IDSI

A Review of South Africa’s National Cybersecurity Policy Framework: Progress and Challenges After Nearly a Decade

by Given SHINGANGE

INTRODUCTION

South Africa’s cybersecurity landscape has been marred by a series of high-profile cyber-attacks and data breaches in recent years, underscoring the urgent need for robust cybersecurity measures. In June 2024, the National Health Laboratory Service (NHLS) was hit by a devastating ransomware attack that disrupted critical health services and compromised the data of millions of public health patients[1]. Just a month later, Sibanye-Stillwater[2], a leading multinational mining and metals processing group, suffered a cyber-attack that affected its global IT systems, highlighting the vulnerabilities within the private sector[3]. These incidents, among many others, reveal a troubling trend. South Africa’s cybersecurity defences are inadequate, leaving both public and private sectors vulnerable to increasingly sophisticated cyber threats. It is important to note that these are just some of the incidents that are in the public eye as reported in the media.

Private Sector Data Breaches

OrganizationDateImpactCauseConviction/Outcome
Experian South AfricaAugust 2020[4] & Nov 2023[5]24 million South Africans, 800,000 businessesFraudster masqueraded as clientSuspected fraudster arrested
ViewFines[6]May 20181 million personal recordsServer maintenance errorNo known convictions
Master Deeds (Jigsaw Holdings)[7]October 201760 million unique recordsData exposed on public serverNo known convictions
Life Healthcare GroupJune 2020[8]Admissions, processing systems, email serversCyber-attackNo known convictions
TransnetJuly 2021[9]IT systems crippled; operations impactedRansomware attackNo known convictions
Dis-ChemMay 2022[10]3.6 million personal recordsCyber-attackNo known convictions
Sibanye StillwaterJuly 2024[11]Employee and contractor dataCyber-attackNo known convictions
TransUnionMarch 2022[12], November 2023[13]54 million personal recordsRansomware attackNo known convictions

Government Sector Data Breaches

OrganizationDateImpactCauseConviction/Outcome
SA Department of Justice and Constitutional DevelopmentSeptember 2021[14], Mat 2024[15]1,200+ confidential filesRansomware attackNo known convictions
City Power (Johannesburg)July 2019[16]Power supplies disruptedRansomware incidentNo known convictions
South African National Defence Force (SANDF)August 2023[17]Potentially massive data breachClaimed by Snatch threat group[18]No known convictions
Government Employees Pension Fund (GEPF)July 2023, March 2024[19]668GB of data leakedRansomware attackNo known convictions

As South Africa approaches the 10-year anniversary of its National Cybersecurity Policy Framework (NCPF)[20] in 2025, it is crucial to assess the progress made and challenges faced in implementing this critical policy. This review examines the NCPF’s objectives, achievements, shortcomings, and the role of the Cybersecurity Response Committee (CRC), while also considering the evolving cyber threat landscape and the need for urgent action from policymakers.

Background and Objectives of the NCPF

The NCPF was approved by the South African Cabinet in 2012[21] and officially published by the Minister of State Security in December 2015. This marked the formal adoption of a national cybersecurity policy framework aimed at addressing the identified challenges and achieving the outlined objectives.

The State Security Agency [22](SSA) was designated[23] with overall responsibility and accountability for the coordination, development, and implementation of cybersecurity measures in the country. This centralized approach was intended to streamline efforts and ensure effective management of cybersecurity initiatives.

The comprehensive policy document was aimed at addressing the growing threats in cyberspace[24]. The key objectives of the NCPF include:

The NCPF was implemented to address the growing cyber threats, regulatory and institutional gaps, and the need for a coordinated national approach to cybersecurity. The NCPF was designed to provide a framework for South Africa to respond effectively to cyber-attacks and build a robust national cybersecurity posture. However, a decade later, the implementation of this policy has fallen short of expectations, leaving the country vulnerable to increasingly sophisticated cyber threats. It is still debatable if whether had the NCPF been fully implemented, would that have made the country safer. This question is important because the assumption that the only problem with the country’s cybersecurity status should be attributed to the implementation of NCPF may be incorrect. However, this review focuses on the implementation of the NCPF as is.

