RESPONDING TO CYBERCRIME: 
The South African Legal Position 
DENISE FOUCHE 
ENDCODER/ ENDCODE.ORG
CONTEXT: 
Cyber Crime awareness 
Forms of Cyber Crime in South African Law 
Cyber Crime Challenges to South African Law 
How South Africa’s Legal System is Meeting Challenges 
Cyberlaw Enforcement in South Africa 
Security Recommendations
Cyber Crime? 
“The probability of a major cyber attack is not ‘if’ but ‘when’.”
Oliver Crepin-Leblond, Global Information Highway, United Kingdom
Cyber Crime? 
6 most active 
3 Russia, China 
R2.65 billion
Cyber Crime awareness? 
• Internet penetration, mobile devices 
• Crimes are growing, but little awareness 
• No multimedia public awareness campaign 
• No national awareness campaigns – patchwork of initiatives 
• CSIR 
• SABRIC funded by local banks to track and respond to cybercrime in banking sector 
• Cybercrime.org.za: an awareness portal intended for informational purposes. 
• Alertafrica.com raising awareness of cyber threats in SA 
• ISG Africa 
• South African Centre for Information Security 
• FPB PROCHILD 
• SACSAA South African Cyber Security Academic Alliance NMMU; UJ; UNISA cyberaware.org.za 
• No government involvement in existing efforts 
• No cyber watch centres 
• Ethiopia: 24-hour national computer security incident response teams
Private sector responses
Cyber Crime? 
• No national cybersecurity awareness framework in place 
• Infrastructure for cybersecurity protection strong but awareness is low
• Mobile usage and lack of security awareness - vulnerability 
• Although numbers have decreased, cost per victim has risen 
• 48% smartphone and tablet users do not take basic precautions 
• What information is being shared on social networking platforms 
• Perception of lawlessness, ineffective enforcement 
• ALL LEVELS OF SOCIETY TO BE ENGAGED
http://blog.logrhythm.com/wp-content/uploads/2013/11/Waking-shark-II.jpg
http://cyberarms.files.wordpress.com/2013/07/bank-cyber-report-card.png
South Africa’s cyberwellness profile 
How does the ITU measure us? 
LEGAL 
Criminal legislation 
• ECT Act 
• National Cybersecurity Policy Framework 2012 
• RICA 
• POPI Act 
Regulation and compliance 
• No specific legislation and regulation related to cybersecurity 
TECHNICAL 
CIRT 
• ECS-CSIRT is an officially recognised CIRT 
STANDARDS 
• Approved national cybersecurity frameworks for implementing internationally recognised cybersecurity standards through NCPF
CERTIFICATION 
• No frameworks for certification and accreditation of national agencies and public sector 
professionals
South Africa’s cyberwellness profile 
How does the ITU measure us? 
ORGANISATION 
Policy: Officially recognised NCPF approved March 2012 
Roadmap for Governance: National Cybersecurity Implementation Plan 
Responsible Agency: State Security Agency for implementing national cybersecurity strategy, 
policy and roadmap 
National Benchmarking: No benchmarking exercises to measure cybersecurity development 
• and public sector agencies certified under internationally recognised standards in
cybersecurity. 
CAPACITY BUILDING 
• Standardisation development: No R&D programs for standards, best practices or guidelines to 
be applied in private or public sector 
• Manpower development: No educational and professional training programs for raising awareness with public, promoting courses in higher education and promoting certification of professionals in private or public sectors
• Professional certification: No public sector professionals certified under internationally recognised certification programs
• Agency certification: No certified government and public sector agencies certified under internationally recognised standards
South Africa’s cyberwellness profile 
How does the ITU measure us? 
COOPERATION 
Intra-State cooperation: partnerships with 24/7 program 
Intra-Agency cooperation: no officially recognised national or sector-specific programs for sharing cybersecurity assets within public sector.
Public Sector partnership: no programs for sharing cybersecurity assets within the public and private sector
International cooperation: member of ITU-IMPACT initiative; beneficiary HIPSSA; participated in international effort on cybercrime (EU GLACY project); on finalisation stage of draft AUC Cybersecurity Convention workshop
South Africa’s cyberwellness profile 
How does the ITU measure us? 
PROTECTION OF CHILDREN ONLINE 
National legislation: Amendment to Sexual Offences and Related Matters 
Act; Films and Publications Act 
UN Convention and Protocol: Convention on the Rights of the Child; Optional 
Protocol to the Convention on the Rights of the Child on the Sale of 
Children, Child Prostitution and Child Pornography 
Institutional support: no recognised agency offering institutional support on 
child online protection 
Reporting mechanism: FPB PRO CHILD phone number on website
What is Cyber Crime? 
• South African law has no formal definition 
• Internationally there is little consensus 
• Consider the following: 
• “Unlawful conduct involving a computer or computer system or computer network, irrespective of whether it is the object of the crime or instrumental in the commission of the crime.”
(Cyberlaw @SA III)
What Constitutes a Cyber Crime? 
