Can SA turn insecurity into profit?
A weak economy, advanced malware, information theft, critical infrastructure under siege...and yet infosec experts are upbeat.
South Africans are facing a tough year of cybercrime, and while the government is making progress in addressing the threats, that progress is far too slow to make much difference. Instead, we need to step up and take action in a year where the odds will be increasingly against us; by doing so, the country can grow cyber security into a breadwinner.
Craig Rosewarne, MD of Wolfpack Information Risk and a keynote speaker at the ITWeb Security Summit 2016, says he expects to see cyber threats on the rise, and information security budgets under pressure, creating a high-risk environment until the economy improves.
With the local economy slow and the rand-dollar exchange rate high, IT budgets will be under extreme pressure, he notes. "There will more than likely be cuts in IT budgets and especially in security.Companies are caught in a very dangerous situation – all the signs are there of increasing risk from a cyber point of view. They're under pressure to manage risk more effectively, while also trying to cut budgets."
Dominic White, CTO of SensePost and also a speaker at the Security Summit, hopes that some organisations will break that cycle. "During economic recessions, people don't cut back on insurance – they buy less stuff, but still protect what they have. Cyber security as risk management is often seen as similar to insurance, so some people may scale back on security as a priority. We may just see fewer new security initiatives and new products. As an industry, information security may actually prove to be recession-proof."
Cybercrime is certainly on the rise, and evolving rapidly. Globally, the internet has been reeling as one huge breach followed another – Target, Nieman Marcus, Hilton Hotels, Ashley Madison and more – but South Africa has not escaped unscathed either. In February this year, hacking collective Anonymous turned its baleful gaze on the country, defacing hundreds of South African government websites as part of #OpAfrica, a campaign aimed at protesting political issues across the continent. The group also claimed to have breached a database of South African government employees, including names, contact details and passwords. If there's a silver lining, it's that awareness has spiked.
"Anonymous is doing a sales job for security services in South Africa that no vendor could possibly achieve. Everyone you speak to has heard of a recent hacking incident. It's very much top of mind," White says.
"We'll definitely see more fraud," Rosewarne says. "There's a swing towards extortion, including denial of service, CryptoLocker attacks (where a user's files are encrypted unless a ransom is paid), and extortion around leaking stolen information. Hacktivism will grow globally, and criminal elements are getting more sophisticated. We're not really prepared for it. We're still mostly focused on basic cyber criminals, not the advanced organised crime."
White adds that there are signs that local criminals are evolving to use advanced crimeware. "We've had quite a few people approach us with CryptoLocker, including some customised for SA, using local Bitcoin exchanges to handle ransoms." And it's only going to get worse, he says. "When our local syndicates get more skilled up and start handing out sophisticated tools to their members, that will drive a bigger spike in SA cybercrime than any external threat factors." Right now, the arms race strongly favours the attackers, he adds. "There are some amazingly advanced techniques available for malware to evade detection and steal data, but we don't see them much: for the malware authors, it's not worth being that much more advanced than the current state of detection." Only state-sponsored threats like Stuxnet, which successfully attacked Iranian uranium enrichment facilities, would risk using, and revealing, such advanced techniques before it was necessary, he says.
But that is the background noise of ongoing cybercrime. "There are a lot of scam artists out there – many small incidents that add up to a lot of money over time. There's lots of payment fraud – stealing items and reselling them online," says Rosewarne. "Our banks are always under attack, and there's a fair amount of e-commerce crime going on. But that's all normal."
He is more worried about potential vulnerabilities in the country's critical infrastructure, and that's where the government's tardiness is a serious concern, he believes. "The risk is high for critical infrastructure to be attacked, either accidentally or on purpose. Our resources, especially electricity and water, are very precarious at the moment, so any successful attack, whether accidental or deliberate, could have a devastating effect."
Wolfpack has compiled a report into the status of cyber vulnerabilities across the country's national infrastructure, and hopes to initiate efforts to get stakeholders from each industry around the table to share information and co-ordinate response to attacks.
Government's efforts to deal with the growing cyber security risks are promising, but need to move faster. "With our government, historically, there has been a lot of talk: they bring out a great paper and then nothing happens. Now, they've made a lot of commitments, and that is good – we're starting to see the structures and the legislation coming out to drive that." White agrees: "The national cyber policy framework is a good idea – it keeps things close to the industry. As a concept, it's good, and different from the legislative paths that countries like America have taken. They're trying to get people who are close to each industry to co-operate with a minimum of legislative overhead. Of course, the issue is still the skills gap, and there's not much guidance on what they should actually be doing. I do wonder how much impact they will be able to have, and it's taking forever – the framework still has to be taken down to policy level and then down to legislation level."
In the meanwhile, the private sector will continue to fill the gaps, creating opportunities out of adversity. "South Africa's a bit of a haven for good security researchers," says White. "I've seen some really imaginative solutions – there's a lot of room for new ideas." Rosewarne also wants to see SA's nascent cyber exports market grow: "We have a lot of security talent in this country. Look at how successful Israel has been – it's now the second biggest exporter of cyber-security tools in the world. We should be investing in that; we're in a very good position to sell up into the rest of Africa.
We must exploit that to the benefit of our country."
National cyber security – all bark and no bite?
The South African government has made slow progress in enacting cyber security measures over many years. Last year saw some long awaited developments take shape, but a great deal of work remains to be done.
The National Cybersecurity Policy Framework (NCPF) was approved by cabinet in March 2012, and was finally published by the State Security Agency in December 2015. It sets out broad policy objectives for government and the public sector, encryption and data protection, cyberwarfare and more, and calls for the establishment of a national computer security incident response team (CSIRT) and cyber security hub. It's intended to be followed by a national cyber security implementation plan.
South Africa's a bit of a haven for good security researchers. - Dominic White, SensePost
The Cybersecurity Hub was officially opened in October 2015 by Minister of Telecommunications, Dr Siyabonga Cwele, a joint effort between the CSIR and the National Cybersecurity Response Team. It is intended to provide a central point of collaboration between government, the private sector, and the public for security alerts, reporting incidents, and responding to ongoing attacks. Although the site (www.cybersecurityhub.co.za) is live, it has yet to publish any alerts or security news.
The Cybercrimes and Cybersecurity Bill introduced new legislation intended to outline electronic offences and establish a legislative framework for prosecuting them. The draft Bill was published in August 2015, with a public consultation period closing in November. The Bill was welcomed as a vehicle for a robust cyber legislature, but also criticised for potential overlaps, and even contradictions with existing laws, including the Protection of Personal Information Act (POPI), the Electronic Communication and Transactions Act (ECT), and constitutional privacy safeguards.
Among the provisions in the Bill are the creation of several new facilities, including a national cyber security centre to be staffed and managed by the State Security Agency, a national cybercrime centre that would fall under the South African Police Service, and a cyber command within the South African National Defence Force.
Insiders within the SAPS have confirmed that the designs and plans for the cybercrime centre have been on file for some time, awaiting only the enactment of the Act to give it the green light. At present, the Hawks operate a small team of about a dozen agents focused on high-impact cybercrime, including organised crime and incidents like the multimillion-rand attempted crimes at the Gautrain, Eskom and Postbank.
This article was first published in the April 2016 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.