Transcript Cybercrime regulation at a cross

EVALUATION
OF
CYBERCRIME REGULATION
IN
SOUTH AFRICA
BY MURDOCH WATNEY
Why the
topic:
Evaluation
of
Cybercrime
Regulation
in
South Africa?
INDEX
1. INTRODUCTION
2. DEFINING CYBERCRIME
•
•
What is understood with the term ‘cybercrime’?
What are the characteristics of cybercrime that distinguishes it from crimes committed
in the physical world?
3. REGULATION OF CYBERSPACE/ELECTRONIC MEDIUM
•
Can cyberspace be regulated/controlled?
4. THE EFFECTIVENESS OF CYBERCRIME REGULATION FOR LAW
ENFORCEMENT AND NATIONAL SECURITY PURPOSES
• Cybercrime regulation consists of not only laws criminalizing conduct
but also laws providing for the prevention, detection, investigation,
prosecution and sentencing of an accused.
4.1 Cybercrime regulation by means of national laws in South Africa
•
•
Is cybercrime regulation in the format of conduct regulation by means of the common
law and legislation sufficient?
Problems experienced with cybercrime prevention, detection, investigation and
prosecution.
4.2 Cybercrime regulation by means of transnational laws
4.3 Cybercrime regulation by means of the international law
5. CONCLUSION REGARDING CYBERCRIME REGULATION
•
Cybercrime regulation must be seen within a comparative and global context.
1. INTRODUCTION
When it comes to the evaluation of cybercrime
regulation, it must be seen within the context of a
growing
dependence
on
information
and
communications technologies.
Regarding internet penetration
South
Africa:
increase
in
access to bandwidth:
2011: 2, 69 terrabits per
second
2012: 11, 9 terrabits per
second
December 2011: 139
million citizens of
Africa had internet
access,
• In May 2012 it was reported that internet penetration is
now nearing 20%.
o 6 million South Africans access the internet on
computers, laptops and tablet devices.
 Out of this group 5, 42 million also have internet access by
means of cellphones.
o 7,9 million South Africans connect to the internet
using cellphones.
 Of this group 2,4 million do not have internet access via
computers.
• Dependence on ICT today cannot be measured
statistically, e.g. government, companies/organisations
and consumers alike are dependant on ICT’s, e.g.
electricity grid, water supply, air transport, using ATM
etc.
•
The growth in internet penetration and ICT dependence are positive developments,
but with it comes the following concerns:
o Firstly security measures must be in place but it is not infallible and breached, the
o The conduct must be criminalized and there must be laws in place for crime
prevention, detection, investigation and prosecution.

The dependence on ICTs result in vulnerabilities and weakness to crime.
• Early 2012, Michael Moran, acting assistant director cyber
security and crime at Interpol, said at a Kaspersky Lab Cyber
Conference, that “ We need better laws to deal with
cybercrime”.
o Cybercrime has evolved into an ‘economy’ that runs ‘parallel’
to that of the (lawful) main-stream economy and is worth
billions; it is referred to as a ‘shadow’ industry.

•
The creation of malware is financially motivated. The growth of malware is illustrated as
follows: In 1994 one virus was written every hour; in 2006 it was one virus every minute and
2011 one virus every second.
Although violent, sexual and other physical crimes in South Africa need attention, cybercrime
which are in many instances white-collar crimes, affect the economy, for example: where a
company is subjected to extortion, then the company suffer losses which may result in job losses;
where a DDoS attack is launched against the website of a bank, the credibility of the bank is
affected. A lot of our socio-economic problems will be addressed if our economy is strong;
investors will also not easily invest in a nation-state where cybercrime is not addressed
2. DEFINING CYBERCRIME
Question: What is understood with ‘cybercrime’?
Answer:
• There exists no universal definition for cybercrime.
o Why do one need a universal definition of cybercrime?
• In 2002 when the Electronic Communications and Transactions Act 25 of 2002
was implemented, cybercrime was not defined.
o
I defined ‘cybercrime’ as any unlawful conduct involving a computer or computer system or
computer network irrespective of whether it is the object of the crime or the instrument or
incidental to the crime commission.