• Electronic Communications and Transactions Act 25 of 
2002 (ECT Act) Chapter 13 criminalises various acts: 
• Hacking 
• Denial of Service attacks 
• Unauthorised access to and tampering with information 
• Fraud, forgery, extortion related to a computer 
• Other cyber crimes include: 
• Distribution, creation, possession of child pornography in digital format 
• Identity theft 
• Cyber-stalking 
• Phishing 
• Online gambling 
• Falsity with regard to accreditation by Accreditation Authority 
• Failure by critical database administrator to take remedial action 
• Obstructing cyber inspectors’ functions
Cyber Crime Challenges for SA Law 
• No single existing government agency to manage all 
aspects of cybersecurity and cybercrime
• Policy development 
Department of Communications 
Department of State Security 
• Curbing and prosecuting crime 
Department of State Security 
DoJ & CD 
Department of Police 
• Responsibility for prosecution of cybercrime and court processes
• RICA implementation
DoJ & CD
• Implementation of cybersecurity measures
• Develops, implements regulations on cybercrime
Department of State Security
• Co-ordination and implementation of cyber-defence measures
Department of Defence & Military Veterans
• Development, coordination, implementation of national capacity development programmes on a national cybersecurity research and development agenda
Department of Science & Technology
• Prevention, investigation, combating of cybercrime
Ministry of Police
Cyber Crime Challenges for SA Law 
• Crime across international borders 
• Jurisdictional issues 
• Relying on international assistance 
• Importance of global coherent cyber crime laws 
• Digital evidence is different 
• Evidence is information 
• Admissibility of electronic evidence 
• Protecting the veracity of electronic evidence 
• Need for ISP participation 
• Many perpetrators, many victims 
• No physical presence 
• Domestic laws govern investigation
Cyber Crime Challenges for SA Law 
• Intelligence gathering in the digital world 
• Equipping investigators with cyber skills 
• Ability to act swiftly 
• Participation of ISP 
• Flexible laws to keep pace with technology 
• New types of crimes 
• Denial of Service Attacks 
• Hacking 
• Cyberstalking
[Diagram: DoS Attack; multiple Request arrows directed at an Information System]
Can existing South African common 
law accommodate Cyber Crime? 
• Nullum crimen sine lege Principle 
• No crime without (prior) criminal prohibition 
• South Africa’s living, adaptable common law 
• E.g., common law crime of theft can be applied to cyber crime theft 
• S v Van den Berg 1991: electronic fraudulent misrepresentation still fraud as per common law
• S v Howard 2005: “property” in crime of malicious damage to property no longer needs to be physical
Need for specific legislative provisions for cyber crimes to include new crimes 
and be clear about illegality
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position domestically? 
Substantive Laws 
• ECT Act prohibits: 
• Unauthorised access to information or interception of 
information s86(1); 
• Unauthorised intentional interference resulting in 
modification, rendering ineffective or destruction of 
information s86(2); 
• Overcoming security measures which protect data, including 
the sale, distribution or possession of a device that is meant 
to be used to overcome security measures s86(3) s86(4); 
• A complete or partial denial of service attack s86(5); 
• Computer-related extortion, fraud and forgery s87; and 
• Attempt, and aiding and abetting in any of the 
abovementioned acts s88
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position domestically? 
Substantive Laws 
• CPA & ECT Act 
• Together with the Consumer Protection Act 68 of 2008, the ECT Act regulates unsolicited communications (SPAM)
• POPI
• Stringent requirements imposed on collecting and processing personal information
• Electronic direct marketing prohibition
• The Films and Publications Act 
• The Films and Publications Act 65 of 1996 imposes a statutory obligation on ISPs to prevent the 
distribution of child pornography in South Africa 
• The National Gambling Act 
• The National Gambling Amendment Act 10 of 2008, which has been adopted but not promulgated, regulates online gambling and casinos against dishonest operations
• Until the promulgation of the Amendment Act, online gambling is currently prohibited for South 
African residents
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position domestically? 
Procedural Laws 
• RICA: 
• Minister of Communications responsible for: 
• Directives to ensure electronic communication service providers make their systems interceptable and store information
• Prescribing technical, security and functional requirements of interception facilities
• Implemented state surveillance (data collection) as an investigatory method for serious crime committed 
on the Internet 
• Direct and indirect communication included 
• Interception, data retention, decryption and monitoring are included as methods of surveillance. 
• ECT Act: 
• Provides for secure electronic transactions; cryptography services; authentication of service providers; 
consumer protection; protection of critical databases; domain name authority and administration; and 
establishment of a cyber inspectorate 
• Gives evidential weight to data messages in a court of law
• Provides for the regulation of Public Key Infrastructures and authentication and accreditation of electronic signatures
• Under review: electronic evidence
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position domestically? 
On the Cards 
• Draft Cyber Security Policy 2010 
• Cabinet passed the National Cyber Security Policy Framework in March 2012 but it is not publicly available
• Guidance on how to secure cyberspace is not available 
• Draft stated milestones for establishing CSIRT (Computer Security Incident Response 
Team) and CSERT (Computer Security Emergency Response Team) end March 2012 
• Mandate challenges: milestones not met. Feb 2012 decision that State Security should 
take over responsibility from Department of Communications for drafting policy on 
cybercrime 
• Framework proposes co-operation between government, private sector and civil 
society
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position domestically? 
