DISCUSSION OF THE CYBERCRIMES AND CYBERSECURITY BILL
1. PURPOSE OF BILL
The Cybercrimes and Cybersecurity Bill, 2015 (the "Bill") –
* creates offences and prescribes penalties;
* further regulates jurisdiction;
* further regulates the powers to investigate, search and gain access to or seize
* further regulates aspects of international cooperation in respect of the investigation of cybercrime;
* provides for the establishment of a 24/7 point of contact;
* provides for the establishment of various structures to deal with cyber security;
* regulates the identification and declaration of National Critical Information Infrastructures and provides for measures to protect National Critical Information Infrastructures;
* further regulates aspects relating to evidence;
* imposes obligations on electronic communications service providers regarding aspects which may impact on cybersecurity;
* provides that the President may enter into agreements with foreign States to promote cybersecurity;
* repeals and amends certain laws; and
* provides for matters connected therewith.
2. BACKGROUND
2.1 In 2011 more than one third of the world's total population had access to the Internet. It is estimated that mobile broadband subscriptions will approach 70 per cent of the world's total population by 2017. The number of networked devices is estimated to outnumber people by six to one, transforming current conceptions of the Internet. In the future hyper-connected society, it is hard to imagine a cybercrime, or perhaps any crime, that does not involve electronic evidence linked with Internet protocol connectivity. Both individuals and organised criminal groups exploit new criminal opportunities, driven by profit and personal gain. Most cybercrime acts are estimated to originate in some form of organised activity, with cybercrime black markets established on a cycle of malware creation, computer infection, botnet management, harvesting of personal and financial data, data sale and selling of financial information. Cybercrime perpetrators no longer require complex skills or techniques. Globally, cybercrime shows a broad distribution across financially-driven acts and computer-content related acts, as well as acts against the confidentiality, integrity and availability of computer systems. Globally, police-recorded crime statistics do not represent a sound basis for determining the precise impact of cybercrime. Some authors estimate that the incidence of cybercrime is significantly higher than that of conventional crimes. The use of the Internet to facilitate and commit acts of terrorism is a real occurrence. Such attacks are typically intended to disrupt the proper functioning of targets, such as computer systems, servers or underlying infrastructure, especially if they are part of the critical information infrastructures of a country, among others by means of unlawful access, computer viruses or malware. Some countries are taking steps to implement cyber-warfare and defence strategies.
2.2 As part of Government's Outcome Based Priorities, the JCPS Cluster signed the JCPS Delivery Agreement relating to Outcome 3 on 24 October 2010. This agreement focuses on certain areas and activities, clustered around specific outputs, where interventions will make a substantial and positive impact on the safety of the people of South Africa.
2.4 Currently there are various laws on the Statute Book dealing with cyber security, some with overlapping mandates administered by different Government Departments and whose implementation is not coordinated. The legal framework regulating cyber security in the Republic of South Africa is a hybrid mix of legislation and the common law. Some notable statutes in this regard include, among others, the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002), the Protection of State Information Bill, 2010, the South African Police Service Act, 1995 (Act No. 68 of 1995), the Correctional Services Act, 1998 (Act No. 111 of 1998), the National Prosecuting Authority Act, 1998 (Act No. 32 of 1998), the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002 (Act No. 70 of 2002), the Prevention and Combating of Corrupt Activities Act, 2004 (Act No. 12 of 2004), the Films and Publications Act, 1996 (Act No. 65 of 1996), the Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007 (Act No. 32 of 2007), the Copyright Act, 1978 (Act No. 98 of 1978), the Civil Proceedings Evidence Act, 1965 (Act No. 25 of 1965), the Criminal Procedure Act, 1977 (Act No. 51 of 1977), the Protection of Personal Information Act, 2013 (Act No. 4 of 2013), the Protection from Harassment Act, 2011 (Act No. 17 of 2011), the Financial Intelligence Centre Act, 2001 (Act No. 38 of 2001), and the State Information Technology Agency Act, 1998 (Act No. 88 of 1998), to name a few.
2.5 The Department of Justice and Constitutional Development was mandated to review the cyber security laws of the Republic to ensure that these laws provide for a coherent and integrated cyber security legal framework for the Republic.
2.6 The Bill is part of a review process of the laws on the Statute Book which deal with cyber security and matters related to cyber security. Further legislation may in due course be promoted to address other relevant aspects, inter alia cryptography, e-identity management and also a possible review of electronic evidence.
3.1 Definitions
Clauses 1, 2, 26 and 50 contain various definitions which will be explained in context with the provisions to which they relate.
3.2 Offences
3.2.1 Personal and financial information or data related offences
The automation of data processing and the development of non-face-to-face transactions have generated increased opportunities to commit various offences with the personal and financial information or data of a person. This information or data can be the subject of several constitutive acts, namely –
* the act of obtaining identity-related or financial information or data;
* the act of possessing or transferring the identity-related or financial information or data; and
* the act of using the identity-related or financial information or data for criminal purposes.
