The Portfolio Committee was briefed by the Department of Telecommunications and Postal Services (DTPS) on the current state of and way forward regarding cybersecurity in South Africa. There was also a briefing by the South African Banking Risk Information Centre (SABRIC) on the banking sector’s experience of and response to cybersecurity.
The DTPS explained the establishment and work of the Cybersecurity Hub which was launched in 2015 and said that it was making good progress but that a lot of work still needs to be done and cooperation between the various stakeholders was key to accomplishing that work. The need for sectoral level intervention regarding cybersecurity was emphasised. The Department also explained that it was trying to obtain membership with FIRST to ensure international cooperation regarding cybersecurity and that it had many awareness campaigns planned to educate the public on cybersecurity including cybersecurity month for October of this year.
SABRIC informed the Committee that the Banking Sector Computer Security Incident Response Team (CSIRT) was operational, working well and it is willing to assist with the creation of other sectoral CSIRTs. SABRIC also emphasised the importance of education on cybersecurity and explained that they are creating awareness via numerous platforms including community radio and newspapers. SABRIC noted that they do in fact measure up in comparison to international organisations of a similar nature and are even assisting other countries such as Australia.
The overall emphasis was on the need for widespread and effective education on cybersecurity threats and how citizens can protect themselves which both SABRIC and DTPS acknowledged as a priority.
Members asked why the Budapest Convention on Cybercrime was not ratified, what kind of resources are necessary as a country to become a member of FIRST, who heads the government CIRT, who is doing the cybersecurity survey, who has the overall responsibility for cybersecurity, what they do when a threat is brought to their attention, how do the banks measure up in comparison to international organisations of their kind, if there is cooperation with the Department of Home Affairs, how safe the pins given by the banks are and how the most vulnerable are made aware of threats.
The Chairperson conveyed apologies from the Minister and Director General and explained that although the Committee was still waiting on some people the meeting would start in the meantime.
Ms M Shinn (DA) asked whether the Cybersecurity Hub was invited and present.
The Chairperson replied that the Cybersecurity Hub was present and welcomed everyone to the meeting. She then gave a brief introduction to the topic of cybersecurity and its importance explaining that proactive measures and promoting awareness are increasingly necessary especially for the ordinary public and those who are less tech savvy. She said that the Committee looked forward to the presentations on cybersecurity and handed over to the Department of Telecommunications and Postal Services (DTPS) introducing the delegation as follows:
Mr Tinyiko Ngobeni, DDG: Infrastructure Support, DTPS
Mr Kinu Pillay, Chief Director: Cybersecurity Operations, DTPS
Ms Kalyani Pillay, CEO, South African Banking Risk Information Centre (SABRIC)
Remarks by Deputy Minister
Prof Hlengiwe Mkhize, Deputy Minister of Telecommunications and Postal Services, described cybersecurity as a societal issue that has to do with people. She explained that digitised networks have been created and that it comes with a responsibility to ensure people are secure in those electronic spaces. She also noted a responsibility to create an enabling environment through capacity building and explained that a lot of work is done jointly with other stakeholders to this end. She said that the Department was learning a lot from SABRIC and is working on creating awareness about the need to secure one’s information and the need to be vigilant, especially where broadband is being rolled out.
DTPS Briefing on cybersecurity
Mr Ngobeni explained that this was their first time briefing the Committee on the issue of cybersecurity so they intended to give as much information as possible focusing on four key issues:
- The cybersecurity landscape: international and national landscape and perspective on cybersecurity as well as policy and legislative frameworks for cybersecurity.
- Security Incident Response Teams: the Cybersecurity Hub’s daily operations, incident resolution and service offerings. Focusing on how the teams are set up and how they work.
- Stakeholder engagement: report on stakeholder engagement and the establishment of Sector Computer Security Incident Response Teams (CSIRTs).
- Cybersecurity awareness: how to keep the public aware and informed.