On the Cards 
• Draft Cyber Security Policy 2010 
• Facilitate the establishment of relevant structures in support of cybersecurity 
• Ensure reduction of Cybersecurity threats and vulnerabilities 
• Foster cooperation and coordination between government and private sector 
• Promote and strengthen international cooperation on Cybersecurity 
• Build capacity and promote a culture of cybersecurity 
• Promote compliance with appropriate technical and operational Cybersecurity 
standards
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position domestically? 
On the Cards 
• Draft Cyber Security Policy 2010 
• National Cybersecurity Advisory Council appointed October 2013 
• coordinates cybersecurity policies and interventions at operational and strategic levels, co-ordinated 
national approach to cybersecurity 
• Computer Incident Response Teams (CSIRT) 
• identify, analyse, contain, mitigate, report on cybersecurity threats in various sectors 
• National CSIRT, Government CSIRT, Sector CSIRT 
• Faster co-operation between government, private sector and citizens 
• Strengthen international co-operation 
• Skills development and innovation 
• Building capacity for law enforcement, judiciary, civil society requirements 
• Promoting culture of cybersecurity through development programmes that address 
government, business and user needs
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position internationally? 
• The South African Constitution 
• The Constitution of South Africa states that when interpreting the Bill of Rights a court, tribunal or forum must take note of international law and may consider foreign law s39(1)
• The EU Convention on Cybercrime 
• Signed by South Africa 
• Addresses crime committed over electronic media 
• The only international cybercrime treaty 
• Requires signatory countries to create domestic cyber crime law (procedural and substantive) 
• Harmonises the approach that signatory countries take to the legal provisions that they create 
• International co-operation and assistance is important for the collection of electronic evidence and 
criminal investigation
How is South Africa’s Legal System 
meeting these challenges? 
What is South Africa’s position internationally? 
• The CoE Convention on Cybercrime (Budapest Convention) 
• Only international agreement addressing cybercrime 
• First international treaty harmonising national laws 
• Oct 2014: ratified by 44 states, 9 have ratified, signed by Canada, Japan, US, SA 
• The SADC Model Law on Cybercrime 
• Harmonisation of SADC region country policies towards cybercrime 
• Primarily identifying cybercrime offences to be included in domestic laws 
• African Union Convention on Cybersecurity and Personal Data Protection 
• Adopted June 2014 
• Criticised as not acknowledging weaknesses of African security sector mechanisms
• No requirement of strong judicial oversight to strengthen privacy protection
• National sovereignty and discretion over international law
• Does not outline minimum threshold that national legal frameworks and laws should comply with
How is South Africa’s Legal System 
meeting these challenges? 
Discussion Topics: 
• Online Identity Theft 
• No direct legislative provisions
• Often considered a type of fraud
• May be prosecuted under the common law regarding fraud, or the ECT provisions regarding fraud
• High rate of online ID theft in SA may require its own legal provision
How is South Africa’s Legal System 
meeting these challenges? 
Discussion Topic: 
• Personal Information 
• The Protection of Personal Information Act 4 of 2013 
• Promulgated but not in effect (information regulator provisions and definitions in effect) 
• Related to identity theft 
• Aims: 
• Protection of PI processed by private and public bodies
• Minimum requirements for processing of PI
• Establishment of Information Regulator
• Codes of Conduct
• Rights protection against SPAM and automated decision-making
• Regulate cross-border flow
How is South Africa’s Legal System 
meeting these challenges? 
Discussion Topic: 
• Phishing 
• Online Fraud 
• Social Engineering 
• Related to Identity Theft 
• Affects banking industry 
• Affects individuals 
EMC Infographic: Consumer Online Identity Risk
How is South Africa’s Legal System 
meeting these challenges? 
Discussion Topic: 
• Phishing 
• Estimated losses (SA) 
• USD $222 million 
• Phishing has increased 31% in SA compared with the same time last year
• (EMC website) 
The top 10 countries targeted by phishing in 2013:
United States 
United Kingdom 
Germany 
India 
South Africa 
Canada 
Netherlands 
Colombia 
Australia 
Brazil
South African Cyber Law Enforcement 
How are cybercrime provisions enforced? 
• S90 ECT Act 
• Jurisdiction founded: where crime is committed, act of preparation: 
result felt; citizen or permanent resident; ship or aircraft registered in SA 
• Cyber Inspectors 
• The ECT Act makes provision for the appointment of cyber inspectors to monitor and inspect, search and seize upon warrant, any premises or information system with regard to cybercrime investigation s82.
• However, no such inspectors have yet been assigned 
• The Act is being amended 
Lack of national effort: 
• UK has 11 centres for cyber skills development linked to universities 
• India sponsoring training of 500 000 “cyber warriors” 
• South Korea produces 5 000 cyber specialists annually 
• Kenya National Cybersecurity Strategy 2014 
• Few prosecutors understand cybercrime
South African Cyber Law Enforcement 
What Penalties Exist? 
• The courts can hand out the following sentences:
Fine or imprisonment max. 12 months:
• Unauthorised access to information or interception of information
• Unauthorised intentional interference resulting in modification, rendering ineffective or destruction of information
• The sale, distribution or possession of a device that is meant to be used to overcome security measures
Last year, 54 individuals appeared in the Nigel Magistrates Court for having allegedly defrauded thousands of individuals of almost R15 million as part of an inter-continental syndicate
South African Cyber Law Enforcement 
What Penalties Exist? 
