Responding to Cybercrime: The South African Legal Position
Denise Fouche, EndCoder / endcode.org

Cyber Banking Conference

Jul 08, 2015


Presented by EndCoder Denise Fouche, this presentation describes South Africa's legal response to cyber security threats, particularly in the banking industry.
Transcript
Page 1: Cyber Banking Conference

Denise Fouche, EndCoder / endcode.org

Responding to Cybercrime: The South African Legal Position

Page 2

CONTEXT:

Cyber Crime awareness

Forms of Cyber Crime in South African Law

Cyber Crime Challenges to South African Law

How South Africa’s Legal System is Meeting Challenges

Cyberlaw Enforcement in South Africa

Security Recommendations

Page 3

Cyber Crime?

“The probability of a major cyber attack is not ‘if’ but ‘when’.” Oliver Crepin-Leblond, Global Information Highway, United Kingdom

Page 4

Cyber Crime?

[Infographic; only fragments survive: “6 most active”, “3 Russia, China”, “R2.65 billion”]

Page 5

Cyber Crime awareness?

• Internet penetration, mobile devices
• Crimes are growing, but little awareness
• No multimedia public awareness campaign
• No national awareness campaigns – patchwork of initiatives:
  • CSIR
  • SABRIC, funded by local banks to track and respond to cybercrime in the banking sector
  • Cybercrime.org.za: an awareness portal intended for informational purposes
  • Alertafrica.com: raising awareness of cyber threats in SA
  • ISG Africa
  • South African Centre for Information Security
  • FPB PROCHILD
  • SACSAA (South African Cyber Security Academic Alliance: NMMU, UJ, UNISA), cyberaware.org.za
• No government involvement in existing efforts
• No cyber watch centres
• Ethiopia: 24-hour national computer security incident response teams

Page 6

Private sector responses

Page 7

Private sector responses

Page 8

Cyber Crime?

• No national cybersecurity awareness framework in place

• Infrastructure for cybersecurity protection strong but awareness is low

• Mobile usage and lack of security awareness - vulnerability

• Although numbers have decreased, cost per victim has risen

• 48% smartphone and tablet users do not take basic precautions

• What information is being shared on social networking platforms

• Perception of lawlessness, ineffective enforcement

• ALL LEVELS OF SOCIETY TO BE ENGAGED

Page 9

[Image: http://blog.logrhythm.com/wp-content/uploads/2013/11/Waking-shark-II.jpg]

Page 10

[Image: http://cyberarms.files.wordpress.com/2013/07/bank-cyber-report-card.png]

Page 11

South Africa’s cyberwellness profile

How does the ITU measure us?

LEGAL
Criminal legislation:
• ECT Act
• National Cybersecurity Policy Framework 2012
• RICA
• POPI Act
Regulation and compliance:
• No specific legislation and regulation related to cybersecurity

TECHNICAL
CIRT:
• ECS-CSIRT is an officially recognised CIRT
Standards:
• Approved national cybersecurity frameworks for implementing internationally recognised cybersecurity standards through the NCPF
Certification:
• No frameworks for certification and accreditation of national agencies and public sector professionals

Page 12

South Africa’s cyberwellness profile

How does the ITU measure us?

ORGANISATION
Policy: Officially recognised NCPF approved March 2012
Roadmap for Governance: National Cybersecurity Implementation Plan
Responsible Agency: State Security Agency, for implementing national cybersecurity strategy, policy and roadmap
National Benchmarking: No benchmarking exercises to measure cybersecurity development

CAPACITY BUILDING
• Standardisation development: No R&D programs for standards, best practices or guidelines to be applied in the private or public sector
• Manpower development: No educational and professional training programs for raising awareness with the public, promoting courses in higher education and promoting certification of professionals in the private or public sectors
• Professional certification: No public sector professionals certified under internationally recognised certification programs
• Agency certification: No government and public sector agencies certified under internationally recognised standards in cybersecurity

Page 13

South Africa’s cyberwellness profile

How does the ITU measure us?

COOPERATION
Intra-State cooperation: partnerships with the 24/7 program
Intra-Agency cooperation: no officially recognised national or sector-specific programs for sharing cybersecurity assets within the public sector
Public Sector partnership: no programs for sharing cybersecurity assets between the public and private sector
International cooperation: member of the ITU-IMPACT initiative; beneficiary of HIPSSA; participated in international effort on cybercrime (EU GLACY project); at finalisation stage of the draft AUC Cybersecurity Convention workshop

Page 14

South Africa’s cyberwellness profile

How does the ITU measure us? PROTECTION OF CHILDREN ONLINE

National legislation: Amendment to Sexual Offences and Related Matters Act; Films and Publications Act

UN Convention and Protocol: Convention on the Rights of the Child; Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography

Institutional support: no recognised agency offering institutional support on child online protection

Reporting mechanism: FPB PRO CHILD phone number on website

Page 15

What is Cyber Crime?

