NATIONAL CYBERSECURITY POLICY FRAMEWORK (NCPF)

Dr Kiru Pillay

26 July 2016

Page 2

PRESENTATION OVERVIEW

1. BACKGROUND

2. PURPOSE OF THE NCPF

3. NCPF OBJECTIVES

4. BENEFITS OF THE NCPF

5. SA CYBERSECURITY CONCEPTUAL MODEL

6. PROGRESS TO DATE

Page 3

BACKGROUND

To set out an aligned and coherent approach to Cybersecurity, in March2012, the South African government approved the National CybersecurityPolicy Framework (NCPF).

The NCPF addresses:

Uncoordinated and silo approach to Cybersecurity;

Inadequate regulatory framework to support Cybersecurity;

Lack of general public awareness about Cybersecurity; and

Inadequate capacity, skills and resources.

It outlines broad policy guidelines on Cybersecurity in the Republic and requiresGovernment to develop detailed Cybersecurity policies and strategies.

Page 4

PURPOSE OF THE NCPF

To create a secure, dependable, reliable and trustworthy cyber space that facilitatesthe protection of National Critical Information Infrastructures (NCIIs).

To provide for:

Measures to address national security in terms of cyber space;

Measures to combat cyber warfare, cybercrime, cyber terrorism, cyber espionage and other cyber ills;

The development and review of existing laws to ensure alignment; and

Measures to build confidence and trust in the secure use of ICTs;

The NCPF is aligned to Outcome 3: “All People in South Africa Are and Feel Safe”,Output 7, which requires the development and implementation of a CybersecurityPolicy and the development of capacity to combat and investigate cybercrime.

Page 5

NCPF

a) To articulate

overall aim and

objectives of the South

African Government

b) To centralize

coordination of

Cybersecurity activities;

c) To foster cooperation and

coordination between

Government, the Private Sector

and Civil society

d) To promoteinternational cooperation

e) To develop requisite skills and

R&D capacity

f) Promote a culture of

Cybersecurity

g) Promote compliance

with appropriate

technical and operational

Cybersecurity standards

NCPF OBJECTIVES

Page 6

BENEFITS OF THE NCPF

The NCPF, when implemented will achieve the following:

A safer and more secure cyber space that underpins national security priorities;

The establishment of institutional structures to support a coordinated approach to addressing Cybersecurity;

The identification and protection of National Critical Information Infrastructure (NCII);

A secure e-environment that stimulates economic growth and competitiveness of South Africa;

Promotion of a national research and development agenda relating to Cybersecurity;

Effective prevention, combating and prosecution of cybercrime; and

Enhanced management of Cybersecurity.

Page 7

SA CYBERSECURITY CONCEPTUAL MODEL

CABINET

JCPS CLUSTER DGs FORUM

JCPS CYBERSECURITY RESPONSE

COMMITTEE (CRC)

(Chair: DG SSA)

CYBERSECURITY POLICY

DTPS

Deals with OoS issues

CYBERSECURITY CENTER

SSA

Deals with issues pertaining to NCII

SSA

GOVERNMENT CSIRTSECTOR CSIRTs

CYBERSECURITY HUB

Deals with Civil Society issues

Deals with Sector issues

NATIONAL CYBERSECURITY POLICY FRAMEWORK (NCPF)

Deals with cybercrime

SAPS

NATIONAL CYBERCRIME CENTER

Deals with Military issues

SANDF

CYBER COMMAND

R&D AgendaNCII Policy E-Identity Management StrategyCybercrime Policy Cyber Defence Strategy

Legend:Information flow

CYBERSECURITY LEGISLATION

Awareness Strategy

Page 8

ROLES AND RESPONSIBILITIES

Roles and Responsibilities of Government

• Government has an overall responsibility and accountability for coordination, development and implementation of Cybersecurity measures and to align ICT policies and practices with the Policy.

The Role and Responsibility of the Private Sector and Civil Society

• The Policy promotes cooperation between private sector and Government to address Cybersecurity threats.

• In line with this, the private sector is responsible for implementing minimum Cybersecurity measures as prescribed by Government from time to time.

• Similarly, each person has a responsibility to ensure that his or her electronic device is protected.

• Each person also has a responsibility to report Cybersecurity incidents to the police or the most accessible CSIRT.