• The courts can hand out the following sentences: 
Fine or imprisonment not more than 5 years:
• Overcoming security measures which protect data
• Computer-related extortion, fraud and forgery
• A complete or partial denial of service attack
How is South Africa’s Legal System 
meeting these challenges? 
Discussion Topic: ECT Act Amendments on the horizon 
• Aligns with international trends and NCPF March 2012 
• ECTA Amendment Bill – deletion of S89 Penalties section 
• S45 unsolicited commercial communications: max R1 mill; 1 year 
• S84(2) confidentiality: max R2 mill; 2 years 
• S86 unauthorised access: max R10 mill; 10 years 
• S87 fraud, extortion: max R10 mill; 10 years 
• S88 aiding, abetting: R5 mill; 5 years 
Justice, Crime, Prevention and Security cluster to establish a Cybersecurity 
Hub to allocate resources to deal with incidents
Recommendations 
Performing assessments, implementing policies: 
• ICT Acceptable Use policy 
• Electronic Communications policy 
• Information Security policy 
• Encryption policy 
• Electronic Evidence policy 
• Privacy policy 
• Monitoring and interception policy 
• Records Management policy 
• Records Retention policy 
• Employment contracts 
• Social media policy 
http://pmmanuals.com/wp-content/uploads/2012/07/pvp.jpg 
Contribute to policy-making at a sector and country level
EndCode’s expertise 
EndCode has expert participation in: 
• BRICS Cybersecurity Expert Group 
• Global Cybersecurity Centre at Oxford University 
• Council of Europe Cybercrime Group 
• Cybercrime Institute (Germany) 
• Drafting of Cybersecurity Model Laws for SADC 
• Cybersecurity Policy Development (South Africa) 
• ICT Policy Review (South Africa)
References 
• S v Van den Berg 1991 (1) SACR 104 (T) 
• http://www.cnbcafrica.com/news/southern-africa/2014/09/20/identity-theft-financial-institutions/
• http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf
• http://www.emc.com/infographics/consumer-online-identity-risk.htm
• http://researchspace.csir.co.za/dspace/bitstream/10204/5941/1/Dlamini_2012.pdf
• http://www.usatoday.com/story/tech/2014/10/29/pew-survey-cyber-attack/18114719/
Denise Fouche 
denise.fouche@endcode.org 
endcode.org 
THANX, QUESTIONS?

Cyber Banking Conference

  • 1.
    RESPONDING TO CYBERCRIME: The South African Legal Position DENISE FOUCHE ENDCODER/ ENDCODE.ORG
  • 2.
    CONTEXT: Cyber Crimeawareness Forms of Cyber Crime in South African Law Cyber Crime Challenges to South African Law How South Africa’s Legal System is Meeting Challenges Cyberlaw Enforcement in South Africa Security Recommendations
  • 3.
    Cyber Crime? “Theprobability of a major cyber attack is not ‘if’ but ‘when’. Oliver Crepin-Leblond, Global Information Highway, United Kingdom
  • 4.
    Cyber Crime? 6most active 3 Russia, China R2.65 billion
  • 5.
    Cyber Crime awareness? • Internet penetration, mobile devices • Crimes are growing, but little awareness • No multimedia public awareness campaign • No national awareness campaigns – patchwork of initiatives • CSIR • SABRIC funded by local banks to track and respond to cybercrime in banking sector • Cybercrime.org.za: an awareness portal intended for informational purposes. • Alertafrica.com raising awareness of cyber threats in SA • ISG Africa • South African Centre for Information Security • FPB PROCHILD • SACSAA South African Cyber Security Academic Alliance NMMU; UJ; UNISA cyberaware.org.za • No government involvement in existing efforts • No cyber watch centres • Ethiopia: 24-hour national computer security incident response teams
  • 6.
  • 7.
  • 8.
    Cyber Crime? •No national cybersecurity awareness framework in place • Infrastructure for cybersecurity protection strong but awareness is low • Mobile usage and lack of security awareness - vulnerability • Although numbers have decreased, cost per victim has risen • 48% smartphone and tablet users do not take basic precautions • What information is being shared on social networking platforms • Perception of lawlessness, ineffective enforcement • ALL LEVELS OF SOCIETY TO BE ENGAGED
  • 9.
  • 10.
  • 11.
    South Africa’s cyberwellnessprofile How does the ITU measure us? LEGAL Criminal legislation • ECT Act • National Cybersecurity Policy Framework 2012 • RICA • POPI Act Regulation and compliance • No specific legislation and regulation related to cybersecurity TECHNICAL CIRT • ECS-CSIRT is an officially recognised CIRT STANDARDS • Approved national cybersecurity frameworks for implementing internationally recognsied cybersecurity standards through NCPF CERTIFICATION • No frameworks for certification and accreditation of national agencies and public sector professionals
  • 12.
    South Africa’s cyberwellnessprofile How does the ITU measure us? ORGANISATION Policy: Officially recognised NCPF approved March 2012 Roadmap for Governance: National Cybersecurity Implementation Plan Responsible Agency: State Security Agency for implementing national cybersecurity strategy, policy and roadmap National Benchmarking: No benchmarking exercises to measure cybersecurity development • and publci sector agencies certified under internationally recognised standards in cybersecurity. CAPACITY BUILDING • Standardisation development: No R&D programs for standards, best practices or guidelines to be applied in private or public sector • Manpower development: No educational and professional training programs for raising awareness with public, promoting courses in higher education and promoting certification of professional in private or public sectors • Professional certification: No public sector professional certified under internationally recognised certification programs • Agency certification:: No certified government and public sector agencies certified under internationally recognised standards
  • 13.
