Documents handed out: State Security Agency presentation (classified); DIRCO (no document provided)
There had been an intention to hold a discussion with the Public Protector on certain media statements and allegations around concealment of evidence during investigations, but that matter was shelved prior to the start of the meeting.
The seven departments most closely involved in the drafting of the Cybercrimes and Cybersecurity Bill briefed the Committee. In 2012, the National Cybersecurity Policy Framework had created a responsibility for the State Security Agency to lead and develop a cybersecurity approach for the country. The Department of Justice and Constitutional Development was taking the lead in drafting the Bill while the State Security Agency (SSA) was the leading role player in the matter. The SSA chaired the Cybersecurity Response Committee. In its presentation, SSA informed the Committee of the critical elements for the cybersecurity infrastructure, the institutional mechanisms, the legislative and policy imperatives and the current status of implementation of cybersecurity in the country. Cybersecurity had become a critical element of counter intelligence as more and more elements were becoming digital, and especially web-enabled, and those elements were found on the internet.
The critical challenges for the South African Police Force were around infrastructure and capacity. With the budget constraints, there had never been sufficient funding for comprehensive developments in cybersecurity. The most difficult challenge was that it took more than simply training staff to undertake good cybercrime investigations: experience and instinct in investigators were essential to manage cybercrime and cyber attacks. Digital forensics units had been rolled out across the country, with only Gauteng outstanding, but Gauteng was utilising the digital forensics unit at the national headquarters situated in Gauteng. SAPS wanted child pornography offences and cyber terrorism offences to be included in the Bill.
The Department of Telecommunications and Postal Services stated that its Cybersecurity Operation Centre was physically situated at the CSIR in Pretoria. It was one of the National Cybersecurity Computer Security Incident Response Teams and acted as a national point of contact for the coordination of cybersecurity incidents. It received and analysed cybersecurity incidents, trends, vulnerabilities and threats. It disseminated alerts and warnings to its constituents and initiated national cybersecurity awareness campaigns while at the same time monitoring non-government entities such as the banks. The social media sector needed to set up a structure similar to that of the banks, and to promote awareness of cybersecurity to social media users.
The Department of Justice and the National Prosecuting Authority had overall responsibility to facilitate cybercrime prosecutions and court processes in accordance with the applicable laws. The NPA executed its mandate by prosecuting cybercrime cases and providing guidance to SAPS officials in investigations, including informal requests from foreign law enforcement agencies. Training for prosecutors had been extensive and currently the prosecution rate of cybercrime was high. The National Prosecuting Authority was concerned that the Regulation of Interception of Communications and Provision of Communication‐related Information Act (RICA) was inadequate for prosecuting crimes related to data content and data stored on a third person’s device.
The Deputy Minister of International Relations and Cooperation informed the Committee that South Africa had been a signatory to the Budapest Convention of 2001 but had withdrawn as the European Union rules did not allow non-member countries to participate in political meetings. South Africa was also working with BRICS partners and others to ensure the development of a legally binding international instrument. The major powers, including the United States, Russia, China, etc. were not supportive of an international protocol, mostly for ideological reasons. The African Union (AU) had developed a Cybersecurity Convention but, after three years, South Africa had not signed or ratified the AU Convention. The Deputy Minister was concerned about that and he appealed to the Portfolio Committee to put pressure on DIRCO to ensure that this was done. DIRCO had a very casual approach until pressure was put on it. He was appealing to Members to lean on their political principals, who would lean on the Minister, who, in turn, could lean on DIRCO.
The South African Defence Force addressed the role and responsibilities allocated to SANDF in the Cybercrimes Bill, and capacity. The question of mandate creep was concerning. The Department had concerns in respect of the violation of Sections 23 and 24 of the Promotion of the Protection of Information Act. Defence Intelligence had been mandated to lead the Defence Force on cybersecurity.
Members had a number of questions. What were the challenges with regards to remote searches? Could they be catered for as an interception under RICA? Who taught the cybercrime courses at the College of Justice? There was a concern that SAPS seemed not to be ready. With the Criminal Procedure Act in its current form, would it be possible for SAPS to execute all the tasks contained in the Bill?
One Member stated that he did not understand whether the Defence Force was part of the core cybersecurity. He had thought that cybersecurity rested with the SSA but there seemed to be divergent views. He was also concerned about private security companies, saying people from the Democratic Republic of Congo, who had served under President Mobutu Sese Seko, owned security firms and used highly sophisticated weapons. That was a risk to the country. The Committee needed to look into the role that private security companies were playing. The Acting Chairperson noted that South Africans were complaining that their phones were tapped. Did SSA tap the phones, or was it someone else? How should that concern be addressed?
