A news conference to announce a big law enforcement action against transnational organised cybercrime at the Europol headquarters in The Hague, Netherlands, on May 16 2019. Picture: REUTERS/EVA PLEVIER
A news conference to announce a big law enforcement action against transnational organised cybercrime at the Europol headquarters in The Hague, Netherlands, on May 16 2019. Picture: REUTERS/EVA PLEVIER

The process of finalising legislation dealing with cybercrime has been long and tortuous but it has never been needed as much as now when more and more people work remotely from home.

Even though level 3 of the Covid-19 lockdown under the government’s risk-adjusted strategy to combat the pandemic has allowed retailers and many other businesses to resume operations, many companies are still operating on a work-from-home basis with employees accessing their work’s computer system remotely.

This heightens the risk of cyberattack, especially for small and medium enterprises that have not invested in expensive security. The lockdown has also seen an increase in online access to banking and other services.

Just this week private hospital group Life Healthcare reported that it was the target of a cyberattack, with Nedbank and fertiliser maker  Omnia Holdings also falling victim in February and March this year, respectively.

Interpol itself has warned that cyber criminals are attacking the computer networks and systems of individuals, businesses and even global organisations at a time when cyber defences might be lowered due to the shift of focus to the health crisis.

The first line of defence is obviously the strong protective walls built into computer systems, but there also needs to be a robust legislative framework to investigate and prosecute the criminals responsible for breaching them.

This has been lacking in SA for a long time. The country has the third-highest number of cybercrime victims in the world, with banks being prime targets, according to consultancy house Accenture. The World Economic Forum estimated that SA businesses lost R5.8bn in 2015 due to cybercrime.

The Cybercrimes Bill, which is now in the hands of the National Council of Provinces, consolidates existing provisions dealing with cybercrime from a number of other laws and creates new provisions. It was first published in the government gazette in December 2016 as the Cybercrimes and Cybersecurity Bill.

Before its adoption by the National Assembly in November 2018, however, the provisions dealing with cybersecurity were removed, leaving a stand-alone bill, the Cybercrimes Bill. The cybersecurity section will be dealt with separately by the state security department because it requires the setting up of new structures.

Admittedly, the prolonged recess of parliament in the first half of 2019 to allow for the general election delayed the processing of the bill, but prospects of its early adoption by parliament dimmed earlier this year as the justice & correctional services department, the National Council of Provinces’ select committee on security & justice, and parliament’s legal advisers proposed new amendments to the bill.

This means that the bill will have to revert to the National Assembly for confirmation and creates further delay, though it is promising that the select committee has almost completed its work.

The Cybercrimes Bill creates offences and penalties for cybercrime, some of them new offences. It criminalises the distribution of data which is harmful, provides for interim protection orders, regulates the powers to investigate cybercrimes and imposes obligations to report them.

The bill makes it an offence to unlawfully and intentionally access data, a computer program, a computer data storage medium and a computer system as well as to unlawfully intercept data and be in possession of such data.

It also deals with the unlawful interference with data or a computer program as well as with cyberfraud, forgery, uttering and extortion, among other things. Another offence would be the unlawful acquisition, possession, provision, receipt or use of a password or access code.

Penalties for the various offences range from fines to imprisonment up to 15 years.

Provision has been made for the police minister after consultations to publish standard operating procedures. These operating procedures are to be observed by the SA Police Service and others in the investigation of an offence or suspected offence.

The first step will be to get the bill onto the statute books as soon as possible but then there will be the challenge of building capacity in the police force and the National Prosecuting Authority to implement it.

Both are necessary if SA is to keep pace with technological developments and international standards and have the tools to effectively combat cybercrime.