Mr Ngobeni explained that cybersecurity is a broad term but looks mainly into how networks can be secured, how to protect information and how to deal with breaches of that security. Cybersecurity cuts across various levels and activities. The focus is to minimise the vulnerability of systems and citizens. Preventing threats is the goal but how to coordinate the various stakeholders in responses to attacks in order to minimise the damage is incredibly important. From an international perspective, countries are moving towards a digital age which has many advantages in terms of efficiency. It is anticipated that by 2025 more than 50% of the GDP for industrialised countries will be directly related to the “digital economy”. This development also comes with increased risks of cyber-attacks. Cybersecurity is number three in the top ten risks, even ahead of natural disasters.
Mr Ngobeni moved on to the policy perspective explaining that resolution 58 of the International Telecommunication Union (ITU) encourages the creation of National Computer Security Incident Response Teams (CSIRTs). The African Union 2014 Convention on Cybersecurity and Personal Data Protection aims to harmonise the laws of African states in terms of cybersecurity but South Africa has not signed it yet. Locally, we have the cybersecurity framework which guides government and allocates responsibilities to various government entities and there is the Cybercrimes and Cybersecurity Bill before Parliament so there is a lot of work happening on different levels. He noted that the fundamental issue is the need for cooperation between various stakeholders when it comes to cybersecurity because it has to be a collaborative effort.
To set out an aligned approach to cybersecurity, in March 2012 the government approved the National Cybersecurity Policy Framework (NCPF) which outlines broad policy guidelines on cybersecurity and requires government to develop detailed cybersecurity policies and strategies. The aim was to remedy the previously uncoordinated way in which cybersecurity was being handled, the inadequate regulatory framework and the lack of awareness. Cybersecurity is continuously evolving because as the threats evolve, defensive measures must evolve too.
Mr Ngobeni explained that the Cybersecurity Hub is central to all the coordination on cybersecurity matters. There is a lot of cooperation with various agencies for example law enforcement because many incidents have criminal elements but the Hub is the central point. In October 2015 the Cybersecurity Hub was officially launched but it is continuously developing and improving, benchmarking itself against international agencies of its kind.
He emphasised the need for cooperation between various stakeholders including government, the private sector and the public. Awareness and education were a key concern as well as the need to provide guidance on how to protect oneself. The Hub is working on creating a body of knowledge regarding cybersecurity that people can access. Awareness is a continuous responsibility as there is a need to move away from being mainly reactive towards being proactive. Due to resource constraints and in an effort to maximise effectiveness, the Department is working closely with private stakeholders and education institutions. They are creating an online bank of information but are aware that not everyone has internet access so they are also looking at different platforms and means of communication such as mass media and community radio. There is also a need to focus on children and the unemployed, who are very vulnerable to scams. October will be Cybersecurity Awareness month where there will be a lot of cybersecurity campaigns and initiatives. A series of booklets dealing with cybersecurity has been launched in hardcopy and online and is in the process of being translated from English into other languages. Stakeholder engagement is a priority and has been taken very seriously.
Mr Ngobeni explained the various kinds of threats (see presentation pages 18 and 20-28) and then described the Cybersecurity Hub’s six-step incident handling process:
- Report and registration: provide an incident number etc.
- Verification and classification: initial assessment and determination of the nature of the issue.
- Prioritisation and assignment: refer it to the necessary expert.
- Notification: advise the person on what to do.
- Closure: record outcome and how it was resolved in order to learn and improve.
Mr Ngobeni noted that many cyber attacks focus on a specific sector so there is a need to understand and address cybersecurity at a sectoral level. At a sectoral level there must be coordination so they can defend themselves. The Department is currently doing a survey to assess the situation regarding cybersecurity in order to improve it. He then outlined the capacity building plans regarding cybersecurity, which include research groups and skills building through internships. He said that international cooperation was key and that they were trying to acquire membership with FIRST (FIRST is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs). In conclusion he informed the Committee that they are also looking at the development of South African software and cybersecurity tools.
The Chairperson then handed over to SABRIC.
South African Banking Risk Information Centre briefing
Ms Pillay said that she wanted to explain some of the work being done in terms of cybersecurity in the banking sector as cyber criminals often target financial institutions. She explained that SABRIC works closely with SAPS, CSIR and DTPS and that in 2010 it began working on the banking sector CIRT which has now been operational for about two years. SABRIC has openly shared its work with DTPS which has been used as a reference for other sectors who are now developing their CIRTs.
