CONFIDENTIAL - DRAFT

NATIONAL CYBERSECURITY POLICY FRAMEWORK FOR SOUTH AFRICA

May 2011

CONTENTS

EXECUTIVE SUMMARY
A ACRONYMS
B DEFINITIONS
1 INTRODUCTION
2 THE SOUTH AFRICAN CONTEXT
3 PURPOSE OF THE NCPF
4 NATIONAL CYBERSECURITY POLICY
5 CREATING INSTITUTIONAL CAPACITY TO RESPOND TO CYBERSECURITY IMPERATIVES
6 COMPUTER SECURITY INCIDENT RESPONSE TEAMS (CSIRT)
6.1 NATIONAL CSIRT
6.2 GOVERNMENT CSIRT
6.3 SECTOR CSIRTs
NATIONAL CRITICAL INFORMATION INFRASTRUCTURE (CII) PROTECTION
IDENTITY MANAGEMENT
10 PROMOTE AND STRENGTHEN LOCAL AND INTERNATIONAL
11 CAPACITY DEVELOPMENT, RESEARCH AND DEVELOPMENT
12 TECHNICAL AND OPERATIONAL STANDARDS
13 ROLES AND RESPONSIBILITIES OF RELEVANT ORGANS OF STATE
14 CONCLUSION
ANNEXURE
A SYNOPSIS OF NATIONAL CYBERSECURITY IMPLEMENTATION SCHEDULE
B REFERENCE MATERIAL

EXECUTIVE SUMMARY

Information and Communications Technologies (ICTs) are indispensable in modern society. The interconnectivity of computer networks contributes significantly to economic growth, education, citizens' participation in social media and many others. This new electronic environment is commonly known as cyberspace. However, this dependence of the daily functioning of society on information communication technology solutions has led to a concomitant need for the development of adequate security measures.

It is generally accepted by the international community and the United Nations that the threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a real and very serious security risk confronting all nations. The numerous cyber attacks launched in recent years against advanced information societies, aimed at undermining
the functioning of public and private sector information systems, have placed the abuse of cyberspace high on the list of international and also local security threats. For this reason the cyber threats need to be addressed at both the global and national levels.

Given the seriousness of cyber threats and of the interests at stake, it is therefore imperative that the comprehensive use of information communication technology solutions be supported by a high level of security measures and be embedded in a broad and sophisticated cybersecurity culture.

National cybersecurity is a broad term encompassing many aspects of electronic information, data and media services that affect a country's security, economy and wellbeing. Ensuring the security of a country's cyberspace comprises a range of activities at different levels. The danger that cybersecurity threats pose is very real.

The JCPS Cluster has consequently developed, as part of its mandate and obligations under Outcome 3 ("All people are and feel safe in South Africa"), a National Cybersecurity Policy Framework (NCPF) to comply with Output 8 of Outcome 3, which requires the development and implementation of a cybersecurity policy and the development of capacity to combat and investigate cybercrime, that seeks to promote in particular the following:

- Measures to address national security threats in terms of cyberspace;
- Measures to promote the combating of cybercrime;
- Measures to build confidence and trust in the secure use of
- The development, review and updating existing substantive procedural laws to ensure alignment.

The NCPF is intended to provide a holistic approach pertaining to the promotion of cybersecurity measures by all role players (State, public, private sector and civil society and special interest groups) in relation to cybersecurity threats. This framework will be supported by a National Cybersecurity Implementation Plan which will be developed in consultation with relevant stakeholders,
identifying roles and responsibilities, timeframes, specific performance indicators and monitoring and evaluation mechanisms. The development and large-scale implementation of a system of security measures, as implemented elsewhere in the world, will form part of the National Plan.

Through the NCPF the seeks to address the following:

- The development and implementation of a Government led, coherent and integrated cybersecurity approach to address cybersecurity threats;
- The promotion of a cybersecurity culture and compliance with minimum security standards;
- Strengthening of intelligence collection, investigation, prosecution and judicial processes in respect of preventing and addressing cybercrime, cyber terrorism and cyber warfare;
- Ensure the protection of national critical information infrastructure;
- The establishment of public-private partnerships for national and action plans in line with the and
- Ensure a comprehensive legal framework governing cyberspace.

A ACRONYMS

CSIRT: Computer Security Incident Response Teams
Department of Communications
Department of Justice and Constitutional Development
Department of Defence and Military Veterans
DST: Department of Science and Technology
FIRST: Forum for Incident Response and Security Teams
GRC: Governance Risk Management and Compliance
Information and Communications Technology
ICASA: Independent Communications Authority of SA
ISPs: Internet Service Providers
JCPS: Justice Crime Prevention and Security Cluster
NCPF: National Cybersecurity Policy Framework
NPA: National Prosecuting Authority
PKI: Public Key Infrastructure
SSA: State Security Agency
SAPS: South African Police Service

B DEFINITIONS

In the context of this policy:

National Critical information infrastructure means all ICT systems, data systems, data bases, networks (including people, buildings, facilities and processes) that are fundamental to the
effective operation of the Republic.[1]

Computer Security Incident Response Team is a team of dedicated information security specialists that to cyber security breaches cybersecurity incidents.