• South African law has no formal definition
• Internationally there is little consensus
• Consider the following:
• “Unlawful conduct involving a computer or computer system or computer network, irrespective of whether it is the object of the crime or instrumental in the commission of the crime.” (Cyberlaw @SA III)

Page 16

What Constitutes a Cyber Crime?

• Electronic Communications and Transactions Act 25 of 2002 (ECT Act) Chapter 13 criminalises various acts:
• Hacking
• Denial of Service attacks
• Unauthorised access to and tampering with information
• Fraud, forgery, extortion related to a computer
• Other cyber crimes include:
• Distribution, creation, possession of child pornography in digital format

• Identity theft

• Cyber-stalking

• Phishing

• Online gambling

• Falsity with regard to accreditation by Accreditation Authority

• Failure by critical database administrator to take remedial action

• Obstructing cyber inspectors’ functions

Page 17

Cyber Crime Challenges for SA Law

• No single existing government agency to manage all aspects of cybersecurity and cybercrime

Page 18

Responsibility: Department
• Policy development: Department of Communications; Department of State Security
• Curbing and prosecuting crime: Department of State Security; DoJ & CD; Department of Police
• Responsibility for prosecution of cybercrime and court processes; RICA implementation: DoJ & CD
• Implementation of cybersecurity measures; develops and implements regulations on cybercrime: Department of State Security
• Co-ordination and implementation of cyber-defence measures: Department of Defence & Military Veterans
• Development, coordination and implementation of national capacity development programmes on a national cybersecurity research and development agenda: Department of Science & Technology
• Prevention, investigation and combating of cybercrime: Ministry of Police

Page 19

Cyber Crime Challenges for SA Law

• Crime across international borders
• Jurisdictional issues
• Relying on international assistance
• Importance of globally coherent cyber crime laws
• Digital evidence is different
• Evidence is information

• Admissibility of electronic evidence

• Protecting the veracity of electronic evidence

• Need for ISP participation

• Many perpetrators, many victims

• No physical presence

• Domestic laws govern investigation

Page 20

Cyber Crime Challenges for SA Law

• Intelligence gathering in the digital world
• Equipping investigators with cyber skills
• Ability to act swiftly
• Participation of ISPs
• Flexible laws to keep pace with technology
• New types of crimes
• Denial of Service Attacks
• Hacking
• Cyberstalking

[Diagram: DoS Attack, many “Request” arrows directed at an “Information System”]

Page 21

Can existing South African common law accommodate Cyber Crime?

• Nullum crimen sine lege principle

• No crime without (prior) criminal prohibition

• South Africa’s living, adaptable common law

• E.g., common law crime of theft can be applied to cyber crime theft

• S v Van den Berg 1991: electronic fraudulent misrepresentation still fraud as per common law

• S v Howard 2005: “property” in crime of malicious damage to property no longer needs to be physical

Need for specific legislative provisions for cyber crimes to include new crimes and be clear about illegality

Page 22

How is South Africa’s Legal System meeting these challenges?

What is South Africa’s position domestically?

Substantive Laws

• ECT Act prohibits:
• Unauthorised access to information or interception of information s86(1);

• Unauthorised intentional interference resulting in modification, rendering ineffective or destruction of information s86(2);

• Overcoming security measures which protect data, including the sale, distribution or possession of a device that is meant to be used to overcome security measures s86(3) s86(4);

• A complete or partial denial of service attack s86(5);

• Computer-related extortion, fraud and forgery s87; and

• Attempt, and aiding and abetting in any of the abovementioned acts s88

Page 23

How is South Africa’s Legal System meeting these challenges?

What is South Africa’s position domestically?

Substantive Laws

• CPA & ECT Act
• Together with the Consumer Protection Act 68 of 2008, the ECT Act regulates unsolicited communications (SPAM)
• POPI
• Stringent requirements imposed on collecting and processing personal information
• Electronic direct marketing prohibition
• The Films and Publications Act
• The Films and Publications Act 65 of 1996 imposes a statutory obligation on ISPs to prevent the distribution of child pornography in South Africa
• The National Gambling Act
• The National Gambling Amendment Act 10 of 2008, which has been adopted but not promulgated, regulates online gambling and casinos against dishonest operations
• Until the promulgation of the Amendment Act, online gambling is prohibited for South African residents

Page 24

How is South Africa’s Legal System meeting these challenges?

What is South Africa’s position domestically?