    South Africa’s cyberwellnessprofile How does the ITU measure us? COOPERATION Intra-State cooperation: partnerships with 24/7 program Intra-Agency cooperation: : no officially recognised national or sector-specific programs for sharing cybersecurity assets within public sector. Public Sector partnership: : no programs for sharing cybersecurity assets within the public and private sector International cooperation: : member of ITU-IMPACT initiative; beneficiary HIPSSA; participated in international effort on cybercrime (EU GLACY project); on finalisation stage of draft AUC Cybersecurity Convention workshop
  • 14.
    South Africa’s cyberwellnessprofile How does the ITU measure us? PROTECTION OF CHILDREN ONLINE National legislation: Amendment to Sexual Offences and Related Matters Act; Films and Publications Act UN Convention and Protocol: Convention on the Rights of the Child; Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography Institutional support: no recognised agency offering institutional support on child online protection Reporting mechanism: FPB PRO CHILD phone number on website
  • 15.
    What is CyberCrime? • South African law has no formal definition • Internationally there is little consensus • Consider the following: • “Unlawful conduct involving a computer or computer system or computer network, irrespective of whether it is the object of the crime or instrumental in the commission of the crime.” (Cyberlaw @SA III)
  • 16.
    What Constitutes aCyber Crime? • Electronic Communications and Transactions Act 25 of 2002 (ECT Act) Chapter 13 criminalises various acts: • Hacking • Denial of Service attacks • Unauthorised access to and tampering with information • Fraud, forgery, extortion related to a computer • Other cyber crimes include: • Distribution, creation, possession of child pornography in digital format • Identity theft • Cyber-stalking • Phishing • Online gambling • Falsity with regard to accreditation by Accreditation Authority • Failure by critical database administrator to take remedial action • Obstructing cyber inspectors’ functions
  • 17.
    Cyber Crime Challengesfor SA Law • No single existing government agency to manage all aspects of cybersecurity and cybercrime
  • 18.
    • Policy development Department of Communications Department of State Security • Curbing and prosecuting crime Department of State Security DoJ & CD Department of Police • Responsibility for prosecution of cybercrime and court processes • RICA implementation DoJ & CD • Implementation cybersecurity measures • Develops, imp Department of State Security lements regulations on cybercrime • Co-ordination and implementation of cyber-defence Department of Defence & Military measures Veterans • Development, coordination, implementation of national capacity development programmes on a national cybersecurity research and development agenda Department of Science & Technology Ministry of Police • Prevention, investigation, combating of cybercrime
  • 19.
    Cyber Crime Challengesfor SA Law • Crime across international borders • Jurisdictional issues • Relying on international assistance • Importance of global coherent cyber crime laws • Digital evidence is different • Evidence is information • Admissibility of electronic evidence • Protecting the veracity of electronic evidence • Need for ISP participation • Many perpetrators, many victims • No physical presence • Domestic laws govern investigation
  • 20.
    Cyber Crime Challengesfor SA Law • Intelligence gathering in the digital world • Equipping investigators with cyber skills • Ability to act swiftly • Participation of ISP • Flexible laws to keep pace with technology • New types of crimes • Denial of Service Attacks • Hacking • cyberstalking Request Request Request Request Information System Request Request Request Request DoS Attack
  • 21.
    Can existing SouthAfrican common law accommodate Cyber Crime? • Nullum crimen sine lege Principle • No crime without (prior) criminal prohibition • South Africa’s living, adaptable common law • E.g., common law crime of theft can be applied to cyber crime theft • S v Van den Berg 1991: electronic fraudulent misrepresentation still fraud as per common law • S v Howard 2005: “property” in crime of malicious damage to property no longer needs to be physical Need for specific legislative provisions for cyber crimes to include new crimes and be clear about illegality
  • 22.
    How is SouthAfrica’s Legal System meeting these challenges? What is South Africa’s position domestically? Substantive Laws • ECT Act prohibits: • Unauthorised access to information or interception of information s86(1); • Unauthorised intentional interference resulting in modification, rendering ineffective or destruction of information s86(2); • Overcoming security measures which protect data, including the sale, distribution or possession of a device that is meant to be used to overcome security measures s86(3) s86(4); • A complete or partial denial of service attack s86(5); • Computer-related extortion, fraud and forgery s87; and • Attempt, and aiding and abetting in any of the abovementioned acts s88
  • 23.
    How is SouthAfrica’s Legal System meeting these challenges? What is South Africa’s position domestically? Substantive Laws • CPA & ECT Act • Together with the Consumer Protection Act 68 2008, the ECT Act regulates unsolicited communications (SPAM) • POPI • Stringent requirements imposed on collecting and processing personal information • electronic direct marketing prohibition • The Films and Publications Act • The Films and Publications Act 65 of 1996 imposes a statutory obligation on ISPs to prevent the distribution of child pornography in South Africa • The National Gambling Act • The National Gambling Amendment Act 10 of 2008, which has been adopted but not promulgated regulates online gambling and casinos against dishonest operations • Until the promulgation of the Amendment Act, online gambling is currently prohibited for South African residents
  • 24.
