On 25 July 2019, one of the electricity distributors in Johannesburg, City Power Johannesburg, was hit by ransomware. According to the reports, the company’s website was affected and access to the website denied.

This meant that people were not able to access the website to purchase pre-paid electricity or log any complaints against City Power Johannesburg.

With President Cyril Ramaphosa’s determination to transform South Africa into a full digital society through the premise of the 4th Industrial Revolution and the development of smart cities, the question that everyone should be asking is whether South Africa has the right legal framework in place to deal with criminal elements of cyberattacks and cyberthreats on its planned smart cities.

What is a Smart City?

A smart city uses digital technologies to enhance performance and well-being, to reduce costs and resource consumption, and to engage more effectively and actively with citizens. It involves the use of smart energy, smart healthcare, smart transport and smart waste and water. A smart city can be defined as a city that uses Information and Communication Technology (ICT) as an enabler, to merge dimensions of smart utilities, smart mobility, smart economy, smart environment, smart education, smart people, smart living, smart health, smart planning and smart governance.

Amsterdam is one prominent example of a smart city which relies on smart energy like solar energy and a smart grid. A smart city enables its citizens, its resident businesses, its varied government and non-government stakeholders and itself to benefit from the effective use of technology.

Source: smartercommunities.media

Ubiquitous high-speed broadband connectivity is at the crux of a smart city as this connectivity will enable effective data collection and analytics, effective use of mobile technologies and provide the foundation to use available technologies to address the unique challenges faced by each city.

Smart cities heavily rely on the Internet in order to facilitate the delivery of services.

For a health care system to be considered as smart, there is the deployment of Artificial Intelligence (AI), the Internet of Things (IoTs) and the Internet of Everything, use of drones and telemedicine. The City of Johannesburg municipality has been striving to make Johannesburg a world class smart city. Some of the notable indications of a smart city in the City of Johannesburg are the efficient transport services provided by the Rea Vaya bus services as well as Gautrain and the provision of free access to the internet at various hotspots spread across the city.

Cybersecurity threats on smart cities

Where the Internet and computers are involved, issues of cybersecurity and cybercrime are unavoidable. In 2017, the Wannacry ransomware attack across Europe left different government departments including Britain’s National Health System (NHS) crippled. A few years back, Estonia was also subjected to a serious cyberattack which crippled the country for three days.  

The attack on City Power Johannesburg is just the tip of the cybersecurity iceberg.

Imagine what would happen if a cyberattack is launched on the national electricity grid?

How many businesses, hospitals, schools, universities, transport systems will be affected?  

Imagine what would happen if a cyberattack is launched against a government department?

Does South Africa have the right laws in place to deal with such an attack? Is South Africa’s cybersecurity systems cyber resilient to withstand such cyberattacks?

South Africa’s legislative framework

Adoption of smart cities and smart technologies is a welcome development in our economy.  However, South Africa’s legal framework on cybersecurity and cybercrime is still lagging behind.  Should there be a cyberattack on computer networks and computer systems which feeds smart cities, South Africa’s law enforcement might face challenges with bringing the actors to justice.  Currently, the South Africa's Electronic Communications and Transactions Act 25 of 2002 (ECT Act) is the piece of legislation which criminalises some forms of cybercrimes.

Smart cities heavily rely on the Internet in order to facilitate the delivery of services.

The ECT Act defines data as an electronic representation of information in any form. The ECT Act only criminalises the unlawful access, interference with or interception of data (sections 86 and 87). The limitation of the ECT Act to data means that cybercriminals who target the computer system or the computer network itself and not particularly the data contained by computer systems, will be able to walk scot-free.  Should South Africa’s smart cities be subjected to a cyberattack, such as the one that was launched on Estonia, South Africa may find it particularly difficult to rely on the ECT Act to prosecute the offenders on the grounds of cybercrime as the elements of the crime of hacking are not properly set out in the ECT Act. This calls for an urgent call to the President to sign the Cybercrimes Bill into law as it particularly sets out all the elements of different cybercrimes.

The Critical Infrastructure Protection Bill provides for certain infrastructure to be declared critical infrastructure if the functioning of that infrastructure is essential for the economy, national security, public safety and the continuous provision of basic public services.  Infrastructure may also be declared critical if the loss, damage, disruption or immobilisation of such infrastructure may severely prejudice the functioning or stability of the Republic, the public interest regarding the safety and the maintenance of law and national security.

In the case of smart cities, the computer systems and computer networks forming a smart electricity grid can be vulnerable to cyberattacks.  If a smart electricity grid is hacked, that can lead to severe consequences across different industry sectors.  As such a smart electricity grid is an example of infrastructure which should be declared as critical under the Critical Infrastructure Protection Bill.

Conclusion

Cyberattacks and cybercrime are on the rise in South Africa. The laws criminalising such conduct are lagging behind.

The law should play catch up and deal with the imminent threats of cybercrime and cyber-attacks. Without the proper legal rules in place, the dream of efficient smart cities will not be realised.

Share this article via: