TechCentralTechCentral
    Facebook Twitter YouTube LinkedIn
    Facebook Twitter LinkedIn YouTube
    TechCentralTechCentral
    NEWSLETTER
    • News

      Fixing SA’s power crisis is not complex: it simply takes the will to do better

      12 August 2022

      Consortium makes unsolicited bid for state’s 40% stake in Telkom

      12 August 2022

      Actually, solar users should pay more to access the grid – here’s why

      12 August 2022

      Telkom says MTN talks remain on track

      12 August 2022

      Analysis | Rain muddies the waters with approach to Telkom

      11 August 2022
    • World

      Tencent woes mount, even after $560-billion selloff

      12 August 2022

      Huawei just booked its first sales rise since US blacklisting

      12 August 2022

      Apple remains upbeat about iPhone sales even as Android world suffers

      12 August 2022

      Ether at two-month high as upgrade to blockchain passes major test

      12 August 2022

      Gaming industry’s fortunes fade as pandemic ends

      11 August 2022
    • In-depth

      African unicorn Flutterwave battles fires on multiple fronts

      11 August 2022

      The length of Earth’s days has been increasing – and no one knows why

      7 August 2022

      As Facebook fades, the Mad Men of advertising stage a comeback

      2 August 2022

      Crypto breaks the rules. That’s the point

      27 July 2022

      E-mail scams are getting chillingly personal

      17 July 2022
    • Podcasts

      Qush on infosec: why prevention is always better than cure

      11 August 2022

      e4’s Adri Führi on encouraging more women into tech careers

      10 August 2022

      How South Africa can woo more women into tech

      4 August 2022

      Book and check-in via WhatsApp? FlySafair is on it

      28 July 2022

      Interview: Why Dell’s next-gen PowerEdge servers change the game

      28 July 2022
    • Opinion

      No reason South Africa should have a shortage of electricity: Ramaphosa

      11 July 2022

      Ntshavheni’s bias against the private sector

      8 July 2022

      South Africa can no longer rely on Eskom alone

      4 July 2022

      Has South Africa’s advertising industry lost its way?

      21 June 2022

      Rob Lith: What Icasa’s spectrum auction means for SA companies

      13 June 2022
    • Company Hubs
      • 1-grid
      • Altron Document Solutions
      • Amplitude
      • Atvance Intellect
      • Axiz
      • BOATech
      • CallMiner
      • Digital Generation
      • E4
      • ESET
      • Euphoria Telecom
      • IBM
      • Kyocera Document Solutions
      • Microsoft
      • Nutanix
      • One Trust
      • Pinnacle
      • Skybox Security
      • SkyWire
      • Tarsus on Demand
      • Videri Digital
      • Zendesk
    • Sections
      • Banking
      • Broadcasting and Media
      • Cloud computing
      • Consumer electronics
      • Cryptocurrencies
      • Education and skills
      • Energy
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Motoring and transport
      • Public sector
      • Science
      • Social media
      • Talent and leadership
      • Telecoms
    • Advertise
    TechCentralTechCentral
    Home»In-depth»Spooks threaten online freedoms

    Spooks threaten online freedoms

    In-depth By Jane Duncan19 June 2013
    Facebook Twitter LinkedIn WhatsApp Telegram Email

    keyboard-640

    At a recent breakfast briefing on cybersecurity hosted by Neotel and the Mail & Guardian, information security consultant Beza Belayneh referred to cybercrime in South Africa as a “crisis”, and called on the government to make it a national security concern.

    He said the state needs to respond to cybercrime to prevent loss of life in the same way that it responded to the HIV and Aids pandemic. Cybercrime is a problem, but to equate it with HIV and Aids is inappropriate and insensitive. It has not and will not lead to loss of life at the levels caused by Aids. In fact, according to cyber warfare expert and academic Thomas Rid, no recorded cyber attack has led to loss of life, injury or damage to a building.

    Other comments made at the breakfast also require examination. Siyabonga Cwele, the minister of state security, commented on South Africa’s vulnerability to cyber terrorism and cyber warfare.

    But the main cyber security threats in South Africa are not related to national security at all: they are criminal and, more specifically, related to fraud. Phishing is the most common form of attack, with the distribution of malware such as worms being the second-biggest problem.

    So, then, why are the spooks needed to fight the worms? While there is no denying that cybercrime is a terribly serious issue, there are unexamined implications for users’ Internet rights if we simply accept that this criminal matter is so grave that it should be escalated to the level of a threat to national security, and that therefore the department of state security should become the lead agency on cyber security matters.

    The best defences against cybercrime are technical and social in nature. The fight against phishing requires the widespread use of anti-spam software and user education. This encourages users to change their behaviour and not provide sensitive information to criminals.

    Such threats can be dealt with effectively through an information policy that protects information systems from unauthorised access, use, disclosure, disruption and/or destruction, rather than through a national security policy.

    Policy framework
    Yet it appears that the problem has already been escalated to a national-security threat — the government’s cyber security policy framework has been transferred from the department of communications to that of state security. The framework is due for release in August, although no public comment has been sought on it. This should sound warning bells.

    Many of the statements made at the breakfast are typical of the sort of hyperventilation elsewhere (especially in the US) that creates public panic and paves the way for policy overreactions that securitise and militarise cyberspace.

    These overreactions often lead to emergency measures that erode civil liberties — especially privacy and rights to freedom of expression and association — and such erosions soon become normalised as permanent ways of life.