Cybersecurity is the collection of security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user assets.

Cyberspace means a physical and non-physical terrain created by and/or composed of some or all of the following: computers, computer systems, networks and their computer programs, computer data, content data, traffic data, and users.

Cyber-Warfare means actions by a nation state to penetrate another nation's computers and networks for purposes of causing damage or disruption.[2]

Cyber espionage means the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature) from individuals, competitors, rivals, groups, Governments and enemies for personal, economic, political or military advantage.[3]

[1] This relates to critical services such as the economy, social services and law enforcement, inclusive of the justice system and state security.
[2] This definition does not purport to be a universally accepted definition in a UN reference framework.

Cyber terrorism means use of internet based attacks in terrorist activities by individuals and groups, including acts of deliberate large scale disruptions of computer networks, especially computers attached to the internet, by the means of tools such as computer viruses.

Cybercrime means illegal acts, the commission of which involves the use of information and communication technologies.

Information and Communication communications device or application, including radio, television, cellular phones, satellite systems, computers, network hardware and software services such as videoconferencing

Information
society means inclusive and development-oriented information where everyone can create, access, utilise and share information and knowledge, enabling individuals, communities and people to achieve their full potential in promoting their sustainable development and improving the quality of their life.

Malware means malicious software and is programming (code, scripts, active content and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive or dangerous software or program code. Malware's most common pathway from criminals to users is through the Internet, primarily by e-mail and the World Wide Web. Symantec published a report in 2008 indicating that the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications. According to F-Secure, "As much malware was produced in 2007 as in the previous 20 years altogether."[5]

[3] Ibid.
[4] Ibid.

Organisation and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunication systems, and a totality of transmitted and/or stored information in the cyber environment.

Organ of State means an Organ of the State as defined in section 239 of the Constitution.

Phishing indicates the fraudulent way of attempting to sensitive information such as usernames, passwords and credit card details by someone masquerading as a trustworthy entity in an electronic communication to lure the unsuspecting public. Phishing is typically e-mail or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate

1 INTRODUCTION

1.1 A number of strategic interventions and tactical interventions have been successfully implemented over the past few years, and other interventions are in the process of being implemented within the Justice, Crime Prevention and Security (JCPS) Cluster in the fight against crime, with the objective of making South Africa safe. As part of Government's Outcome based priorities, the JCPS Cluster signed on 24 October 2010 the JCPS Delivery Agreement relating to Outcome 3: "All People in South Africa Are and Feel Safe". This Outcome focuses on certain areas and activities, clustered around specific Outputs, where interventions will make a substantial and a positive impact on the safety of the people of South Africa. One such area relates to Output 8, which requires the development and implementation of a Cybersecurity Policy and the development of capacity to combat and investigate cybercrime. In line herewith this document therefore sets out a National Cybersecurity Policy Framework (NCPF) for South Africa.

1.2 It is generally accepted that Information and Communications Technologies (ICTs) have become indispensable in modern society. The increased interconnectivity of computer networks and the expansion of broadband, including mobility, are contributing significantly to economic growth, digital integration, education, electronic governance, citizens' participation in governance and many others. This new electronic environment is commonly known as cyberspace. It has created a global village, with instantaneous communication possible between persons on the opposite sides of the world. The Cybersecurity Policy Framework therefore recognises that cybersecurity threats and the combating thereof have both a national as well as an international context.

1.3 Cyberspace comes with new types of challenges to the governments of the world.

1.4 It introduces a further dimension to National Security. It is a borderless platform that enables more sophisticated
threats such as cybercrime, cyber terrorism, cyber war and cyber espionage. The numerous cyber attacks launched in recent years against advanced information societies, aimed at undermining the functioning of public and private sector information systems, have placed the abuse of cyberspace high on the list of international and also local security threats. The acknowledgment that such attacks pose a threat to international security reached new heights in 2007, owing to the first-ever co-ordinated cyber attack against an entire country, Estonia, and also because of large-scale cyber attacks against information systems in many other countries as well. The co-ordinated cyber attacks against government agencies, banks, and media and telecommunications companies in a single country, Estonia, demonstrated that the vulnerability of a society's information infrastructure is an aspect of national security that needs attention in all countries. There are views that internet is becoming more and more problem-His very specific to malware being distributed through terror groups.[6] The recurrence and growing incidence of cyber attacks indicate the start of a new era in which the security of cyberspace acquires a global dimension and the protection of National critical information Infrastructure must be elevated in terms of national a par with traditional defence interests.

