Addressing Cyber crime in South Africa – CyberBRICS fellowship

As the newest member of the Research ICT Africa team, I recently started a CyberBRICS fellowship which will soon take me to FGV Law Rio De Janeiro Law School, Brazil. During this RIA fellowship, I plan to start work on a three-part series of journal articles that theorise some of the ways that the South African Government can address cybercrime in South Africa. The project will follow on the research I will undertake during the CyberBRICS fellowship.

The series of papers elaborates on some of the themes and theories I discussed in my PhD thesis, as part of which I delved into the South African legislative responses to cybercrime through a critique of the South Africa Cybercrimes Bill. The Bill is currently awaiting debate in the National Council of Provinces (NCOP) and it may be a mere matter of months before it is signed into law. If it is, it will become South Africa’s first comprehensive piece of legislation dedicated to combatting cybercrime.

This series will be presented in three parts, each answering three central questions.

  1. Part one: Whose responsibility is it anyway?

The purpose of this first paper is to determine where the responsibility to protect citizens from cybercrime lies. Is it the sole responsibility of the Government, or do the private sector and civil society have a role to play? Given that cybercrime at the end of the day still represents a class of crime, it stands to reason that the responsibility should largely rest with the Government. This, however, also raises questions about whether governments can indeed be relied upon to exercise that responsibility without trampling on digital rights such as the right to privacy. How do we guard against those very real threats?

While this paper will explore those concerns from a South African perspective, there will also be merit in drawing some comparative lessons from other jurisdictions in the BRICS network.

  2. Part two: What is the designated point of contact?

The second paper will be dedicated to the discussion of the “Designated Point of Contact” (DPOC) as provided for in the South African Cybercrimes Bill, 2018. The Cybercrimes Bill envisages the DPOC as the office in charge of combating cybercrime in South Africa. According to the Cybercrimes Bill, the DPOC will be housed within the South African Police Service (SAPS) and should work in tandem with the National Prosecuting Authority (NPA) to ensure cybercrimes are properly prosecuted.

The paper will argue that because cybercrime is significantly complex, it may be necessary for the DPOC to be established (by the government) as an independent agency or as a state-owned enterprise that has the Government as the sole shareholder. These concepts will be elaborated upon in the paper.

The paper will also investigate the adoption of a “troika” approach, which involves giving the agency the powers to investigate, analyse and prosecute offences. This approach was favoured by the now disbanded Directorate of Special Offences, also known as the Scorpions. The creation of the DPOC as an independent agency with troika powers does not preclude it from working closely with SAPS and the NPA where there may be additional issues such as, for example, if a cybercriminal gang is also involved in money laundering. The benefit of having the DPOC as an independent agency is that its mandate will be clearly set out as being solely focused on combatting cybercrime.

  3. Part three: What is a Cyber-Capable Guardian?

The third and final part of the series will engage with the Routine Activities Theory (RAT) as formulated by Felson and Cohen in 1979. This theory was developed to determine the social and economic factors that exist to allow the successful commission of a crime. It proposes that in order to successfully commit a crime, there must be a convergence (in space and time) of a motivated offender, a suitable target and an absent capable guardian. This theory was presented to address ordinary offline crimes such as burglaries but, as I have argued elsewhere,[1] it can be extended to cater for cybercrimes.

The third essential element of the Routine Activities Theory, the capable guardian, will be the subject of this paper. I will argue that in order to combat cybercrime, it is necessary for the capable guardian to be a ‘something’ rather than a ‘someone’. The capable guardian should be something based on Artificial Intelligence and Machine Learning, and therefore I refer to it as the Cyber Capable Guardian. The Cyber Capable Guardian should be established by the DPOC and it should perform the specialised tasks of investigating and analysing data on cybercrime that a human being would be ill-equipped to handle.

Together, these three papers will contribute to the body of work that is already being done to combat the surge of cybercrime both in South Africa and the rest of the BRICS network. When viewed together, these papers will provide an overview of the challenges that present with cybercrime from both the philosophical and practical points of view.

[1] Mabunda, S. (2017) “Applying the Gordon & Ford categorisation and the routine activities theory to cybercrime: a suitable target”, IST-Africa Conference Proceedings, Windhoek, Namibia.