    How is SouthAfrica’s Legal System meeting these challenges? What is South Africa’s position domestically? Procedural Laws • RICA: • Minister of Communications responsible for: • directives to ensure electronic communication service providers must make their systems interceptible and store information • Prescribing technial, security and functional requirements of interception facilities • Implemented state surveillance (data collection) as an investigatory method for serious crime committed on the Internet • Direct and indirect communication included • Interception, data retention, decryption and monitoring are included as methods of surveillance. • ECT Act: • Provides for secure electronic transactions; cryptography services; authentication of service providers; consumer protection; protection of critical databases; domain name authority and administration; and establishment of a cyber inspectorate • Gives weight to evidential weight to data messages in court of law • Provides for the regulationof Public Key Infrastructures and authentication and accreditation of electronic signatures • Under review: electronic evidence
  • 25.
    How is SouthAfrica’s Legal System meeting these challenges? What is South Africa’s position domestically? On the Cards • Draft Cyber Security Policy 2010 • Cabinet passed the National Cyber Security Policy Framework in March 2012 but is not publicly available • Guidance on how to secure cyberspace is not available • Draft stated milestones for establishing CSIRT (Computer Security Incident Response Team) and CSERT (Computer Security Emergency Response Team) end March 2012 • Mandate challenges: milestones not met. Feb 2012 decision that State Security should take over responsibility from Department of Communications for drafting policy on cybercrime • Framework proposes co-operation between government, private sector and civil society
  • 26.
    How is South Africa’s Legal System meeting these challenges? What is South Africa’s position domestically? On the Cards • Draft Cyber Security Policy 2010 • Facilitate the establishment of relevant structures in support of cybersecurity • Ensure reduction of Cybersecurity threats and vulnerabilities • Foster cooperation and coordination between government and private sector • Promote and strengthen international cooperation on Cybersecurity • Build capacity and promote a culture of cybersecurity • Promote compliance with appropriate technical and operational Cybersecurity standards
  • 27.
    How is South Africa’s Legal System meeting these challenges? What is South Africa’s position domestically? On the Cards • Draft Cyber Security Policy 2010 • National Cybersecurity Advisory Council appointed October 2013 • coordinates cybersecurity policies and interventions at operational and strategic levels, co-ordinated national approach to cybersecurity • Computer Incident Response Teams (CSIRT) • identify, analyse, contain, mitigate, report on cybersecurity threats in various sectors • National CSIRT, Government CSIRT, Sector CSIRT • Faster co-operation between government, private sector and citizens • Strengthen international co-operation • Skills development and innovation • Building capacity for law enforcement, judiciary, civil society requirements • Promoting culture of cybersecurity through development programmes that address government, business and user needs
  • 28.
    How is South Africa’s Legal System meeting these challenges? What is South Africa’s position internationally? • The South African Constitution • The Constitution of South Africa states that when interpreting the Bill of Rights a court, tribunal or forum must take note of international law and may consider foreign law (s39(1)) • The EU Convention on Cybercrime • Signed by South Africa • Addresses crime committed over electronic media • The only international cybercrime treaty • Requires signatory countries to create domestic cyber crime law (procedural and substantive) • Harmonises the approach that signatory countries take to the legal provisions that they create • International co-operation and assistance is important for the collection of electronic evidence and criminal investigation
  • 29.
    How is South Africa’s Legal System meeting these challenges? What is South Africa’s position internationally? • The CoE Convention on Cybercrime (Budapest Convention) • Only international agreement addressing cybercrime • First international treaty harmonising national laws • Oct 2014: ratified by 44 states, 9 have ratified, signed by Canada, Japan, US, SA • The SADC Model Law on Cybercrime • Harmonisation of SADC region country policies towards cybercrime • Primarily identifying cybercrime offences to be included in domestic laws • African Union Convention on Cybersecurity and Personal Data Protection • Adopted June 2014 • Criticised as not acknowledging weaknesses of African security sector mechanisms • No requirement of strong judicial oversight to strengthen privacy protection • National sovereignty and discretion over international law • Does not outline minimum threshold that national legal frameworks and laws should comply with
  • 30.
    How is South Africa’s Legal System meeting these challenges? Discussion Topics: • Online Identity Theft • No direct legislative provisions • Often considered a type of fraud • May be prosecuted under the common law regarding fraud, or the ECT provisions regarding fraud • High rate of online ID theft in SA may require its own legal provision
  • 31.
    How is South Africa’s Legal System meeting these challenges? Discussion Topic: • Personal Information • The Protection of Personal Information Act 4 of 2013 • Promulgated but not in effect (information regulator provisions and definitions in effect) • Related to identity theft • Aims: • Protection of PI processed by private and public bodies • Minimum requirements for processing of PI • Establishment of Information Regulator • Codes of Conduct • Rights protection against SPAM and automated decision-making • Regulate cross-border flow
  • 32.
    How is South Africa’s Legal System meeting these challenges? Discussion Topic: • Phishing • Online Fraud • Social Engineering • Related to Identity Theft • Affects banking industry • Affects individuals EMC Infographic: Consumer Online Identity Risk
  • 33.