SAPS expressed apprehension about coming up with Standard Operating Procedures within 60 days of the Bill being passed. The Committee said it would not extend the time period but rather the Cybercrimes Response Committee was to look at ways of allowing for the extension of the 60-day period, if required. Another concern was the Department of Justice stating that one could not define cybercrime. It seemed to the Committee that the departments were doing something that they themselves did not understand. The Department was instructed to consult with the Cybersecurity Response Committee and to present a definition to the Committee.
The Committee Secretary announced that apologies had been received from the Chairperson and Ms Pilane-Majeke was elected Acting Chairperson.
State Security Agency briefing
Mr Maiendra Moodley, DDG: State Security Agency, presented on existing and planned cybersecurity. He said that a number of supporting departments who were members of the Cyber Response Committee (CRC) would be making presentations at the meeting so he did not want to take away from what they would be presenting. Certain elements of the presentation would be supplemented by the presentations from colleagues. His presentation would be from a high-level point of view.
His presentation would look at critical elements of cybersecurity infrastructure, the varied institutional mechanisms, the legislative and policy imperatives and the current status of implementation. Mr Moodley would also share the reflections of the Departments that had walked the journey together, challenges experienced, why the challenges need to be addressed and how the Departments had tried to get there. He referred to the difficulties, dangers, constraints and complexities of cybersecurity operations. Nevertheless, cybersecurity had become a critical element in security.
In 2012, the National Cybersecurity Policy Framework (NCPF) had created a responsibility for the State Security Agency to lead and develop a cybersecurity approach for the country. As more and more elements were becoming digital, and especially web-enabled, and were finding themselves on the internet, cybersecurity became a critical element of counter intelligence up to the point that one looked at how the Internet had developed and the extent to which cybersecurity and cyberthreats were ultimately understood as cybercrime. Intelligence, so far as cybercrime was concerned, became critical for SSA to start looking at. The most critical challenge was a coordinated management of cybersecurity across the country. Everybody wanted to do the right thing in dealing with cybersecurity but each one approached it working in a silo, addressing those issues which fell within its mandate. The challenge came when Departments had to hand over information. One of the critical things that SSA had to do was to find a way to deal with that challenge. That was when the Cyber Response Committee (CRC) came about. The next thing that SSA had found was that, when trying to unpack the elements, if one was not dealing with cross-cutting responsibilities and one did not have a hand-over of data, one did not have cyber incidents being shared between departments. Integration was critical.
From a financial and budgetary point of view, investing in capacity, infrastructure, resources in each department was prohibitively expensive. There had to be a core investment. Otherwise, one would spend more and more and the returns on investment would not follow.
The various departments had responsibilities in the cybersecurity space and the CRC was intended to facilitate alignment and to ensure that people did not work at cross-purposes. When the cybersecurity problem was analysed, SSA had thought that four or five departments would be the leading players, but they had discovered that other departments also had critical roles to play.
Certain departments needed digital identification to identify student loan recipients, benefit grant recipients and so on. Ultimately, digital identification was essential for every South African citizen, especially citizens who engaged with government in any way. At some point, every South African would have to have a digital ID to eliminate fraud and identity theft.
Mr Moodley explained that he was trying to convey the complexity of the situation and how it reached out in all directions. It was that which explained why it had taken so long to develop cybersecurity for the country.
The critical challenge was around infrastructure and capacity. With the budget constraints, there had never been sufficient funding to make comprehensive developments in cybersecurity. Proper funding and coherent leadership were essential for the outcomes to be delivered. Finding appropriately skilled personnel was a huge challenge as many of the skilled persons would not pass the vetting process.
Breaches had to be regulated so that people could not choose what they wanted to report. Specific information in respect of breaches had to be determined.
The challenges were extensive, starting with personnel, resources and infrastructure. The most difficult issue was that experience and instinct were essential to manage cyber attacks. That took training as well as time. An aggravating factor was that, as soon as young people were trained, they were poached by the private sector that offered better salaries.
There was also the danger that the minute SSA put up a site, everyone would be attempting to hack into that site. The approach was therefore to determine the threats and how to handle them, and that would inform the operational plan.
The budget for Cybersecurity was divided amongst four different departments. National Treasury had been approached so that a more productive way of managing the budget could be determined.
It was also important to run an electronic tripwire, as had been suggested ten years previously, as all government departments had to be monitored and decisions had to be made as to how to deal with the threats. An Internet Service Provider (ISP) could not be shut down because an attack had emanated from one person who used that ISP. Specialist skills were needed to be able to trace the source of hacking. Skills sharing and matrix management across departments would be important.
Policies were useful in guiding standard operational procedures, but it was essential that the lead departments got beyond policies and into practices. The CRC had been helpful in developing a common mindset. The SSA was driving collaboration completely and totally. Each department would be required to focus on its core role in respect of cybercrime. SARS was a member of the CRC as it held critically important information.