1.5 National Cybersecurity is a broad term encompassing many aspects of electronic information, data and media services that affect a country's security, economy and wellbeing. Ensuring the security of a country's cyberspace thus comprises a range of activities at different levels. Toward this end, the most important policy domains include reducing the vulnerability of cyberspace, preventing cyber threats and attacks in the first instance and, in the event of an attack, ensuring a swift recovery of the functioning of information systems. Thus a cyber strategy must appraise the vulnerability of a country's critical infrastructure,
devise a system of preventive measures against cyber attacks, and decide upon the allocation of tasks relating to cyber security management at the national level.

[6] Beeld, 12 May 2011, article entitled "Web raak al hoe meer militaristies".

Moreover, it is also important to improve the legal framework against cyber attacks, to enhance international and institutional co-operation, and to raise public awareness and develop training and research programmes on cyber security.

The above threats necessitate a comprehensive and all-encompassing approach in dealing with cyber threats. In short, a cybersecurity culture driven in main by the State is critical to ensure that citizens take advantage of the information age whilst remaining conscious of the threats and vulnerabilities of cyberspace.

The NCPF recognises the need to balance, on the one hand, the risks associated with the use of information systems and, on the other hand, the indispensability of extensive and free use of information technology to the functioning of open and modern societies. The growing threats to cyber security should not hinder the crucial role of information and communications technology in stimulating the growth of economies and societies.

In response to the above challenges worldwide have established policies and structures that govern interaction and collaboration between Government, private sector, academia and civil society in an effort to prevent, react to, combat and mitigate cybersecurity vulnerabilities and attacks.

The NCPF recognises that the State is charged with implementing a Government led, coherent and integrated cybersecurity approach which, amongst others, will:

a) Promote a cybersecurity culture and demand compliance with minimum security standards;
b) Strengthen intelligence collection, investigation, prosecution and judicial processes in respect of preventing and addressing cybercrime, cyber terrorism and cyber warfare;
c) Establish
public-private partnerships for national and international action plans;
d) Ensure the protection of national critical information infrastructure; and
e) Promote and ensure a comprehensive legal framework governing cyberspace.

1.10 This framework is intended to implement an all encompassing approach pertaining to all the role players (State, public, private sector, civil society and special interest groups) in relation to Cybersecurity. This framework will be supported by a National Cybersecurity Implementation Plan which will be developed in consultation with relevant stakeholders, identifying roles and responsibilities, timeframes, specific performance indicators and monitoring and evaluation mechanisms. The development and large-scale implementation of a system of security measures, as implemented elsewhere in the world, will form part of the National Cybersecurity Implementation Plan.

2 THE SOUTH AFRICAN CONTEXT

2.1 South Africa has become dependent on the Internet to govern, to conduct business and for social purposes. The Internet has become indispensable to many South Africans be as more people join the information highway. Taking into consideration the increase in national and international bandwidth in South Africa, cybercrimes and threats are and will continue to increase. These cybercrimes and threats have the potential to impact on our national security and economy.

Currently there are various pieces of legislation, some with overlapping mandates, administered by different Government Departments and whose implementation is not coordinated. Furthermore, the legislation, when viewed collectively, does not adequately address South Africa's Cybersecurity challenges. The absence of an aligned legal and regulatory framework and the challenge of uncoordinated Cybersecurity efforts is not unique to South Africa; other jurisdictions are faced with the same challenges.

Statistics in 2011 indicate that South Africa remains in the
top three of countries that are targeted for phishing purposes; the other two countries are the USA and the UK. It was noted that the number of unique phishing attacks identified by the RSA authorities aimed at RSA instances and individuals from outside the RSA worldwide in February 2011 was 18 079, an 11 percent increase from January. This represents for the first time in nearly a year that the total number of phishing attacks in a single month reached over 18 000. The US remained the top hosting country for these attacks in February, hosting two out of every three phishing attacks identified by the RSA. The countries that have consistently been among the top five hosts over the last six months include the US, UK, Canada and Germany. For over a year now (13 consecutive months) the and South Africa have remained the top three targets of mass phishing campaigns. The US, while still remaining the top targeted country in February, witnessed a nine percent decrease in attack volume. The UK saw a seven percent increase, while South Africa remained unchanged since January, suffering a 7.5 percent of the attack volume.[7]

[7] Source: RSA Anti-Fraud Command Center, March 2011.

