
LITERATURE REVIEW

2.3. INTERNATIONAL ORGANISATIONS ON CYBER-SECURITY

2.3.1. The International Organization for Standardization (ISO)

The International Organization for Standardization (ISO) is a non-profit organisation that develops and publishes standards of virtually every possible type, including cyber-security.

ISO, which was founded in 1946, is supported by 159 countries and is the leading issuing body for international standards (Disterer, 2013). The standards ISO 27000 to ISO 27002

which is a leading global issuer of international standards in the electronics and electronic - related technologies sector

ISO 27032 (ISO/IEC, 2012) is the cyber-security standard that is recognised globally and was designed to address the lack of communication between cyberspace users and providers (Dennis et al., 2014). According to the ISO/IEC 27032 (ISO/IEC, 2012), the standard was designed to address the reality that

Devices and connected networks that support cyberspace have multiple owners – each with their own business, operational and regulatory concerns. Not only do the different users and providers share little or no input, but each has a different focus when dealing with security. Such a fragmented state opens up vulnerabilities in cyberspace. ISO/IEC 27032 will provide an overarching, collaborative, multi-stakeholder solution to reduce these risks.

This framework provides guidance on four domains, namely information security, internet security, network security and critical information infrastructure (ISO/IEC, 2012).

2.3.2. International Telecommunication Union (ITU)

The United Nations has a specialised agency responsible for ICT across member states called the International Telecommunication Union (ITU). ITU has recognised the criticality of cyber-security and the possible adverse consequences of any inefficiency. As a result, the Union constructed the Global Cyber-Security Agenda (GCA) Strategy Guide (ITU, 2015).

The GCA is a framework prescribed for use by all interested countries and is independent of international barriers. The guide aims to design, implement and provide strategies on cyber-security across different sectors. The GCA framework provides a holistic development, implementation and coordination of a vigorous global cyber-security culture (ITU, 2015). The Ends-Ways-Means strategy was used to address the issue of cyber-security (Dennis et al., 2014). As the basis for cyber-security strategies, ITU recommends that countries apply national values, since countries have varied needs, capabilities and threats.

The ITU (2015) recommendations are based on:

a. the perception that risks and their mitigations are influenced by national interest and culture; and

b. a country’s relevant stakeholders on cyber-security, such as the private and public sectors and the judiciary, are likely to support the strategy since it is rooted in national interests and values.

2.3.3. Organisation for Economic Co-operation and Development (OECD)

The Organisation for Economic Co-operation and Development (OECD) is an international forum where governments across the globe work together to attend to economic, environmental and social challenges globally. The OECD is a neutral setting where member states collaborate, seek to formulate solutions for common challenges, formulate best industry practice and function to coordinate international and domestic policies (OECD, 2015). ICT and the Internet are critical for social and economic development; hence they are part of critical infrastructure. On the other hand, cyber-security policy formulation is in its infancy (OECD, 2015). The organisation takes cognisance of the fact that governments are hugely dependent on digital infrastructure to execute fundamental service-delivery functions. Threats to cyberspace are surfacing rapidly and cyber-attackers appear to be better organised as they conceal their tracks. The high degree of sophistication, such as that of Stuxnet, is clear confirmation that governments are faced with the daunting task of protecting critical information infrastructure. Governments need to adopt an integrated and comprehensive approach when addressing cyber-security policy issues, particularly taking into consideration the essential impact of the Internet and related technology on the modern economy (OECD, 2015). Facets of cyber-security need to be addressed holistically, covering government-wide applications and also encompassing the social, economic, legal, educational, technical, law-enforcement, diplomatic, intelligence and military-related aspects. Support from strong leadership at the head-of-government level (OECD, 2015) is required so that cyber-security will be recognised as a critical government priority. According to the OECD (2015), most cyber-security strategies share the following key conceptions:

a. Improved government coordination at policy and operational levels. Cyber-security policy formulation, as a national government priority, can be implemented by being assigned within the government. It is important to note that no single vertical agency can have sufficiently wide authority to manage all facets of cyber-security; also, no single agency can claim comprehensive understanding of cyber-security. This point emphasises the importance of coordination amongst relevant stakeholders.

b. Strengthened public–private cooperation is essential. Cyberspace is operated and owned by the private sector, to a large degree, and these users play an important role in the secure use of cyberspace.

2.3.4. The European Network of Information Security Agency (ENISA)

To address cyber-security threats, the European Union member states came together and formed the European Network of Information Security Agency (ENISA), which provides guidance on the formulation of a national cyber-security strategy. Key performance indicators are provided for each cyber-security strategy component. Through the ENISA Guidebook, a country’s policy makers are guided by practical recommendations for controlling the development and improvement process of the national cyber-security status and security affairs within the country (ENISA, 2015).

2.3.5. The African Union Convention on Cyber Crime and Personal Data Protection

In June 2014, the heads of member states of the African Union adopted the African Union Convention on Cyber Crime and Personal Data Protection. South Africa is an affiliated member state. This convention aims to harmonise the laws of African member states on electronic commerce, data protection, cyber-security governance and cybercrime control (Orji, 2018). The Convention also defines the objectives for the information society in Africa and seeks to strengthen existing ICT laws in member states. The convention mainly covers four areas, which are the security of e-commerce, legal aspects, personal data protection and cybersecurity (Ball, 2017). With regard to e-commerce, South Africa has the Electronic Communications and Transactions (ECT) Act of 2002. For personal data protection, the country has the Protection of Personal Information (POPI) Act of 2013.

The Convention has prescribed broad obligations for member states to establish national cyber-security policies as well as legal, regulatory and institutional frameworks for cyber-security governance and cybercrime control. The Convention, in this regard, requires member states to implement obligations that include: establishing a national cyber-security framework; promoting a culture of cyber-security; establishing national cyber-security governance structures; protecting critical information infrastructure; establishing cybercrime offences and procedural measures; and promoting international cooperation and legal harmonisation.

Member states are required to establish a national cyber-security framework that comprises a national cyber-security policy and a national cyber-security strategy. A member state’s national cyber-security policy is required to recognise the importance of national Critical Information Infrastructure (CII) and identify related risks using the all-hazards approach, while also outlining how the objectives of such a policy are to be achieved. The “all-hazards” approach to CII protection entails the protection of such infrastructure from all forms of threats, whether they originate from deliberate attacks, accidents or natural disasters. In addition, the obligation to establish a national cyber-security policy requires member states to outline how their national cyber-security policy will achieve the objectives of protecting national CII from identified risks. In 2015, South Africa published a National Cyber-security Policy Framework and has worked towards implementing the Convention’s requirements on cyber-security.

The Critical Infrastructure Protection Bill was tabled in Parliament on 15 September 2017.

This Bill replaces the National Key Points Act (102 of 1980), and it deals with the process of the declaration of National Key Points. The Bill addresses the safeguarding of critical infrastructure and of persons inside the critical infrastructure area. The Bill provides for the establishment of a National Infrastructure Council, and provides for the designation and functions of inspectors, amongst others.

South Africa has made recognisable strides towards the legal aspect of cyber-security. The Government of South Africa published the Regulation of Interception of Communications and Provision of Communication-related Information Act (RICA), 2002. The aim of RICA is to make the country safer, as it assists law enforcement agencies to identify mobile phone users and track criminals using mobile phones for illegal activities. RICA regulates the interception and monitoring of information communication. On 9 December 2016, the Department of Justice and Correctional Services published the Cybercrimes and Cybersecurity Bill.

2.4. SOUTH AFRICAN NATIONAL CYBER-SECURITY POLICY