SSA had a cybersecurity centre and was monitoring at a high level. Each department would eventually have to be plugged-in so that they could be monitored. Cybercrime was borderless in nature as hackers could disguise the country from which they were working.
SSA also had to determine exactly how breaches were reported to ensure accurate reporting.
The Acting Chairperson stated that the State Security Agency had presented a base document and that other departments would focus on their own position in respect of cybercrime. She took the opportunity to welcome Luwellyn Landers, Deputy Minister of International Relations and Cooperation.
The Acting Chairperson asked Mr Moodley from State Security whether he would advise that the Committee took questions or first listened to all the presentations.
Mr Moodley explained that while he had presented an overview and had attempted to show how all departments fitted into the greater scheme of cybersecurity, he had not stolen the thunder of the departments and each one needed to elaborate on its focus. No one would present anything totally new. He suggested the Committee took presentations first and questions later.
South African Police Service (SAPS) briefing
Brigadier Nicolaas van Graan, SAPS Legal Services, said cybersecurity was positioned within the mandate of the State Security Agency while cybercrime was positioned within the mandate of SAPS. The interim cybercrime policy was designed to give guidance to police officials pending the finalisation and enactment of the Bill. The interim policy was not based on the Cybercrimes and Cybersecurity Bill but rather on existing legislative provisions, but SAPS was already working on a comprehensive integrated operational cybercrime strategy that, where applicable, would be aligned with the provisions of the Bill.
SAPS recommended that child pornography offences and cyber terrorism offences, for instance, be included in the concept of “cybercrime”. SAPS proposed that the definition of “investigator” be amended to ensure that investigators were experts on cybercrime. SAPS would require 18 months to compile the Standard Operating Procedures.
Much information could be obtained from electronic devices. If a cell phone or laptop was found on a suspect, SAPS wanted permission to do a preliminary “peep” to see if a warrant was needed to examine the device. The interface between the Bill and RICA needed to be clarified.
Cybercrime was not a unique crime type in the SAPS official statistics. SAPS was therefore unable to determine the extent of cybercrime through crime statistics. However, cybercrime had been declared an operational priority by the National Commissioner.
The Acting Chairperson said that she wanted to take it as a given that all departments had discussed and agreed upon the issues raised in the CRC. She asked if SAPS had discussed its concerns that NPA would be operating in its space and, if so, what conclusions had they reached? She wanted to understand why the Bill had been written in that way in the first place. She had noted that SAPS wanted to facilitate oral applications for search warrants and asked if that practice would not be open for abuse.
Mr S Swart (ACDP) suggested that there were time pressures and the Committee wanted to hear all presentations before questions. He noted that Mr Moodley had said that all presentations supported the base presentation. He, therefore, suggested that all presentations be heard before Members asked questions.
The Acting Chairperson agreed. The departments were asked to mention how the CRC had received the proposals that they were making.
Department of Telecommunications and Postal Services (DTPS) briefing
Dr Kiru Pillay, DTPS Chief Director for Cybersecurity Operations, spoke about the existing and planned cybersecurity infrastructure. DTPS Cybersecurity Operation Centre was physically situated at the CSIR in Pretoria. It was one of the National Cybersecurity Computer Security Incident Response Teams (CSIRTs). At the end of the 2015/16 financial year, the Finance sector had been well represented in the sector-based CSIRTs with at least four active CSIRTs, and others being planned. The Higher Education sector also had an effective CSIRT responsible for universities, museums and research councils.
The Cybersecurity Hub of the DTPS acted as a national point of contact for the coordination of cybersecurity incidents. It received and analysed cybersecurity incidents, trends, vulnerabilities and threats. It disseminated alerts and warnings to its constituents and initiated national cybersecurity awareness campaigns. The Awareness Portal was officially launched in October 2017. Regular cybersecurity campaigns, such as on cyberbullying, would be run jointly with stakeholders including the Reserve Bank, State Information Technology Agency (SITA) and Microsoft.
National Prosecuting Authority (NPA) briefing
Adv Sibongile Mzinyathi, Acting Deputy National Director of Public Prosecutions, introduced the presentation, which was made by Adv Malini Govender, Acting Head of Specialised Crimes Unit.
The Department of Justice and the NPA had overall responsibility to facilitate cybercrime prosecutions and court processes in accordance with the applicable laws. The NPA therefore executed its mandate by prosecuting cybercrime cases and providing guidance to SAPS in investigations including informal requests from foreign law enforcement agencies.
The NPA had identified cybercrime as a crime for which prosecutors had to be trained and prepared to prosecute. Training for prosecutors had been extensive and the prosecution rate of cybercrime was high at the time. Areas of prosecutions included cybersecurity and terrorism, terror recruitment, economic offences, denial of service attacks, intrusive attacks in the private sector, child pornography and related crimes, and all other offences involving the use of information technology.