LIMITED PROGRESS AND PERSISTENT CHALLENGES

Despite the NCPF’s ambitious goals, progress in implementing its provisions has been slow and inconsistent. It is difficult to really gauge the progress as there is not much out there that tells us how far the implementation has been. Several key areas of concern include:

  1. Lack of a National Cybersecurity Strategy

One of the most glaring omissions is the absence of a comprehensive national cybersecurity strategy, which should have been developed based on the NCPF’s guidelines[25]. This absence leaves South Africa without a clear roadmap for addressing cyber threats at a national level.

A national[26] cybersecurity strategy is crucial for safeguarding a country’s national interests, including its economic stability, national security, and public safety. By implementing robust cybersecurity measures, a country can protect critical infrastructure, sensitive data, and financial systems from cyber threats, thereby fostering a secure environment for economic growth and innovation.

This strategy not only mitigates risks but also enhances public trust and international cooperation. In South Africa, the commitment to cybersecurity aligns with the Medium-Term Strategic Framework (MTSF)[27] goal that “all people are and feel safe,” ensuring a resilient and secure digital landscape for all citizens.

The failure to identify and protect national critical information infrastructure remains a significant vulnerability. Without a clear understanding of which systems and networks are most crucial to national security and economic stability, it becomes challenging to allocate resources effectively for their protection[28].

South Africa faces significant challenges due to inadequate Critical Infrastructure Protection, particularly concerning its National Critical Information Infrastructure (NCII). As defined in the National Cybersecurity Policy Framework (NCPF), NCII encompasses all ICT systems, data systems, databases, networks, and related assets fundamental to the effective operation of the Republic[29].

The country struggles with protecting these vital systems from cyber threats, physical attacks, and infrastructure[30] failures[31]. This vulnerability exposes South Africa to risks of service disruptions, economic losses, and national security breaches[32]. The lack of a comprehensive, risk-based approach to NCII protection, coupled with insufficient resources and coordination among stakeholders, hinders the country’s ability to safeguard its critical infrastructure effectively[33] [34].

The private sector operates with limited oversight due to the absence of cybersecurity laws and regulations. This regulatory vacuum creates inconsistencies in cybersecurity practices across industries and potentially exposes critical sectors to increased risk[35].

The absence of comprehensive cybersecurity laws and regulations in South Africa creates significant vulnerabilities in the private sector’s digital infrastructure. Without proper oversight, companies are left to self-regulate their cybersecurity practices, leading to inconsistent standards across industries.

This regulatory vacuum not only allows some businesses to underinvest in cybersecurity measures, potentially exposing critical sectors to increased risk of cyberattacks. It also creates an environment where unscrupulous entities may exploit the situation. They could offer subpar cybersecurity services or products, taking advantage of the limited accountability and further exacerbating the cybersecurity challenges we face.

Additionally, the absence of clear guidelines makes it challenging for well-intentioned companies to benchmark their security practices effectively. This regulatory gap not only heightens the risk of successful cyberattacks but also hampers South Africa’s ability to build a resilient digital economy[36] [37].

Despite the NCPF’s emphasis on capacity building, South Africa continues to face a severe shortage of cybersecurity professionals. This skills gap hampers the country’s ability to defend against and respond to cyber threats effectively[38].

The global cybersecurity skills shortage exacerbates this issue, with an estimated worldwide shortfall of 3.5 million professionals by 2025[39]. In South Africa, 40% of companies struggle to recruit and retain cybersecurity talent, while 64% agree that the shortage creates additional cyber risks[40]. This scarcity of skilled professionals leaves South African organizations vulnerable to attacks, with 86% experiencing multiple breaches partially attributed to a lack of cybersecurity skills.

The shortage also impacts the country’s ability to implement and maintain robust security measures across its digital infrastructure. As cyber threats continue to evolve, particularly with the advent of AI-powered attacks, closing the skills gap becomes crucial for South Africa’s organizational and national security[41].

