"Time to Protect Confidential Information"
Lost amidst the tumult of the past weeks, the Minister of State Security, David Mahlobo, wrote an opinion titled "Time to Protect Confidentiality of Information". The link to the article is: http://www.iol.co.za/business-report/opinion/time-to-protect-confidentiality-of-information-8360516
The main purpose of the Minister’s article is to address criticism relating to his comments indicating that social media needs to be regulated by government. The Minister refers to what he describes as a “…huge outcry from various quarters and outright rejection, all of this without any sound or critical evaluation, or engagement with the view he expressed".
This article takes the Minister up on his invite of a critical evaluation and in turn invites him to engage with interested parties in a true partnership spirit. As this article will demonstrate, engagement with government on anything other than a subservient basis is, regrettably, as rare as common sense in the appointment of Finance Ministers.
The Minister states: "It has consistently been the position of the government that we recognise the importance of the technological advancements and their potential in moving our country forward". The Minister adds "My department is essentially the security risk manager of SA Inc. and therefore we cannot sit idly by when the advancement in technology present both opportunities and threats which we have to appraise the government of.”
Perhaps the Minister would care to explain how the facts provided below square with his statements.
Electronic Communications and Transactions Act
Far more importantly, despite incredible technological advances and the Act’s predicted and now easily demonstrable shortcomings and proven impracticality, none of the many previous ministers of Communications or the current minister of Postal and Tele-communications have done anything about this. To use the words of Minister Mahlobo they have “sat idly by” in the face of the unprecedented changes that advances in technology have brought and the Act has not changed in 15 years.
It should be noted that the Act required the Minister of Communications (as it was at the time), within 24 months of its promulgation, to develop a three-year national e-strategy for the Republic, to be submitted to the cabinet for approval. Some 15 years later this has never seen the light of day and cabinet has “sat idly by” while yet another Minister fails in his or her statutory duties.
Minimum Information Security Standard
The Minimum Information Security Standard was published in 1996. The acronym is MISS and indeed it is. Already inadequate in 1996 to deal with the exponential increase in electronic communications and records heralded by the advent of the Internet, MISS remains un-amended and is the standard for information security within government, more than twenty years into the most fundamental societal and economic revolution known to man. Despite the plunder of government databases and coffers by, to quote the Minister, those “with nefarious intentions”, the pillaging of which I am certain was largely electronic, what has been done? Draft regulations based on globally accepted information security standards were drafted by the National Intelligence Agency (as it was then) as long ago as at least 2009. What has happened in the last 8 years and why have these not been implemented in government?
As the self-proclaimed “security risk manager of South Africa Inc.” may I respectfully suggest to the Minister that he and his predecessors have indeed “sat idly by” while the rapid advancement in technology has allowed the unscrupulous to abuse our information and steal our money.
Protection of Personal Information
It has been globally recognised that the development and implementation of Data Privacy legislation has been the single most important factor in creating awareness of the responsibilities of citizens to protect their personal information, a non-negotiable element in the establishment and maintenance of cybersecurity. If government has recognised the importance of technological advancements and the cybersecurity essential for unlocking the positive potential that it holds, why has it been so “Dhlamini-negligent” or wilfully obstructive in the passage of the Protection of Personal Information Act and its implementation?
The Minister pointedly refers to private and public sector databases being hacked and the “untold catastrophe to governments around the world” yet does not even seem to recognise the irony of titling his article "Time to Protect Confidentiality of Information" in the light of the shameful conduct of his colleagues’ failures to protect the personal information of the most vulnerable in our society in the SASSA debacle. Surely, if government was paying attention and truly “recognised the importance of technological advancement” the attitude within government would have been different?
The disgracefully meagre appropriation of budget to the Information Regulator, which, by negligence or design, almost ensures that the Regulator will not achieve the purposes that the Act seeks to achieve, is a slap in the face of all South Africans who believe in the future of our democracy in the 21st century. It is also in line with a clear strategy to undermine the importance and working of independent institutions in South Africa.
These are but a few of the many instances that demonstrate that the Minister’s statements are as sound as the President’s reasons for firing the Minister of Finance.