The definition of data and data traffic in the Cybersecurity Bill was a concern. The question was whether it included email. The NPA noted that it excluded material data and excluded content and subscriber data.
Powers to investigate, search and access or seize were problematic. Searches would be both object-based search and remote searches, but the Bill did not deal with remote searches.
Department of International Relations and Cooperation (DIRCO) briefing
Deputy Minister of International Relations and Cooperation, Luwellyn Landers, commented on the Bill on behalf of DIRCO. He did not provide a written document.
In response to the query received from the Committee, the Deputy Minister stated that Chapter 6 and Chapter 12 did not impact on DIRCO’s functions and mandate. The second part of the Committee’s request had asked DIRCO to highlight its existing capacity and plans to deal with issues that might emanate from the Bill. He noted that several submissions had referred to the fact that there was no international legally binding instrument to which all countries agreed. South Africa was a signatory to the Budapest Convention of 2001. Unfortunately, the Convention was put forward by the European Union, and when member states met in Europe, only Europeans were invited, so South Africa withdrew from the Convention. There was the African Union (AU) Convention and the Ministry had instructed its team to find out why, after three years, South Africa had not signed or ratified the AU Convention. The Deputy Minister hoped to come back with a response on that.
South Africa was the Chairperson of the open-ended Expert Group on Cybercrime, which had met on several occasions and agreement on several issues had been reached, in particular a resolution to extend the mandate to allow for the continuation of discussions on the challenges of cybercrime. South Africa was also working with BRICS partners and others to ensure the development of a legally binding international instrument.
The Deputy Minister appealed to colleagues, including the Portfolio Committee, to put pressure on DIRCO to ensure that it came about. Otherwise, DIRCO had a strange way of doing things and loped along very casually until pressure was put on it. He was appealing to Members to lean on their political principals, who would lean on the Minister who could then lean on DIRCO.
The major powers such as the United States, Russia, China and Germany were opposed to an international convention for a reason that did not make sense, as they said it was not necessary. Such difficulties had been overcome in the past and could be overcome again.
South African National Defence Force briefing
Major-General Bonginkosi Ngcobo, SANDF Defence Intelligence Division, spoke on the role and responsibilities allocated to SANDF and capacity. The Defence Force disagreed with Section 13(1) of the Cybersecurity Policy Framework which spoke of “in the event of a cyber-war”. The Defence Force believed that all countries were currently in a state of cyber-war, so the question was: Who determined that the country was in a state of cyber-war?
In the draft version of the Bill, it had stated that the Cabinet Minister responsible for Defence had to establish a Cyber Command and had to consult with the Cabinet Minister responsible for national financial matters. Clause 55 was the function of Clause 54(3). Clause 55 spoke to exactly what had to be done, and the fiduciary arrangements that had to be established between the Ministers, but the clause had been taken out. Clause 54, as amended, downplayed the role of Defence. The SANDF was concerned about the position.
Major-General Ngcobo raised the concern of the SANDF that there was mandate creep and that constitutional boundaries were being blurred and would cause confusion. In particular, the Defence Force asked for alignment of the provisions dealing with critical infrastructure in the Critical Infrastructure Protection Bill 2017 with that of Clause 57 of the Cybercrimes and Cybersecurity Bill.
The Defence Force had planned a Cybersecurity Defence Indaba.
Mr W Horn (DA) requested that when the Department of Justice responded it should also respond to the suggested changes to the Bill. The Acting Chairperson agreed that it would be appropriate as the Department was coordinating the drafting.
Ms G Breytenbach (DA) put a question to the NPA. What were the challenges with regard to remote searches? Could they be catered for as an interception under RICA? Who taught the courses on cybercrime at the College of Justice? Was it in-house capacity or did they make use of external presenters and, if so, from where were they sourced? She noted that civil claims had increased exponentially over the years. How did SAPS plan to mitigate that, especially with regard to claims against the private citizens that SAPS would be using to assist it? Who would be liable for the actions of those people?
Ms Breytenbach noted that there was no over-arching definition of cybersecurity. She asked DOJ&CD whether it could be achieved and whether a definition was perceived as necessary. Had the Bill been costed, and, if so, was the costing available to the Committee? She wanted to see a detailed implementation plan. She asked the Department to explain the need to create statutory offences for existing common law crimes. She asked if there was a designated judge as required in terms of Section 16(1) of RICA. She noted, from her parliamentary question the previous year that Section 16(1) of RICA was hardly ever used but that Section 205 of the Criminal Procedure Act (CPA) was being abused with regards to cell phones. Was that to be considered? Why was RICA not used?