The borderless nature of cybercrimes introduces a further dimension to National Security. Numerous cyber attacks have been launched against a number of countries, such as the attack on Estonia in 2007 which crippled the country's electronic systems. South Africa is not immune to such attacks. The protection of South Africa's critical information infrastructure and the coordination thereof is therefore essential.

South Africa needs to develop mechanisms that will ensure proactive and coordinated national response to cyber threats and incidents, including combating cybercrime. The Government's leadership role in this regard is important, whilst acknowledging that
Cybersecurity is everyone's responsibility: public sector, private sector and civil society.

The role of the in social and economic development on a country has been widely acknowledged; however, the full potential of cannot be realized unless there is confidence and trust in the secure use of ICTs. Government should take responsibility to ensure that the private sector and civil society are not only aware of the dangers of operating in cyberspace but also take necessary measures not to become victims of cybercrime. It is thus prudent to develop a culture of Cybersecurity that will address the needs of the public sector, private sector and civil society.

Opportunities of ICT and the challenges of Cybersecurity are fuelled by advances in technology. There is consequently a need to develop the requisite skills to exploit the opportunities of an information economy and meet the dynamic challenges of Cybersecurity. South Africa will always lag behind or be vulnerable unless we develop requisite skills. There is a need to create an enabling environment for Cybersecurity training, education, research and development, and skills development programmes in South Africa.

South Africa is a consumer of and depends on overseas manufactured technologies to secure its Cyberspace. The downside of this is that our critical information infrastructure will continue to have some degree of vulnerability. Thus it is important to develop indigenous cybersecurity technologies. Unless we capabilities to address this, we will continue to rely on foreign technologies for this purpose. The absence of stringent compliance monitoring to ensure that technologies used comply with international and national Cybersecurity standards

2.9 South Africa will, in the promotion and development of cybersecurity measures in relation to this NCPF, bear in mind the international instruments and measures that may be relevant, such as the work of the various agencies of the United Nations.[8]

3 PURPOSE OF THE NCPF

3.1 The purpose of the NCPF is to create a secure, dependable, reliable and trustworthy cyber environment that facilitates the protection of critical information infrastructure whilst strengthening shared human values and understanding of cybersecurity in support of national security imperatives and the economy. This will enable the development of an information society which takes into account the fundamental rights of every South African citizen to privacy, security, dignity, access to information, the right to communication and freedom of expression.

3.2 The NCPF seeks to ensure that Government, business and civil society are able to enjoy the full benefits of a safe and cyberspace. To this end the public sector, private sector and civil society will work together to understand and address the risks, reduce the benefits to criminals and seize opportunities in cyberspace to enhance South Africa's overall security and safety, including its economic well being.

3.3 This NCPF provides for:

a) Measures to address national security in terms of cyberspace;
b) Measures to combat cybercrime;
c) The development, review and updating existing substantive and procedural laws to ensure alignment; and
d) Measures to build confidence and trust in the secure use of ICT.

[8] The UN General Assembly Resolution 56/183 (21 December 2001) endorsed the holding of the World Summit on the Information Society in two phases. The objective of the first phase in Geneva was to develop and foster a clear statement of political will and take concrete steps to establish foundations for an Information Society for all, reflecting all the different interests at stake. The objective of the second phase in Tunis was to put the Geneva Plan of Action into motion as well as to find solutions and reach agreements in the field of internet governance, financing mechanisms, and follow up and implementation of the Geneva and Tunis documents. The WSIS Action line C5 identifies the need to build confidence and security in the use of ICTs. The Tunis World Summit on the Information Society mandated the International Telecommunication Union to assist in further developing the Global Cybersecurity Agenda (GCA). A High-Level Experts Group (HLEG) on Cybersecurity was established to support the Secretary General to assist countries to develop Cybersecurity intervention identified the following key pillars: organisational structures, legal, technical and procedural measures, international collaboration and national partnership of stakeholders. The UN is of the view that the implementation of instruments such as the Budapest Convention is a way to help countries worldwide to address cybercrime, as indicated at the 12th United Nations Congress on Crime Prevention and Criminal Justice. Adopted on 19 April 2010, the Salvador Declaration confirms the need for a global capacity building effort to strengthen the full implementation of existing treaties and standards while continuing to study new remedies.

4 NATIONAL CYBERSECURITY POLICY OBJECTIVES

4.1 The NCPF articulates the overall aim and objectives of the South African Government and sets out strategic priorities that will be pursued to achieve these objectives. In order to achieve the strategic vision set out in this policy, it is expected that this National Cybersecurity Policy Framework will:

a) Centralise coordination of cybersecurity activities by facilitating the establishment of relevant structures, policy frameworks and strategies in support of cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge based economy;
b) Anticipate and confront emerging cyber threats and coordinate responses thereto by reducing cyber threats and vulnerabilities through technical measures, cybercrime policy and strategies, regulatory measures, general awareness and legal measures, inter alia enhancing all substantive and
c) and coordination between Government, the
private sector and civil society by stimulating and fostering a strong interplay between policy, legislation, societal acceptance and technology;
d) Promote international cooperation;
e) Develop requisite skills, research and development capacity;
f) Promote a culture of cybersecurity; and
g) Promote compliance with appropriate technical and operational Cybersecurity standards.

