Regulation, protection and privacy need some work in a digitally dominant world
Harnessing the economic benefits of the fourth industrial revolution is fraught with risk
By the time the World Economic Forum (WEF) has run its three-day course in Cape Town, thousands of pieces of data will have been collected from delegates’ hotel bookings, airport Wi-Fi traffic, online taxi services and bank transactions. Indeed, anyone conducting business in SA on any given day is feeding the voracious appetite of tech firms for big data.
Harnessing the economic benefits of the fourth industrial revolution (4IR) has shaped the theme of the 2019 meeting of the top minds doing business in Africa. The possibilities seem boundless. President Cyril Ramaphosa, as chair of a presidential commission, has promised a national 4IR strategy by 2020 to position SA as a global competitive player in the fourth industrial revolution.
Yet such a narrow view risks overlooking critical blind spots. In particular, the threats posed by cybercriminals, with the potential to exploit digital technology to undermine democracies, shape political narratives, hijack key infrastructure and (in extreme cases) provoke a real-world military response to a cyber attack.
Furthermore, criminals may well be in other countries subject to different laws. Those criminals could in fact be machines. Autonomous, anonymous and unaccountable.
Also, viewing 4IR through a narrow commercial prism overshadows the possibility of big data being weaponised and abused for disinformation campaigns, the likes of which we have already seen in the case of Cambridge Analytica. The emergence of 5G technology will enable the distribution of such messages to happen in real time, provoking real-time responses whether these come in the form of lively debate or violent reaction.
In July, City Power’s computer systems were hacked using ransomware, providing a salutary reminder to customers that their personal data is now a valuable commodity that can be traded, exchanged and monetised across borders and without trace. Furthermore, during the 2019 elections in SA, the security services were on high alert amid fears of cyber interference threatening to influence the result of the presidential race.
As the leading economy in the region, many experts including those from the Centre for Cybersecurity at the University of Johannesburg, believe SA needs to equip itself better to withstand such threats and not get carried away with the 4IR hype. SA also needs to use its international stature to be part of the global conversation on how to police the global cyber sphere and build cyber defences and robust policies on issues such as data sovereignty and access to information.
Top-level discussions are already under way with 25 leading nations at the UN, to develop the rules of engagement for this brave new digital world. But representatives from Latin America and Africa have been noticeably silent.
In SA there has been some progress. The new Cybercrimes and Cybersecurity Bill broadens the reach of the law across borders. Yet it has still not been enacted into law. It allows for suspects to be extradited — so long as extradition treaties are in place — so it rules out vast swathes of the planet.
But law enforcement seems to be lagging behind the tech wizards. In 2012, the cabinet approved a National Cybersecurity Policy Framework. As part of that plan, the SA Police Service was mandated to come up with a cybercrime police strategy. Yet seven years later, despite it having been drafted and approved, it is still not in place.
The strategy would not only bring standards of forensics, crime detection and reporting into alignment with global benchmarks, but also include the development of an SA- based research institute to monitor new threats right across Africa.
As with so many other countries in the global South, SA struggles with capacity, in particular having enough people with the know-how and technical skills to keep pace with the criminals. The resources to fund a professionally driven cybercrime response team, aligned with international standards enshrined in the Budapest and Malabo conventions on cybercrime, are also lacking.
One imaginative funding avenue that has been proposed is the Criminal Asset Recovery Account. The seized assets of criminal enterprises would be ploughed back into cybercrime law enforcement. But potentially there is also a role for the private sector to help grow that capacity, ensuring that Africa does not become a “soft target” or proxy, in geopolitically sensitive cyber battles between powerful individuals, corporations or states.
The misuse of 4IR technology may not be the story that leaders at the WEF want to hear. This is not a call to undermine or overshadow the exciting potential that rapid digitisation offers. But policing data and the criminals intent on abusing it, forces hard questions about balancing regulation, protection and privacy in a world where digital dominance is a reality.
• Karen Allen is a senior research adviser on emerging threats in Africa for the Institute for Security Studies. Anton du Plessis is the executive director of the Institute for Security Studies.