    How is South Africa’s Legal System meeting these challenges? Discussion Topic: • Phishing • Estimated losses (SA) • USD $222 million • Phishing has increased 31% in SA for the same time last year • (EMC website) The top 10 countries targeted by phishing in 2013: United States, United Kingdom, Germany, India, South Africa, Canada, Netherlands, Colombia, Australia, Brazil
  • 34.
    South African CyberLaw Enforcement How are cybercrime provisions enforced? • S90 ECT Act • Jurisdiction founded: where crime is committed, act of preparation: result felt; citizen or permanent resident; ship or aircraft registered in SA • Cyber Inspectors • The ECT Act makes provision for the appointment of cyber inspectors to monitor and inspect, search and seize upon warrant, any premises or information system with regards to cybercrime investigation s82. • However, no such inspectors have yet been assigned • The Act is being amended Lack of national effort: • UK has 11 centres for cyber skills development linked to universities • India sponsoring training of 500 000 “cyber warriors” • South Korea produces 5 000 cyber specialists annually • Kenya National Cybersecurity Strategy 2014 • Few prosecutors understand cybercrime
  • 35.
    South African CyberLaw Enforcement What Penalties Exist? • The courts can hand out the following sentences: Fine or imprisonment max. 12 months • Unauthorised access to information or interception of information • Unauthorised intentional interference resulting in modification, rendering ineffective or destruction of information • The sale, distribution or possession of a device that is meant to be used to overcome security measures. Last year, 54 individuals appeared in the Nigel Magistrates Court for having allegedly defrauded thousands of individuals of almost R15 million as part of an inter-continental syndicate
  • 36.
    South African CyberLaw Enforcement What Penalties Exist? • The courts can hand out the following sentences: Fine or imprisonment not more than 5 years • Overcoming security measures which protect data • Computer-related extortion, fraud and forgery • A complete or partial denial of service attack
  • 37.
    How is South Africa’s Legal System meeting these challenges? Discussion Topic: ECT Act Amendments on the horizon • Aligns with international trends and NCPF March 2012 • ECTA Amendment Bill – deletion of S89 Penalties section • S45 unsolicited commercial communications: max R1 mill; 1 year • S84(2) confidentiality: max R2 mill; 2 years • S86 unauthorised access: max R10 mill; 10 years • S87 fraud, extortion: max R10 mill; 10 years • S88 aiding, abetting: R5 mill; 5 years Justice, Crime, Prevention and Security cluster to establish a Cybersecurity Hub to allocate resources to deal with incidents
  • 38.
    Recommendations Performing assessments, implementing policies: • ICT Acceptable Use policy • Electronic Communications policy • Information Security policy • Encryption policy • Electronic Evidence policy • Privacy policy • Monitoring and interception policy • Records Management policy • Records Retention policy • Employment contracts • Social media policy http://pmmanuals.com/wp-content/uploads/2012/07/pvp.jpg Contribute to policy-making at a sector and country level
  • 39.
    EndCode’s expertise EndCode has expert participation in: • BRICS Cybersecurity Expert Group • Global Cybersecurity Centre at Oxford University • Council of Europe Cybercrime Group • Cybercrime Institute (Germany) • Drafting of Cybersecurity Model Laws for SADC • Cybersecurity Policy Development (South Africa) • ICT Policy Review (South Africa)
  • 40.
    References • S v Van den Berg 1991 (1) SACR 104 (T) • http://www.cnbcafrica.com/news/southern-africa/2014/09/20/identity-theft-financial-institutions/ • http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf • http://www.emc.com/infographics/consumer-online-identity-risk.htm • http://researchspace.csir.co.za/dspace/bitstream/10204/5941/1/Dlamini_2012.pdf • http://www.usatoday.com/story/tech/2014/10/29/pew-survey-cyber-attack/18114719/
  • 41.
    Denise Fouche denise.fouche@endcode.org endcode.org THANX, QUESTIONS?

Editor's Notes

  • #4  Experts expect a major attack within the next 11 years. Almost two-thirds of technology experts expect a "major" cyber attack somewhere in the world that will cause significant loss of life or property losses in the tens of billions of dollars by 2025. A survey released Wednesday by the Pew Research Center found that many analysts expect disruption of online systems like banking, energy and health care to become a pillar of warfare and terrorism. http://www.usatoday.com/story/tech/2014/10/29/pew-survey-cyber-attack/18114719/ Wolfpack study – losses across three sectors
  • #5  6 most active cybercrime country globally FBI 3rd behind Russia and China informal consensus within private sector R2.65 billion in three sectors CyberCrime Barometer 2012/2013 Wolfpack FBI
  • #6  Common Market for Eastern and Southern Africa (COMESA): develop a holistic framework to raise awareness on the complex nature of cybercrime and cyber security issues, motivate the establishment of national Computer Emergency Response Teams (CERT), collection and sharing of cybercrime statistics/indicators and formulation of annual SADC/COMESA cybercrime reports. It will facilitate the establishment of computer emergency response teams (CERT) for Internet security incidents and as national focal points to engage in securing cyberspace and the protection of critical information infrastructure. This should then be complemented by the enactment of cyber security laws which should be in line with the recently adopted SADC harmonised cyber security model laws. CERTs have been implemented in Mauritius, South Africa and Zambia. There is a need for further cooperation among CERTs, extended to the collection of quantitative data on cybercrime in the sub-region. CERTs should respond to cyber incidents, provide technical assistance to hacked businesses and disseminate timely notifications regarding current and potential threats. CSIRT offers limited assistance on cyber-security issues to government entities. WASPA; CSIR; University of Fort Hare; Nelson Mandela University; University of Pretoria. SADC Model Law on Computer Crime and Cybercrime adopted Nov 2012
  • #10  First established in response to 1988 internet worm. Membership in FIRST enables incident response teams to more effectively respond to security incidents by providing access to best practices, tools, and trusted communication with member teams. Waking Shark II was organised by the Securities Industry Business Continuity Management Group, which drew on extensive cyber expertise to design a scenario in which a cyber-attack caused disruption to wholesale markets and the financial infrastructure supporting those markets. In Nov 2013
  • #11  First established in response to 1988 internet worm. Membership in FIRST enables incident response teams to more effectively respond to security incidents by providing access to best practices, tools, and trusted communication with member teams. SIFMA (Securities Industry and Financial Markets Association), July 2013: Quantum Dawn 2 was a cybersecurity exercise to test incident response, resolution and coordination processes for the financial services sector and the individual member firms to a street-wide cyber attack.
