Address by the Deputy Minister of Justice and Constitutional Development, the Hon JH Jeffery, MP, at the South African Banking Risk Information Centre (SABRIC) Stakeholder Dinner, held at Shepstone Gardens, Johannesburg, 27 October 2016
MD of the Banking Association and Chair of SABRIC Board, Dr Coovadia
SABRIC Board Members,
Ladies and gentlemen, friends
Einstein once commented that –
“Computers are incredibly fast, accurate… and stupid. Human beings are incredibly slow, inaccurate… and brilliant. Together they are powerful beyond imagination.”
I’m sure many of us have, on occasion, felt as if it should be the other way round.
But what is true is that humankind and technology, in harmony with each other, are indeed powerful beyond imagination.
Technological advances over the past 150 years have gone beyond our wildest imagination. The telephone is only 140 years old, yet it’s as if telephone and cellphone banking has been around forever.
We have come a long way indeed, in a very short space of time. And with great technological advances, sometimes come greater risks.
As for computers, the Z1, created by Konrad Zuse in his parents' living room between 1936 and 1938, is considered to be the first electro-mechanical binary programmable computer. Tim Berners-Lee, who is credited with inventing the World Wide Web, implemented it on Christmas Day 1990 when he undertook the first communication between a client and server using the HTTP (Hypertext Transfer Protocol) on the Internet.
Banking, of course, has been with us for much longer, like the merchant banks that Italian grain merchants invented in the Middle Ages. In Amsterdam in the early 16th century cashiers worked out that they could charge customers a fee for keeping their wealth safe.
Banking has modernized since then, but whilst new technology has certainly made modern banking much more accessible and convenient, it also brings with it new challenges, like malware creation, computer infection, phishing, botnet management, harvesting of personal and financial data, data sale and the selling of financial information.
Technology in the wrong hands can cause unimaginable havoc.
Many of you may know that last week US bank regulators outlined new cyber security standards meant to protect financial markets and consumers from online attacks. Leading banks will be expected to use the most sophisticated anti-hacking tools on the market and to be able to recover from any attack within two hours. These new measures are aimed at raising cyber security to a top priority.
Closer to home, Riskmap 2016, an international report on the most significant underlying trends in global risk and security, undertaken by global consultancy Control Risks, states that “the five African nations with the highest number of active malicious IP addresses are South Africa, Egypt, Kenya, Tunisia and Botswana.”
The report lists various factors behind our country’s high risk for cyber-crime – such as our comparatively high levels of internet connectivity and South Africa’s high GDP per capita compared to that of other nations in Sub-Saharan Africa.
Bank-related crime is not new – whether it’s cheque fraud, ATM bombings or cash-in-transit heists. SABRIC was established in 2002 as a separate company to address these very issues. And the prevention of bank-related crime becomes all the more important as technology advances.
So what can we do? And what can we do from the side of government in partnership with the private sector, and the banking sector in particular?
The development of new proposed legislation to enhance cybersecurity is a necessity. It is a milestone towards building safer communities as envisaged in the National Development Plan.
We are committed to putting in place measures to effectively deal with cybercrimes and address aspects relating to cybersecurity, which adversely affect individuals, businesses and Government alike.
Cybercrime activities are growing fast and evolving at a pace, becoming both more aggressive and technically proficient. As such, it is a major and growing threat to South African businesses.
The Department of Justice and Constitutional Development has been tasked with the review and alignment of cybersecurity laws to ensure that these laws are aligned with the National Cybersecurity Policy Framework (NCPF) and provide for an integrated cyber security legal framework for the Republic.
The new proposed Cybercrime and Cybersecurity Bill gives effect to this mandate.
Cybersecurity plays an important role in the ongoing development of information communication technology.
Enhancing cybersecurity and protecting critical information infrastructures are essential to each nation's security and the economic well-being of a country.
Making the internet safer and protecting internet users have become integral to the development of new services as well as governmental policy.
Deterring cybercrime is a vital component of a national cybersecurity and critical information infrastructure protection strategy. This includes the adoption of appropriate legislation against the misuse of information communications technologies for criminal purposes. The new Bill aims to advance these objectives.
The Bill was made available for public comment during September 2015. Comments were taken into account in the finalisation of a further draft of the Bill.