It is a narrow definition.
• In 2012 the Draft National Cybersecurity Policy Framework
(NCPFP) for South Africa, cybercrime is defined.
o ‘Cybercrime’ means illegal acts, the commission of which
involves the use of information and communication
technologies (ICT).
o ‘ICT’ means any communication device or application including
radio, television, cellular phones, satellite systems, computers,
network hardware and software and other services such as
videoconferencing.

Problem with a wide definition: It may include conduct that fall within the physical world, for example, the socalled ‘facebook’ rapist, Thabo Bester used the social media to lure woman who were interested in the TV and
entertainment industry to meet him which resulted in robbery and murder.
Defining cybercrime
• Prof M Gercke who compiled a report
commissioned
by
the
International
Telecommunications Union (ICT) Development
Sector’s ICT Applications and Cybersecurity
Division titled: “Understanding Cybercrime: A
guide for developing countries” which was
published in March 2011 confirmed the lack of an
uniform recognised definition of cybercrime but
suggested:
o Cybercrime should be seen as an umbrella
concept that includes various forms or categories
of unlawful conduct.
 A distinction between the different categories of
cybercrimes are important when it comes to deciding
whether instituting investigation is for law enforcement
or national security purposes.
Defining cybercrime
• When defining cybercrime, the characteristics of
cybercrime must be kept in mind as it differs from a physical
crime and present investigative challenges.
o It is committed within an electronic medium (cyberspace) with the
emphasis on the intangible.
o In many instances the investigating agency needs the assistance of an
intermediary, for example the service provider to investigate the crime.

How is the evidence within an electronic medium collected?


Conduct regulation alone is ineffective when it comes to cybercrime investigation.
A country cannot only have substantive laws, that provide for conduct regulation, but
need also procedural laws that provides for the collection of the evidence.
 Traditionally a re-active approach to crime commission, but today a
pro-active approach to crime commission which may result in
violation of human rights.
o Cybercrime is the consequence of globalisation; in many instances the
perpetrator of the crime is not within the borders of South Africa but
the effect of the crime is felt in South Africa.
 Due to the borderless nature of crime, many issues inherent to the
borderless crime commission have to be address, for example:


