Cybercriminals thrive on silence

South Africa is extremely prone to cyberattacks, but with no effective requirement on companies to disclose systems breaches, and few avenues for victims to pursue these crimes, it remains a shadowy threat to the economy.

A recently published cybercrimes and cybersecurity Bill could change that, although the state’s capacity to implement the ambitious proposals outlined in it is already being questioned.

High-profile cybercrimes have been in the headlines repeatedly, most recently with the theft of data, including nude photographs and credit card details, of millions of users of the adultery website Ashley Madison. The attack was preceded by the devastating hack of Sony Pictures late last year, which the United States government has blamed on North Korea.

Other high-profile cases include the breach of the US-based health insurer Anthem, which exposed the private data of a reported 80-million customers and employees.

This week, Apple said it was cleaning up its iOS app store after several of its apps, including an older version of Tencent’s WeChat, were found to have been infected with malware, according to a Reuters report.

These cases will not be the last of their kind as the world grows more connected by smart devices.

The problem is no less acute in South Africa. A 2013 report by the anti-virus firm Norton revealed that the third-largest number of cybercrime victims were in South Africa, after Russia and China.

Cybercrime, according to the report, was estimated to be costing the global economy $113-billion at the time and South Africa an estimated $300-million.

A more recent report from Allianz Global Corporate & Specialty insurance estimated that cybercrime costs the global economy about $445-billion a year.

According to Professor Basie von Solms, the director of the Centre for Cyber Security at the University of Johannesburg, South Africa is prone to cyberattacks, judging by the data gleaned from international reports. But it is hard to get an accurate picture of the extent of the problem because companies are not yet required to report security breaches.

Meanwhile, cybercriminals are upping their game. A recent mid-year security report by the technology company Cisco highlights the increasing sophistication of cybercriminals and their agility in adapting and using malware – malicious software – in cyberattacks.

One form of malware is ransomware, which, Cisco said, encrypts users’ files, targeting everything from financial files to family photographs, and provides the keys for decryption only after users pay a ransom. The report illuminates the lengths to which cybercriminals go in orchestrating their schemes, including researching the ideal amounts that their victims would be prepared to pay.

They price their ransom at levels that are not high enough to force victims to report the crime but at levels that encourage them to pay up to get the data back and, of course, at levels that make the attack profitable.

In an effort to “maintain a good reputation in the marketplace”, cybercriminals will set up elaborate support services to help their victims decrypt their files once they have paid the ransom, according to the report.

Greg Griessel, a consulting systems engineer for security solutions at Cisco South Africa, said the firm has had requests from local companies to help them deal with this kind of attack. But, he added, they are reluctant to disclose that their systems have been breached.

The proposed law will create greater transparency about breaches and will also establish a legal framework through which to pursue the criminals, he added.

Griessel said attacks are becoming increasingly well targeted as criminals infiltrate social networks such as Facebook. This increases the likelihood that victims will follow malicious links in emails if they appear to come from trusted sources or networks.

Worldwide, small and medium-sized companies are the most vulnerable to attack, Von Solms said, because they do not have the money or the expertise to protect their networks.

Under the Protection of Personal Information Act (Popi), companies are required to inform their clients if their personal information has been compromised, and companies must report any breaches to the information regulator. Although the Act has been signed into law, no commencement date has been set and the regulator has yet to be established.

Cyberattacks can cripple a business, said Gillian Wolman, the head of litigation at Risk Benefit Solutions. The insurance group has seen more companies approaching it for financial cover against cyberattacks, including from clients who have experienced breaches such as ransomware attacks, she said.

She added that the penalties under the Popi Act for companies and directors who fail to secure client data can be severe – up to R10-million in fines or 10-year jail terms.

The draft cybersecurity and cybercrime Bill not only creates a wide range of offences related to cybercrime but also proposes a national cybercrime centre, to which all electronic communication service providers would have to report any breaches. Although the Bill is “not a bad document”, Von Solms said, the government does not have the technical capacity to implement or enforce it.

Cybercrime is typically a “borderless” crime, with attackers often in other countries, and it is not clear whether South Africa has the capacity to pursue criminals in other jurisdictions, he said.

For the proposed law to be successful, it will require a “revolutionary model for cybersecurity capacity building in South Africa”, he said, and a public-private partnership between the government and the industry.

The spokesperson for the justice department, Mthunzi Mhaga, said it is acknowledged that the government has limited expertise to deal with cybercrime and cybersecurity. But chapter six of the draft Bill, which outlines official structures to deal with cybersecurity, obliges government departments to develop the capacity and expertise to deal with these threats, he said.

To bridge the gap within government, the Bill also provides that people with the required skills can be appointed to these structures from outside the government, he added.

“Cybercrime almost always has a transnational element,” he said, and international co-operation is essential in cybercrime investigations.

Typically this is based on international or regional conventions.

South Africa has signed the European Convention on Cybercrime – but has not yet ratified it – and the African Union Convention on Cyberspace Security and Personal Data Protection.

He said the Bill is in line with international legislation on cybercrime and contains provisions to facilitate international co-operation.

It also allows the president to enter into agreements with foreign states for mutual assistance and co-operation in the investigation and prosecution of offences and gives South African courts expanded jurisdiction to try them, he added.

Lynley Donnelly
Lynley is a senior business reporter at the Mail & Guardian. But she has covered everything from social justice to general news to parliament - with the occasional segue into fashion and arts. She keeps coming to work because she loves stories, especially the kind that help people make sense of their world.