Internet for All; Cybersecurity; Electronic Communications Amendment Bill: discussion

Meeting report

Internet for All

Mr Robert Nkuna, Director General: Department of Telecommunications and Postal Services (DTPS), said that following the International Telecommunications Union (ITU) conference held in Durban recently, South Africa had been elected on to the Council of the ITU, and that a member from the Independent Communications Authority of South Africa (ICASA) had been elected a member of the radio regulations board of the ITU. In 2019, the ITU would be holding a symposium on 5G -- the fifth generation of cellular mobile communications -- for countries from Africa, and South Africa was pushing that the meeting should also discuss the digital economy on the 5G spectrum. The last African preparatory meeting for the next World Radio Conference would be held in South Africa in June or July next year. The world 5G deployment was expected to happen in 2021.

The Chairperson expressed his serious reservations as to whether the Electronic Communications Act (ECA) bill would be completed in this year.

Ms Jeanette Morwane, Acting Deputy Director General (DDG): Information Society and Development, said that “Internet for All” had been launched in May 2017 at the World Economic Forum on Africa in Durban. Its objective was to connect 22 million new users to the internet by 2020. The total number of stakeholders involved to date was 66 organisations, and the Secretariat was staffed by the DTPS and a seconded member from one of the voluntary organisations.

She said the “Internet for All” platform was made up of four pillars:

• Infrastructure: Access to connectivity in the underserviced/remote areas.
• Skills and Awareness: Focusing on digital literacy, training for youth and small, medium and micros enterprises (SMMEs), but also on the provision of advanced digital skills such as coding.
• Content: Focusing on e-government services as well as creating local content.
• Affordability: Focusing on affordable data and smart devices.

The steering committee dealt with infrastructure, working on GAP modelling and broadband connectivity in remote areas; and also, affordability, working on broadband pricing and the broadband spectrum. The Secretariat dealt with content and skills, doing language translation and basic digital skills; and also dealt with data, working on the “Internet for All” dashboard and measuring digital inequality. She spoke to the skills and awareness working group’s training activity done by Google, Microsoft, Cisco, Ericsson, Huawei and the Schools Project. She addressed the content of the working group’s activities in language translations, the provision of government e-services, applications to empower SMMEs, usage stimulating content, and entertainment.

She then spoke about the infrastructure working group’s activities and said the GAP Analysis, with the assistance of the Council for Scientific and Industrial Research (CSIR) and ICASA, had progressed significantly, with two provinces completed. There was also a commitment from the Wireless Access Providers Association (WAPA) and the FTTX Council to share their coverage information, which would strengthen the understanding of the underserviced or uncovered areas.

There had been successful implementation of six pilot areas, with the assistance of Intelsat, Dudusec and Sentech, which had been completed ahead of schedule with further growth of the solutions in the areas completed and the addition of districts. The locations were selected by the DTPS, and Alfred Nzo, Bethlehem, Mukula, Mhinga, Jane Furse and Wesselton were completed. On devices and performance, mobile penetration and smartphone ownership in the South African market was increasing at a significant pace with a median of 53% reporting ownership of a smartphone in 2018, up from 33% in 2017. Despite this growth however, large populations still owned basic phones that were lacking the necessary functions to use the Internet due to affordability and other factors. There was a need to push for more Third Generation and Long-Term Evolution (LTE) devices.

Cybersecurity

The Chairperson said that the Committee needed to include the Portfolio Committees of Home Affairs and Police in joint sittings on the cybersecurity issue.

Dr Kiru Pillay, Chief Director: Cybersecurity Operations, DTPS, said one way to measure the state of cybersecurity of a country was to use the ITU Global Cybersecurity Index (GCI). The objective of the GCI was to help countries identify areas for improvement, as well as to motivate them to take action to improve their ranking, thus helping to raise the overall level of commitment to cybersecurity worldwide. The five pillars of the GCI were:

• Legal: A measurement based on the existence of legal institutions and frameworks dealing with cybersecurity and cybercrime.
• Technical: A measurement based on the existence of technical institutions and frameworks dealing with cybersecurity.
• Organizational: A measurement based on the existence of policy coordination institutions and strategies for cybersecurity development at the national level.
• Capacity Building: A measurement based on the existence of research and development, education and training programmes; certified professionals and public sector agencies fostering capacity building.
• Cooperation: A measurement based on the existence of partnerships, cooperative frameworks and information sharing networks.

South Africa had scored medium levels of commitment to all pillars except legal, where it had a high level of commitment. Its global ranking was 58th place.

He referred to the National Cybersecurity Policy Framework (NCPF) and the legislation currently tabled before Parliament, namely the Cybercrimes and Cybersecurity Bill and the Critical Infrastructure Bill which was out for public comment. He said regulations would be drafted on promulgation of the Bill. The Information Regulator was empowered to monitor and enforce compliance by public and private bodies with the provisions of the Protection of Personal Information Act (POPIA). A person or business that was responsible for personal information would, in the event of a security compromise, have to notify the Information Regulator as well as any parties whose personal information was accessed or acquired by an unauthorised party. Dr Pillay said there was not a lot of empirical evidence regarding attacks, therefore the need for regulations around documenting attacks.