If the perpetrator committed the crime from within the South African borders and the
effect/result was felt outside South Africa, may South Africa prosecute or must the
perpetrator be extradited to the country where the effect of the crime was experienced?
If a cyber-attack is launched against South Africa, may South Africa retaliate by launching
an attack itself?
3.
REGULATION
OF
CYBERSPACE/ELECTRONIC MEDIUM
Question: Can cyberspace/electronic medium
be regulated?
Answer:
•
•
The draft NCPF refers to ‘cyberspace.’
‘Cyberspace’ refers to the space where communications take place.
o ‘Cyberspace’ denotes the “place” where communication on the internet takes place. It is
“a place without physical walls or even physical dimensions – where ordinary telephone
conversations “happen, where voice mail and email messages are stored and sent back
and forth, and where computer-generated graphics are transmitted and transformed, all
in the form of interactions, some real-time and some delayed among countless users,
and between users and the computer itself.” Cyberspace exists everywhere that there
are telephone wires, coaxial cables, fiber-optic lines or electromagnetic waves.
 Cyberspace/electronic medium contrasted to physical world.
•
It is not cyberspace but the physical infrastructure within South Africa that enables
the electronic medium that is regulated, the internet.
A nation-state such as South Africa can only regulate the internet (infrastructure)
within its territorial borders.
As soon as a crime is committed across the South African borders, South Africa will
need assistance in the collection of evidence and prosecution of the perpetrator.
•
•
4. THE EFFECTIVENESS OF CYBERCRIME REGULATION
4.1 Cybercrime regulation in South Africa by means of the
common law and legislation
Question: Do the common law and legislation in South Africa
provide for cybercrime for LAW ENFORCEMENT PURPOSES?
Answer:
 Regarding the common law in respect of cybercrime:
In respect of common law crimes, the crimes of fraud or theft will mostly be
applicable.
• Initially I was of the opinion that the common law was not flexible enough to
accommodate ICT.
• Case law and the interpretation of the relevant sections in the Constitution
confirm that I was wrong in my assumption.
o In Nissan v Marnitz NO and Others 2005(1) SA 441 (SCA) held that a person
who receives money into his bank account in his name, knowing that he is not
entitled thereto and who uses it commits theft. The transaction is done
electronically and the credit which is owned by the bank, exists electronically
and constitutes a cash value in money.
 What is the position if the bank customer accidently transfers the money
to the wrong account?
o In S v Ndebele and Another (SS 16/10) [2012] ZAGPJHC 42 the court stated
that the property, electricity is intangible and can be stolen.
 Where an employee emails information to the competitor,
did the employee commit theft of information?
 If A takes B’s SIMcard out of her cellphone and make
phone calls using the SIMcard in her phone, did A commit
theft of airtime?
• Regulation of Interception and Provision of CommunicationRelated Information Act 70 of 2002 provides for the use
of surveillance methods to collect evidence and
statutory crimes.
If A is arrested at the ATM where A inserted a skimming
device, then A may be prosecuted for the following: a
statutory offence in terms of s 86(3) read with s 89(1) of the
ECT Act and s 49 (unlawful interception) read with s 51
(penalty clause) of RICA.
Other legislation:
• Criminal Law (Sexual Offences Act and Related Matters) Amendment Act 32
of 2007 provides inter alia for sexual offences against children and specifically
sexual grooming via for example facebook.
 Child pornography defined in the Films and Publications Act 65 of 1996
as well as Sexual Offences Act.
• Protection of Harassment Act 17 of 2011 came into operation end of 2011
provides for protection against harassment (stalking) where the complainant
for example receives emails that the complainant feels may be harmful.
• Online gambling in terms of the National Gambling Act of 2008 has not yet
been implemented.
o

Illegal since no online gambling provider has been issued with a license.
Question: Does legislation in South Africa provide for
cybercrime FOR LAW ENFORCEMENT PURPOSES?
Answer:
 Regarding legislation for law enforcement
purposes:
There is a variety of legislation that provide for different
statutory crimes, for example:
• Electronic Communications and Transactions Act 25 of 2002
provides in chapter 13 for 3 categories of statutory crimes;
aimed at conduct criminalization.
o If A is found with 5 counterfeit (cloned) credit cards, then
prosecute A for the following statutory offences: in terms of
86(1) (unauthorised access) read with s 89 (1) (the penalty
clause) as well as s 88(2) aiding and/or abetting person(s)
unknown to the state) read with s 89 of the ECT Act?
 Problematic is the sentencing penalty which is very
lenient.
o May A be charged for the common law crime of theft of
identity of the person(s) whose cloned credit cards he has
in his possession?

South Africa may have to consider possible legislation governing theft of
identity in line with US; also being investigated by the EU.
 Regarding legislation FOR NATIONAL SECURITY PURPOSES
• Protection of Constitutional Democracy Against Terrorist and Related
Activities Act 33 of 2004 protection of national security, such as terrorism.
• Here one will have to keep in mind the proposed National Cybersecurity
Policy Framework Act.
Question: What about the proposed draft National
Cybersecurity Policy Framework (NCPF) for South Africa?
Answer:
• The purpose of the NCPF is to protect the national cybersecurity by securing
the national critical information infrastructure.
• The key focus areas will be matters related to cyber warfare, cyber intelligence
and cybercrime.
•
•
•
The NCPF will be established by the Justice, Crime Prevention and Security
Cluster (JCPS) which will be responsible for measures to address national
security in terms of ‘cyberspace’; measures to combat cybercrime, overview
and updating of existing substantive and procedural laws; and measures to
build confidence and trust in the secure use of ICTs.
The Department of State Security will establish a central authority, the
Cybersecurity Coordinating Centre where all computer incident response
teams (CSIRTs) in South Africa will report incidents.
When it comes to national security, a multi-layered approach must be
employed with different role-players such as companies, private persons being
involved but human rights protection in still paramount.
o Take note of the USA position in respect of national cybersecurity
legislation.
• This is a commendable proposal.
• However, South Africa must look at the protection of the national
information infrastructure comparatively and from the perspective that
the threat may come from outside the borders of South Africa.

