[ Home ] [ Speeches & statements ]

18 June 2008

Theme: Building partnerships for effective management of internet security risks at country and international levels.

[Minister has only five minutes to contribute, hence a slight revision from the initial speech outline].

1. Introduction

* Thanking Organisation for Economic Co-operation and Development (OECD) for inviting South Africa (SA) to participate in the work of the OECD as an observer
* What this gesture mean for South Africa.
* SA participated in two working committees on Information Party reflecting SA's experience so far.

2. Infrastructure to support information economy

* Information economy requires huge investments in critical information and communication technology (ICT) infrastructure especially broadband infrastructure.
* Investment in national backbone broadband infrastructure and submarine cables.
* Such infrastructure should be secured and protected to support e-commerce thereby building confidence to transact online.

3. Institutional arrangements to ensure secure internet infrastructure

* Internet has created borderless societies worldwide changing how information is shared posing security risks in the cyberspace.
* The need to build national and international partnerships between public and private sector institutions.
* Hence the need for countries to develop and harmonise legislative frameworks to deal with the cyber security and protection of the critical information communication infrastructure.

* At international level, there are initiatives such as:
a. The International Telecommunication Union (ITU's) High Level Expert Group (HLEG) that aims to develop strategies and guidance to countries in dealing with cyber crime.
b. International multilateral partnership against cyber-terrorism (IMPACT), will contribute to forging partnerships and collaborations geared towards combating cyber crime, thus building confidence in the use of internet.
* In South Africa:
a. Electronic Communications and Transactions Act provides for the appointment of cyber inspectors.
b. Establishment of Communications Security (Pty) Ltd (COMSEC) to detect, deterrence and compacting cyber threat.
* The need to protect and empower consumers online to ensure secured online transactions.
* The need to building a culture of security in the face of rapid technological and socioeconomic changes and illiteracy levels particularly in developing countries.

4. Concluding remarks

Prepared by:
Mr NN Munzhelele and Rosey Sekese
12 June 2008

2. Explanatory notes

2.1 Measures to assess and manage security risks

* Some countries have legislative frameworks that deal with the cyber security and protection of the critical information communication infrastructure. Most of these legislative frameworks are not harmonised with each other. The harmonisation is curial to the resilience, reliability and confidence in the use of the internet and cyberspace.
* The internet has created a borderless world, hence the need for harmonisation.
* It is important that countries who do not have legislative frameworks be encouraged to develop own legislative framework that governs cyber space.
* The High Level Expert Group (HLEG) under the International Telecommunications Union (ITU) umbrella is one of the international initiatives aimed at developing strategies and guidance to countries in dealing with cyber crime. HLEG has adopted the following five focus areas:
(a) legal measures,
(b) technical and procedural measures,
(c) capacity building,
(d) international cooperation,
(e) organisational structures.

South Africa is benefiting more in participating on the HLEG and South Africa is currently using the preliminary output of the HLEG towards the development a national Cyber Security Framework.
* Initiatives such as international multilateral partnership against cyber-terrorism (IMPACT), also contribute to a great extent to forging partnerships and collaborations geared towards combating cyber crime, thus building confidence in the use of internet.
* It is also important to create awareness for the end users regarding cyber security and threat, to enable them to effectively secure themselves from cyber threats. It is sometimes lack of knowledge that makes it easy for cyber criminals to attack end users. As and when new threats are known, there should be published so that the end users are aware of the new threats and can protect themselves.

2.2 Ways of detection, deterrence, combat cyber threat to security and consumer confidence like "malware" and identity theft

* There are various ways of dealing with the cyber security ranging from awareness for end users, software development and update, involves academia and expert research and training. A Computer Security Incident Response Team (CSIRT) is also a critical mechanism for detecting, deterring and combating cyber threat. In South Africa, Electronic Communications and Transactions Act, 2002 (ECT Act) provides for the appointment of cyber inspectors as another way of detecting, deterrence and compacting cyber threat.

* As a way of working towards detection, deterrence and combat cyber threat the department and COMSEC has established a partnership through a Memorandum of Understanding for:
(a) identification and protection of the critical infrastructure,
(c) CSIRT establishment (for the organs of the states),
(d) collaboration with academia and international partners with respect to cyber security skills development.