Mr S Mncwabe (NFP) said some of the presentations were worrying. SAPS seemed not to be ready. SAPS seemed confused. Would it be possible, with the CPA in its current form, for SAPS to execute all the tasks contained in the Bill? He addressed the SANDF. When the Major-General was presenting, he was not sure whether the Major-General had been presenting the position of the Defence Force, or perhaps the position of the Defence Intelligence unit. He asked for clarity. What had been the role of Defence Intelligence in the whole process of the Bill? The unit had a specific role in what the Committee was talking about. Everyone knew that in the future wars would be fought through cyber. Defence Intelligence should give the early warnings so that the country would be well-equipped in respect of cybersecurity.
He asked DIRCO about its relationship with SADC. He understood that in Zimbabwe, the country was taking cyber issues so seriously that they had established a Ministry of Cybersecurity. Could they not learn something from the new President of Zimbabwe? The SSA had spoken about Public Private Partnerships (PPP), which was interesting, but what was the relationship with security companies? They were more advanced and had better equipment and guns than the government, but at the same time, they could be a threat to state security. Some of the private companies were foreign-owned. What was the relationship of the PPPs with the Defence Force? They had to bring them closer as they were not accountable to anyone. He had thought that the Private Security Industry Regulatory Authority (PSIRA) would have been at the meeting.
Mr Mncwabe commented that one presenter had stated that cybercrime started with his cell phone and could go to his computer from there. How ready were the state entities to deal with the ever-upgrading cell phone industry? Each day there were new apps (applications). The NPA reflected a state of total readiness to deal with cybercrimes as even prosecutors had been trained. Training prosecutors was good but practicing attorneys were ignorant of the scope of cybercrime. That created a problem in giving justice to the people. The Committee should hear from the law societies, the Judicial Administration and the Office of the Judge President, as to what their understanding was of cybercrimes. Everybody had to be ready when the Act came into operation.
Mr Mpumlwana asked the NPA to suggest a clause in terms of the challenges with international instruments for cooperation with foreign jurisdictions. He told the Defence Force that he did not understand whether SANDF was part of the core cybersecurity. He had thought that cybersecurity rested with the SSA. He understood the SANDF to say that it had the power to defend any threat to the country. He thought that SSA also had the power to defend. He asked if the two entities had met to discuss the matter. There had to be coordination, and would the Defence Force not give the matter to SSA to coordinate? He was also concerned about private security firms as they were owned and staffed by foreigners. People from the Democratic Republic of Congo who had served under President Mobutu had security firms and used highly sophisticated weapons. That was a risk to the country.
Mr M Maila (ANC) noted that all presenters had referred to skills development. Linked to that, there was the issue of hacking. When he listened to the SSA Cyber Head, he thought that he was listening to a hacker. If skills were developed, was the country creating more hackers? It was a case of setting a thief to catch a thief. Was there legal and illegal hacking? He asked about digital IDs and if Home Affairs had any role to play in that.
Mr Horn understood that the implementation and governance of the Bill, once it became an Act, would rest with the SSA or its Minister. He asked for the views of all departments given the fact that, by its very nature, SSA operated in secrecy. In terms of the current dispensation, the SSA was not publicly accountable to the people of South Africa or Parliament. The Joint Standing Committee on Intelligence briefings were not disclosed. His opinion was that the SSA, through the powers that it received through the Bill, could use that power to the detriment of the country, rather than for securing the Constitution. He was not saying that it would happen but, as the Bill stood, there were no safeguards against such likelihood. It would not be possible to find out if there was abuse of powers. Chapter 11 of the Bill stated that the Minister had to consult with Cabinet colleagues, but he did not need their consent. Section 57 contained the definitions of when and how declarations had to be made. He believed that the vagueness of the definitions had to raise alarm bells in terms of oversight. The definition was so wide and undefined and without checks and balances or opportunity for oversight. The Defence Force had raised the issue, but he asked how other departments felt.
The Acting Chairperson agreed that the definition of cybercrime had to be addressed by the Department of Justice. The drafting had to be looked at in the context of the discussions of the day. The issue of private security had been clearly expressed. Should the Committee be concerned about that when it came to the security of the country? The Committee needed to look into the role that private security companies were playing. Was there anything to discuss on some of the concerns of SAPS? She was concerned about the fact that SAPS had procedures to address cybercrime in all provinces but not Gauteng when a lot of crime took place in Gauteng as it was the economic hub of South Africa. DTPS had indicated that it had a monitoring role. Had it looked at coordinating its services? The Department had to be careful that there was no duplication of monitoring or other services.
DIRCO had indicated that the AU Protocol had not been ratified. South Africa had ratified so many things over the years. What was the cost effectiveness of ratifying protocols, etc.? What did it cost to ratify the Convention? She thought that it might be necessary to ratify the AU Protocol. If it was going to delay the Committee, then DIRCO needed to ratify with the AU only. South Africa was further ahead and more advanced than the rest of the world, as usual. How much was it going to cost the country? Clause 54(2) needed to be amended. That process needed to be guided by the departments.