Procedural Laws

• RICA:
• Minister of Communications responsible for:
• directives to ensure electronic communication service providers make their systems interceptible and store information
• prescribing technical, security and functional requirements of interception facilities
• Implemented state surveillance (data collection) as an investigatory method for serious crime committed on the Internet
• Direct and indirect communication included
• Interception, data retention, decryption and monitoring are included as methods of surveillance.

• ECT Act:
• Provides for secure electronic transactions; cryptography services; authentication of service providers; consumer protection; protection of critical databases; domain name authority and administration; and establishment of a cyber inspectorate
• Gives evidential weight to data messages in a court of law
• Provides for the regulation of Public Key Infrastructures and the authentication and accreditation of electronic signatures
• Under review: electronic evidence

Page 25

How is South Africa’s Legal System meeting these challenges?

What is South Africa’s position domestically?

On the Cards

• Draft Cyber Security Policy 2010
• Cabinet passed the National Cyber Security Policy Framework in March 2012, but it is not publicly available

• Guidance on how to secure cyberspace is not available

• Draft stated milestones for establishing CSIRT (Computer Security Incident Response Team) and CSERT (Computer Security Emergency Response Team) end March 2012

• Mandate challenges: milestones not met. Feb 2012 decision that State Security should take over responsibility from Department of Communications for drafting policy on cybercrime

• Framework proposes co-operation between government, private sector and civil society

Page 26

How is South Africa’s Legal System

meeting these challenges?

What is South Africa’s position domestically?

On the Cards

• Draft Cyber Security Policy 2010

• Facilitate the establishment of relevant structures in support of cybersecurity

• Ensure reduction of Cybersecurity threats and vulnerabilities

• Foster cooperation and coordination between government and private sector

• Promote and strengthen international cooperation on Cybersecurity

• Build capacity and promote a culture of cybersecurity

• Promote compliance with appropriate technical and operational Cybersecurity standards

Page 27

How is South Africa’s Legal System meeting these challenges?

What is South Africa’s position domestically?

On the Cards

• Draft Cyber Security Policy 2010
• National Cybersecurity Advisory Council appointed October 2013
• coordinates cybersecurity policies and interventions at operational and strategic levels; co-ordinated national approach to cybersecurity
• Computer Security Incident Response Teams (CSIRTs)
• identify, analyse, contain, mitigate and report on cybersecurity threats in various sectors
• National CSIRT, Government CSIRT, Sector CSIRTs
• Faster co-operation between government, private sector and citizens
• Strengthen international co-operation
• Skills development and innovation
• Building capacity for law enforcement, judiciary, civil society requirements
• Promoting a culture of cybersecurity through development programmes that address government, business and user needs

Page 28

How is South Africa’s Legal System meeting these challenges?

What is South Africa’s position internationally?

• The South African Constitution
• When interpreting the Bill of Rights a court, tribunal or forum must consider international law and may consider foreign law (s39(1))
• The Council of Europe Convention on Cybercrime
• Signed by South Africa

• Addresses crime committed over electronic media

• The only international cybercrime treaty

• Requires signatory countries to create domestic cyber crime law (procedural and substantive)

• Harmonises the approach that signatory countries take to the legal provisions that they create

• International co-operation and assistance is important for the collection of electronic evidence and criminal investigation

Page 29

How is South Africa’s Legal System meeting these challenges?

What is South Africa’s position internationally?

• The CoE Convention on Cybercrime (Budapest Convention)
• Only international agreement addressing cybercrime
• First international treaty harmonising national laws
• Oct 2014: 44 states have ratified and a further 9 have signed; signatories include Canada, Japan, the US and SA
• The SADC Model Law on Cybercrime
• Harmonisation of SADC region country policies towards cybercrime
• Primarily identifying cybercrime offences to be included in domestic laws
• African Union Convention on Cybersecurity and Personal Data Protection
• Adopted June 2014
• Criticised as not acknowledging weaknesses of African security sector mechanisms
• No requirement of strong judicial oversight to strengthen privacy protection
• National sovereignty and discretion over international law
• Does not outline a minimum threshold that national legal frameworks and laws should comply with

Page 30

How is South Africa’s Legal System meeting these challenges?

Discussion Topics:

• Online Identity Theft
• No direct legislative provisions

• Often considered a type of fraud

• May be prosecuted under the common law regarding fraud, or the ECT provisions regarding fraud

• High rate of online ID theft in SA may require its own legal provision

Page 31

How is South Africa’s Legal System

meeting these challenges?

