Security & Cryptography

There is not a great deal of legislation or regulation in South Africa dealing with cybersecurity, but it is an area in which far greater Government involvement can be anticipated over the short-to-medium term. South Africa is currently experiencing an uptick in cybercrime and phishing as the country manages to achieve higher levels of Internet penetration and lower electronic communications costs. The combination of a large and inexperienced user base and greater international connectivity is fertile ground for cybercrime.

Electronic Communications and Transactions Act 25 of 2002

The ECT Act deals with a number of aspects of electronic communications security:

  • Chapter IV requires that any public body which accepts electronic filing or payments and issues documents electronically may specify by way of Notice in the Government Gazette, inter alia, the control process and procedures applied to ensure adequate integrity, security and confidentiality of data messages or payments.
  • Chapter V contains a prohibition on offering cryptography products or services in South Africa prior to registering with the Department of Communications as a cryptography provider under section 29.
  • Under Chapter VI an authentication service provider looking to be accredited as a provider of advanced electronic signatures must, inter alia, demonstrate that its hardware and software systems and procedures adhere to “generally accepted security procedures”. The Minister of Communications is further empowered to make regulations setting out information security requirements or guidelines.
  • Under Chapter VII (Consumer Protection) a supplier offering goods or services for hire or sale by way of an electronic transaction is required to specify on their website the security procedures and privacy policy of that supplier in respect of payment, payment information and personal information. Where offering electronic payments a supplier is also required to utilise a payment system that is sufficiently secure with reference to accepted technological standards at the time of the transaction and the type of transaction concerned.
  • Chapter IX provides for the security of “critical databases”.
  • Chapter XIII creates a number of cybercrimes relating to unauthorised access to, interception of or interference with data, and computer-related extortion, fraud and forgery.

National Cybersecurity Policy

The Department of Communications issued a Notice of Intention to make South African National Cybersecurity Policy (Feb 2010) on 19 February 2010. The objectives of the Policy include:

  • establishing institutional advisory structures;
  • promoting confidence and trust in the use of ICTs through improved cybersecurity; and
  • promoting compliance with appropriate technical and operational cybersecurity standards.

The draft has not been finalised. According to reports, the matter will come before Parliament for consideration during 2011.