South African Police Service
Brigadier van Graan responded that the role of private persons working for the police on cybercrimes would have to be spelt out. They would not be required to “carry boxes” but to give expert assistance. They would not work on their own but would have to work with police and would have to act under the authority of the police. He agreed with Mr Mncwabe that SAPS frequently used the Criminal Procedure Act but that was the only piece of legislation they had. A J51 had been adapted to allow the seizure of data. On the cybercrime footprint in Gauteng, he explained that, in 2011 when digital forensics units were developed, the roll-out had commenced at SAPS headquarters in Johannesburg and so it had been managing Gauteng cybercrime while SAPS rolled out in the rest of the country. Gauteng would be the last province to get its own digital forensics unit.
Telecommunications and Postal Services
Dr Pillay said that the question of WhatsApp, digital platforms and mobile applications could be responded to by looking at each sector creating capacity. Organisations that were well represented or secure organisations, such as the South African Banking Risk Information Centre (SABRIC), had secured the sector and conducted information campaigns while monitoring the digital environment. The mobile phone sector would have to secure digital platforms in a similar way by securing the sector and conducting awareness campaigns. That capacity needed to be established.
SSA and DTPS had different mandates with regard to monitoring but similar constituencies. The two entities worked very closely but tried to minimise overlap. SSA looked at national threats facing the country. DTPS looked at threats facing the private sector. They did, nevertheless, overlap.
National Prosecuting Authority
Adv Malini Govender replied about remote searches, her reference to RICA and about the College of Justice. She did not want to get too technical, but it was a very technical discussion. The challenge was that if one looked at Clause 26 and Clause 27, it was premises and object-based or article-based. Clause 38 dealt with interception of data and then made reference to RICA. The challenges were that the search and seizure procedure did not cover remote search and seizure. The only provisions in law that dealt with a remote process by which one could listen to conversations, intercept and/or monitor conversations, were in RICA. The problem with RICA was that it talked about real time communication-related information or indirect communication, but it was limited to oral conversations or oral communications and it limited the obtaining of a directive for the interception of a telecom service provider or postal service. For example, ISPs were excluded. It did not cover content and data searches. She had suggested that RICA would need to be extended to cater for remote searches to take place.
The College of Justice fell under the Department of Justice. The service providers were in house and had been trained by the University of Pretoria. The College used NPA prosecutors, three in house presenters and accessed service providers who were skilled in that area. Those people might be associated with law firms or had their own digital forensic companies and had testified in court and so could take prosecutors through the entire process.
Adv Mzinyati responded to Mr Mpumlwana’s question by referring to Clause 44 of the Bill which referred to mutual assistance. That was an already existing process in the International Co-operation in Criminal Matters Act where engaging with international jurisdictions was through the normal process which started with a letter of request until it reached the Executive Authority in the Department of Justice. The Act was sufficient to ensure that international cooperation was obtained. On international instruments broadly, DIRCO could give consideration to expediting the country’s involvement and ratifying of the AU protocol. Everyone with an interest in the Bill would confirm that that would be a positive step.
Even though the protocol had not been ratified, the next step would be to domesticate the provisions of the protocol into the local laws, but he was excited that work on cybersecurity legislation had commenced. The work in progress was in alignment with the international protocols.
Department of International Relations and Cooperation
Adv Doc Mashabane, DIRCO Chief Director for UN Political Peace and Security Unit, replied that the AU Convention came into existence in August 2014 but if one looked at the Convention, it would not solve the country’s challenges. It was, however, a good thing to have and DIRCO would go ahead and ratify it. It did not appear to have cost implications. The big challenge was that globally no legal instruments existed. The international community was, ideologically and politically, sharply divided. The division was not in terms of numbers, but mainly ideology. The Europeans had negotiated the Budapest Convention, which South Africa had been part of. However, only Council Members could attend political meetings. BRICS countries were developing a response but were painstakingly slow. It would, however, provide a global response mechanism.
The NPA had raised the point that the only thing available for international cooperation was the Mutual Legal Assistance Act. In cases where there was no such agreement, that posed a challenge. The challenge was that the Western countries, Europe and the US were not interested in a global instrument. Europeans thought that everyone should go to Budapest, despite the political challenges in that regard. Adv Mashabane was afraid that when the Bill had been started, it was overly-influenced by the Budapest Convention. When the political decision had been taken to pull out of the Convention, there had been no questions about the implications of the withdrawal on the Bill and the Bill had not been recalibrated.
Zimbabwe had appointed a Minister for Cybercrime which was more related to monitoring of social media networks and the control of human rights space. AU offered an opportunity for creating a protocol. The country needed to sort out its internal processes as DIRCO had no pedestal to stand on globally until that was resolved. A global instrument would help to address internal issues.