5 CREATING CAPACITY TO RESPOND TO CYBERSECURITY IMPERATIVES

5.1 The Justice, Crime Prevention and Security Cluster (JCPS), working in consultation with other Government Clusters such as the Economic Cluster, will oversee the implementation of this policy framework with the aim to ensure centralized coordination of cybersecurity issues.

5.2 A dedicated Cybersecurity Response Committee, chaired by State Security Agency, will be established within the JCPS Cluster to coordinate cybersecurity activities.

6 NATIONAL CYBER SECURITY AND COMPUTER SECURITY INCIDENT RESPONSE TEAMS

6.1 Notwithstanding various National Security structures established within the Intelligence community and the broader security cluster Departments and other government and private sector entities, South Africa does not have a centralised structure to anticipate cyber threats and respond to those threats. This situation can lead to being reactive to responding to cybersecurity threats and attacks and resulting in an uncoordinated approach.

these challenges of government not having a centralised structure, such as the computer security incident team, to anticipate cyber threats and coordinate South Africa's responses thereto, the NCPF promotes the establishment of the following:

6.3 NATIONAL CYBER SECURITY COORDINATING CENTRE (NCSC)

6.3.1 The NCSC shall be established by the JCPS cluster and will play an oversight and coordinating role in the operations of all Computer Security Incident Response Teams in SA.

The NCSC will provide guidelines and national standards on the
establishment of CSIRTs, with special focus on National Security matters.

The Department of State security, in consultation with other State Organs dealing with National security issues, shall be responsible for the establishment of the NCSC. This will include the development of relevant policies, standards, processes and procedures for information sharing and coordinated National security response on all national cyber security incidents.

The key focus areas for the NCSC will be the matters related to cyber warfare, cyber intelligence and Cybercrime, and will:

a) Act as single contact on cybersecurity matters pertinent to national security, national defence, national intelligence and cybercrime;
b) Coordinate cybersecurity incident response activities regarding national intelligence, national defence and cybercrime;
c) Facilitate information sharing and technology exchange relevant to national security in cyberspace;
d) Establish and guide standards and best practices for South Africa;
e) Develop agreed measures to deal with cybersecurity matters impacting on national security;
f) Facilitate interaction both nationally and internationally, including through international memberships to organisations such as the Forum for Incident Response and Security Teams, and develop policy guidelines to inform such interaction;
- Facilitate the identification, protection and develop national standards on the protection and security of the National Critical Information infrastructure;
g) Assist with Corporate Security and Policy Risk Management and Compliance (GRC), Identity and Security Management, Security Information and Event Management (SIEM), Digital Forensics;
h) Develop response protocols responses to cybersecurity incidents and interaction with the various stakeholders such as the National CSIRTs and the cybersecurity fraternity in general;
i) Do regular assessment of National critical information infrastructures, including vulnerability assessments, threat
and risk assessment and penetration testing;
j) Conduct cybersecurity audits, assessments and readiness exercises, and advise on the development of a national response plan; and
k) Perform any other function consistent with the policy objectives set out herein.

6.3.5 The Department of Communications, in consultation with relevant ICT industry bodies and the general public, shall initiate, establish and develop operational processes and procedures for Sector CSIRTs in the Republic in accordance with the national guidelines and standards set out by the NCSC.

6.3.6 In establishing these, the shall set out the role and functions of each Sector CSIRTs, including ensuring that the CSIRTs in SA:

a) Disseminate relevant information to NCSC or other sector where necessary;
b) Act as a single point of contact for that specific sector on Cybersecurity matters;
c) Create and maintain situational awareness concerning the risk environment of South African cyberspace;
d) Initiate national cybersecurity awareness campaigns;
e) Establish information sharing processes with the NCSC as part of the broader SA National Cybersecurity coordination;
f) Facilitate information and technology sharing within that sector;
g) Conduct Cybersecurity audits, assessments and readiness exercises for the sector;
h) Develop agreed measures to deal with Cybersecurity matters impacting on the sector.

The SSA shall, in consultation with encourage and facilitate the establishment of regional and continental and provide advice on best practice guidance on NET security for Government, business and civil society.