Ms Pillay explained that the CIRT was working well but that there is always still work to be done to improve. She then described the CIRT noting that every single bank participates on the steering committee. SABRIC assists banks with crime risk mitigation and has a risk repository to learn from and track the kinds of risks. She said that their customer awareness programmes are advanced and they do extensive communication with the public on various platforms. She noted that the perception that the banks do not do enough to protect their clients is inaccurate; banks are serious about preventing risks and criminals go for the banks’ clients instead of the actual bank because it is easier.
She then explained the various ways in which criminals fish for banking details, explaining that they cannot stop the threats but must be able to withstand them and recover from them, which they are in fact able to do. Attacks against a bank itself are very serious and they are the same globally. The threats are continuous but none of the attacks have been successful thus far. She concluded by assuring the Committee that SABRIC will continue its work regarding cybersecurity and cooperate with whoever needs its assistance.
The Chairperson thanked the presenters for their presentations and opened the meeting up to questions.
Mr C Mackenzie (DA) pointed out that there is a narrative out there that banks are evil in light of the currency manipulation scandal. He asked Ms Pillay what measures they have in place to deal with that sort of thing. He also asked why the Budapest Convention on Cybercrime was signed but not ratified and asked what kind of resources are necessary as a country to become a member of FIRST. He emphasised that cyber criminals exploit the vulnerable and ignorant and therefore education is the best way to combat cybercrime.
Ms M Shinn (DA) asked Ms Pillay how much the CIRT cost to run and who funded it. She asked the Department how much the cybersecurity hub costs and what the launch planned for 2020 is if they already officially launched in 2015. She also asked why there is no mention of the cybersecurity hub on the DTPS website, who heads the government CIRT, who is doing the cybersecurity survey and who has the overall responsibility for cybersecurity?
Ms J Killian (ANC) asked SABRIC what they do when a threat is brought to their attention, how do they alert the sector and clients and how did they measure up in comparison to international organisations of their kind.
Ms N Ndongeni (ANC) asked how effective the work of the cybersecurity hub is given that the integrated law on cybersecurity has yet to be enabled in Parliament.
The Chairperson noted that the involvement of Home Affairs would be important regarding identity theft. She asked how safe the pins given by the banks are and how the most vulnerable are made aware of threats.
Mr Ngobeni replied that the Budapest Convention was an EU regional convention and that South Africa would be more inclined to sign and ratify a global convention. He agreed that engagement with Home Affairs is crucial and explained that the Department has a close working relationship with their counterpart. Regarding awareness campaigns, he said there was still a lot of work to be done but that they are looking at using a variety of platforms. Regarding the budget, R19 million is allocated to the hub which is a limited budget so collaboration with the private sector is crucial.
Mr Pillay explained that FIRST membership imposes quite a few obligations but that they have budgeted for them, are working on it and intend to apply for membership in the next financial year. The hub cannot educate the public on its own so they look for partnerships and have identified 30 organisations to partner with. Regarding the launch in 2020, it would be the launch of a fully functional national coordinating CSIRT as it is still young and developing at the moment. The website was upgraded with “.gov.za” and once we are secure it will be launched again. The survey is the first scientific survey regarding cybersecurity in the country; it was developed by the hub and the results should be in soon. He noted that the initial analysis about developing software in South Africa yielded positive results and that legislation emerging from the NCPF will give the cybersecurity hub more teeth.
Ms Pillay explained that SABRIC uses numerous platforms to create awareness including social media, community radio, magazines, mainstream and community newspapers, videos and going out and speaking to people. She did not have the exact cost of the CSIRT but the banks pay for it. She explained that the CSIRT works on a collaborative model and is of a high standard. They are even helping other countries like Australia establish similar organisations. She concluded by saying that bank pins are highly encrypted and therefore very safe.
The Chairperson said all questions were answered and thanked everyone for the work they are doing. She agreed with Mr Mackenzie that the vulnerable are hardest hit and highlighted the effectiveness of community radio, encouraging the use of that platform. She concluded by saying that it is up to the Committee to monitor and ensure oversight.
The meeting was adjourned.