Ahmore Burger-Smidt – director, head of data privacy and cyber crime practice at Werksmans.
While the recently enacted Cyber Crimes Act is a world-class piece of legislation, South Africa is finding it difficult to enforce the law.
So said Ahmore Burger-Smidt – director, head of data privacy and cyber crime practice at Werksmans – speaking yesterday during the ITWeb Security Summit 2022 event in Johannesburg.
Burger-Smidt was giving an update on the Cyber Crimes Act, which was signed into law by president Cyril Ramaphosa in June 2021.
The Act creates cyber crimes as new criminal offences under South African law. These relate to unlawful access to a computer system or computer data storage medium, as well as unlawful interception of data and/or processing of unlawfully intercepted data.
Burger-Smidt stressed that the new law is vital for SA, which is increasingly being targeted by cyber criminals.
However, she pointed out that while the law puts SA at par with its global counterparts, the country lacks adequate skills to properly investigate and prosecute cyber-related offenses.
“For me, if I look at the Cyber Crimes Act, it is a world-class piece of legislation that we are sitting with. We are very good, as a country, at producing excellent pieces of legislation. However, the problem comes with the enforcement of the legislation and keeping the legislation up to date,” Burger-Smidt told delegates at the Sandton Convention Centre.
“So even though we have an excellent piece of legislation, our problem is to enforce that legislation. There is a problem with the implementation or execution of the legislation because we need the skills. It’s about the absolute shortage of skills in South Africa to enforce this legislation.”
She pointed out the Cyber Crimes Act refers to a specific cyber unit to be established to enforce the law within the South African Police Service (SAPS).
The Act regulates the powers of the SAPS to investigate cyber crime or other offences that are committed or facilitated by cyber means.
It also aims to ensure the SAPS is adequately capacitated and trained to deal with cyber crimes, and ensure the effectiveness and capacity of the SAPS to investigate cyber crimes, as well as the National Prosecuting Authority to prosecute the transgressions in the cyber world.
“I am aware there are a handful of absolutely highly-skilled and qualified individuals in the SAPS that understand cyber crime and the legislation, but the extent of cyber crime requires a detailed investigation and that’s where the problem is.”
Burger-Smidt noted that some of these crimes are difficult to investigate because the perpetration of the illegal act is “by no means computer-dependent but merely computer-enabled”.
An example of such criminal activity is the “advance fee scheme”, which has become one of the more common forms of online fraud. This includes lottery fraud, romance scams and inheritance schemes.
“The advance fee fraud is referred to colloquially as the ‘419 Scam’, being named after provision 419 in the Nigerian Criminal Code which criminalises advance fee fraud.
“Nigeria is notorious for being a hub of this type of fraud. It is a common form of online fraud and has mushroomed over the years, to include pyramid schemes, get-rich-quick schemes, fraudulent business opportunities, fake educational qualifications, financial advice scams and lottery scams.
“One of the more famous scams was the Banco Noroeste scam, where a Brazilian banker bought a fake airport for $242 million from Nigerian fraudsters. However, while its sensational facts make for compelling reading, it is by no means a cyber crime.”
Burger-Smidt’s comments come as SA is experiencing a barrage of cyber attacks, with a number of organisations recently being caught flat-footed.
The Security Summit speaker said there are four specific reasons why the Cyber Crimes Act legislation is important – the first one being data exposure.
“There are a number of [data exposure] examples in SA, such as Momentum Metropolitan, Experian, Lombard Insurance, Office of the Chief Justice, Absa and the UIF COVID-19 Relief Fund Scheme – these are data exposures that have happened over the past few years.”
The second is system intrusion, with organisations such as Nedbank, JSE company Omina, Life Healthcare Group, PostBank and Stefanutti Stocks falling victim.
Thirdly, is compromised websites, which hit organisations like South African online stores, the SABC and the ANC Youth League.
The last one is cyber crime, with businesses such as Tracker SA, Department of Justice and TransUnion falling prey, she said.
“If you look at the South African environment, in 2021, South Africa had a total of 230 million threat detections. Globally, SA has the third-highest number of cyber crime victims.”
According to Burger-Smit, the average cost of a data breach in SA stood at $3.21 million in 2021. On average, South African organisations take 177 days to identity a security breach and 51 days to contain it. The root causes of security breaches in SA are malicious attacks (48%), system glitches (26%) and human error (26%).
Above all, targeted ransomware attacks are also increasing in the country.
“Globally, we have to enhance our legislative landscape in order to curb these threats…we need to ensure we do not work in isolation in this virtual world we are living in nowadays.”
She explained that in the virtual world, there are cyber-enabled crimes, which are traditional crimes that are facilitated and amplified by the internet, as well as cyber-dependent crime – sophisticated attacks against computer networks and software.
“This is why we need the cyber crimes legislation. We can’t, as an economy, function in isolation. Cyber security is a growing concern for governments, with the push for universal access to the internet, the increasing ubiquity of social networks and the growing reliance on digital government service, and given a growing range of threats from foreign powers, terrorists and criminals.”