The past few years has seen policy uncertainty being pronounced or taking center stage on the affairs of various countries. This happened across borders. Take, for example, the unthinkable election of Mr. Donald Trump as the president of the United States of America. Further, look at the havoc wreaked on the economic outlook of South Africa (SA) by, inter alia, credit ratings downgrades. Everywhere, domestically or internationally, challenges attributed to policy uncertainty sprung up. This, inter alia, led to a trust deficit between the citizenry as against the government of the day. Amongst the tiny bits of positives to emerge out of these uncertain times is the collective power of the people or rather the strong voice of civil society groups (in influencing policy direction).
The afore-mentioned trust deficit between government and various stakeholders is still prevalent even to this day in SA. All the above about policy uncertainty and trust deficit is meant for the purpose of or meant to be a prelude to a discussion about some of the challenges which surrounded or attendant to certain two key (and) topical pieces of legislation currently before the parliament of SA. These being: The Cybercrimes and Cybersecurity Bill [B-2017] (Cybercrimes Bill) and the Critical Information Infrastructure Protection Bill [B-2015]. The discussion and clarification herein will draw substantially from the Cybercrimes Bill.
Around 2015 it was recognized that cybercrime and threats were on the rise in SA. For instance, it was statistically reported that cybercrime had become the 4th most reported economic crime. This happened regardless of the fact that SA had or has many legislations dealing with various parts or instances related to cybercrime and threats. As a result, it was then resolved that a draft Bill be put in place, to amongst others, harmonize and consolidate the existing pieces of legislation into one. The result of this being the Cybercrimes Bill (which went through rigorous public consultation processes and) is currently before parliament. The proposed Cybercrimes Bill coincided with the proposed amendments to the National Key Points Areas Act (No. 120 of 1980) by the Critical Information Infrastructure Protection Bill .
Both bills, in certain respects (are or) were almost identically to each other. Thus, one cannot be faulted for querying the separation of the two from each other. Or seeking to know the difference therefrom. This emerged from one of the roundtables on the Cybercrimes Bill hosted by a certain financial institution. In certain jurisdictions, there is no such distinction between the two. One of the key and hotly contested provision of both bills is the one which talks to issues of being deemed a ‘Critical Information Infrastructure’ for the purposes of complying or falling within the purview of both bills. This provision has risen tempers, especially in the private sector, as being deemed as such (Critical Information infrastructure) then mean that you will be under the supervision of the State Security Agency (State Security). For various reasons the credibility of State Security is not as it used to be or simply questionable at most.
The banking sector or banks rather, which of lately has allege to be under siege from various fronts including politicians, also falls under the Cybercrimes Bill and thus can be deemed as a Critical Information Infrastructure for the purposes of the Bill. Fortunately for the sector, prior 2016 its capable representation understood the technicalities as well as the unintended consequences of the Bill and constantly fought for the best interests of the sector by pushing for banks to continue being regulated by the South African Reserve Bank with respect to cyber-related matters. The South African Banking Risk Information Centre (SABRIC) and the Right2Know Campaign civil society group also played an important role in this regard. The latter (Right2Know) was and is still critical of both Bills as it deems the same to still be lacking in various material respects (See Right2Know Campaign submission on the Cybercrimes and Cybersecurity Bill, 10 August 2017). For more information on some these relevant efforts see the case of The Right2Know Campaign and others v The Minister of Police & The National Deputy Information Office of the South African Police Services [Case No: 2013/32512].
Beside some of the above concerns, the banking sector, SABRIC and Righ2Know are supportive of the principle of both pieces of legislation. A refined draft of the Cybercrimes Bill was published for public comments around August 2017 by the Portfolio Committee of Justice and Correctional Services. In this version, it seems as if though the concerns of the private sector (particularly banks) with regard to the procedure of deeming certain institutions Critical Information Infrastructure have been addressed or at most a very useful appeal mechanism has been provided for therein. Such an appeal mechanism is (very consultative in nature and) inclusive of all the key stakeholders and thus I submit that it will not be open to abuse. Before we look at this provision it is key to note that central to the private sector’s concern or understanding rather was the fact that ideally institution which are prone to cyber warfare or in need to be deemed critical are state or government institutions (and such are protected by the National Key Points Areas Act or by the proposed Critical Information Infrastructure Protection Bill which amongst others aims to “provide for the identification and declaration of infrastructure as critical infrastructure.”).
As already stated elsewhere in this article, the current version of the Cybercrimes Bill brings forth a certain measure of comfort and reassurance to the private sector (in relation to the objectivity of the process of deeming certain institutions as Critical Information Infrastructure). I submit that this is evident from the wording of Chapter 11 (Critical Information Infrastructure Protection) as well as its various provisions. For instances, in terms of Section 57(1)(a) – (3)(h), prior deeming a certain infrastructure as Critical Information Infrastructure, the cabinet member responsible (or State Security) for doing such is required to consult all the relevant stakeholders and affected parties. Furthermore, financial institutions are also afforded an “opportunity to make written representations” on any aspects relating to the cabinet member’s intention to declare such an institution (see Section 57(3)(h). Lastly, such institutions have the right to have their representation considered and thereafter be supplied with written reasons on the outcome or decision.
In addition to both the rights to make presentations and thereafter be furnished with a written decision, the affected parties under Chapter 11, has an added right to dispute such a decision. If this was then to happen, then at the initiative of the cabinet member (State Security) involved and working with the affected party and or regulator, has to try and settle the dispute by reaching a consensus within a given period (30 days). Should this not yield the desired results then such a dispute can be taken for arbitration before an experienced arbitrator (see Section 57(7)(f). Again, if either party is not satisfied with the outcome of the arbitration then such a party can then appeal to the High Court. Due to the consultative mechanism built on the entire processes under this chapter up until the appeal mechanism at the end thereof, I submit that the Cybercrimes Bill is not easily opened to abuse for whatever reasons.
Regardless of the above, there is still some lingering sense of uncertainty and questions regarding both Bills or the need therefore. In response to this and in an attempt to further educate the relevant stakeholders as well as the general public, both the Department of Justice and Constitutional Development (DoJ) as well as the Civilian Secretariat for Police Services (Civilian Secretariat) has initiated various processes and or roadshows in an attempt to quell such uncertainty and provide clarity where needed. In one of these roadshows held at the Financial Services Board some time in 2017, a question was raised, after a presentation by the Civilian Secretariat on both Bills, as to the difference between the Cybercrimes Bill and the Critical Information Infrastructure Protection Bill. The response, in short, was to the effect that the latter aims at protecting the physical integrity of the Critical Information infrastructure as opposed to data or information housed within the same which is then to be protected by the former.
In short, and as evident from the above discussion, both the Cybercrimes Bill and Critical Information Infrastructure Protection Bill are very similar to each other in that both deals with issues around declaration of the status of Critical Information Infrastructure as well as the protection thereof. In that regard both bills are set to work in parallel with each other (as well as the legislation which deals with disaster areas’ management). Although with respect to the previous as well as current version of the Cybercrimes Bill concerns have been raised and noted, I submit that such are not necessarily material especially when one has regard and appreciation of the content of Chapter 11 and its various provisions.
Cybercrimes and Related Matters Bill – Consultation Document (February 2015)
Cybercrimes and Cybersecurity Bill [B-2017]
Critical Information Infrastructure Bill [B-2015]
National Key Points Act 102 of 1980
Right2Know Campaign submission on the Cybercrimes and Cybersecurity, 10 August 2017
The Right2Know Campaign and Others v The Minister of Police & The National Deputy Information Office of the South African Police Services [Case No: 2013/32512]