Page 9

The NCPF promotes establishment of collaboration with local stakeholders focusing on:

Inclusion of the industry and creating an enabling environment for successful partnership;

Encouraging Private Sector to address common security interests;

Bringing private sector and Government together in trusted forums; and

Creating a common understanding of the threat and vulnerabilities that the country faces andresponses required.

In terms of the policy framework, the Cybersecurity Hub will foster cooperation andcoordination between the public sector, private sector and civil society.

COORDINATION AND COOPERATION

Page 10

NCPF promotes Public-Private-Civil Sector collaboration premised on the fact thatCybersecurity is everyone’s business.

The borderless nature of the cyber space and the challenges it poses in terms ofjurisdiction requires countries to cooperate in order to combat cybercrime.

There is a need for Regional, Continental and International cooperation on matterspertaining to Cybersecurity and cybercrime combating.

COORDINATION AND COOPERATION

PROGRESS TO DATE

Page 12

PROGRESS TO DATE

In line with the Cabinet approved National Cybersecurity Policy Framework (NCPF), theCybersecurity Response Committee (CRC) has finalized the development of the followingdraft policies, strategies and Bill:

• National Cybersecurity Policy (led by SSA);

• National Critical Information Infrastructure Policy (led by SSA);

• National Cybercrime Policy (led by SAPS);

• National Cybersecurity Awareness Strategy (led by DTPS);

• National Cyber Defence Strategy (led by SANDF);

• National Cybersecurity R&D Agenda

• E-Identity Strategy; and

• Cybersecurity and Cybercrimes Bill (led by DoJ&CD);

NATIONAL CYBERSECURITY POLICY

Page 14

NATIONAL CYBERSECURITY POLICY

The Cybersecurity Policy is an overarching policy which outlines Government’s position onCybersecurity matters and measures to be taken to secure the State’s critical informationinfrastructures, businesses and citizens alike.

In order to address cyber threats the Policy aims to:

• Centralise the coordination of Cybersecurity activities;

• Establish institutional Capacity;

• Foster cooperation and coordination between Government, the private sector and the general public, to address cyber threats;

• Promote international cooperation;

• Develop requisite skills, research and development capacity;

• Promote measures to secure National Critical Information Infrastructures (NCIIs) in the public and private spheres against cyber threats;

• Promote a culture of Cybersecurity; and

• Promote the development and implementation of legislation to effectively deal with cybercrime and improve Cybersecurity.

Page 15

POLICY OBJECTIVES

The policy is aimed at consolidating the policy statements and activities contained in theNCPF that are intended to:

• Build confidence and trust in the secure use of the ICT;

• Address national security threats in cyberspace;

• Build institutional and human capacity;

• Build R&D capacity; and

• Create a framework for public-private partnerships and international cooperation.

The measures outlined in the policy will enable South Africa to:

• Address threats to NCIIs and national security;

• Ensure LEAs are appropriately empowered to deal with cybercrime;

• Promote international cooperation;

• Promote public-private partnerships;

• Promote secure online services; and

• Raise general Cybersecurity awareness.

Page 16

GUIDING PRINCIPLES

The Policy is guided by the following key principles:

• All people in South Africa are and feel safe;

• An information society which promotes privacy, security, dignity, access to information and freedom of expression;

• A JCPS-led, coherent and integrated Cybersecurity approach for the Republic;

• Centralised coordination of Cybersecurity activities;

• Fostering of public-private partnerships in relation to Cybersecurity;

• Awareness of cyber threats and promotion of Cybersecurity;

• Regional and international cooperation on Cybersecurity matters ;and

• The revision and alignment of existing legislation.

NATIONAL CRITICAL INFORMATION INFRASTRUCTURE POLICY

Page 18

NATIONAL CRITICAL INFORMATION INFRASTRUCTURES (NCIIs)

The National Critical Information and Infrastructures Policy centralizescoordination of NCIIs identification and protection process.

The NCII Policy seeks to:

• Propose various approaches in the identification and protection process;

• Define the role of the State entities, private sector and citizenry in the NCIIPprocess;

• Create a framework for technical, regulatory and institutional capacitybuilding in the NCIIP process; and

• Propose a review and alignment of current measures with the NCPF.