The centralized coordination of cybersecurity activities, as envisioned by the NCPF, has not been fully realized. This lack of coordination leads to fragmented efforts and inefficient use of resources in combating cyber threats[42].Several factors contribute to this implementation gap.

Firstly, the designation of the State Security Agency (SSA) as the lead department for NCPF implementation has raised concerns among private sector stakeholders. The SSA’s primary focus on national security and intelligence gathering may not align well with the broader cybersecurity needs of businesses and civil society[43] [44].

This misalignment has led to a trust deficit between the public and private sectors, hindering effective collaboration. Additionally, the complex coordination mechanisms outlined in the NCPF, involving multiple government departments and agencies, have proven difficult to manage effectively[45]. Interministerial rivalries and the historical challenges of cross-departmental cooperation in South Africa further complicate this issue.

The lack of transparency in some cybersecurity activities, often shrouded in unnecessary secrecy, has also impeded meaningful private sector engagement. Moreover, resource constraints and skills shortages within government agencies, particularly in the SSA, have limited their capacity to drive and coordinate national cybersecurity efforts effectively[46]. The private sector, which owns and operates much of the country’s critical information infrastructure, has expressed frustration at the slow pace of implementation and the perceived lack ofpractical guidance from the government[47]. Thesechallenges collectively undermine the NCPF’s goal of fostering a cohesive, multi-stakeholder approach to cybersecurity in South Africa.

THE ROLE OF THE CYBERSECURITY RESPONSE COMMITTEE (CRC)

The Cybersecurity Response Committee (CRC) was established as a key component of the NCPF to oversee and coordinate national cybersecurity efforts. According to the NCPF, the CRC’s responsibilities include:

However, the effectiveness of the CRC in fulfilling these roles has been limited. The committee has struggled to assert its authority and drive meaningful progress in national cybersecurity initiatives. This underperformance can be attributed to numerous factors, including resource constraints, lack of clear mandate enforcement, and insufficient engagement with relevant stakeholders[48].

Evolving Cyber Threat Landscape

Since the NCPF’s approval in 2015, the global cyber threat landscape has evolved significantly. South Africa has witnessed a dramatic increase in cyber-attacks, particularly in the wake of the COVID-19 pandemic. Some notable trends include:

Critical Infrastructure Attacks: High-profile cyber-attacks on critical infrastructure, such as the 2021 incident affecting Transnet (a state-owned transportation company), have highlighted the vulnerability of essential services.

CONCLUSION

As South Africa faces an increasingly complex and dangerous cyber threat landscape, the shortcomings of the NCPF implementation over the past decade have left the country vulnerable. The approaching 10th anniversary of the framework’s approval should catalyse urgent action from policymakers.

Rather than celebrating progress, this milestone should prompt a critical reassessment of South Africa’s cybersecurity posture and a renewed commitment to implementing effective measures.

The country must do away with a piecemeal approach to cybersecurity, relying on outdated frameworks and unimplemented policies.

Policymakers must prioritise cybersecurity as a matter of national security and economic stability. This requires updating the NCPF to address current threats and ensuring its full implementation through adequate funding, clear accountability measures, and strong political will.

South Africa can significantly enhance its cybersecurity posture by establishing a dedicated national cybersecurity agency and adopting a more structured and collaborative approach.

By taking decisive action now, South Africa can bridge the gap between policy and practice, building a resilient cybersecurity ecosystem that protects its citizens, businesses, and critical infrastructure from ever-evolving cyber threats. The time for complacency has long passed – the next decade must be one of concrete action and measurable progress in South Africa’s cybersecurity journey.

RECOMMENDATIONS

  1. Establish a Dedicated National Cybersecurity Agency

Create an independent national cybersecurity agency with a clear mandate to oversee all aspects of cybersecurity. This agency should have the authority and resources to coordinate efforts across public and private sectors, fostering better collaboration and trust.

Prioritize the development and implementation of a robust national cybersecurity strategy. This strategy should align with the NCPF’s objectives and be adaptive to address both current and emerging cyber threats. It should include clear goals, timelines, and performance indicators.