7 NATIONAL CRITICAL INFORMATION INFRASTRUCTURE (CII) PROTECTION

7.1 This policy framework recognises the need to provide mechanism to ensure that South Africa's critical information infrastructure is protected and secured against cyber related crimes. It is also noted that a more secured critical information infrastructure will also help to achieve the
continued provision of essential services and support national security, economic prosperity and social wellbeing of the Republic.

The policy framework recognises that a significant proportion of SA's critical information infrastructure (CII) is privately owned or operated on a commercial basis. The NCPF therefore seeks to ensure that appropriate are taken to ascertain that all National Critical Information Infrastructure (NCII) are identified and properly protected from a variety of

For continued availability of the critical information infrastructure, the for the development of a National Critical Information Infrastructure (NCII) Strategy that will address the identification and protection of NCII by:

a) Developing National Critical Information Infrastructure regulations, inter alia:
   i) Information Security Policy and Procedures
   ii) Party Access to NCII
   iii) to authentication on NCII
   iv) Storage and archiving of critical databases
   v) Incident management and business continuity
   vi) Physical and technical protection of all NCII
b) Facilitate an effective business-government partnership relating to the implementation of the CII Protection Plan. To this end the private sector, state owned enterprises and other government agencies and institutions such as the State Information Technology Agency (SITA) will play a critical role in ensuring the implementation of NCII protection plan.

8

8.1 There are an ever-increasing numbers of devices, software and users requiring secure communications and the geographic spread of locations of these devices. This policy framework provides for the regulation of given the critical role it plays in ensuring improved secure communications.

8.2 The NCPF notes that various attempts at regulating as a way of developing a coherent and integrated approach to this matter. These strategies are found in various laws such as:

- National Conventional Arms Control Act (Act 41 of 2002)
- Electronic Communications and Transactions
Act 25 of 2002
- Electronic Communications Security Act (Act 68 of 2002)
- Regulation of Interception of Communications and Provision of Communications Related Information Act (Act 70 of 2002)
- State Information Technology Agency Act (Act 88 of 1998)
- Conventional Arms Control Regulations R7969 of 2004 regulations R 8418 of 2006

8.3 Taking the above-mentioned legislation there is a need to:
(a) Review the existing legislation and regulations thereof; and
(b) Develop an integrated regulatory framework for in the Republic.

9 E-IDENTITY MANAGEMENT IN CYBERSPACE

9.1 The ECT Act provides for the establishment of the South African Accreditation Authority to facilitate the accreditation and regulation of authentication services and products. It further provides for the advanced electronic signature, facilitating the recognition of electronic documents as legal and binding.

9.2 To this end the South African Post Office, which in terms of the ECT Act was identified as a preferred service provider for advanced electronic signatures, has developed Public Key Infrastructure (PKI) to support advanced electronic signature e-identity.

The Department of Public Service and Administration, pursuant to its mandate in e-Government, has developed a PKI Strategy.

The Department of Communications has, pursuant to its mandate, established the South African Accreditation Authority to accredit and regulate authentication services and products.

The NCPF seeks to address the an integrated National E-identity and strategy. Such a strategy and implementation thereof will be critical in providing, inter alia, e-government services as well as to ensure security, confidentiality and integrity. Uptake and usage of e-identity in e-government services will stimulate other sectors as well.

The issue of identity management in cyberspace is central to building confidence and trust in the secure use of ICTs. The NCPF acknowledges that the transmission of information over the Internet
for trading and communication purposes presents new and sophisticated threats for both the senders and recipients of information. Therefore, to ensure online transaction security, the NCPF provides for the development of a holistic national E-Identity and PKI strategy. The strategy will, amongst others, address:
(a) Authentication and securing of the identities of the parties to an e-transaction;
(b) Confidentiality: ensuring information is kept private;
(c) Integrity: ensuring the information or process has not been modified or corrupted;
(d) Non-repudiation: ensuring neither party can refute that the transaction occurred (the transaction is binding).

The structure and regulatory framework for E-Identity and

10 PROMOTE AND STRENGTHEN LOCAL AND INTERNATIONAL COOPERATION

10.1 In terms of this policy framework, the National CSIRT will foster cooperation and coordination between the public sector, private sector and civil society.

10.2 Local cooperation

10.2.1 The goal for the Government-Industry Collaboration is, among others, to develop government-industry collaboration and to use industry perspectives, equities and knowledge to enhance Cybersecurity. The Government-Industry Collaboration is based on the understanding that Cybersecurity is everyone's responsibility and there is a need to leverage on the Industry knowledge as they are in the business of developing ways and means to combat cybercrime. The NCPF provides to the establishment Collaboration with local stakeholder and this collaboration following aspects:
(a) Inclusion of the industry an enabling environment for a successful partnership;
(b) Encouraging private groups to address common security interests and collaborate with government, including encouraging cooperation among groups from interdependent industries;
(c) Bringing private sector and government together in trusted forums;
(d) Creating a common understanding of the threats and vulnerabilities that the country faces.