Page 19

NCII POLICY OBJECTIVES

NCII Objectives are to:

• Centralize coordination of NCIIs identification and protection process;

• Enable the adoption of appropriate mechanisms to identify, protect andsecure SA’s NCII;

• Promote cooperation and define roles of the Public and Private sector in thisregard;

• Develop minimum security standards for NCIIs; and

• Provide for capacity building and awareness programs for NCII protection.

Page 20

PROPOSED NCII IDENTIFICATION CRITERIA

The NCII identification criteria is based on:

• CII/network/system is vital to national law and order, public health, socialservices, economic growth or environmental matters etc.;

• Unavailability/compromise of a CII will have a negative impact on criticalservices such as energy services, financial services, manufacturing services,transportation services, healthcare or social services or emergencyservices;

• Assessment of impact either as maximum, moderate or minimum severityin order to determine security required; and

• Determination of the time period in which an owner of a NCII is required tocomply with the security requirements for a CII.

Page 21

NCII IDENTIFICATION APPROACH

A Risk based NCII Identification approach will focus on:

• Sectors that provide the essential services such as ICT, Financial, Energy,

Transport, Emergency, Manufacturing, Agriculture, Social Services, etc.

• Organs of State (OoS);

• National Key Points (NKPs);

• A Risk Assessment Methodology to be applied to all the sectors; and

• Minister to declare CIIs identified as well as protection mechanism.

NATIONAL CYBERCRIME POLICY

Page 23

NATIONAL CYBERCRIME POLICY

The National Cybercrime Policy is based on various approaches, inclusive of:

• Effective law enforcement and criminal justice responses;

• Strong law enforcement response;

• Activities pertaining to the combating of cybercrime in relation to prevention and detection of cybercrime;

• Intelligence-led investigation through the establishment of specialized investigative capacities;

• Prosecution of cybercrime;

• Cross-cutting activities within Government and the various Clusters;

• A coordinated approach bringing together law enforcement, business and civil society in partnerships; and

• Interaction with international stakeholders and engagement with other countries and institutions.

• Establishment of the National Cybercrime Centre (NCC);

NATIONAL CYBERSECURITY AWARENESS STRATEGY

Page 25

NATIONAL CYBERSECURITY AWARENESS STRATEGY

The National Cybersecurity Awareness Strategy creates awareness amongst South African citizens regarding cyberspace;

The Objectives of the strategy are:

• To create awareness amongst South African citizens regarding cyberspace;

• To identify and inform citizens regarding cyber incidents in South Africa;

• To establish partnerships with the Private sector and Civil Society to share ideas on prevention

and mitigation of cyber incidents;

• To develop awareness mechanisms and interventions tailored to needs of specific sections of

the South African population; and

• To create institutional mechanisms.

NATIONAL CYBER DEFENCE STRATEGY

Page 27

NATIONAL CYBER DEFENCE STRATEGY

The Cyber defence strategy builds cyber defence capacity for the country.

The strategy’s main objective is to acquire the necessary cyber defence capacity through:

• The establishment of a cyber defence capability which will, among others, consist of:

− Cyber Command;

− Cyber Defence Operations Centres; and

− Cyber Defence Workforce;

• Conducting research and development; and

• Ensuring information security.

LEGISLATIVE REVIEW PROCESS

CYBERSECURITY AND CYBERCIMES BILL

Page 29

In line with the NCPF stipulation, the Department of Justice and ConstitutionalDevelopment, reviewed the current legal framework.

The outcome of the reviewing process is the proposed draft Cybersecurity andCybercrimes Bill.

The Bill aims to comprehensively address cybercrime and Cybersecurity in theRepublic.

LEGISLATIVE REVIEW PROCESS

-Secret-

Page 30

Chapter 1: Definitions

Chapter 2: Offences

Chapter 3: Jurisdiction

Chapter 4: Powers to Investigate

Chapter 5: 24/7 Point of Contact

Chapter 6: Structures to deal with Cybersecurity

Chapter 7: NCII Protection

Chapter 8: Evidence

Chapter 9: Obligations on ECSP’s

Chapter 10: Agreements with foreign States or territories

Chapter 11: General Provisions

OVERVIEW OF BILL

Page 31

THANK YOU