Conduct a thorough assessment to identify national critical information infrastructure. Develop and implement specific protection measures for these assets to ensure their resilience against cyber threats.

Strengthen the existing regulatory framework by developing and enforcing comprehensive cybersecurity regulations. These regulations should provide clear guidelines for both public and private sector organizations, ensuring a consistent and unified approach to cybersecurity across all industries.

Allocate significant resources to cybersecurity education and training programs. This investment is crucial to address the current skills shortage and to build a capable workforce that can effectively defend against sophisticated cyber threats.

Empower the Cybersecurity Response Committee (CRC) or establish a new coordinating body with the necessary authority and resources. This body should be responsible for overseeing national cybersecurity efforts, ensuring a coordinated and proactive approach to threat management.

Actively engage in international cybersecurity initiatives and partnerships. Sharing best practices, intelligence, and resources with global partners is essential for combating cyber threats that transcend national borders.

Implement a mechanism for the regular review and update of the NCPF. This will ensure that the framework remains relevant and effective in addressing the evolving landscape of cyber threats.


[1] https://therecord.media/south-africa-national-health-laboratory-service-ransomware-recovery

[2] https://mybroadband.co.za/news/security/544063-south-african-mining-giant-hacked.html

[3] https://www.itweb.co.za/article/sibanye-stillwater-suffers-cyber-attack-on-global-it-systems/LPp6VMrB2BLMDKQz

[4] https://www.infosecurity-magazine.com/news/experian-data-breach-24-million/

[5] https://www.businesslive.co.za/bd/national/2023-11-23-hackers-demand-60m-from-transunion-and-experian-claiming-data-theft/

[6] https://www.citizen.co.za/news/massive-data-leak-affects-nearly-one-million-south-africans/

[7] https://mybroadband.co.za/news/security/234790-massive-south-african-data-leak-now-over-75-million-records-at-risk.html

[8] https://www.reuters.com/article/technology/south-africas-life-healthcare-hit-by-cyber-attack-idUSKBN23G0MY/

[9] https://www.silicon.co.uk/security/cyberwar/transnet-ransomware-attack-408791

[10] https://www.itweb.co.za/article/over-36m-records-exposed-in-dis-chem-cyber-attack/PmxVE7KEABOqQY85

[11] https://www.moneyweb.co.za/news/tech/sibanye-stillwater-hit-by-global-cyber-attack/#:~:text=Multi%2Dnational%20mining%20group%20Sibanye,became%20aware%20of%20the%20incident.

[12] https://businesstech.co.za/news/cloud-hosting/569658/transunion-cyber-attack-hackers-demand-r225-million-ransom/

[13] https://www.itweb.co.za/article/hackers-demand-r11bn-ransom-from-transunion-experian/DZQ58MV8ymzvzXy2

[14] https://www.news24.com/news24/southafrica/news/justice-departments-it-system-brought-down-in-ransomware-attack-20210909

[15] https://www.itweb.co.za/article/justice-department-suffers-another-cyber-attack/rW1xLv5nJkx7Rk6m

[16] https://www.securitymagazine.com/articles/90618-city-power-hit-by-ransomware-attack

[17] https://www.dailymaverick.co.za/article/2023-09-06-snatched-sandf-data-leaked-in-cyberattack-appears-to-be-authentic-say-cybersecurity-analysts/

[18] https://krebsonsecurity.com/2023/09/a-closer-look-at-the-snatch-data-ransom-group/

[19] https://www.dailymaverick.co.za/article/2023-09-06-snatched-sandf-data-leaked-in-cyberattack-appears-to-be-authentic-say-cybersecurity-analysts/

[20] https://www.gov.za/sites/default/files/gcis_document/201512/39475gon609.pdf

[21] https://carnegieendowment.org/research/2024/01/south-africas-cyber-strategy-under-ramaphosa-limited-progress-low-priority?center=global&lang=en

