Speech by the Deputy Minister of the Department of Telecommunications and Postal Services,
Honourable Prof. Hlengiwe Mkhize
During the Occasion of the
11th ITWeb Security Summit
At Vodacom World, Midrand
Tuesday, 17 May 2016
Topic: "Cyber Crime within the Telecommunications Field"
Ivo Vegter, author, speaker, columnist;
Haroon Meer, founder, Thinkst Applied Research;
Charl van der Walt, founder member and managing director, Sensepost;
Vernon Fryer, chief technology security officer, Vodacom;
John Giles, attorney, Michalsons;
Raj Samani, EMEA chief technical officer, Intel Security
Ladies and Gentlemen,
Colleagues and friends,
We thank you for inviting the Department of Telecommunications and Postal Services to be part of this august audience within the 11th ITWeb Security Summit. This initiative is in line with the spirit of the National Development Plan, Vision 2030 which puts partnership between government, civil society and the private sector at the centre of our growth and development.
Addressing the Challenge of Digital Divide
At the dawn of our democracy, the Information Communication Technology (ICT) Sector was in the main in the hands of the private sector and about 10 percent of the population.
Taking a bird’s eye view of the entire world, the World Information Society gives statistics that +/- 3 billion people are currently online and that 4.4 billion are without the economic and social benefits of the Internet.
South Africa Connect Policy
Our SA Connect Policy and Strategy, launched in December 2013, will help the country to realise substantial growth as people access ICTs and make use of them daily, particularly mobile phones and the Internet.
The vision for broadband is that by 2020, 100% of South Africans will have access to broadband services at 2.5% or less of the population’s average monthly income. A four-pronged strategy, with both supply- and demand-side interventions, will close the identified gaps between the current status of broadband in the country and the vision in the NDP.
Investment in Fibre Infrastructure
Our government’s investment - coupled with private sector investment which we encourage - in network and IT infrastructure signals that South Africa is ready to leapfrog into the 21st century and to promote the digital opportunity that arises from broadband rollout. Partnering with the private sector in the implementation of SA Connect will provide us access to +/- 180000 km of fibre infrastructure. During Phase 2 of SA Connect we intend to roll out a further 64000 km of fibre infrastructure to provide the much-needed backbone capacity for the planned wireless expansion to our rural communities. In the big metro centres, we have invested R40 million in increasing Wi-Fi coverage.
I have just given you an exposé of planned broadband penetration so as to show the potential risk within the telecommunications field. Cybercrime is a fast-growing area of crime. More and more criminals are exploiting the speed, convenience and anonymity of the Internet to commit a diverse range of criminal activities that know no borders, either physical or virtual, cause serious harm and pose very real threats to victims worldwide.
The Rise to Cybercrime
For us as government the issue of cybercrime is a contradiction as we aspire to use technology to fast-track Sustainable Development Goals. The ITU is promoting studies which link WSIS Action Lines to Sustainable Development Goals. The development of the information society offers great opportunities. Technical developments have improved daily life – for example, online banking and shopping, the use of mobile data services and voice over Internet protocol (VoIP) telephony are just some examples of how far the integration of ICTs into our daily lives has advanced. However, the growth of the information society is accompanied by new and serious threats. Essential services such as water and electricity supply now rely on ICTs. Cars, traffic control, elevators, air conditioning and telephones also depend on the smooth functioning of ICTs. Attacks against information infrastructure and Internet services now have the potential to harm society in new and critical ways.
The availability of ICTs and new network-based services offer a number of advantages for society in general, especially for developing countries. ICT applications, such as e-government, e-commerce, e-education, e-health and e-environment, are seen as enablers for development, as they provide an efficient channel to deliver a wide range of basic services in remote and rural areas.
Governments across the continent have laid down their vision in the report on The Future We Want for Africa by 2063, adopted by the African Union Heads of States and Government. This vision has already been translated into action. “Agenda 2063” is an approach to how the continent should effectively learn from the lessons of the past, build on the progress now underway and strategically exploit all possible opportunities available in the immediate and medium term, so as to ensure positive socioeconomic transformation within the next 50 years. ICTs are seen as a ghost goal to achieve our noble objectives.
What exactly is Cybercrime?
Cybercrime and cybersecurity are issues that can hardly be separated in an interconnected environment. The fact that the 2010 UN General Assembly resolution on cybersecurity addresses cybercrime as one major challenge underlines this.
Cybersecurity plays an important role in the ongoing development of information technology, as well as Internet services. Enhancing cybersecurity and protecting critical information infrastructures are essential to each nation’s security and economic well-being. Making the Internet safer (and protecting Internet users) has become integral to the development of new services as well as government policy. Deterring cybercrime is an integral component of a national cybersecurity and critical information infrastructure protection strategy.
The Nature of Cybercrime World-Wide
New trends in cybercrime are emerging all the time, with estimated costs to the global economy running to billions of dollars. In the past, cybercrime was committed mainly by individuals or small groups. Today, we are seeing highly complex cybercriminal networks bring together individuals from across the globe in real time to commit crimes on an unprecedented scale.
Criminal organizations are turning increasingly to the Internet to facilitate their activities and maximize their profit in the shortest time. The crimes themselves are not necessarily new – such as theft, fraud, illegal gambling and sale of fake medicines – but they are evolving in line with the opportunities presented online and therefore becoming more widespread and damaging.
Within cybercrime investigations, close cooperation between the countries involved is very important. The existing mutual legal assistance agreements are based on formal, complex and often time-consuming procedures, and in addition often do not cover computer-specific investigations. Setting up procedures for quick response to incidents, as well as requests for international cooperation, is therefore vital.
The Magnitude of Cybercrimes in Africa
African countries such as Angola and Mozambique have recently been subjected to an increase in phishing attacks, which is another form of cybercrime wherein personal information such as passwords, identity numbers, and credit card details is deceitfully obtained.
One recent target in Mozambique was a major African financial institution. Customers received an email, appearing to come from a bank in Mozambique. The email subject read “Messages & alerts: 1 new message!”. A URL contained within the body of the text led to a fake version of the bank’s website. It asked the target to enter the banking details that would allow the attacker to take over the account.
In Nigeria the Cybercrimes Act 2015 was signed into law on May 15, 2015. The Act has been highly coveted in the nation’s telecommunications sector as a step in securing the sector’s $40 billion worth, according to Nigeria’s Bureau of Public Enterprises (BPE) statistics in the third quarter 2014. The Nigerian Cybercrime Act prescribes, henceforth, any crime or injury on critical national information infrastructure, sales of pre-registered SIM cards, unlawful access to computer systems, Cyber-Terrorism, among others will be punishable by this Act.
The Nigeria Communications Commission (NCC) factsheets show the number of internet users in Nigeria has grown to 83.3 million as at February 2015. Furthermore, the number of active mobile subscribers increased to 145.5 million, giving Nigeria a teledensity of over 85% based on a population figure of 170 million. These are some of the reasons that necessitate the need for the regulation of the Nigerian cyber-world.
Cybercrime in South Africa
In 2014 South Africa had the most cyber-attacks of any country on the continent. In 2014, losses reached an estimated R5 billion annually through cybercrime. The year before, the Norton Report rated South Africa third on the list of the number of cyber victims in the world. Russia and China topped the list.
According to the South African Banking Risk Information Centre (SABRIC), South Africa is losing more than R1 billion each year to cyber-crime. The South African cyber-crime has increased by almost 30% since 2013, according to studies made by SABRIC. Our country is one of the top targets for cyber-crime in Africa. This is due to South Africa's comparatively high levels of Internet connectivity, its wealth and high GDP per capita.
Recent incidents of hate speech in South Africa make it incumbent that I address the matter in this speech and that we as South Africans address this in our daily interactions at work, with our families and in social settings. The spate of hate speech incidents that we see on social media is really questionable, especially after 22 years into our hard-earned democracy.
Section 17 of the proposed Cybersecurity and Crime Bill creates criminal offences for anyone who “makes available, broadcasts or distributes… a data message which advocates, promotes or incites hate, discrimination or violence against a person or a group of persons”. This may be a message to a specific person or to the general public.
The Bill further provides that this should be understood as:
any data message representing ideas or theories, which advocate, promote or incite hatred, discrimination or violence, against a person or a group of persons, based on (a) national or social origin; (b) race; (c) colour; (d) ethnicity; (e) religious beliefs; (f) gender; (g) gender identity; (h) sexual orientation; (i) caste; or (j) mental or physical disability.
The South African Government’s Response to Cybercrime
Combating cybercrime involves the adoption of appropriate legislation against the misuse of ICTs for criminal or other purposes and activities intended to affect the integrity of national critical infrastructures. At the national level, this is a shared responsibility requiring coordinated action related to prevention, preparation, response and recovery from incidents on the part of government authorities, the private sector and citizens.
