ANALYSIS: What SA is doing to make a dent in cybercrime
This article first appeared on The Conversation.
Last year South Africa had the most cyberattacks of any country on the continent. In 2014, losses reached an estimated R5 billion annually through cybercrime. The year before, the Norton Report rated South Africa third on the list of the number of cyber victims in the world. Russia and China topped the list.
It is difficult to objectively determine the level of cybercrime in South Africa as there is currently no legal requirement to report cyber-related crimes.
But there is general acceptance that the country faces a major challenge. South Africa's laws have been improved to deal with emerging threats in cyberspace. This was underscored by the recent tabling of the Cybercrime and Cybersecurity Bill.
The number of data protection laws in Africa has also increased. But only after they have been implemented can further studies be done to check how successful they have been.
In addition, the African Union last year accepted the Convention on Cyber Security and the Protection of Personal Information. Though far from perfect, the convention highlights the African Union's concern with cyber issues. There have not been any real developments over the last year even though most, if not all, member countries have signed the convention.
Criticism of the bill
The South African bill defines a wide range of cybercrimes and proposes a range of penalties for infractions. It also creates a number of cyberstructures that would provide a wide range of services.
The cyberhub allows anyone to report any cybercrime. All complaints will be investigated. The complainant will receive feedback. The cyberhub will also, for example, provide cyber-awareness campaigns in South Africa.
In theory, the bill is a step forward for South Africa, making the country more cyber-safe. But serious criticism can be levelled at some aspects of it. The most important is the cyber capacity challenge. Does South Africa have the knowledge and expertise in the cyber field to properly implement the bill?
Cyber capacity skills are scarce internationally, and South Africa also faces this challenge.
To properly and efficiently implement the bill, there must be a massive national initiative to develop the necessary skills. For such capacity-building, there needs to be political will. And financial resources are required.
Without these, the bill, if enacted, will only look good on paper, and not have the desired effect.
Another negative aspect of the proposed legislation is the decentralisation of cyber-related responsibilities to a number of government departments. This is likely to create a silo-based approach to cyber governance. It will lead to inefficiencies and duplication of effort. Combining some, or all, of the new structures in the bill should make better use of scarce technical resources.
End users are the weakest link
As a result, would-be cybercriminals turn their attention to the weakest link in the cyber chain: the end user, a lucrative and often naïve target. All types of socially engineered attack methods are used to lure the end user into a situation where personal login information is compromised. This happens not only for financial transactions, but also for social networks and other applications.
The biggest efforts are centred around phishing. Phishing is a method of deceitfully obtaining personal information such as passwords, identity numbers, credit card details and sometimes, indirectly, money.
Typically, phishing emails request that users obtain, verify or update contact details or other sensitive financial information by clicking on a link in the email that directs users to a spoofed website (a website designed by criminals to fool users into thinking that it is legitimate).
Elsewhere on the continent, Angola and Mozambique have recently been subjected to an increase in phishing attacks. One recent target in Mozambique was a major African financial institution. Customers received an email, appearing to come from a bank in Mozambique. The email subject read "Mensagens & alertas: 1 nova mensagem!" (Messages & alerts: 1 new message!). A URL contained within the body of the text led to a fake version of the bank's website. It asked the target to enter the banking details that would allow the attacker to take over the account.
One of the main dangers of phishing is the ease with which attackers can set up scam sites. And their modus operandi seems clear: follow the money to unsuspecting consumers.
That is why establishing the legal platform to fight cybercrime is an urgent necessity, accompanied by public awareness campaigns. But South Africa, along with the rest of the continent, still has a mountain to climb in policing cybercrime.
Basie von Solms is director at the Centre for Cyber Security, University of Johannesburg.