•
Although South Africa must have a national cybersecurity framework in
place, cybersecurity will ultimately have to be addressed on an
international (global) level.
However, in respect of South Africa’s role within the African Union, the
draft African Union Convention on the Establishment of a Credible Legal
Framework for Cyber Security in Africa must also be kept in mind.

•
Part 3 provides for combatting cybercrime.
 Of the 35 African countries that ratified the UN additional protocol on child pornography,
only South Africa has legislation in place.
 Gercke also said developing countries need to have cybercrime legislation and enforcement
in place.
Also take note: It is not always easy to establish the type of cybercrime, for
example regarding a ‘cyber attack’ the following will have to be addressed:
o
When does a ‘cyber attack’ constitute cyber-war, cyber-terrorism or information
warfare?
 Which type of cyber attack was launched on the nation-state, Estonia in 2007?
 Some authors draw a distinction between ‘cyber attacks’ and cyber exploitation.
 Cyber exploitation is for example espionage which is defined as an
intelligence-gathering activity.
− Motive: theft of intellectual property.
 Distinguish between different types of espionage: military, political and
industrial espionage.
 May a nation-state such as South Africa defend itself
against a cyber attack?
o Article 51 of the United Nations Charter provides for self-defence
against an armed attack.
- Debatable whether an ‘armed attack’ will include a cyber attack.
- A cyber attack launched against systems that run the prisons or airports or utilities that run
power grids or water systems can have devastating consequences.


Customary international law provides for self-defence.
Does self defence include a pre-emptive action, in other words may a
nation-state defend itself against forces that present an imminent danger
of attack?
- Some nation-states today are threatened by terrorism, for example the
9/11 US attacks.
 Much of the organisation of the 9/11 US attacks were done online
outside the US.
o The legal position in the USA regarding cyber attacks:
 In 2011 the United States (US) Congress authorised the use of a military
response to a cyber attack.
 In Aug 2012 the Senate rejected the Cybersecurity Act of 2012 saying it
infringes constitutional rights.
o In 2012 Germany announced that it had a cyberwarfare unit to defend itself
against hackers and attacks from other nations.
o Israel and the US have admitted to creating the capacity for offensive
cyberwarfare (to defend against cyber attacks).
Question: How effective/successful is the
prevention, detection, investigation and
prosecution of cyber crime?
Answer:
South Africa:
The problems does not lie with cybercrime
laws, but the practical problems experienced
with cybercrime within the territorial borders
of South Africa.
• Are the victims of cybercrimes reporting the
crime?
o
A victim such as a bank would rather not report it since it will run the risk of customers losing
confidence in the security of the bank and would affect negatively affect their intellectual
property (trade name).
• A lack of investigative enforcement capacity
exists.
o
There is a need for a specialized police unit.
o
The perpetrators are in may instances more technologically advanced than law
enforcement agencies.
• Cybercrimes are not easy to investigate.
For example: The use of skimming devices at ATMs to clone
credit cards and the use of the cloned (counterfeit) credit cards
are faceless crimes as the perpetrator responsible for the
skimming of the card and/or the person using the counterfeit
card do not interact physically with any person and therefore
they are not easily identified. In many instances the crime is
committed by so-called ‘card-not-present’ fraud where the
fraudulent purchases are made over the internet, by telephone
or fax.
o At this stage it is mostly the ‘runners’ who are convicted but not the
mastermind behind the syndicate.
• If convicted, the light sentencing may not
achieve the objectives of sentencing.
• Above is exacerbated if the crime is
committed across borders, e.g. so-called
4-1-9 scams (fraud).
Problems experienced with cybercrime
USA:
• The problems with cybercrime prevention was
illustrated last year when members of LulzSec, online
activists, hacked into and launched DDoS attacks
against US agencies, such as the FBI and the senate.
• It was reported on 18 June 2012 (press.co.nz) that US
companies are taking retaliatory action by using
‘strike-back’ or ‘active defence’ technology against
hackers since they feel frustrated by the legal system.
o The companies have accepted that they cannot prevent
hacking, but should have measures in place to detect it as
soon as possible.