At the regional and international level, this entails cooperation and coordination with relevant partners. Given the risk that we find our country in, our government had to take extraordinary measures to ensure that the situation is under control. The inter-ministerial approach, which includes our department, the State Security Agency (SSA) and all the Justice Cluster Ministries, is one of our strategic interventions which aims at zero tolerance.
It is a little known fact that only 28 countries in the world have a cyber security policy in place. South Africa is one of them. We recognise the importance of Cyberspace to our growth and as an imperative for the historic developmental challenges we are faced with. To this end we have developed a comprehensive Cybersecurity Policy as embodied in the National Cybersecurity Policy Framework (NCPF), which guides our Cybersecurity strategy at a national and International level.
National Cybersecurity Policy Framework (NCPF)
In March 2012, Cabinet approved a National Cybersecurity Policy Framework (NCPF) which seeks to, amongst others, deal with the following:
a. Centralise coordination of Cybersecurity activities within SA so as to have a coordinated approach to cybercrime, national security imperatives and enhance the information society and knowledge based economy;
b. Strengthen intelligence collection, investigation, prosecution and judicial processes, in respect of preventing and addressing cybercrime, cyber terrorism and cyber warfare;
c. Anticipate and confront emerging cyber threats, in particular threats to National Critical Information Infrastructure and coordinate responses thereto;
d. Foster cooperation and coordination between Government, the private sector and civil society including ensuring that South Africa becomes a critical contributor to international cooperation on Cybersecurity matters.
e. Develop skills, Research and Development capacity, promote Cybersecurity culture and promote compliance with appropriate technical and operational Cybersecurity standards.
We also have the Cybersecurity Response Committee (CRC) which is a strategic body chaired by the SSA responsible for priority setting and overseeing the implementation of the NCPF.
Cybercrimes and Cybersecurity Bill
Government published the Cybercrimes and Cybersecurity Bill on 28 August 2015. The Cybercrimes and Cybersecurity Bill aims to keep the people of South Africa safe from criminals, terrorists and other states. It also consolidates South Africa’s cybercrime laws into one place. Essentially, it aims to stop cybercrime and improve the security of South Africa. The Cybercrimes and Cybersecurity Bill creates many new offences (about 50). Some are related to data, messages, computers, and networks.
The Cybercrimes and Cybersecurity Bill gives the South African Police Service and the State Security Agency (and their members and investigators) extensive powers to investigate, search, access and seize just about anything (like a computer, database or network) wherever it might be located, provided they have a search warrant. Foreign states and South Africa will co-operate to investigate cybercrimes.
The Cybersecurity Hub
We launched the Cybersecurity Hub on 30 October 2015. The Hub is situated at www.cybersecurity.co.za. In short, the functions of the hub will be, among others, to:
• Receive incident reports from stakeholders and establish clear incident management processes
• Disseminate information to stakeholders about threats and attacks as a pre-emptive measure, as well as mitigating procedures against emerging attacks
• Create an archive of lessons learnt to ensure ease of access in dealing with future threats and vulnerabilities
• In the case of cyberbullying, involve Cybersecurity Hub legal entities and assist with escalating attacks to the relevant authorities
• Chair scheduled meetings with reporting and trending attacks and incidents for the specific period.
The hub is a point of reference for citizens in as far as cybersecurity issues are concerned, providing a repository of information regarding the do’s and don’ts of Internet for children, best practice guide for parenting on the Internet and how average South Africans can protect themselves against malicious attacks, identity theft and online financial security. The hub will create platforms to allow parents to share information on how to manage their children online and also provide links to Internet resources to assist both children and parents.
Most enterprises in South Africa, especially banks, have been hardest hit by cyber-crimes. They have launched consumer awareness initiatives and spent large amounts of money on cyber security. As a result, would-be cyber criminals turn their attention to the weakest link in the cyber chain: the end user, a lucrative and often naïve target.
All types of socially engineered attack methods are used to lure the end user into a situation where personal login information is compromised. This happens not only for financial transactions, but also for social networks and other applications.
The business sector, government and non-governmental sector in South Africa have been involved in consumer education interventions, the results of which can be measured in time.