10.3 International
Cooperation

10.3.1 The Internet, as a form of media, can in essence not be regulated in total by an authority or government. Given the borderless nature of the Internet and the challenges it poses in terms of jurisdiction, it is important that countries learn and collaborate with each other in order to combat cyber crimes.

10.3.2 Therefore international collaboration is critical in securing cyberspaces nationally and globally. Recognising the need for global collaboration on matters regarding cybersecurity, South Africa shall collaborate with relevant and appropriate international organisations and governments, subject to the Constitution, national security imperatives, foreign policy and existing international agreements. To this end South Africa:
(a) Participate in regional, African Union and international fora on matters pertinent to cybersecurity in order to ensure advance Africa's views in the definition and elaboration of the global cybersecurity agenda in combating cybercrime and building confidence and trust in the secure use
(b) Forge bilateral and multilateral partnerships in our national interest through various instruments, inter alia, Memorandum of Understanding, Convention, Treaty;
(c) Affiliate to relevant international organisations in order to promote a coordinated global response to threats and vulnerabilities and to keep of developments in the Cybersecurity front.

11 CAPACITY DEVELOPMENT, RESEARCH AND DEVELOPMENT

11.1 The dynamic nature of cybersecurity challenges necessitates the continuous development of capabilities and requisite skills.

11.2 The therefore promotes the:
(a) Development of capacity building strategies to address South Africa's specific skills requirements to meet the ever increasing challenges of addressing cybersecurity threats;
(b) Development of recruitment and retention strategies aimed at ensuring a sufficient level of technical expertise is developed and maintained within
the Republic; and
(c) Development of Cybersecurity research and development agenda and enhance Cybersecurity research within South African Universities, industry and the Department of Science and Technology.

12 PROMOTION OF A CULTURE OF

12.1 To effectively deal with that civil society, government and the private sector play their part in ensuring South Africa has a culture of Cybersecurity. Critical to this is the development of a culture of Cybersecurity in which role-players understand the risks of surfing in cyberspace. To culture of Cybersecurity the NCPF provides for, inter alia:
- Implementing cybersecurity awareness programs for private sector, public sector and civil society users;
- Encouraging business to develop a culture for Cybersecurity;
- Supporting outreach to civil society, children and individual users;
- Promoting a comprehensive national awareness program and guidelines;
- Reviewing and updating existing privacy regime;
- Develop awareness of cyber risks and available solutions; and
- Continuously review cyber applications and the impact from a Cybersecurity perspective;
- Complement the culture of Cybersecurity with online support mechanisms.

13 TECHNICAL AND OPERATIONAL STANDARDS COMPLIANCE

13.1 The also promotes:
(a) The recognition of and compliance with appropriate international and local technical and operational cybersecurity standards. The Minister of Communications shall enforce compliance with such standards where appropriate and in consultation with the National Cybersecurity Advisory Council;
(b) The continuous monitoring, review and assessment of regulatory frameworks that support cybersecurity;
(c) The development and/or adoption of standards by the South African Bureau of Standards in consultation with relevant Government Departments and industry. This will ensure a safe and secure cyberspace environment will growth of e-commerce and an inclusive information society.

14 ROLES AND RESPONSIBILITIES OF RELEVANT ORGANS OF STATE

14.1 This policy
recognizes that there are a number of Organs of State that play a critical role in the implementation of cybersecurity measures, and for effective of this policy framework the roles of some of the main relevant organs of State are set out below. Inclusive of the various roles and responsibilities set out, all other governmental priorities, such as the protection of vulnerable groups, promotion of job creation and general protection of Constitutional values and principles, are endorsed and should be promoted in the development of implementation plans and activities. Liaison with other clusters, such as the economic cluster, will be essential in the development of the various implementation plans guided by the NCPF.

(a) The Department of Justice and Constitutional Development and the National Prosecuting Authority (NPA) have an overall responsibility for facilitating cybercrime prosecution and court processes in accordance with the applicable laws, including ensuring all relevant laws are aligned to this policy in order to create a coherent and integrated cybercrime prosecution approach in the Republic. This would require initiation of processes to effect necessary amendments to relevant legislation in order to make cybercrime or related crimes punishable in law.

(b) The State Security Agency (SSA) has overall for coordination, accountability and implementation of cybersecurity measures in the Republic as an integral part of its National Security mandate. This will include aspects of developing and implementing regulations, collecting intelligence both locally and internationally, conducting necessary Cybersecurity investigations and reporting on South Africa's Cybersecurity situation.