[22] https://carnegieendowment.org/research/2024/01/south-africas-cyber-strategy-under-ramaphosa-limited-progress-low-priority?center=global&lang=en

[23] 16.2 of the NCPF states the “The Ministry of State Security and the State Security Agency (SSA) has overall responsibility and accountability for coordination, development, and implementation of Cybersecurity measures in the Republic as an integral part of its National Security mandate. 16.5 that deals with the responsibility of the Department of Defence and Military Veterans states that “The Department of Defence and Military Veterans (DOD&MV) has overall responsibility for coordination, accountability and implementation of cyber defence measures in the Republic as an integral part of its National defence mandate. To this end, the Department will develop policies and strategies pursuant to its core mandate” https://www.gov.za/sites/default/files/gcis_document/201512/39475gon609.pdf

[24] https://www.gov.za/sites/default/files/gcis_document/201512/39475gon609.pdf

[25] https://www.gov.za/documents/national-cybersecurity-policy-framework-4-dec-2015-0000

[26] https://www.itu.int/en/ITU-D/Cybersecurity/Documents/National_Strategies_Repository/approved%20botswana-national-cybersecurity-strategy.pdf

[27] https://www.gov.za/speeches/justice-crime-prevention-and-security-clusters-media-briefing-statement-13-dec-2015-0000

[28] https://www.coe.int/en/web/octopus/-/south-africa

[29] https://www.itu.int/en/ITU-T/Workshops-and-Seminars/cybersecurity/Documents/PPT/S4P1_Pillay_KiruV2%20.pdf

[30] https://issafrica.org/iss-today/critical-infrastructure-attacks-why-south-africa-should-worry

[31] https://www.moonstone.co.za/critical-infrastructure-blackouts-are-sa-corporates-biggest-worry/

[32] https://researchspace.csir.co.za/dspace/bitstream/handle/10204/12557/RS_26178_Systemic%20approaches%20to%20critical%20infrastructure%20risk%20and%20security%20capabilities%20Nov%202022.pdf?isAllowed=y&sequence=1

[33] http://www.scielo.org.za/scielo.php?pid=S1727-37812013000100015&script=sci_arttext

[34] https://theconversation.com/south-africa-needs-stronger-security-in-place-to-stop-the-sabotage-of-its-power-supply-187889

[35] https://scielo.org.za/scielo.php?pid=S2077-72132021000200003&script=sci_arttext

[36] https://www.michalsons.com/focus-areas/information-technology-law/information-security-law/cybersecurity-bill-in-south-africa-overview

[37] https://www.fanews.co.za/article/technology/41/general/1204/south-africa-needs-to-become-more-stringent-with-its-cyber-security-enforcement/39366

[38] https://carnegieendowment.org/research/2024/01/south-africas-cyber-strategy-under-ramaphosa-limited-progress-low-priority?center=global&lang=en

[39] https://www.techtarget.com/searchsecurity/tip/Cybersecurity-skills-gap-Why-it-exists-and-how-to-address-it

[40] https://www.itweb.co.za/article/south-africa-under-pressure-to-fill-cyber-security-skills-gap/DZQ587V8bjrqzXy2

[41] https://cybermagazine.com/articles/fortinet-cyber-survey-shows-global-scope-of-skills-gap

[42] https://www.researchgate.net/figure/National-cybersecurity-governance-structure-in-South-Africa_fig1_348114418

[43] https://www.jstor.org/stable/27199954

[44] https://scielo.org.za/scielo.php?pid=S2077-72132017000100005&script=sci_arttext

[45] https://scielo.org.za/scielo.php?pid=S2077-72132017000100005&script=sci_arttext

[46] https://carnegieendowment.org/research/2024/01/south-africas-cyber-strategy-under-ramaphosa-limited-progress-low-priority?center=global&lang=en

[47] https://www.coe.int/en/web/octopus/-/south-africa

[48] https://www.oliverwyman.com/our-expertise/insights/2023/aug/south-africa-protect-cyber-infrastructure.html

[49] https://bizmag.co.za/sas-cybercrime-trends-to-watch-in-2024/

Come dinnertime, the intimate group of guests was first ushered into the foyer for a staircase performance in which Broadway actors and dancers personified Davenport’s star ingredients.