Strategic Partnerships Against Cybercrimes
The country’s long term vision, National Development Plan, Vision 2030, always encourages us to work in strategic partnerships to realise whatever developmental goal which will take our country forward. Even in the instance of ensuring that our country is safe online we work with various partners to ensure that all the bases are covered. Some of the authorities and Industry Bodies that we work with include:
• DOJ&CD - Department of Justice & Constitutional Development - Cyber Safety: Provides information on cyber safety, online security, spam and scam emails and examples of fraudulent documents - Includes 419 and lottery scam letters also known as 'advanced fee fraud'.
• ECS-CSIRT - Electronic Communications Security - Computer Security Incident Response Team: Handles computer security incidents and promotes incident prevention programs to strengthen defenses and help reduce the impact of future attacks against Government assets and critical infrastructure.
• FPB - Film and Publication Board - Pro Child, a public service for reporting (anonymously), any child pornography or sexual abuse images discovered accidentally on the internet. This may also include child grooming activities hosted in chat rooms. FPB also disseminates news and safety tips.
• ISPA - Internet Service Providers' Association - The representative body for ISPs that governs its members with a Code of Conduct. Provides information on spam and scams, and a facility to 'Lodge a Complaint' against an ISPA member or 'Request a Take-Down' of infringing information.
• SABRIC - South African Banking Risk Information Centre - The representative body for the banking industry to combat organized crime. Provides information on Phishing, Card skimming and ATM fraud, and Identity/Personal Information Theft.
• SAPS - South African Police Service - Youth Desk: South Africa's national police force publishing tips and advice on Internet Safety and cyberbullying for children and parents. No official online reporting facility has been made available to the public yet.
• SARS - South African Revenue Service - Scams and Phishing Attacks: Provides information on reporting suspicious or fraudulent activities and includes examples of the latest phishing/scam emails in which the SARS brand is being abused.
• UJ Centre of Excellence in Cyber Security – An initiative undertaken by the University of Johannesburg and the Academy of Computer Science and Software Engineering to address cybercrime in SA and Africa. Includes a Cybercrime reporting facility.
African Union’s Stance on Cybersecurity
After realising that its Member States realised an increase in access to broadband Internet, the African Union also realised that cybercrimes are leaping to new heights, making it only rational to act now rather than later. Being wired to the rest of the world means a country is now within the perimeter of cybercrime, making the continent’s information systems more vulnerable than ever before.
The Extra-Ordinary Conference of African Union Ministers in charge of Communication and Information Technologies meeting here in South Africa from 2-5 November, 2009 requested the African Union Commission to develop jointly with the United Nations Economic Commission for Africa, a convention on cyber legislation based on the Continent’s needs and which adheres to the legal and regulatory requirements on electronic transactions, cyber security, and personal data protection. By endorsing this declaration, the African Union Commission together with UNECA started working on the convention on cyber legislation. South Africa, as a member of the African Union, is also bound by the decisions of this convention.
Article 24 of the convention talks to Member States developing their National cyber security framework.
1. National policy
Each State Party shall undertake to develop, in collaboration with stakeholders, a national cyber security policy which recognizes the importance of Critical Information Infrastructure (CII) for the nation, identifies the risks facing the nation in using the all hazards approach and outlines how the objectives of such policy are to be achieved.
2. National strategy
State Parties shall adopt the strategies they deem appropriate and adequate to implement the national cyber security policy, particularly in the area of legislative reform and development, sensitization and capacity-building, public-private partnership, and international cooperation, among other things. Such strategies shall define organizational structures, set objectives and timeframes for successful implementation of the cyber security policy and lay the foundation for effective management of cyber security incidents and international cooperation.
Article 25 of the convention talks to Member States developing Legal measures.
1. Legislation against cybercrime
Each State Party shall adopt such legislative and/or regulatory measures as it deems effective by considering as substantive criminal offences acts which affect the confidentiality, integrity, availability and survival of information and communication technology systems, the data they process and the underlying network infrastructure, as well as effective procedural measures to pursue and prosecute offenders. State Parties shall take into consideration the choice of language that is used in international best practices.
Moving ahead with our close working cooperation amongst various sectors in our economy we should strive for our home grown tools and initiatives which will help us eradicate these cybercrimes. We need to encourage the development of CERTs across different sectors whilst also promoting local software development.
The relationship with academia and research houses is of a critical nature and cannot be overlooked. Our work at the Cybersecurity Hub enables us to have a multi-stakeholder approach to partnerships.
We will continue to strengthen our relationship with the Department of Science and Technology which continuously capacitates government with research outcomes which will help us to analyse these online threats and eventually bring all cyber-attacks to zero.
I thank you.