SCOTT TIMCKE: Neglected cybersecurity puts development at risk

SA faces an increasing number of cyberattacks that harm its economy, society and international reputation.

In recent months several high-profile breaches have exposed the vulnerability of the public and private sectors to sophisticated hackers. However, the government has been slow to respond and reluctant to invest in cybersecurity capabilities. This is a serious mistake that undermines SA’s aspirations to be a leader in a multipolar world.

In August the Snatch group extracted about 200 terabytes of data from department of defence systems in a hack. The State Security Agency was also hacked before the Brics summit that same month.

Both incidents were initially denied by state authorities until media investigations forced them to concede. Such face-saving exercises are detrimental to the public interest. They also reveal a lack of transparency and accountability in government’s handling of cybersecurity issues. Little wonder that Pansy Tlakula, chair of the information regulator, is reportedly launching an investigation into the second incident.

SA firms are also under pressure, with spyware attacks reportedly increasing by 19% this past year. Cyberattacks on critical infrastructure such as water, energy, telecommunication and health systems, pose a serious threat.

These attacks can disrupt society, as seen in 2021 when hackers paralysed some of Transnet’s port facilities. However, the SA government has thus far failed to hold cyberattackers accountable through indictments and charges. It appears that the state lacks investigative and prosecutorial capacity.

The state also appears to lack the capacity to lead the prevention of cyberattacks by driving the adoption of standards and addressing the dramatic cybersecurity skills deficit. Cybersecurity has largely been left to security agencies, but securing public infrastructure is the responsibility of the entire state.

Wiretapped phone

This lack of state capability contrasts with the government’s aspirations, which as part of the now expanded Brics bloc are to build a multipolar international system. Driven by a growing disenchantment with the current international system, the Brics countries have openly prioritised cybersecurity since the 2013 eThekwini declaration and action plan.

The plan called for creating “universally accepted norms, standards and practices” to ensure a “peaceful, secure, and open cyberspace” for all. The urgency of this declaration was evident later that year when the Snowden revelations exposed that the US had wiretapped the personal phone of then Brazilian president Dilma Rousseff.

The Brics have launched several initiatives to support their developmental approach to cybersecurity, such as the Digital Economy Partnership, the Partnership on New Industrial Revolution, and the Institute of Future Networks. These initiatives seek to foster co-operation and regulation among the Brics countries in the use of information and communication technologies and cross-border data flows.

Despite the attention to research and new norm-setting, on the home front SA seems to lack a plan for the disruptions cyberattacks can cause. For example, the draft Critical Infrastructure Protection Regulations ignore cybersecurity completely. It lacks even minimal monitoring or evaluation of cybersecurity risk. In effect, these regulations are outdated and inadequate before they are even enacted. This is worrying, as cyberthreats are a burden the sluggish SA economy cannot continue to bear. 

Skills deficit

A successful SA cybersecurity strategy would require more than paperwork. Public investment is needed to sharpen the state’s ability to identify and attribute blame when attacks happen, regardless of whether they target the public or private sectors. This is the basis for a credible response.

A successful strategy would also require addressing the cybersecurity skills deficit in more proactive ways. For example, a qualification framework that provides alternative routes into cybersecurity through reskilling workers already in workplaces would not be constrained by the pace of hiring new personnel.

Policymakers may be reluctant to invest more in cybersecurity after a year of weak tax collection. But as the 2021 Transnet hack demonstrated, the burdens of broken critical systems are eventually felt most acutely by the poor. Adequate investment into cybersecurity capabilities can protect the public and private sectors from the severe damage hostile actors can inflict on the economy.

Cybersecurity deserves more attention and resources from government. SA cannot afford to be complacent or defensive about its cyber vulnerabilities, it must act decisively to enhance its cyber resilience. Until then the poor state of cybersecurity readiness will prevent government from achieving its goal of participating in the reshaping of the global order.

• Dr Timcke is a senior research associate at Research ICT Africa, a research associate at the University of Johannesburg Centre for Social Change, and an affiliate of the Centre for Information, Technology & Public Life at the University of North Carolina.