He spoke about the Cybersecurity hub functions and said sector Computer Security Incident Response Teams (CSIRTs) had been established to increase collaboration through public-private partnerships and to coordinate responses to threats at a national level. Other functions were the dissemination of information, establishing best practice guidelines, developing standardisation, initiating cybersecurity awareness campaigns and to do readiness assessments and skills development.

On the coordination of activities, he said there was a cyber response committee chaired by the DG of the State Security Agency which received input from the cybersecurity centre, which in turn received input from all the sector CSIRTs.

The Cybersecurity Hub, according to the National Cybersecurity Policy Framework (NCPF), had to have the ability to respond quickly to cybersecurity threats and incidents and to this end, the Hub had established a ‘ar room’ which enabled constituents and law enforcement agencies to communicate with each other in a secure manner from remote locations.

He spoke to developing a standardisation of threats as a means to understand all the components of a threat and to combat threats proactively. Part of the Hub’s mandate was to coordinate threats at a national level. The National Response Capability research initiative was developing response and escalation protocols in the event of an attack against the country. Currently three scenarios were being developed:

• An attack against national critical infrastructure;
• A large data breach attack, where the private sector would be one of the main stakeholders;
• An attack that may originate in another country or take place from SA targeting another country; in which mutual legal agreements (MLA’s) and national CSIRT-to-CSIRT communication and coordination would be important.

Dr Pillay said a national Awareness Portal had been developed and launched in October 2017. Two programmes dealing with cyberbullying and financial astuteness were being run in conjunction with stakeholders. In partnership with the Government Communication and Information System (GCIS) it was involved with:

• Developing information adverts with weekly competitions on 65 community radio station in all districts.
• Designing one-page information brochures, translated into the 11 official languages and distributed during planned community outreach programmes.
• Content development, production and flighting of a weekly, five-minute, 10-episode cybersecurity programme broadcast on selected public radio stations.
• A media partnership with a selected commercial radio station (e.g. Power FM, Talk Radio 702/Cape Talk) for a month-long advertising campaign during Cybersecurity month.
• Engaging with relevant television programmes such as Morning Live, Network, Sunrise, etc. for non-paid-for features with key messages on Cybersecurity.
• The conceptualisation and production of a Cybersecurity mascot, which would be utilised for community, outreach programmes.
• Cybersecurity features on GCIS social media, radio and print platforms.

On developing the Cybersecurity SMME sector, he said most SMMEs were either service providers or advisory in nature. Only a few were actively involved in research.

On the development of a national Cybersecurity skills framework , he said it was based on international best practice model - National Initiative for Cybersecurity Education (NICE) – and was customised for South Africa. It had been developed in collaboration with the South African Banking Risk Information Centre (SABRIC) and the Bank Sector Education and Training Authority (SETA), and had been socialised with various other SETAs. Organising Framework for Occupations (OFO) codes had been developed as a precursor to curriculum development

Ms J Kilian (ANC) said it was important for the Committee to know what the National Assembly’s Portfolio Committee on Justice had approved in terms of the Cybersecurity and Cybercrimes Amendment Bill and where in the process the relevant National Council of Provinces (NCOP) Committee was.

Ms M Shinn (DA) asked whether CSIRT played an important role during deliberations on the bill, as the bill should be activated and regulated as soon as possible.

Dr Pillay said the process was outside of their mandate -- it was Intelligence’s mandate. The Department of Telecommunications’ responsibility was only the cybersecurity hub.

Debit Orders

Mr Charl Ackerman, Senior Legal Counsel: Payments Association of SA (PASA), spoke about the National Payment System (NPS). The NPS settled R118 trillion annually, of which 9% was retail transactions. PASA’s role was to maintain a safe and efficient NPS “infrastructure”, to stimulate, encourage and facilitate the development of new “infrastructure”, and to protect a critical “common” public asset. PASA was recognised and overseen by the SA Reserve Bank and existed to facilitate the circulation of money in the interest of the economic development of South Africa, and aspired to be world class.

Moving on to debit orders he said a typical model was of the consumer, his bank, the sponsoring bank and the user, like for example, an insurance company and the debit order mandate for a transaction resided with the user. The number of debit order disputes between June 2017 and June 2018 had been 9.3%, and reflected a year on year increase of 37%. PASA was in the process of trying to reduce this through the introduction of DebiCheck, which was a world first and aimed to reduce debit order abuse. In the DebiCheck process, the mandate which resided with the user would now require the consumer’s bank to have an electronic copy of the mandate, which would improve the authentication of debit orders. In the process of implementing DebiCheck, the industry was setting itself up for further payment modernisation. Development and testing had been completed and its implementation was currently being phased in.

Discussion

Mr C Mackenzie (DA) questioned the need for the Ikamva Skills Institute, given that the presentation showed the impressive large amount of digital skills training done by the private sector. The presentation had not included timelines for the completion of work. Fraudulent debit orders by rogue operators were theft and should be criminally charged as such. When would prosecution against someone be made?