Capes came to town several years ago and then dwindled away again, but if you loved the look you’re in luck as it’s back for autumn. Female empowerment has been at the forefront of people’s thoughts, the news and social media, especially with more and more discussions about closing the gender pay gap happening throughout the world. Seen at the likes of Erdem, Missoni and Isabel Marant, it’s going to be a key piece to own.

Exclusive Daily Sale

What was really interesting about fashion at that time was the way rock ’n’ roll heroes like Jimmy Page, Marc Bolan and David Bowie blended the genders so beautifully. It’s really relevant today. So in those days, the guys were all wearing their girlfriends’ clothes and digging through their wardrobes wearing their flares and their scarves and their blouses.

What you can buy

& Other Stories 

Flowy Wrap Midi Dress (£69)

So when I look at my fashion icons from the ’60s and ’70s, they’re all men, but it’s the idea of women who are dressing like those men who are wearing their girlfriends’ clothes

Treat the idea like a game.

Fans were delighted by the funny video, with one writing: “This is priceless,” while another added: “She is the best!” However, one fan was quick to point out an inconsistency with the series, as Monica and Chandler had in fact moved out of that apartment by the series finale, and wrote: “That’s not your home anymore, you moved with Chandler.”

Although there doesn’t seem to be much hope of a Friends reunion episode any time soon, the creator of Friends recently opened up about what the characters would be up to these days, and revealed whether he thought Ross and Rachel’s relationship would last the test of time.

Mining diamonds has a host of possible negative side effects, including displacing the land, wasting water, polluting the air and having an effect on the living conditions of the local communities, as well as being linked to the funding of war. Laboratory-grown diamonds, however, have a far more ethical and sustainable footprint.

Girls on the vacation

We have collated five of the best brands that use only lab-grown diamonds, so the next time you are treating yourself or someone else to something sparkly, you can be sure that your conscious is clean.

If you talk about it, it’s a Dream, if you Envision it, it’s a Possible, but if you are Schedule it, it’s Real.

Tony Robbins

Spring is finally here—even though it doesn’t really feel like it, with temperatures hovering at just about freezing for much of the country. But, if the power of positive thinking works for mastering the problems of everyday living, who says the power of positive decorating can’t do the same?

She’s also sporting a khaki puffer jacket from The Arrivals–”It’s peak street style chic 101″–to stay cozy in the harsh New York City winter. Her gold-toned, cat-eyed sunglasses are from Jimmy Choo and she picked up her Jenny Bird hoop earrings from Intermix.

  1. “I was talking to the designer behind Seville Michelle, and I told her [that] her chokers are amazing, and she literally gave me this off her neck. I’ve worn it religiously ever since,” says Lenise of her two-tone necklace.Related StoryHandbags Are Getting Smaller and Smaller
  2. For Christmas, Lenise’s husband gifted her a green suede mini bag from Jacquemus. “When he got it in the mail, he was going to send it back because he didn’t realize it was supposed to be this tiny,” Lenise says with a smile. She appreciates that she can rock the bag as a crossbody, fanny pack style across her waist, or carry it as a handle bag.

Characters

Although there doesn’t seem to be much hope of a Friends reunion episode any time soon, the creator of Friends recently opened up about what the characters would be up to these days, and revealed whether he thought Ross and Rachel’s relationship would last the test of time.

Everything you Need to Know

Spring your mind forward with a lilac flower-inspired pot or, if real flowers are more your thing, a barely-there vase lets nature take center

Thankfully, we have an insider who gave us some valuable tips on how to shop it expertly so you can get there first (and find the pieces you’ve been eyeing up all season).

First up, you need to know that Zara’s sales start online at 10 p.m. the day before the in-store sale begins. Right now, there isn’t a sale on the site, but that only means you have loads of time to prep before the big mid-season sale.stage.

Read more

Exit mobile version