The Cybercrimes Act: A question of capacity


After some time the Cybercrimes Act was signed into law on the 01 June 2021 although it has not come into force yet. Members of the public often get confused about this and ask: 'How can it be an Act and not be in force?'. While it does not always happen, there is a modern trend to insert a section (in this case section 60) which allows the President of South Africa to announce a commencement date of the Cybercrimes Act in the Government Gazette. This is done for both convenience and for timing. Convenience in the sense that all that is needed is a small notice in the Government Gazette to implement the Act (as opposed to a vote on the Act in the National Assembly) and timing in the sense that the necessary parties (the South African Police Services (SAPS)) need let the president know that they have the procedures, personnel and systems to be ready to enforce the Cybercrime Act.

The recent riots in Kwazulu-Natal and Gauteng bring the question of capacity in SAPS into stark relief. In general the prosecution of Cybercrimes would require police officers who would have a tertiary qualification - preferably in computer science or forensics. Anecdotal evidence suggests that new SAPS recruits into the commercial crime / cybercrime section do not need any tertiary qualification. This is dramatically different from the type of qualifications you find in the private sector where digital forensic specialists often have multiple qualifications and considerable experience in the field. Put simply it is difficult to imagine how the commercial crime / cybercrime section of the SAPS will succeed without strong assistance from the private sector - the cybercrimes problem is just too complex. Unfortunately it is not as easy as the private sector being willing to provide the help - it is also up to the SAPS to accept the help and facilitate appropriate interaction with the private sector. 

The question of capacity not just a local South African problem, but also a problem for African countries. Many African countries are also in the process of implementing their own cybercrimes legislation (for example, consider the metrics that we used to evaluate Cybercrime legislation for the African Union eCommerce project on page 4 of this presentation) and struggling to increase their cybercrime capacity. 

While there are many strategies to increase cybercrime capacity, there is one that I would like to propose which would be along the lines of the Digital Security Challenge hosted by Interpol every year. This has a host of benefits including strengthening of public / private interaction and identifying upcoming talent which can be nurtured and mentored. This could be particularly valuable in that the talent comes to the SAPS rather than the SAPS having to find it. This model could also be enlarged so that African Union countries, rather than just South Africa, would be able to participate.

Cybercrime prevention is not just about having the legislation to prosecute it: that is just the first building block. Our Cybercrime Act will not properly get off the ground if the SAPS does not come up with innovative ways to make its cybercrime division an employer of choice and work together with the private sector to vastly ramp up its capacity. 

(Postscript: After this article was published I discovered Safehack 2021 which seems like a good initiative. Hopefully the SAPS will be paying attention).