Discussion Topic:

• Personal Information

• The Protection of Personal Information Act 4 of 2013

• Promulgated but not yet in effect (only the definitions and the Information Regulator provisions are in effect)

• Related to identity theft

• Aims:

Protection of PI processed by private and public bodies

Minimum requirements for processing of PI

Establishment of Information Regulator

Codes of Conduct

Rights protection against SPAM and automated decision-making

Regulate cross-border flow

Page 32

How is South Africa’s Legal System

meeting these challenges?

Discussion Topic:

• Phishing

• Online Fraud

• Social Engineering

• Related to Identity Theft

• Affects banking industry

• Affects individuals

EMC Infographic: Consumer Online Identity Risk

Page 33

How is South Africa’s Legal System meeting these challenges?

Discussion Topic:

• Phishing
• Estimated losses (SA): USD 222 million
• Phishing has increased 31% in SA compared with the same time last year
• (EMC website)

The top 10 countries targeted

by phishing in 2013:

United States

United Kingdom

Germany

India

South Africa

Canada

Netherlands

Colombia

Australia

Brazil

Page 34

South African Cyber Law Enforcement

How are cybercrime provisions enforced?

• S90 ECT Act
• Jurisdiction founded: where the crime is committed or an act of preparation took place; where the result is felt; by a citizen or permanent resident; on a ship or aircraft registered in SA
• Cyber Inspectors
• The ECT Act makes provision for the appointment of cyber inspectors to monitor and inspect, and to search and seize upon warrant, any premises or information system with regard to a cybercrime investigation (s82).
• However, no such inspectors have yet been appointed
• The Act is being amended

Lack of national effort:
• UK has 11 centres for cyber skills development linked to universities

• India sponsoring training of 500 000 “cyber warriors”

• South Korea produces 5 000 cyber specialists annually

• Kenya National Cybersecurity Strategy 2014

• Few prosecutors understand cybercrime

Page 35

South African Cyber Law Enforcement

What Penalties Exist?

• The courts can hand out the following sentences:

Fine or imprisonment of max. 12 months:
• Unauthorised access to information or interception of information
• The sale, distribution or possession of a device that is meant to be used to overcome security measures
• Unauthorised intentional interference resulting in modification, rendering ineffective or destruction of information

Last year, 54 individuals appeared in the Nigel Magistrates Court for having allegedly defrauded thousands of individuals of almost R15 million as part of an inter-continental syndicate.

Page 36

South African Cyber Law Enforcement

What Penalties Exist?

• The courts can hand out the following sentences:

Fine or imprisonment of not more than 5 years:
• Overcoming security measures which protect data
• Computer-related extortion, fraud and forgery
• A complete or partial denial of service attack

Page 37

How is South Africa’s Legal System

meeting these challenges?

Discussion Topic: ECT Act Amendments on the horizon

• Aligns with international trends and NCPF March 2012

• ECTA Amendment Bill – deletion of S89 Penalties section

• S45 unsolicited commercial communications: max R1 million; 1 year
• S84(2) confidentiality: max R2 million; 2 years
• S86 unauthorised access: max R10 million; 10 years
• S87 fraud, extortion: max R10 million; 10 years
• S88 aiding, abetting: max R5 million; 5 years

Justice, Crime, Prevention and Security cluster to establish a Cybersecurity Hub to allocate resources to deal with incidents

Page 38

Recommendations

Performing assessments, implementing policies:
• ICT Acceptable Use policy
• Electronic Communications policy
• Information Security policy
• Encryption policy
• Electronic Evidence policy
• Privacy policy
• Monitoring and interception policy
• Records Management policy
• Records Retention policy
• Employment contracts
• Social media policy

[Image: http://pmmanuals.com/wp-content/uploads/2012/07/pvp.jpg]

Contribute to policy-making at a sector and country level

Page 39

EndCode’s expertise

EndCode has expert participation in:

• BRICS Cybersecurity Expert Group

• Global Cybersecurity Centre at Oxford University

• Council of Europe Cybercrime Group

• Cybercrime Institute (Germany)

• Drafting of Cybersecurity Model Laws for SADC

• Cybersecurity Policy Development (South Africa)

• ICT Policy Review (South Africa)

Page 40

References

• S v Van den Berg 1991 (1) SACR 104 (T)

• http://www.cnbcafrica.com/news/southern-africa/2014/09/20/identity-theft-financial-institutions/

• http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf

• http://www.emc.com/infographics/consumer-online-identity-risk.htm

• http://researchspace.csir.co.za/dspace/bitstream/10204/5941/1/Dlamini_2012.pdf

• http://www.usatoday.com/story/tech/2014/10/29/pew-survey-cyber-attack/18114719/

Page 41

Denise Fouche

[email protected]

endcode.org

THANX, QUESTIONS?