Department of Defence
Adv Ntsoele of the Department of Defence responded to why Section 55 had to be reinstated in the Bill. The question was whether the deep-sea cabling would solve the problems of monitoring globally and the answer was in the negative. The first iteration was the Budapest Convention. It was a taste of copywriting and so on. South Africa was chopping and changing with a bit of Russia, a bit of Germany etc. However, the problem to be addressed was that, if the AU Convention was ratified, what about SADC? Which legal instrument would assist the country in what it was doing? Did they have an international model?
Clause 55 was the functioning of Clause 54(3). Clause 55 spoke to exactly what had to be done, and the fiduciary arrangements between the Ministers had to be established, but it had been taken out. Clause 54, as amended, downplayed the role of Defence and the SANDF was prepared to assist in re-writing the clause that was supposed to represent the Defence mandate.
The question of mandate creep was valid. When she and the Defence Force team had done a clinical analysis, from 2015 to 2017, it had been clear that there was a lot of mandate creep, but the debate belonged to a level higher than the Committee as there was a need to go back to the Constitution and unpack the mandates and determine what pieces of legislation were relevant and what were the roles of the people. They had to consider other legislation. They could not later come to Sections 23 and 24 of POPIA (Promotion of the Protection of Information Act) and then be concerned about the impact on the Act. There was a lot of mandate creep.
Maj-Gen Ngcobo responded that he had presented the position of the Department of Defence and not a position specific to Defence Intelligence, although Defence Intelligence was mandated to lead in terms of cybersecurity and therefore the position of DoD would be that of Defence Intelligence. However, the Department of Defence, as a whole, had participated in the Bill.
On whether Defence Intelligence was the only entity mandated to conduct cyber defence, he had to answer in the negative. However, he wanted to take the Committee back to the understanding of defence. All departments were involved in defence in one way or another, not necessarily in the conventional sense of fighting. For example, agriculture had a role to play. However, the Department of Defence was the last line of defence. In the domain of cybersecurity, there was no first line and last line. There were no layers. Response to any attack had to be immediate. It could not first go down a line of departments. He quoted from the NCPF (National Cybersecurity Policy Framework) Paragraph 16(5) which stated that the Department of Defence and Military Veterans had overall responsibility for coordination, accountability and implementation of defence measures in the Republic as an integral part of its national defence mandate. To that end, the Department would develop policies and strategies pursuant to its core mandate, that did not take responsibilities from SSA or any other government department.
State Security Agency
Mr Moodley observed that most of the Departments at the meeting were represented by legal representatives or management per se, but not by their Cybercrime Response Committee representative. The presentation that he had given had been seen three times by the Cybercrime Response Committee and all representatives had agreed with the content. He was emphasising the point because there was a clear lacuna between some of the presentations and the base document that SSA had started with. Without being disingenuous, he did not want it to appear that the presenters had come unprepared. That was untenable. Everything in the SSA presentation had been given to the other departments to approve on three occasions, and the minutes could be provided to verify the fact. The only person in the room who attended meetings of the CRC was Dr Pillay.
The issue of monitoring was interesting as the question was how to ensure proper oversight and that, at any point in time, everyone was keeping an eye on the intelligence services. If the SSA Cybercrime Centre went down, SSA needed to have a back-up cybersecurity centre. In the event of an attack, the first thing that went down would be a monitoring centre – hence the perceived “overlap” between SSA and Telecommunications. DTPS and SSA would both get feed at their monitoring centres, both would check it and if SSA did not respond, DTPS would respond and vice versa. There was overlap but the two centres did not chase the same fire while others were burning. Enemies would attack at one point but distract the monitors with other attacks elsewhere.
The NPA was not part of the process and that was an oversight. The CRC had been very clear about how they had addressed the process. The entire process had been going on for more than ten years and they had to stop enlarging structures, talking about mandates and trying to re-institutionalise things. The CRC was an attempt to get beyond that. Now it was critical to get things moving and to keep the country safe.
He noticed that no one had spoken of the costing of the Bill for the implementation plan. The money was being dealt with in terms of a Cabinet Memo where they were trying to put together a consolidated costing with proper plans and milestones which would be submitted to National Treasury. It was not helpful for everyone to try and raise money for dealing with cybercrime. They had to be fiscally responsible. He pointed out that his salary came at the cost of buying TB drugs or cancer treatment etc. He took the entire task to heart. They were going to Treasury because they wanted Treasury to scrutinise the amount.