  • #12  Aug 2014
  • #13  Aug 2014 (Support for Harmonisation of the ICT Policies in Sub-Sahara Africa)
  • #14  Aug 2014 (Support for Harmonisation of the ICT Policies in Sub-Sahara Africa)
  • #15  Aug 2014 (Support for Harmonisation of the ICT Policies in Sub-Sahara Africa)
  • #17  1. 5 days after receiving the goods, the consumer can return/cancel entire contract without penalty and receive a full refund. Consumer pays costs to return goods. 2. No opportunity to examine or inspect actual goods received prior to purchase; on delivery they are entitled to inspect. If goods do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if they do not conform to specification in terms of a special order, consumer can refuse delivery, receive full refund and cancel without penalty. Supplier is liable for return costs. 3. 10 days after receiving goods, consumer can return the goods if they are not suitable for the particular purpose and cancel without penalty; supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassembled, altered, added to or combined with other goods and property. 4. All goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked. Warranty gives consumer the right to receive goods that are reasonably suitable for the purpose they are intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply, up to 6 months to return, get goods replaced or get goods repaired, without penalty, at supplier’s cost. ECT: for 7 days after delivery, for any reason, without penalty, but consumer liable for costs of return.
  • #18  4 instances when one can return goods under CPA: 1. Direct marketing cooling-off period (s16): 5 days after receiving, consumer can return/cancel entire contract without penalty and receive a full refund. Consumer pays costs to return goods. 2. Goods which have not been seen before purchase (s20, read with s19): no opportunity to examine or inspect actual goods received prior to purchase; on delivery they are entitled to inspect. If goods do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if they do not conform to specification in terms of a special order, consumer can refuse delivery, receive full refund and cancel without penalty. Supplier is liable for return costs. 3. Goods do not meet particular purpose (s55(3)): 10 days after receiving goods, consumer can return the goods if they are not suitable for the particular purpose and cancel without penalty; supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassembled, altered, added to or combined with other goods and property. 4. Implied warranty of quality (s56): all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked. Warranty gives consumer the right to receive goods that are reasonably suitable for the purpose they are intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply, up to 6 months to return, get goods replaced or get goods repaired, without penalty, at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases: reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these rights of return, consumers have a general right to return (cooling-off period) for 7 days after delivery, for any reason, without penalty, but consumer liable for costs of return.
  • #20  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #21  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #22  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #23  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #24  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #25  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #26  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #27  4 instances when one can return goods under CPA: Direct marketing cooling-off period: s16 5 days after receiving, consumer can return/cancel entire contract without penalty/and receive a full refund. Consumer pays costs to return goods Goods which have not been seen before purchase: s20 (read with s19) no opportunity to examine or inspect actual goods received prior to purchase, on delivery they are entitled to inspect. If good do not meet ‘type’ or ‘quality’ reasonably expected from agreement or if do not conform to specification in terms of a special order, consumer can refuse delivery/receive full refund/ and cancel without penalty. Supplier is liable for return costs. Good do not meet particular purpose. S55(3) 10 days after receiving goods consumer can return the goods if it is not suitable for the particular purpose, cancel without penalty, supplier liable for return costs. Not entitled to return if public regulation prohibits or goods have been disassesmbled, altered, added to or combined with other goods and property. Implied warranty of quality. S56 all goods sold are sold with an implied warranty of quality that cannot be contracted out of or revoked, Warranty gives consumer right to receive goods that are reasonably suitable for purpose intended to be used for, are of good quality, free of defects and will be durable and usable for a reasonable period of time. If goods do not comply up to 6 months return or get goods replaced or get goods repaired. Without penality at supplier’s cost. ECT: consumer provisions will trump CPA. Online purchases. Reasons for return 1-3 do not apply if ECT Act provisions apply to the transaction. Instead of these right of return consumers have: a general right to return (cooling off period); for 7 days after delivery for any reason without penalty but consumer liable for costs of return.
  • #38 26 October 2013 Current penalties not regarded as substantive or deterrent