Will legislation protect your virtual space? Discussing the draft Cybercrime and Cyber Security Bill

January 27th, 2016
x
Bookmark

cyber crime

By Dingaan Mangena

It is estimated that offences with cyber elements cost South Africa (SA) in excess of R 1 billion a year. In terms of the medium term strategic framework for government for the period 2014 – 2019, insofar as it relates to the outcome ‘All people in South Africa are and feel safe’ – measures to address cyber security are identified as an area of priority.

There are various laws dealing with cyber security, some with overlapping mandates administered by different government departments and the implementation of which is not coordinated. The legislation, which is currently in place, when viewed collectively does not address SA’s cyber security challenges adequately. The Department of Justice and Constitutional Development (DOJ&CD), was mandated to analyse the laws of the Republic of SA in order to determine –

  • the adequacy thereof when they are compared with legislation of other jurisdictions, and international and regional instruments;
  • whether there are any gaps which may impact on cyber security in general;
  • whether the current laws make adequate provision for the investigation and prosecution of cybercrime; and
  • whether it is feasible to consolidate all provisions relating to cybercrime and cyber security in a single law.

The outcome of this analysis is that:

  • The legislation dealing with cybercrime is ‘silo-based’ in that it only criminalises cybercrime in relation to certain government departments or state bodies; the Electronic Communications and Transactions Act 25 of 2002 (the ECTA), being the exception. The common law is used to prosecute some of the offences but needs to grapple with new concepts such as intangible data. Furthermore, our cybercrime laws are not in line with those of the international community, which is essential for purposes of international cooperation, which is mostly based on reciprocal laws.
  • Procedural laws in SA have not kept pace with the more intrusive and complex investigative measures, which are needed to investigate cybercrime.
  • The laws dealing with electronic evidence are, in general, sufficient for the purposes of criminal proceedings.
  • Jurisdiction in relation to cybercrime in SA is dealt with differently in our laws. In general, our laws afford broad jurisdiction to criminal acts, which affect national security in SA, while jurisdiction is significantly narrower in ordinary criminal cases.
  • There is at present no coordinated
    approach relating to cyber security in SA.
  • There is no legislation which specifica­lly provides for the protection of critical information infrastructures in SA.
  • SA is not a party to any international or regional instruments that deal specifically with cooperation in cybercrime matters.
  • There are no specific obligations on electronic communications service providers in order to assist with the reporting and prevention of cybercrime.
  • There is limited sharing of information between government and the private sector on cyber threats.

The draft Cybercrimes and Cyber Security Bill (GN 878 GG39161/2-9-2015) aims to address these and other shortcomings.

The Bill contains 11 chapters. The various chapters deal with the following aspects:

Clauses 1, 2, 26 and 50 contain various definitions of a technical nature, which are necessary for the interpretation of the Bill. Furthermore, definitions were inserted in various clauses of the Bill in order to aid in the interpretation of those clauses.

In terms of ch 2 of the Bill, various new offences are created in order to address illegal conduct in cyberspace; some of which do not currently exist in terms of SA law. Furthermore, various other common law and statutory offences, which are currently used to prosecute conduct relating to cybercrime are adapted by the Bill in order to make them more ‘usable’ for the prosecution of cybercrime. The penalties in respect of all these new offences are also increased substantially.

Clause 21 further criminalises the harbouring or concealing of persons who commit offences in terms of the Bill. Any attempt, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding, or procuring to commit offences in the Bill are also criminalised in terms of clause 22. Clause 23 provides that a court must consider it an aggravating circumstance if offences in terms of the Bill are committed in concert with other persons or where persons in trust commit certain offences provided for in the Bill.

Jurisdiction in respect of all offences which can be committed in cyberspace is expanded substantially in terms of ch 3 of the Bill.

Insofar as the investigation of cybercrime is concerned, the provisions of ch 2 of the Criminal Procedure Act 51 of 1977, are currently applied in the investigation of cybercrime, in conjunction with the provisions of the Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002 (RICA). The Criminal Procedure Act, is adequate insofar as real evidence is concerned, but it has various shortcomings in respect of digital evidence. RICA relates mainly to the interception of communications and the storing of call-related information and it too has various shortcomings in the investigation of cyber-related offences. Chapter 4 of the Bill, therefore, contains various provisions that are designed to investigate cyber-related offences.

Clauses 26 to 37 regulate aspects relating to the search and seizure of evidence. Clause 38 of the Bill prohibits a person from disclosing any information which he or she obtained in the exercising of his or her powers or the performance of his or her duties in terms of the Bill except insofar as it is authorised by the clause. Clause 39 provides for the interception of data. Clause 40 of the Bill provides for the expedited preservation of data. Clause 41 provides for the issuing of a disclosure of data direction by a judicial officer after considering an application by a law enforcement agency.

Clauses 42 and 43 make provision for a procedure to preserve other evidence relating to a cybercrime. Clause 44 regulates access to certain information and the provision of unsolicited information to foreign law enforcement agencies, as well as the receipt of such information from foreign law enforcement agencies. Clauses 45 to 48 regulate aspects relevant to requests for and the provision of foreign assistance and cooperation in the investigation of cybercrime.