As a result of comments received, I believed it was necessary to appoint a working group consisting of persons with different areas of expertise to further refine the Bill and to address any concerns raised in respect of the Bill during the public consultation process. This was to ensure as much consensus as possible on the Bill before it is introduced into Parliament.
Many of you here have contributed to shaping the Bill that is on the table and have been part of the processes leading up to the Bill.
The last meeting of the working group was last month and the Bill will shortly be tabled in Cabinet for approval for introduction into Parliament.
Once the Bill goes to Parliament, there will be further public consultation and all stakeholders, such as yourselves, will have a further opportunity at making inputs into the draft legislation before it is enacted.
The offences provided for in the Bill aim to protect the confidentiality, integrity and availability of computer data and systems by means of the offences of unlawful access, interception of protected data, malware-related offences, interference with data and computer systems and password-related offences.
It criminalises cyber-facilitated offences by means of the offences of fraud, forgery, uttering and extortion, which were adapted specifically for the cyber environment.
No piece of legislation will ever be a silver bullet that eradicates cybercrime overnight, but we do believe that the proposed offences will, to a large extent, address the current shortcomings in our law and will facilitate the effective prosecution of cybercrimes.
An amendment has been effected to the Protection of Personal Information Act in order to deal with identity theft. The issue of criminalising the collection of personal information seems to be the one area where I foresee further inputs being made when the Bill goes to Parliament – by, on the one hand, banks, and civil rights protectors, on the other.
Jurisdiction in respect of all offences which can be committed in cyberspace is expanded substantially in terms of the Bill, mainly to deal with cybercrime which originates from outside our borders. The Bill aims to put in place specialised procedures, with sufficient checks and balances to protect the right of an accused person and other users of information communication technologies, to deal with the investigation of cybercrimes. Since many cybercrimes emanate from another country, the Bill also provides for procedures which will facilitate mutual assistance with other countries in the investigation of cybercrimes.
The Bill further provides for the establishment of a 24/7 Point of Contact. The aim of this structure is to facilitate immediate mutual assistance in cybercrimes which originate from outside, or which were committed or facilitated within South Africa. The Bill places obligations on electronic communications service providers and financial institutions to report prescribed categories of cybercrimes which come to their attention to the South African Police Service and to preserve information which may assist with the investigation of the crime in question.
The implementation of the South African cybersecurity initiative is dependent on capacity building, information sharing and co-operation between Government Departments and the private sector.
The private sector is required to establish nodal points to facilitate information sharing between Government and the private sector on cybersecurity incidents.
Special recognition is given to any computer security incident response team (CSIRT) which is established for a sector and provision is made for regulations to be issued to further facilitate the effective function of such a response team.
Information infrastructures are an essential part of the overall infrastructures supporting modern society. Critical information resources are supplied and operated in partnership between Government and the private sector and even in some instances across borders.
There are many critical sectors whose operations depend on information and communication technologies, amongst others, the financial sector, and it is therefore essential to protect these sectors from threats in cyberspace.
We are confident that the Bill will put in place the required building blocks necessary to address cybercrime in South Africa and to ensure that critical information infrastructure is protected against unwanted conduct in cyberspace.
We can only fight cybercrime in partnership with the private sector.
With regards to the conviction rate for cybercrimes, conviction rates exceed the targets set. For example, the 2016/17 target is 74%. For example, Quarter 2, that being July to September 2016, has a 95% conviction rate (i.e. 52 convictions). For the year to date, being April to September 2016, the conviction rate is 94% (i.e. 119 convictions).
But getting back to Einstein: I’m sure there will never be consensus as to whether computers or humans are the smarter ones. But one thing is certain, for technology to advance it needs people. For people to advance we need technology. Together they are powerful beyond imagination.
I want to leave you with an observation made by the late Steve Jobs in an interview with Rolling Stone. He was asked about how technology can empower people, how it can change their lives and if he had as much faith in technology as when he started his career. He said -
Technology is nothing. What's important is that you have a faith in people, that they're basically good and smart, and if you give them tools, they'll do wonderful things with them. It's not the tools that you have faith in — tools are just tools. They work, or they don't work.
It's not a faith in technology. It's faith in people.
I thank you.