Public Private Partnerships (PPPs) and internet security were interesting as private security liked to call themselves risk management companies as did units in legal firms. They did not carry guns but did the hacking. The big four auditors were international auditors and that was a threat as they would have unfettered access to all the data when conducting an audit. When they came in, they drew out all the data. It was sitting in a multi-national cloud. There had been a proposal to put government information in a cloud belonging to an American company. SSA had rejected the proposal as it did not want to put data in a cloud that it could not control. That was a threat. SSA ran hacking tests for government sites as each person working for SSA had been vetted. Vetting was a major challenge.
The other issue was the original equipment manufacturers (OEMs), basically the IT companies. Those companies did not have the required skills to do the work. He referred to his work at SITA when OEMs sent people from Pakistan to work on the SITA system. How did one vet them? SAPS, Home Affairs, Justice and other departments stored identity information on the system as it was intended to be cross-cutting and everyone could plug into the system to facilitate apprehension, rehabilitation etc. The way that the system had been architected to find a person, and the way that everyone else had architected the system, had been totally different. The system meant that departments could not access information from each other. The system was currently very, very bad and anything, or any error, could happen.
SSA had the ability to send secure information and would share the information with those who requested it.
Skills development and hacking was a difficult issue as when one had the skills, what one did with those skills was up to one’s conscience. It was like becoming a locksmith. SSA vetted everyone who was trained. However, it was possible for anyone to learn to hack by finding information on how to do it through Google. A cell phone could now allow people to access data anywhere. People who used default passwords were vulnerable. How was info stored? Everyone could plug into cyberspace and store the information differently from the way that others did. That meant that appropriate service architecture was urgently required.
The Chairperson said that SSA had a lot of work to do in mainstreaming or the country could not monitor what the Bill was intended to monitor.
Department of Justice and Constitutional Development (DOJ&CD) briefing
Adv Sarel Robbertse, State Law Adviser, DOJ&CD, said that it was not possible to provide definitions of cybercrime. Twenty years previously, the only legislation on cybercrime related to unlawful access. The situation had evolved. Through the Bill, SADC protocol and international law, specific crimes had been prescribed and recognised as crimes and had been divided into two categories. Firstly, there were crimes against the integrity of information systems. Secondly, there were crimes facilitated by information and communications technologies. Cybersecurity was not something that was fixed. When the systems became more powerful and more complex, cybersecurity followed in order to cater for what was necessary to offer protection.
In response to the question of whether statutory law was needed to prescribe offences, he stated that some offences in the Bill were recognised under common law, such as forging and uttering, computer-related fraud and cyber extortion. The elements of the Bill had been adapted as required but offences were not always similar to common law offences. In some cases, persons had been convicted under common law. But fraud in common law meant a misrepresentation to a person that caused harm whereas in the cyber domain there was no misrepresentation to a person as systems were automated. DOJ&CD, therefore, submitted that prescription of offences was necessary to cater for cyber-specific offences.
The development of a comprehensive implementation plan was premature as the Bill still had to be adopted by Parliament. A lot of work had been done to be ready to implement the Bill. The departments had worked on Standard Operating Procedures (SOPs) and had made progress on that. When there was more certainty about the Bill, the complete implementation plan would be addressed and implemented.
On RICA and Section 16 of the Bill, he confirmed that there was a designated judge. Section 16 dealt with the interception of indirect communications which took place after approval by the designated judge. The difference between data in the Bill and RICA, was that Section 38(1) and Section 38(2) of the Bill provided for the use of RICA for interception of indirect communication. RICA referred to communication over a telephone line but communications that might be indirect communication, such as indirect email and stored communication on a computer or server, was no longer seen as communication over a telephone line and RICA did not apply. Section 205 of the Criminal Procedure Act dealt with obtaining call-related information outside RICA and was used by the law enforcement agencies. Section 18 and 19 of RICA did allow for similar prosecutions but another section in RICA provided for other legislation to be used, unless the information was provided on a continuous basis. RICA was being reviewed and those issues could be addressed, but there was a court challenge on aspects of RICA.
The Chairperson said that CRC needed to consolidate what had been presented that day. She was worried when the Department of Justice said that one could not define cybercrime. It seemed that the departments were doing something that they did not understand themselves. A definition was required. Protection was being built for the individual, but what about an attack on the state? No one had mentioned that cybercrime could be seen as treason. Other things had to be brought in so that the Bill could assist in protecting the State.
The Chairperson said SAPS was concerned about certain clauses. Those needed to be taken back to CRC. SAPS was concerned about Clause 24 in which the Minister had to devise Standard Operating Procedures within 60 days. The Committee was not going to allow the time to be extended but CRC could look at how the 60 days could be extended, if required, so that all departments reached consensus.
The Chairperson noted that South Africans were complaining that their phones were being tapped. Did SSA tap the phones, or was it someone else? How should that be addressed? CRC should consider the matter and provide the Committee with an answer.
She thanked everyone for their presentations and participation that day. She informed the Members that the meeting the following day had been cancelled.