18 September 2024

Here’s why South Africa should emulate Australia’s cyber security strategy

South Africa’s model for countering cyber crimes focuses on retribution whereas that of Australia is a proactive and multifaceted approach

According to the Cybersecurity Index report 2024 released earlier this month, South Africa’s cybersecurity posture, while evolving, is still suboptimal, rendering the country and its citizens more vulnerable to cyberattacks than is necessary.

The digital realm is intricately woven into almost every aspect of our daily lives, fostering connectivity, economic growth and even entertainment and leisure. But the evolution of technology that enables these conveniences and efficiencies also increases our exposure to myriad cyber threats, requiring a resilient and robust cybersecurity strategy that serves as a guardrail at the nation’s helm.

On the National Cyber Security Index scale, which measures the vulnerability of national jurisdictions against cybercrime, South Africa is ranked 59th out of 93 countries on a scale of most secure to most vulnerable. With a cybersafety score of 57.71 for 2023, South Africa is on a par with Costa Rica, Bangladesh and other developing countries. 

Mindful of this poor performance, my research indicates that the Budapest Convention on Cybercrime, followed by most European jurisdictions, is not the most appropriate regulatory framework for South Africa’s cybersecurity landscape. The reason for this conclusion is its focus on retribution rather than the proactive approach adopted by Australia’s Strategic Cyber Security Framework. South Africa developed its own cyber strategy but this initiative has been a low priority.

Australia’s regulatory framework has proven to be effective compared with the Budapest Convention, on which most European jurisdictions model their cyber laws. The Australian Cybersecurity strategy provides a multifaceted approach leveraging eight key pillars, or cyber shields.

These shields are: 1) educating businesses and citizens to protect themselves against cyber threats; 2) safer technology, embedding security-by-design into products before use; 3) sharing real-time threat intelligence between governments and business as a preventative security control, with threats being blocked, curtailing further proliferation; 4) building cybersecurity capability; 5) enhancing cyber resilience; 6) protection of critical infrastructure; 7) investment in the upskilling of the cyber workforce; and 8) building strong partnerships with other countries to combat cybercrime.

As far as South Africa is concerned, an urgent concern is the preparedness of critical infrastructure entities such as Eskom, Transnet, the South African Defence Force and the South African Police Services (SAPS) to combat the rising threat of cybercrime and cyberattack.

In 2013, for example, SAPS was hacked by the group Anonymous, resulting in the release of details of 16,000 whistleblowers and victims. The concern is certainly whether the police service has the necessary technology, processes and appropriately trained staff in place who may be trusted with sensitive and sometimes highly classified information. 

Would companies feel encouraged to confidently disclose cyber incidents to this government department, as South Africa’s Cybercrimes Act compels victims to do?  

The FBI has identified North Korea’s Lazarus Group (also known as APT38) as responsible for the online hacking and theft of many millions in crypto-currencies. Meanwhile Russia’s Kremlin-approved cybercriminal group Zarya (reputedly under President Vladimir Putin’s protection) has been accused of attempting to take over critical infrastructure in the West (notably Canada, the United Kingdom and the United States) through remote cyberattacks.

The borderless landscape of the internet demands not only international cooperation but also that cyber environments urgently learn from each other. Notably, in Fourie v Van der Spuy and De Jongh Inc, the Gauteng Division of the South African High Court held that in a claim for damages from a cyber hack, the claimant was partially responsible for its occurrence because of a lack of diligence and absence of cyber preparedness. An order for the apportionment of damages was authorised against the claimant. It follows that improving our cybersecurity space and culture in general is imperative. 

Additionally, just as South Africa’s unique energy needs produced a government minister for electricity, Clare O’Neil became Australia’s minister for cyber security (although her portfolio was combined with that of home affairs).

Australia’s new task force (comprising 100 top cyber experts) was set up by the federal government essentially to “hack the hackers”. This task force aims to make payment of a ransom demand illegal and to ensure that the retention of sensitive personal data is minimised (to prevent its exposure after a hack).

In the infamous case of the Medibank hack that affected almost 10 million customers of the Australian health insurer, the Australian Federal Police (AFP) disrupted the Russian group responsible, which operated as a business entity based in Russia. When their demands were not met, those responsible proceeded to publish the hacked sensitive data on the dark web. The group is possibly “REvil” and is believed, again, to be protected by Putin.

As O’Neil points out, a robust strategy is needed for proactively disrupting their operations. In this respect, it is worth noting that federal police commissioner Reece Kershaw confirmed that “the AFP was scouring the internet and dark web for those accessing the information and attempting to profit from it [the data illegally stolen by way of the Medibank hack].”

Finally, on 8 December 2022, O’Neil announced a blueprint for the development of the country’s 2023-2030 Australian Cyber Security Strategy. In terms thereof, the national government has an obligation to envision a secure cyberspace for a resilient online business community as its vision for 2030. This vision entails “governments protecting against sophisticated cyber threats, businesses protecting their customers, and the community making cyber-aware choices”. Effective cybersecurity demands that reporting obligations be taken seriously.

To contextualise, in building a resilient and secure cyber ecosystem, remediation (effective post-incident review) and exploring opportunities to enhance support to victims of cybercrime are essential cornerstones.

The snowballing rate of digitisation or digital transformation globally has led to an increasing number of businesses and governments falling victim to cyberattacks. 

Unless we are to revert to typewriters and paper files, storing critical data and information on the cloud is the way to go (although clouds have shown themselves not to be infallible). Online banking apps, for example, have greatly exposed the financial sector to huge losses because of their unpreparedness for cyberattacks (essentially crimes committed in cyberspace).

Against this background, the South African legislative framework for preventing cyberattacks is somewhat inadequate and requires significant enhancement for the country to be a serious global player in the fight against cybercrime. Collaborative efforts are essential to combat cyber threats effectively, and South Africa must work more closely with international partners. 

The Australian experience has shown that the goal is to enable jurisdictions to join hands in rejecting ransom demands outright. Furthermore, O’Neil and the Australian Specialised Federal Cyber Task Force have set out to encourage companies and government departments to delete non-essential data and proactively disrupt hackers’ activities. Both the East African and Australian experiences have demonstrated the great benefit of involving the public in cybersecurity and crime awareness.

I suggest that exploring and learning from the Australian model, which serves as a beacon of best practices, is immensely valuable and may address shortcomings or deficiencies in the Budapest Convention, on which the Cybercrimes Act is largely based, such as excessive confidence and overreliance placed on punitive measures. 

By emulating the Australian approach, South Africa may be able to bridge critical gaps in its current model and fortify its regulatory framework, protect the economy and ultimately safeguard its citizens in an increasingly interconnected world.

Dr Casper Lötter is a conflict and cyber criminologist affiliated with North-West University’s School of Philosophy.