Exploring South Africa’s Cybersecurity Legal Framework regulating Information Confidentiality, Integrity, and Availability

M. Watney
International Conference on Cyber Warfare and Security, volume 89 3. Published 2024-03-21. DOI: 10.34190/iccws.19.1.1999 (https://doi.org/10.34190/iccws.19.1.1999)

Abstract

The discussion critically evaluates the effectiveness of laws dealing with cyber threats within the context of the South African cybersecurity landscape. It deals with the legal response to non-state cyber operations to national security and law enforcement by means of the domestic law and not with state or state-sponsored cyber operations, which fall within the remit of international law. Globally, the digital ecosystems of all countries face a common denominator, namely the threat of cyber operations and how to deal with it effectively. There are various cyber operations, but the discussion mainly deals with cyber operations that target the confidentiality, availability and integrity of information and the effectiveness of the South African cybersecurity legislation in protecting information. The effectiveness of the following legislation will be deliberated:

• The Protection of Personal Information Act (POPIA) 4 of 2013. POPIA does not define a data breach, nor does it indicate the time in which the breach must be reported to the Information Regulator (IR). In 2021 the Department of Justice and Constitutional Development (Department) suffered a ransomware attack. The breach was reported to the IR. In July 2023 the Department became the first institution to be fined for failure to comply with an enforcement notice.

• The Cybercrimes Act 119 of 2021. The ransomware attack suffered by the Department in 2021 constitutes a cybercrime, but how effective is the Cybercrimes Act in facilitating the investigation and prosecution of the threat actor(s) who orchestrated the attack? Should there not be guidelines in respect of a ransomware attack prescribing a compulsory reporting obligation or discouraging payment of ransom?

The first line of defense against offensive non-state cyber operations is a robust and resilient cybersecurity legal framework. Although a government cannot eliminate all possible threats, it can mitigate the risks, and this can be achieved by means of a comprehensive cybersecurity strategy. A country should have a cybersecurity strategy, and it will be determined whether, for example, the 2023 United States of America cybersecurity strategy could serve as guidance to South Africa.

In today’s digital world, one cannot ignore the importance of cybersecurity. One single security breach may result in the exposure of the personal information of millions of people. Cybersecurity legislation is therefore essential to ensure the protection of government departments, institutions, businesses and individuals against malicious cyber operations.