Draft cyber policy welcomed but criticised in South Africa
Legal experts have welcomed the Department of Communications' (DOC's) draft policy on cyber security, but point out that the private sector has not been incentivised to participate.
Gazetted on 19 February, the policy outlines the DOC's intentions to tighten up coordination of cyber security throughout all sectors of the country, in line with international trends as set out by a United Nations General Assembly resolution passed in 2001. Public comment is due around 20 March.
The policy also aims to bridge the technological and legal divide, to ensure the country collaborates with other states to support its cyber security initiatives – something that is not being done.
It calls for the development of interventions to address cyber crime through partnerships between government, businesses and civil society.
Recognising that the issue of cyber security goes beyond the DOC's mandate, the policy calls for the creation of a National Cyber Security Advisory Council. This body would advise the communications minister on policy, promote coordinated public private partnerships, and provide oversight regarding the implementation of national cyber security initiatives.
The policy also calls for the creation of computer security incident response teams on a national level and for specific sectors in order to identify, analyse, contain and mitigate threats.
Dominic Cull, a lawyer with Ellipsis Regulatory Solutions, says the policy is needed and is a step in the right direction. “But where are the cyber inspectors called for in the ECT Act [Electronic Communications and Transactions Act] that was passed into law in 2002?”
Mike Silber, a member of the Internet Service Providers' Association management committee, agrees that the policy is a step in the right direction, but points out that it lacks detail on how it will encourage the private sector to participate.
“What we have to see is if government is just going to impose a set of regulations on business, or will it also adopt a carrot approach? It would have been helpful if government had said it will help fund the computer security incident response teams,” he notes.
Silber says the creation of these teams, especially on a sector level, is a good idea, but the composition and funding has not been detailed. He also says there is little, or no, mention of strengthening organisations that are already in place, such as the police's cyber crime unit. “Government already has some top quality people in place in units such as that, and they require the funding and resources needed to continue what they are doing,” he says. No comment has been received from the DOC.