    In the words of Brunel University’s Mark Neocleous: “Whatever example we use, the pattern is the same: an ‘emergency’ occurs in which ‘security’ is threatened; existing emergency powers are exercised and new ones put into place; these are then gradually ‘stretched’ beyond their original scope; this stretching is gradually justified and legitimised, until the police and security forces are exercising the powers way beyond their original context, to the extent that they become part of the everyday functioning of the rule of law: the emergency becomes permanent, the exceptional becomes the rule, and the sun fails to set on the sunset clauses.”

    A nexus has developed in other countries between the security industry and governments. The former hypes cyber security threats to ensure larger government budgets and hence more expenditure on consultancies, while governments hype them to increase Internet controls.

    Cwele’s warnings about the country’s vulnerability to cyber terrorism overstate the threat. It is difficult to mount a cyber attack that threatens critical national infrastructure, and their outcomes remain unclear. As a result, terrorists have stuck largely to physical attacks of the analogue variety.

    In attempting to justify increasing their powers over the Internet, governments often refer to the cyber attacks on Estonia in 2007 and Georgia in 2008, when the countries’ major institutions were subjected to distributed denial-of-service attacks. The Russian government was accused of being behind the attacks, but investigations traced them to Russian “hacktivists” and criminal botnets.

    Critical services
    A scientist at the Nato Co-operative Cyber Defence Centre of Excellence has stated that the immediate impacts of the attacks were minimal to nonexistent, and that no critical services were permanently affected. Yet cyber security policies continue to be developed based on dread risks or worst-case scenarios that will probably never occur as feared, leading to misallocations of public resources.

    The one cyber attack that came closest to cyber warfare, although it didn’t fulfil all the criteria, was launched by the government that has been shouting the loudest about the threat of cyber warfare — the US.

    Soon after taking office, President Barack Obama ordered a cyber attack to disable Iran’s nuclear systems, using the Stuxnet worm developed by the US and Israel. But such attacks are highly resource-intensive, making them relatively unpopular warfare choices.

    South Africans need to be particularly vigilant when examining whether cybercrime should be securitised. National security offences are generally punished much more harshly than ordinary crimes, and the state security organs are particularly secretive, making them even more susceptible to abuse.

    Furthermore, South Africa has a broad definition of national security, drawn from human-security conceptions of national security. The evidence is that this definition has allowed intelligence agencies to become, effectively, state watchdogs over society, leading to inappropriate interventions in aspects of the country’s politics. Fears that new state powers over the Internet may be abused are not unjustified.

    It is instructive to look at the government’s previous efforts to regulate communications networks on national-security grounds.

    The 2002 Regulation of Interception of Communications and Provision of Communication-Related Information Act was one of a basket of laws passed after the 9/11 attacks on the US. It allows intelligence agencies to intercept communications, including Internet traffic, providing they have a warrant from a judge (an “interception direction”, in the language of the act).

    Communications surveillance
    Last week, however, several organisations released a set of international principles on the application of human rights to communications surveillance. The act falls short of many of these principles. For instance, it forbids the establishment of networks that are not capable of surveillance. This means that users cannot hold a single phone conversation or send a single e-mail without the expectation of it being intercepted.

    Apart from the implications for users’ rights to privacy and expression, the requirement that network operators build “backdoors” into their networks as a matter of course creates network insecurity: these backdoors can (and have) been used, not just by the state, but by criminals, to hack into networks.

    As a result, the international principles say that “in order to ensure the integrity, security and privacy of communications systems, and in recognition of the fact that compromising security for state purposes almost always compromises security more generally, states should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems”.

    Even more seriously, there is no provision in the act for people whose communications have been intercepted to be informed of the warrants, even after the investigations are complete: a crucial safeguard to prevent abuse, as the principles note.

    Moreover, the public is provided with too little information to be able to monitor whether the act is achieving its intended results – information such as the number of warrants that have resulted in convictions.

    A recent court case revealed how the act can be abused to threaten privacy and the right to media freedom. In 2010, crime-intelligence officers duped the designated judge into signing an order to tap the phones of Bheki Cele, then the national police commissioner, and two Sunday Times journalists who were reporting on a controversial lease deal implicating Cele.

    Cyber security is a relatively new issue for policymakers, but already it has proved susceptible to premature securitisation. Unless overstatements on cyber security are challenged, and there is a proper debate backed up by empirical evidence of the source and nature of the threats, control of the Internet will, slowly but surely, creep into the hands of the spooks. And that will be the beginning of the end for Internet freedom.

    • Professor Jane Duncan is the Highway Africa chair of Media and Information Society at Rhodes University. This piece was first published in the Mail & Guardian
    • Visit the Mail & Guardian Online, the smart news source
    • Image: RoccoAlpha/Flickr
    Bheki Cele Jane Duncan Mark Neocleous Siyabonga Cwele Thomas Rid
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email
    Previous ArticleKenya to hand out 3,3m light bulbs
    Next Article How New Zealand became tech hotbed

    Related Posts

    African unicorn Flutterwave battles fires on multiple fronts

    11 August 2022

    The length of Earth’s days has been increasing – and no one knows why

    7 August 2022

    As Facebook fades, the Mad Men of advertising stage a comeback

    2 August 2022
    Add A Comment

    Comments are closed.

    Promoted

    Get your brand in front of TechCentral’s amazing audience

    12 August 2022

    Pricing Beyond CMYK: printers answer the FAQs

    11 August 2022

    How secure is your cloud?

    10 August 2022
    Opinion

    No reason South Africa should have a shortage of electricity: Ramaphosa

    11 July 2022

    Ntshavheni’s bias against the private sector

    8 July 2022

    South Africa can no longer rely on Eskom alone

    4 July 2022

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2022 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.