Personal or financial information or data can be obtained, for example, via illegal access to computer devices and databases, the use of phishing or interception tools, or through illicit acquisition such as dumpster diving, social engineering, theft and the online buying of information or data of another person. For example, "phishing" has recently become a key crime committed in cyberspace and describes attempts to fraudulently acquire sensitive information (such as passwords or other personal or financial information or data) by masquerading as a trustworthy person or business (e.g. a financial institution) in a seemingly official electronic communication. Examples of personal information or data which is targeted in cyberspace are the following:
* Address particulars, phone numbers, dates of birth and identity numbers: This information can in general be used to commit identity theft if it is combined with other information or data. Having access to information such as the date of birth and address of a person can help the perpetrator to circumvent verification processes. One of the greatest dangers in this regard is that such information is currently available on a large scale in various databases.
* Passwords for non-financial accounts: Having access to passwords for accounts allows perpetrators to change the settings of the account and use it for their own purposes. They can, for example, take over an e-mail account and use it to send out e-mails with illegal content or take over the account of a user of an auction platform and use the account to sell stolen goods.
Financial information or data is a popular target in cyberspace. Financial information or data which is targeted in cyberspace includes information regarding savings accounts, credit cards, debit cards and financial planning information.
Personal or financial information or data are mostly used to commit financial cybercrimes.
The following offences aim to address personal or financial information or data related offences:
(a) Clause 3(1) criminalises the intentional and unlawful acquiring by any means, the possession of or provision to another person, of the personal information of a person for purposes of committing an offence provided for in the Bill.
(b) Clause 3(2) criminalises the intentional and unlawful acquiring by any means, the possession of or provision to another person, of the financial information of a person for purposes of committing an offence provided for in the Bill.
(c) Clause 3(3) criminalises the intentional and unlawful use of the personal or financial information of another person to commit an offence under the Bill.
(d) In terms of clause 3(4), a person is guilty of an offence if he or she is found in possession of personal or financial information of another person in regard to which there is a reasonable suspicion that such personal or financial information –
* was acquired, is possessed, or is to be provided to another person for purposes of committing an offence under the Bill; or
* was used or may be used to commit an offence under the Bill,
and if he or she is unable to give a satisfactory exculpatory account of such possession.
For purposes of this clause, clause 3(7) defines –
* "personal information" as any 'personal information' as defined in section 1 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013); and
* "financial information" as any information or data which can be used to facilitate a financial transaction.
3.2.2 Unlawful access
Since the development of computer networks, their ability to connect has been used by hackers for criminal purposes. Hackers need not be present at the crime scene; they need only circumvent the protection securing the database, network or computer device. Illegal access threatens interests such as the integrity of data, a computer device, a computer network, a database or an electronic communications network. The legal interest is infringed not only when a person unlawfully interferes with, or commits other unlawful acts in respect of, data, a computer device, a computer network, a database or an electronic communications network, but also when a perpetrator, for example, merely accesses a computer network. Illegal access does not require that the offender accesses system files or other stored data. The criminalisation of illegal access represents an important deterrent to many other subsequent acts against the confidentiality, integrity and availability of data, a computer device, a computer network, a database or an electronic communications network, and to other computer-related offences. It is vital to distinguish between illegal access and subsequent offences, since the other offences have a different focus of protection. In most cases, illegal access is not the end goal, but rather a first step towards further crimes, such as interfering with or intercepting data.
To address this, clause 4(1) criminalises the unlawful accessing of the whole or any part of data, a computer device, a computer network, a database, a critical database, an electronic communications network or a National Critical Information Infrastructure.
Clause 4(3) defines "access" to include, without limitation, the following: to make use of, to gain entry to, to view, display, instruct, or communicate with, to store data in or retrieve data from, to copy, move, add, change, or remove data, or otherwise to make use of, configure or reconfigure any resources of a computer device, a computer network, a database, a critical database, an electronic communications network or a National Critical Information Infrastructure, whether in whole or in part, including their logical, arithmetical, memory, transmission, data storage, processor, or memory functions, whether by physical, virtual, direct, or indirect means or by electronic, magnetic, audio, optical, or any other means. Clause 4(4) provides that, for purposes of this section, the actions of a person, to the extent that they exceed his or her lawful authority to access data, a computer device, a computer network, a database, a critical database, an electronic communications network or a National Critical Information Infrastructure, must be regarded as unlawful. The offence therefore covers not only an outsider who bypasses protection, but also an authorised user who acts beyond the scope of the access actually granted to him or her.
3.2.3 Unlawful interception of data
The use of Information and Communications Technologies is accompanied by several risks related to the security of information transfer. Unlike classic mail-order operations, data transfer processes over the Internet involve numerous providers and different points at which the data transfer process could be intercepted. Wireless networks, for example, allow persons to connect to the Internet from anywhere inside a given radius, without the need for cable connections. However, if adequate security measures are not implemented, this also gives perpetrators the same degree of access, which allows them to obtain, inter alia, passwords, bank account information and other sensitive information. The criminalisation of the unlawful interception of data aims to protect the integrity, privacy and confidentiality of data within a computer device, a computer network, a database or an electronic communications network, as well as data which is being sent to, over or from the aforementioned. The unlawful interception of data builds on the offence of illegal access, where further actions are taken by the perpetrator in order to acquire data unlawfully.
Clause 5(1) provides that any person who intentionally and unlawfully intercepts data to, from or within a computer device, a computer network, a database, a critical database, an electronic communications network, or a National Critical Information Infrastructure, or any part thereof, is guilty of an offence.