South Africa does not currently have an institutionalised 24/7 point of contact relating to cooperation in criminal matters. Chapter 5 of the Bill provides for the establishment of a body within government, more specifically the South African Police Service (SAPS), which will act as a 24/7 point of contact in order to request cooperation from other countries or to provide cooperation to other countries in cyber criminal matters.

Chapter 6 of the Bill gives statutory recognition to the various bodies, which need to be established. The Bill aims to coordinate their functioning in relation to each other.

  • Clause 51 of the Bill establishes the Cyber Response Committee, which is the coordinating body to implement government policy relating to cyber security.
  • Clauses 52 and 53 aim to establish the Cyber Security Centre and Government Security Incident Response Teams in the State Security Agency, respectively.
    • The Cyber Security Centre is the body in control of the Government Security Incident Response Teams. The functions of the Cyber Security Centre are, among others, to facilitate the operational coordination of cyber security incident response activities regarding national intelligence and the protection of National Critical Information Infrastructures (NCII).
    • The Government Security Incident Response Teams are the operational structures which must, among others, implement measures to deal with cyber security matters impacting on national intelligence and national security and the protection of NCII.
  • Clause 54 aims to establish the National Cybercrime Centre as a dedicated structure within the SAPS to deal with the operational coordination of cyber security incident response activities with regard to the prevention, combatting and investigation of cybercrime.
  • Clause 55 aims to establish the Cyber Command within the South African National Defence Force to facilitate the operational coordination of cyber security incident response activities regarding national defence and to develop measures to deal with cyber security matters impacting on national defence.
  • Clause 56 provides for the establishment of the Cyber Security Hub, within the Department of Telecommunications and Postal Services. The functions of the Cyber Security Hub are, among others, to coordinate general cyber security activities in the private sector and to provide best practice guidance on Information and Communications Technology security to government, electronic communications service providers and the private sector. The Cyber Security Hub must oversee the Private Sector Security Incident Response Teams established in terms of clause 57.
  • Clause 57 establishes Private Sector Security Incident Response Teams. One of the functions of a Private Sector Security Incident Response Team is to ensure information-sharing between the private sector and government, via the Cyber Security Hub, on cyber threats and measures, which have been implemented to address the cyber threats.

The Bill further provides for the functions, responsibilities and accountability, of these structures.

Chapter 7 of the Bill contains provisions relating to NCII, which could be either state owned or privately owned. Clause 58 of the Bill provides for the identification and declaration of NCII and for the implementation of measures to secure such information infrastructures. Clause 59 deals with the establishment of the NCII Fund, which is to be utilised mainly for the implementation of disaster management measures in respect of NCII in disaster situations. Clause 60 deals with the auditing of NCII to ensure compliance with the implementation of security measures.

Chapter 8 of the Bill deals with aspects relating to evidence. Clause 61 aims to regulate the admissibility of affidavits by experts in relation to technological aspects involving data, computers and electronic communications networks. Clause 62 deals with the admissibility of evidence obtained as a result of a direction requesting foreign assistance and cooperation. Clause 63 provides for the admissibility of data or a data message in evidence, in criminal proceedings.

Chapter 9 of the Bill (clause 64) imposes obligations on electronic communications service providers to report cyber related offences, which come to their knowledge and which were committed on their electronic communications systems, to the SAPS and to mitigate the impact of cyber offences. In terms of this clause electronic communications service providers must further –

  • take reasonable steps to inform its clients of cybercrime trends, which affect or may affect the clients of such an electronic communications service provider;
  • establish procedures for its clients to report cybercrimes with the electronic communications service provider; and
  • inform its clients of measures which a client may take in order to safeguard himself or herself against cybercrime.

Chapter 10 of the Bill provides that the President may enter into any agreement with any foreign state or territory regarding –

  • the provision of mutual assistance and cooperation relating to the investigation and prosecution of cybercrimes; and
  • cooperation relating to various other aspects, which may impact on cyber security.
  • Chapter 11 deals with various miscellaneous aspects, namely –
  • the repeal and amendment of laws (clause 66);
  • the making of regulations to further regulate aspects provided for in the Bill (clause 67); and
  • the short title and commencement (clause 68).

In terms of clause 66 various provisions of other laws are repealed as a consequence of the provisions of the Bill. Various current offences on the Statute book are assimilated in the Bill. It is therefore not necessary to have a duplication of offences.

Clause 68 also aims to effect amendments to the Criminal Law (Sexual Offences and Related Matters) Amendment Act 32 of 2007, in order to deal with cybercrimes involving child pornography.

  • Comments closed on 30 November 2015. The DOJ&CD, intends to introduce the Bill into Parliament early in 2016.

Dingaan Mangena LLB (UJ) is an attorney at the Department of Justice and Constitutional Development in Pretoria.

This article was first published in De Rebus in 2016 (Jan/Feb) DR 33.

X
De Rebus