Experience problems with espionage and extortion (e.g. data are
encrypted and the perpetrator prepared to decrypt after payment).
o US security professionals
cybercrime/security legislation.
want
stricter
4.2
Regulating cyber crime by means of
transnational laws
• Across borders crimes can only be dealt with by means of
harmonised laws.
• Countries realize that they needed transnational laws since
many cyber crimes are committed outside its territorial
borders (multi-jurisdictional crimes).
o Espionage or terrorism or cyber-attacks.
• There is no international treaty regulating cybercrime.
• There is a transnational treaty, namely the CoE Convention
on Cybercrime of 2001 adopted in 2001 and came into
operation in 2004.
o It was signed by most of the CoE member countries and 4 nonEuropean countries, namely Canada, US, Japan and South
Africa.
o It is a commendable instrument as it provides harmonisation of
cyber crime laws.

It provides for guidelines to establish cybercrime laws and have always
available point of contact to assist cybercrime investigators in other
countries.
 When it comes to transnational regulation of
the internet, it is increasingly clear that
regulation and co-operation between states
are complicated and frustrated by political,
economic, diplomatic and/or cultural issues.
The following examples will illustrate some of the problems
experienced with cybercrime regulation on a transnational level:
i. Regarding the Cybercrime Convention:
• The Convention of Cybercrime does not enjoy global
recognition as it is perceived by some as a European
instrument.
• Although most CoE members signed it, Russia did not sign it.
o
Russia’s objection focused on its sovereignty.
• South Africa may have signed it, but has not ratified it and it is
unlikely it will.
o South Africa joined in 2012 the economic organisation,
BRICS which consists of Brazil, Russia, India, China and
South Africa.
ii. Regarding the issue of ‘extradition’ of cyber crime
perpetrators of across border crimes:
• Why can the perpetrator not be put on trial in the country from
where the crime originated and of which country the perpetrator
is a national rather than the country where the effect of the
crime was experienced?
o
o
International law distinguish between subjective and objective territoriality.
Section 90 of the ECT Act
McKinnon case compared to the
LulzSec hacker
(United Kingdom cases)
Roach case
(South African case)
Mckinnon: In 2005 the US government requested the
extradition of McKinnon, a UK citizen. McKinnon
allegedly hacked between Feb 2001 and March 2002
into 97 US military, navy and NASA computers and
caused a lot of damage. It has been an ongoing dispute
whether McKinnon should be extradited, e.g. will he have
a fair trial etc?
Clearly, allegedly a member of LulzSec, an online
hacking organisation, and 3 others launched DDoS
attacks against various US governmental agencies, such
as CIA, Serious Organised Crime Agency etc.in 2011,
will stand trial in the UK.
Roach threatened in 2011 to unleash foot
and mouth disease on British live-stock if
he was not paid $4 million. He also
threatened a similar attack on the US. He
wanted to use the money to compensate
farmers who were forced off their farms in
Zimbabwe. He was convicted of
attempted extortion, money laundering
and illegal possession of ammunition and
sentenced. He is serving 5 years
imprisonment.
iii. Regarding
the
Draft
Declaration
of
Fundamental Freedoms presented in 2011 at
the OSCE (Organisation of Security Cooperation in Europe) summit, the following
was highlighted:
• The US Secretary of State presented a draft of
the Declaration on Fundamental Freedoms in
the Digital Age which protects freedoms such
as freedom of expression in respect of Facebook
and other social media.
o Talking about human rights on the internet is
important:
 The so-called ‘Arab Spring’ revolutions started with the
creation of groups on Facebook and Twitter.
 But social media can be abused as was seen 2011 in
London with the riots.
 There is a fine line between surveillance and censorship.
• Russia rejected the draft declaration.
o Why would Russia reject it?
 It may be speculated that some nationstates may feel that so-called ‘superpower’ nation-states are super-imposing
legal issues on them.
- The consequence is that legal proposals, even
commendable proposals, are then in a dead-locked
situation.
Regulating cyber crime by means of
international law
• Why do the internet-connected nation-states
need regulation on an international level?
4.3
o Cyber crime is a global issue and should be addressed on
a global level.
o It will be addressed under the auspices of the United
Nations (UN) which will be a central ‘authority.’



