New Cybercrimes Bill Doesn’t Replace Caution

South African Institute of Professional Accountants
4 March 2019

Authored by: Ragiema Thokan-Mahomed, Legal, Ethics and Compliance Executive at the South African Institute of Professional Accountants (SA)

South Africa’s new Cybercrimes Bill is currently under consideration by the National Council of Provinces, having been greatly simplified after its previous draft. While other laws have defined cybercrime as it relates to their particular domain, the new bill is the first to articulate the complete range of activities that constitute cybercrime and penalties for those perpetrating them. It also describes legal and policing responsibilities and powers, obligations of electronic communications service providers and financial institutions, assistance given and received in foreign cybercrime investigations, and several other subjects.

The bill is a welcome addition and brings South African law into alignment with international legal trends. However, just detecting a systems breach and subsequent crime is incredibly difficult. Then there’s the costly and time-consuming matter of identifying the criminals, tracking them down and bringing them to justice. This becomes especially difficult when they are based in other countries. International agreements and foreign enforcement agencies are then required to coordinate amongst themselves using the correct protocols. Yet, after all this, the damage is already done and usually cannot be reversed. So while the new bill is vital, the best approach is still to be vigilant about systems and data security before the fact.

On the defensive
The weakest link in information security is people. Organisations and individuals alike must be particularly aware of social engineering, which is any technique, such as phishing, used to deceive a computer system’s users into surrendering their login information or downloading a malicious program. An example is an email that appears to be from a trusted source, like one’s bank, that either asks for the information directly based on a convincing need or persuades the user to click a seemingly innocent link. When the user visits the link, a malicious program is downloaded and runs silently in the background, either capturing login information or damaging data. The only way to overcome these threats is by conditioning staff to never give out their login credentials – or any other sensitive information – through emails or web pages, and never to click links without checking that the author is who they say they are.

When sending critical information to a trusted party, say by email, always make sure it is encrypted using a public/private key system. The keys are effectively two serial numbers the recipient generates with a special program, giving only the public key to the sender. The public key can only encrypt messages and the private key can only decrypt them. So a hacker who gets hold of the public key won’t be able to read the sender’s encrypted message anyway. However, the recipient must always protect their private decryption key. It’s also best to generate new keys for each message. While this takes some training, it’s worth it to ensure that confidential information cannot be intercepted after it is sent.

Apart from encouraging these skills, organisations should engage the services of a security expert to carry out readiness audits on their system security at least twice a year. Larger entities should also invest in threat detection systems that can monitor network traffic and data access for unauthorised activity. Some newer systems are AI-enabled so they can intelligently learn activity patterns normally associated with data tampering or fraud, and raise the alarm as they occur.

Designated Point of Contact
No matter how careful a person or organisation is, they may still fall victim to cybercrime. So they will inevitably need both legal and police assistance to resolve the issue. An outstanding feature of the Cybercrimes Bill is the establishment of a designated Point of Contact, which the Cabinet member responsible for policing is obliged to establish, equip, operate and maintain. Although the form of this entity is not specified, one could imagine a dedicated enforcement unit with a call centre.

The types of assistance offered will include technical advice and assistance, liaising with international enforcement agencies, the provision of legal assistance, identifying and locating an article or suspect involved in cybercrime, and assistance in carrying out enforcement procedures specified in the bill. Such an entity would hopefully offer the public a reasonably rapid response once they become aware of a crime.

A two-pronged approach
Last year, the South African Banking Risk Information Centre (SABRIC) reported that South Africa has the third highest number of cybercrime victims worldwide, resulting in losses of around R2.2 billion each year. It’s obvious that a stronger stance on cybercrime is needed, starting with better awareness and responses by individuals and businesses alike. Where these fail, the new Cybercrimes Bill provides a solid legal platform for bringing the wrongdoers to justice.