protection.
He said the Bill is in line with international legislation on cybercrime and contains provisions to facilitate international co-operation.
It also allows the president to enter into agreements with foreign states for mutual assistance and co-operation in the investigation and prosecution of offences and gives South African courts expanded jurisdiction to try them, he added.