It has been said that cyberspace is becoming a “place
where a lot of forces are fighting for leadership.”
Global intervention may address the allegation that some
nation-states are trying to regulate the internet to their own
benefit and super-impose their laws onto other nation-states.
Global intervention may ensure global communications on
issues such as China requesting recently in 2012 an
independent DNS rooter and not a central DNS rooter will
have censorship implications and should be discussed on a
global level.
• On a global level we need harmonised
cybercrime laws.
 The CoE Cybercrime Convention will not provide
a harmonised instrument.
 As illustrated, some nation-states may oppose
legal proposals made by other nation-states due to
political, and/or diplomatic and/or cultural and/or
economic differences.
• Also some countries may have national and
even transnational cybercrime laws, but it is
not enforced.
o Why are the laws not enforced, for example
developing countries in Africa?
 Not enough expertise, financial resources.
o Possible solution of non-enforcement is to apply
extra-territorial jurisdiction.
 Which proposals have been made on an
international level?
• Proposals that may be considered in the short
term:
1) Code of conduct:
o In 2011 nation-states such as China, Russia, Tajikistan and
Uzbekistan requested the UN General Assembly for a code
of conduct regarding the use of information technology.
 The aim is for countries to co-operate to combat
criminal and terrorist activities and for nation-states
to vow not to use technology to carry out hostile
acts of aggression.
-
Nation-state may for example give a commitment that if a
national of that nation-state launches for example a cyber attack
that the nation-state will prosecute such a perpetrator.
• Proposals that may be considered in the long
term:
2) Start negotiating a global Cybercrime Treaty.
o There is a need for harmonised cybercrime
laws; and
o Co-operation between nation-states regarding
cybercrime prevention, detection, investigation
and prosecution.
3) Maybe discuss the possibility of an International
Cybercrime Court.
o Judge Stein Schjolberg of Sweden has complied
a paper advocating the implementation of an
International Cybercrime Court in May 2011.
5.
CONCLUSION
REGARDING
CYBERCRIME
REGULATION
• Each country must have national laws in place for the purpose of law
enforcement and national security.
o South Africa has it in place and is enforcing it.
o If South Africa is compared within the context of the African Union,
South Africa should be commended on trying to keep up to date with
ICT legal developments.
 However, theft of identity will have to be addressed by legislation.
 Sentencing need urgent attention; it is too lenient.
o The investigation will have to be re-looked: better training will have
to be provided.
• Cybercrime regulation must be done comparatively to ensure
harmonised laws.
• Across border/multi-jurisdictional cybercrime regulation is now at a
cross-road and discussions regarding cybercrime and issues related to
it will have to be done on a global level.
• It appears that due to political, economic, cultural and diplomatic
differences the global world cannot agree on a transnational level and
under the auspices of the United Nations, better progress may be
made.