Cyber crime levels are growing in South Africa. (Duncan Alfreds, Fin24)
This article first appeared in The Conversation.
LAST year South Africa had the most cyber attacks of any country on the continent. In 2014, losses reached an estimated R5bn annually through cyber crime. The year before, the Norton Report rated South Africa third on the list of the number of cyber victims in the world. Russia and China topped the list.
It is difficult to objectively determine the level of cyber crime in South Africa as there is currently no legal requirement to report cyber-related crimes.
But there is general acceptance that the country faces a major challenge. South Africa’s laws have been improved to deal with emerging threats in cyber space. This was underscored by the recent tabling of the Cybercrime and Cybersecurity Bill.
The number of data protection laws in Africa has also increased. But only after they have been implemented can further studies be done to check how successful they have been.
In addition, the African Union last year accepted the Convention on Cyber Security and the Protection of Personal Information. Though far from perfect, the convention highlights the African Union’s concern with cyber issues. There have not been any real developments over the last year even though most, if not all, member countries have signed the convention.
Criticism of the bill
The South African bill defines a wide range of cyber crimes and proposes a range of penalties for infractions. It also creates a number of cyber structures that would provide a wide range of services.
READ: Concern raised over SA cyber security law
The cyber hub allows anyone to report any cyber crime. All complaints will be investigated. The complainant will receive feedback. The cyber hub will also, for example, provide cyber-awareness campaigns in South Africa.
In theory, the bill is a step forward for South Africa, making the country more cyber-safe. But serious criticism can be levelled at some aspects of it. The most important is the cyber capacity challenge. Does South Africa have the knowledge and expertise in the cyber field to properly implement the bill?
READ: SA-China cyber security pact worries DA
Cybercapacity skills are scarce internationally. South Africa is also facing a challenge.
To properly and efficiently implement the bill, there must be a massive national initiative to develop the necessary skills. For such capacity-building, there needs to be political will. And financial resources are required.
Without these, the bill, if enacted, will only look good on paper, and not have the desired effect.
Another negative aspect of the proposed legislation is the decentralisation of cyber-related responsibilities to a number of government departments. This is likely to create a silo-based approach to cyber governance. It will lead to inefficiencies and duplication of effort. By combining some, or all, of the new structures in the bill, scarce technical resources should be better used.
What are your thoughts on SA's cyber security efforts? Tell us by clicking here.
End users are the weakest link
Most enterprises in South Africa, especially banks, have been hardest hit by cyber crimes. They have launched consumer awareness initiatives and spent large amounts of money on cyber security.
As a result, would-be cyber criminals turn their attention to the weakest link in the cyber chain: The end user, a lucrative and often naïve target. All types of socially engineered attack methods are used to lure the end user into a situation where personal login information is compromised. This happens not only for financial transactions, but also for social networks and other applications.
The business sector, government and non-governmental sector in South Africa have been involved in consumer education interventions, the results of which can be measured in time.
The biggest efforts are centred around phishing. Phishing is a method of deceitfully obtaining personal information such as passwords, identity numbers, credit card details and sometimes – indirectly – money.
Typically, phishing emails request that users obtain, verify or update contact details or other sensitive financial information by clicking on a link in the email that directs users to a spoofed website (a website designed by criminals to fool users into thinking that it is legitimate).
Elsewhere on the continent, Angola and Mozambique have recently been subjected to an increase in phishing attacks. One recent target in Mozambique was a major African financial institution. Customers received an email, appearing to come from a bank in Mozambique. The email subject read “Mensagens & alertas: 1 nova mensagem!” (Messages & alerts: 1 new message!). A URL contained within the body of the text led to a fake version of the bank’s website. It asked the target to enter the banking details that would allow the attacker to take over the account.
One of the main dangers of phishing is the ease with which attackers can set up scam sites. And their modus operandi seems clear – follow the money to unsuspecting consumers.
That is why establishing the legal platform to fight cyber crime is an urgent necessity, accompanied by public awareness campaigns. But South Africa, along with the rest of the continent, still has a mountain to climb in policing cyber crime.
*Basie von Solms is the Director, Centre for Cyber Security, University of Johannesburg.