* South Africa is working towards becoming a member of the Forum for Incident Response Security Teams (FIRSTs), which aims at resolving continuous stream of security-related attacks and incidents including handling thousands of security vulnerabilities affecting nearly all of the millions of computer systems and networks throughout the world connected by the ever growing Internet), through COMSEC.

2.3 Factors that needs to be in place for identity management systems

* For the purposes of ensuring the business efficiency, quality of services, ensuring information security, and privacy and consumer trust in online transactions, it is important to establish authority/agency that will be responsible for accreditation of authentication services and products. In South Africa, the South African Accreditation Authority (SAAA) which was established in terms of Electronic Communications and Transactions Act is responsible for accreditation of authentication services and products, more importantly the accreditation of service providers who will issue advanced digital signatures. If these signatures are compromised, it can be easily detected. The Root Certification Authority1 is in South Africa.

2.4 How to best protect minors online

* Internet has grown exponentially and in importance in all spheres of modern life. It is an important phenomenon of modern society touching the lives of everybody in some way or another. The ease of access and relative cheap cost of disseminating information have changed many of the ways in which information is gathered or disseminated today. The challenges we face as a country is harmful content that targets children or uses children. In this regard, it is important for governments to ensure that their cyber crime legislations offer adequate protection of minors online.

* In South Africa, ECT Act, among others, seek to promote a safe and secure electronic environment. In this context, the minister of communications may recognise an industry representative body for service providers. On 14 December 2006, minister of communications has gazetted the Guidelines for Recognition of Industry Representative Bodies of Information System Service Providers ("Guidelines"). One of the conditions in the guidelines that the minister issued is that this industry body representative has to have a code of conduct that all its members are subject to.

* The guidelines requires the code of conduct to contain clauses/provisions that deals with the protection of minors. In this regard, provision 5.9 of the guidelines stipulates the following:
* members will take reasonable steps to ensure that they do not offer paid content subscription services to minors without written permission from a parent or guardian;
* members undertake to provide their recipients of internet access with information about procedures, content labelling systems, filtering and other software applications that can be used to assist in the control and monitoring of minors' access.

* Provision 5.4 of the guidelines provides the following with regard to content control:
* There is no general obligation on any member to monitor the content of the recipients of its service, except as provided in South African law such as the requirements in the Films and Publications Act, 1996(Act No 65 of 1996) on the prevention of child pornography, but a member is obliged to take action where it becomes aware of any illegal or unlawful content or conduct.
* A member shall not knowingly host or provide links to content that it knows is illegal or unlawful, except when required to do so by law, or engage in conduct that is illegal or unlawful.
* Members shall adhere to the code of conduct, the disciplinary procedure and the decisions of the IRB.
* Where a member becomes aware of illegal conduct or content, it shall suspend or terminate the recipient of the service's services and report the conduct or content to the relevant Enforcement Authority. In all instances members shall report such conduct or content and the steps taken to the IRB within a reasonable period of time.
* Members shall keep a copy or record of all take-down notices received in terms of the ECT Act and materials that have been taken down as a result for a period of three years, unless possession of such materials is illegal. In the latter instance such copies should be provided to the relevant Enforcement Authorities.
* In South Africa, at this point no entity has been recognised as an industry body representative.

2.5 Strengthen cross-boarder co-operation in the enforcement of laws

* Cyber-threats do not recognise borders or laws. There is a need for governments, business and civil society to work together to protect and secure their national cyber-spaces and critical infrastructure. Governments through-out the world are not able to deal with the emerging threat by their own, hence international initiative such 'International Multilateral Partnership Against Cyber-Terrorism (IMPACT)2; International Telecommunication Union (ITU) Global Cyber security Agenda 3 have been launched, in order to foster international co-operation. It is important for countries to also look at the Council of Europe Convention on Cyber Crime, which can be used as a framework for cyber crime legislation in different countries.

3. Key message

3.1 It is imperative that countries should have a national legislation that is aimed at curbing cyber crime as this will in turn build confidence in the utilisation of the internet as there will be legal recourse to deal with cyber crime and criminals. At regional and global level there should be harmonised legislation which will promote co-ordination and co-operation between different countries.