(c) The South African Police Service, in terms of this NCPF, is responsible for prevention, investigation and combating cybercrime in the Republic, which includes development of cybercrime policies and strategies, provides for specialized investigative capacity and interaction with
national and international stakeholders. Development of the anti-cybercrime policy and implementation plans should include operational such as those identified by the European Commission pertaining to the fight against child sexual physical abuse material on the Internet, actions to counter massive attacks against information systems such as denial-of-service attacks, such as those affecting the banking sector, and actions combating identity fraud. It should also promote the development of cross-border law enforcement cooperation, public-private cooperation to fight cybercrime, in particular between law enforcement authorities and private companies, and promote enhanced international cooperation to fight cybercrime by taking part in various international initiatives such as the UN High Level Expert Group on Cybersecurity and the International Telecommunication Union.

(d) The Department of Communications (DoC) has the responsibility for:
    (i) Developing and implementing policies, regulations and industry standards. Provide strategic direction and coordination on local and international Cybersecurity matters pursuant to building an information economy and building confidence and trust in the secure use of ICTs;
    (ii) Establishing the National Cybersecurity Advisory Council (NCAC) whose role will be to advise the Minister of Communications on policy and technical issues and other matters pertinent to
    (iii) Establishing the National CSIRT.

(e) The Department of Defence and has overall responsibility for coordination, accountability and implementation of cyber defense measures in the Republic as an integral part of its National defence mandate. To this end the Department will develop policies and strategies pursuant to its core mandate.

(f) The Department of Science and Technology (DST) has the responsibility for the development, coordination and implementation of national capacity development program. Furthermore, the Department shall be responsible for developing and
facilitating the implementation of a national cybersecurity research and development agenda for South Africa.

Other Organs of State are required to align their policies and with this NCPF.

15 CONCLUSION

15.1 It is envisaged that the NCPF, when implemented, will achieve the following benefits:
- A safer and more secure cyberspace that underpins national security priorities;
- The establishment of institutional structures to support a coordinated approach to addressing cybersecurity;
- The identification and protection of critical information infrastructure;
- A secure e-environment that stimulates economic and competitiveness of South Africa;
- Promotion of a national research and development agenda relating to cybersecurity;
- The effective prevention, combating and prosecution of cybercrime;
- The enhanced management of

ANNEXURE

A SYNOPSIS OF NATIONAL CYBERSECURITY IMPLEMENTATION SCHEDULE

ACTIVITY | LEAD DEPT | PROPOSED TIME FRAME
COORDINATION OF IMPLEMENTATION PLAN | JCPS CLUSTER OUTPUT 8 IMPLEMENTATION DELIVERY FORUM | Approval of NCPF and ESTABLISHMENT thereafter Implementation Plan within 6 months
CYBERCRIME STRATEGY AND IMPLEMENTATION | SAPS | By end March 2012
LEGISLATIVE REVIEW | DOJCD | By end March 2012
STRATEGY AND REGULATIONS | SSA | By end March 2012
NCII STRATEGY AND REGULATIONS | | By end March 2012
IDENTITY MANAGEMENT STRATEGY | | By end March 2012
NATIONAL CSIRT ESTABLISHMENT | DOC | By end March 2012
GOVERNMENT CSIRT | SSA | By end March 2012
SECTOR CSIRT ESTABLISHMENT | DOC | By end March 2012
SKILLS DEVELOPMENT | Science and Technology, Education, DPSA | By end March 2012
TECHNICAL STANDARDS | DOC / ICASA | By end March 2012
RESEARCH AND DEVELOPMENT AGENDA | DST | end March 2012
AWARENESS-RAISING | DOC | end March 2012

B REFERENCE MATERIAL

In developing the National Cybersecurity Policy Framework for South Africa, the following cybersecurity policies, strategies, guidelines and research material was taken into account and was central in the development of this submission:
- SA's draft Cybersecurity Policy, February 2010, Government Gazette no 32963 of 2010
- International Telecommunications Union (ITU) Cybersecurity Guidelines for Developing Nations, 2008
- Australian Government Cybersecurity Policy, June 2010
- Cybersecurity Strategy, Australia
- Japan's Cybersecurity Strategy, February 2011
- National Security Vision, Malaysia, 2009
- Malaysia's National Cybersecurity Policy, 2009
- Comprehensive National Cybersecurity and Policy Considerations, John Rollins and Anna Henning, March 2010
- Cybersecurity Strategy of the United 20009
- Rockefeller Snowe Cybersecurity iilcall, March 2010

References to the various sources were necessitated by the need to determine the approaches jurisdictions in dealing with this ever changing security challenge. It is clear from the reference material referred to above that the technological developments have however exposed communication systems and networks globally to a growing number and wider variety of threats and vulnerabilities.