The State Security Agency (SSA) has announced strategic and senior managerial appointments it says will assist in prioritising the finalisation of the National Security Strategy, including the Cyber Security Policy.
The SSA previously said the policy will be finalised this month, but was unable to confirm by time of publication whether it will be able to meet this deadline.
The National Cyber Security Policy Framework was approved by Cabinet in March 2012. The framework outlines policy positions that are intended to address national security threats in cyberspace, combat cyber warfare, cyber crime and other cyber ills, and develop, review and update existing substantive and procedural laws to ensure alignment.
The policy fell under the Department of Communications’ (DOC’s) mandate for three years, before it was passed on to the SSA for development.
Professor Jane Duncan, Highway Africa chair of the Media and Information Society at Rhodes University, noted this transfer from the DOC to SSA illustrates that the problem of cyber breaching has been escalated to a national security threat.
According to the SSA, the Cyber Security Policy will see a number of structures and institutions established for coordinating the work of various security cluster departments that are working on a wide range of issues.
“The policy framework identifies specific areas of responsibility by a number of government departments, and the SSA is tasked with overall responsibility and accountability for coordination, development and implementation of cyber security measures in the country, as an integral part of its mandate,” says the agency.
The importance of national cyber security has been highlighted recently, with scandals such as the UK allegedly spying on foreign delegates, including SA, at the 2009 G20 summit; the SAPS Web site hack; and system breaches at a number of government entities, such as the South African Revenue Service, Postbank and the Alfred Ndzo District municipality.
Director at Web.Tech.Law Paul Jacobson says he is unsure how viable and sustainable such a framework will be, as government will in effect have to “police the Internet”. He notes he is uncertain of what exactly the framework will entail and what government hopes to achieve through its implementation, but for the moment he remains unconvinced.
“If it is the intent of government to have access to all communication or basically control all the information that goes in and out, it raises some serious concerns of misuse,” says Jacobson.
He says companies and individuals have a right to protect their information, and in many cases it is vital that personal information be protected; for example, in cases of client confidentiality. “Allowing government access to private information requires a certain amount of trust in them, and I think it is safe to say, [general trust in government] is a little on the weak side at the moment.”
Jacobson notes that both cyber criminals and those who want to legitimately protect information will continue to use increasingly sophisticated encryption methods to do so, despite the implementation of the Cyber Security policy.