The Minister refers to “Competencies” in his article. The vagueness of his wording in addressing the issue is revealing. I challenge citizens to try to report, and have investigated and prosecuted, crimes in terms of the cybercrime provisions in the Electronic Communications and Transactions Act. Well, good luck. Despite the escalation of a matter of this nature to the Deputy Minister of Justice, I still await the pleasure of meeting with senior members of the Hawks and the NPA to consult with them on the matter, two years after the incident. The urging and warnings that have been addressed to government over the past decades in this regard have gone unheeded; it has simply neglected or refused to take seriously the dearth of skills (particularly within government at all levels, from the cabinet down) necessary to realise the Minister’s expressed wish “…that South Africans have only positive experiences whenever they do business in cyberspace, in all its facets.”
The Minister cites the example of the Cybersecurity Hub (incorrectly referred to by the Minister as the Cyber Centre) to support his argument that capacity is being built. I have been very aware of the Cybersecurity Hub and have visited it on several occasions. I see impressive technology but the Hub is essentially not operational. The most recent information posted on the website dates back to October 2016!
Providing misleading information to hide our inadequacy as a country in this regard is not helpful. We need to admit our shortcomings before we can address them. Perhaps the Minister should heed his own admonitions relating to “fake news”.
Cybercrimes and Cybersecurity Bill
In 2002 I, among others, recognised the inadequacy of the cybercrime provisions in the Electronic Communications and Transactions Act, welcome as they were. At the time I called for the issue of cybercrime to be addressed as an urgent matter. Fifteen years later it is a burning issue, our citizens are exponentially victims of cybercrime and we still do not have legislation enacted to deal with the many abuses that technological advancement has spawned. I and many others have not changed our tune in this regard, but addressing cybercrime in the Cybercrimes and Cybersecurity Bill as it stands comes at a prohibitive price to our civil liberties and democratic rights. What is offered by government is to provide “cybersecurity” by granting overbroad powers to law enforcement and national security agencies, which is a recipe for disaster. The political rhetoric of the nature in the good Minister’s article emphasises protecting citizens from cybercrime, but this is merely a smokescreen for the introduction of bad cybersecurity law that will give unnecessarily wide powers to law enforcement and national security agencies.
The Minister states that while there are some who have the noblest intentions, there are those "who have nefarious intentions and sadly they are slowly but surely plying their trade". This is true and in drafting legislation one must assume that there will be others with less noble intentions than the good Minister who would use overbroad law to their political and economic advantage.
What the Minister completely ignores is the context of cybersecurity in South Africa. If we don’t address the educational and capacity issues we will not have the persons required to properly execute and uphold the law and it will then be abused by those with power. Until then we can continue to expect law enforcement agencies and prosecutors, who by and large do not understand the nuances of electronic evidence and dealing with digital equipment, to fail in their responsibilities to citizens. This is but one of many areas in which skills development has been urgent for years but in respect of which government has “sat idly by”.
Further, the majority of the cybersecurity skills lie in the private sector and until government recognises that significant effort is required to facilitate the “engagement” that the Minister professes to seek, meaningful public-private partnerships, essential for effective nationwide cybersecurity, will not be fostered.
I recognise that government has an important role as leader of the initiatives necessary to combat cybercrime but it has failed to do the basics and it has little credibility in the cybersecurity space. The dictatorial approach and wording of the Act suggests that government does not seek to govern cyberspace but rather it is intent on ruling cyberspace. It is quite simply the wrong approach that will not achieve the cybersecurity that citizens deserve.
The Minister’s response to the criticism of his authoritarian approach to Social Media evidences a defensiveness of a weak policy that he now seeks to support with bad law.
In defending his statements relating to the regulation of social media, the Minister’s statement indicating that government has consistently recognised the importance of technological advancements and their importance to South Africa is simply not borne out by indisputable facts.
Engagement with government on the issues relating to cyberspace is notoriously difficult. Even when engaged by government to advise its representatives, the barriers to actually talking to, let alone advising, decision makers are virtually insurmountable. I have been in the position of trying to engage with government for a long time and have been appointed by it to advise on cybersecurity over the past three years and my comment is not merely anecdotal.
Events of the past weeks have shown us how important consultation is and how devastating the failure to consult meaningfully can be to South Africans. I implore the Minister not to “sit idly by” but to seek proper engagement and not simply ignore comment from persons who have much to offer. The failure to do this by government has cost us catastrophically dearly already.