As the Independent Communications Authority of South Africa (Icasa) seeks to define its role and responsibilities in the cybersecurity and cyberthreat regulatory environment, industry input suggests that the regulator’s resources will be best placed elsewhere.

Icasa in January kicked off its public hearings to discuss responses to a discussion document published in October to explore the evolving role of information and communication technology (ICT) regulators in the governance of cybersecurity in different countries, with the aim of deciding whether the authority should adopt similar roles, taking into account the confines of South African law.

However, industry cautions Icasa not to take on more significant roles in the realms of cybersecurity so as not to overwhelm its already strained resources, and that it should rather feed into the policies and legislative processes already under development.

Icasa is considering adopting the roles and responsibilities of private-sector cooperation and industry regulation, capacity building, research and development, and the regulation of cybersecurity standards.

While the actual role Icasa can play will depend on a number of variables, including how cybersecurity and cyberthreats are perceived, the authority believes it is well positioned in terms of its mandate, resources and experience to deal with current and emerging cybersecurity challenges.

With cybersecurity being increasingly recognised as a prominent ICT-related issue, Icasa believes its policy advisory functions should increasingly be required to provide inputs on cybersecurity issues.

“The responsibility for ICT policymaking is delegated to the legislature and administered by the Parliament in South Africa. However, the authority can play a key role in policymaking by virtue of its familiarity with the sector that it regulates, the resources available to the regulator, and the processes and mechanisms that have been put in place to engage in consultations with industry stakeholders,” it notes.

Media Monitoring Africa (MMA), however, expresses concern over Icasa expanding its role into the realm of cybersecurity, given existing challenges and the level of regulatory uncertainty.

“There are currently a plethora of laws – or proposed laws – that seek to address different matters of cybersecurity. However, the different stages of finalisation and implementation of these laws has given rise to significant regulatory uncertainty,” it says in its submission.

“We note in this regard that the existing and proposed regulatory framework that currently exists does not appear to foreshadow a role for Icasa to play in the realm of cybersecurity. This is similarly true in respect of the National Cybersecurity Policy Framework published in the Government Gazette in December 2015,” MMA continues.

The company references proposed laws and amendments such as the Cybercrimes Bill, the Protection of Personal Information Bill, the Critical Infrastructure Protection Bill, the Protection of State Information Bill, and the Defence Amendment and the Films and Publications Amendment Bill.

However, there is no certainty when any of these will be finalised.

Further, South Africa’s position in respect of cybersecurity at regional and international level remains unclear, as South Africa has signed, but not ratified, the Convention on Cybercrime of the Council of Europe and has neither signed nor ratified the African Union Convention on Cyber Security and Personal Data Protection.

“Given the existing state of flux that the regulatory environment is currently in, and the high levels of regulatory uncertainty that persist in respect of cybersecurity, MMA would strongly caution against exacerbating this through the addition of further laws and policies in an effort to carve out a role for Icasa that does not presently exist,” MMA urges.

The Internet Service Provider Association (Ispa) adds that Icasa does not have a clear mandate with regard to cybersecurity, and says that the move to define cybersecurity roles is premature.

“Icasa should not be seeking to expand its mandate. In Ispa’s view, taking into consideration the pressing demands to which the authority is subject, it should not involve itself in a matter which is, at best, tangential to its mandate,” the association says.

MMA believes that the authority should foster its role as a facilitator of public- and private-sector engagement, raising consumer awareness and digital literacy, and protecting the rights of vulnerable users.

“Building awareness and capacity on ICT-related matters that include, but extend beyond cybersecurity, is an important and much-needed endeavour that Icasa may want to pursue further.”

The parties also strongly caution Icasa against expanding its mandate before addressing the current financial, technical and human resource constraints that it faces in fulfilling its existing mandate, particularly in light of a reduced budgetary allocation for the 2018/19 financial year.

The South African Communications Forum says Icasa is already resource constrained, financially and from a human resource perspective. “We further understand that Icasa’s budgetary allocation was reduced during the current financial year.”

Research ICT Africa suggests Icasa facilitate an empirical, independent and impartial cybersecurity maturity assessment to identify the stage of maturity across a number of indicators related to cybersecurity, such as cybersecurity policy and strategy; cyber- culture and society; cybersecurity education, training and skills; legal and regulatory frameworks; and standards, organisations and technologies.

The outcomes can inform the National Cybersecurity Strategy, which should be underpinned by a comprehensive cybercapacity-building programme to develop competences, resilience and trust in the Internet.