Ms Shinn asked how the “Internet for All” work was being funded. Was it by the Department? She was encouraged that 81% of the rural population was covered. Was that by 3G? She said that mention had been made of being staffed by a non-governmental organisation (NGO) or consultancy firm to get the project off the ground. Who were they, were they still part of the project, and who paid them?

Ms D Tsotetsi (ANC) asked whether the DTPS was doing enough to market information technology (IT) in terms of its awareness campaigns. How was the Department dealing with the challenge of the other official languages? What negotiations had the Department entered into with Nigeria to limit what Nigerians were doing in South Africa? How was it possible that third parties could withdraw an amount greater than the daily amount limit that was set? She asked if it was possible to use face recognition technology to qualify a transaction, and where the face was covered, an ATM would not complete a transaction. Did the banks think they were world class? Were debit orders free, because surely there had to be a charge?

Ms N Ndongeni (ANC) asked what criteria were used when training students, and in which provinces the training was being done. She said the cyber hub had been launched in Pretoria. Was it working? Were there any challenges? She requested a report on fibre security operations. She wanted to know why charges were levied for debit order reversals when the fraudulent debit order was no one’s fault.

The Chairperson spoke to the weak strength of signal in lots of places, even in areas like, for example, Pelican Park where the level of signal was so weak there was no internet access, and therefore one could not work. He said that some of the security information about people appeared to be in private hands. How did this happen? He asked how many queries on debit order fraud there were on a monthly basis. If one was to report fraud, who should be reported, the money taker or the bank? He asked if the Committee was allowed to get a list of the names of companies doing fraudulent transactions.

PASA’s response

On fraudulent debit orders, Mr Ackermann replied that it was theft and PASA was working with SABRIC to take collectors to task. There were challenges in getting things to court, as complainants lost interest once they received their money back and were not interested in following up and participating in criminal charges that might be brought. To counteract that, a form was now required when disputing with banks which would allow for the gathering of evidence. There were two cases that were being prosecuted currently. The problem was that the cases kept getting postponed by the defendant’s legal manoeuvres.

On why charges were levied for debit order reversals, Mr Ackermann replied that PASA had no pricing mandate and members were competitors who set their own prices. Treasury, in conjunction with the World Bank, had published a paper which raised the issue of charges for debit order reversals, and PASA would be working with Treasury on how to address the matter.

On how much debit order fraud there was monthly, Mr Ackermann replied that it was 9.3% of debit order transactions. He did not know the value of these transactions off hand.

He said it was the entity pushing the payment through, not the bank that had to be reported.

On the Committee getting the list of the names of companies doing the fraudulent transactions, he said that the Committee needed to write a letter officially requesting the list of company names.

Cybersecurity: response

Dr Pillay said the cyber hub had been operational since 2015. What had been presented in the presentation was the mandate as prescribed in the NCPF. National CSIRTs presented their credentials to a forum which gauged whether the various aspects of the CSIRT were in place, and the hub was in the process of applying for membership.

On information of people appearing to be in private hands, Dr Pillay said the attack on the Master Deeds Office meant that the information of anyone who had a home or had applied for one, was in the public domain. Data augmentation companies build up a profile of a person using social media, and then sold that data. The POPI Act meant that only relevant information could be collected at gated communities.

On translation into other official languages, Dr Pillay replied that the cyber bullying platform that had been inherited had been translated into four languages, and universities had been engaged to use their translation services, and community radio station programmes had to ensure that inserts were in all the languages..

On what Nigerians were doing in South Africa, he said that at the national CSIRT level there were engagements with other national CSIRTs if it was found that there were concerted efforts from another country. Bilaterals and legal agreements could also be called upon. If an organisation could be identified, then a take down notice could be issued, which was fairly successful.

On the ability of third parties to withdraw an amount greater than the daily limit, he said a bank was attacked a few years ago where malware was placed, and cloned credit cards were used, pointing to the sophistication of the attack. More than the daily limit was often withdrawn through a sim swop which allowed increased limit authorisation requests to be approved.

“Internet for All” response

Ms Morwane replied that the “Internet for All” work initiative was funded through voluntary companies and the DTPS funded the operations of the working group. The Department was looking at how it could fund the initiative to ensure its sustainability.

On being staffed by an NGO or consultancy firm, she said there was an internal Departmental team plus one member who had been seconded from MTN.

On timelines for the completion of work, she replied that they would improve on reporting and provide targets with timelines.

On translation into the other official languages, she said that languages were something it was working on as part of the national e-government programme. The national e-services portal was developed, and the Department of Arts and Culture had offered to translate all 50 e-services that the initiative had developed and published.

On the training of students, Ms Morwane replied that currently it was leveraging off existing structures like SA Connect’s provincial steering committees.

 

Regarding the weak signal strength in some areas, she said that the sites rolled out by Intelsat and Sentech were carrying traffic currently at 10 megabits per second, but wanted to increase this figure.

 

The meeting was adjourned.