3.2 The global public-private initiatives aimed at combating cyber threats such as ITU GCA and IMPACT together with the work of the Council of Europe with regard to the Convention on Cyber crime presents significant step in the information age which emerges at a critical stage where governments are expected to ensuring that ICT infrastructure is robust, reliable and affordable to support multiplicity of applications and services. The outcome of the ITU HLEG will to assist in great extent countries to draft their legislative framework and to develop strategies to address the challenges of cyber threats/cyber crime.

3.3 The other important factor is creating awareness for the end users, with regards to cyber vulnerabilities.

3.4 In addressing the critical question of building confidence in use the internet and cyberspace, much emphasises should be on building capacity (i.e. skills development, research and training taking in account the needs of the developing countries.

1 A certification authority is an authority in a network that issues and manages security credentials and public keys for message encryption and decryption. A certification authority should authenticate documents to verify identity of a person or organisation before issuing a digital certificate.

2 Minister of communications indicated in her 2008 budget vote that "The issue of cyber security is high on our national agenda, as proven by the large delegation from South Africa who participated in the recent conference on the International Multi-lateral Partnership Against Cyber Terrorism (IMPACT) in Malaysia. The South African participants from our security cluster and the private sector was indicative of the collaborative nature required in dealing with the scourge of cyber terrorism and cyber crime, which poses a threat to our country's critical infrastructure". IMPACT was established in May 2006 as the world's first international partnership dedicated to combating terrorist activities in the area of information and communication technologies. The IMPACT initiative was formally announced by the Honourable Malaysian Prime Minister, Abdullah Badawi at the conclusion of the World Congress on Information Technology (WCIT 2006) staged in Austin, Texas, United States of America (USA).

3 The United Nations (UN) General Assembly Resolution 56/183 (21 December 2001) endorsed the holding of the World Summit on the Information Society (WSIS) in two phases. The first phase took place in Geneva from 10 to 12 December 2003 and the second phase took place in Tunis, from 16 to 18 November 2005. WSIS adopted the Geneva Declaration of Principles and Geneva Plan of Action. The common vision and guiding principles of the declaration are translated in the Plan of Action into concrete action lines to advance the achievement of the internationally-agreed development goals. In this context line C5 of the WSIS Action Plan provides for building confidence in the use of Information and Communication Technologies (ICTs). It is of vital importance to note that confidence and security in using ICTs are fundamental in building an inclusive, secure and global information society. In this regard, on 17 May 2007, the Global Cyber Security Agenda (GCA) was launched (i.e. International Telecommunications Union (ITU) framework for international cooperation aimed at proposing strategies for solutions to enhance confidence and security in the information society).

In order to assist the Secretary-General of the ITU in developing strategies, a High Level Experts Group on Cyber security (HLEG) was established. The responsibilities of the HLEG among others, includes: to further develop the Global Cyber Security Agenda, by proposing refinements to its main goals; to analyse current developments in cyber security, including both threats and state-of-the-art solutions, anticipate emerging and future challenges, identify strategic options, and formulate proposals to the ITU Secretary-General; to meet the goals of the Global Cyber Security Agenda; to provide guidance on possible long-term strategies and emerging trends in cyber security.

The HLEG comprises of high-level experts from governments, industry, relevant regional/international organisations, research institutes, academic institutions and individual experts from every part of the world appointed by the ITU Secretary-General. The Department of Communications represents the Republic of South Africa in the HLEG.

The first meeting of HLEG was held on 05 October 2007, Geneva, Switzerland. The first meeting adopted the following five focus areas of HLEG. The second meeting of HLEG took place on 21 May 2008, Geneva. The second meeting of the HLEG has developed draft reports on five working areas of the HLEG.

The expected deliverables of the HLEG will be five strategic reports, with a final consolidated report – a global strategic report delivered to the ITU Secretary-General and a set of recommendations on how best to achieve the strategic goals of the GCA and to best provide an appropriate response to WSIS Action Line C5. It is expected that the reports and recommendations would be submitted to the ITU Security-General in time for the ITU Council in November 2008.

Issued by: Department of Communications
18 June 2008