Cybersecurity is a multifaceted concept and a multistakeholder challenge that requires enabling legislation to clarify roles and avoid duplication of resources, the Independent Communications Authority of South Africa (Icasa) has found.
There was also a need to collaborate with public- and private-sector organisations, with Icasa assuming different levels of responsibilities in those collaborations, the authority commented in its Findings Document and Position Paper, published in April, following an inquiry to define its role and responsibilities in the cybersecurity and cyberthreat regulatory environment.
With cybersecurity being increasingly recognised as a prominent information and communication technology- (ICT-) related issue, Icasa believes its policy advisory functions should increasingly be required to provide inputs on cybersecurity issues.
In January, Icasa initiated public hearings to discuss responses to a discussion document published in October to explore the evolving role of ICT regulators in the governance of cybersecurity in different countries, with the aim of deciding whether the authority should adopt similar roles, taking into account the confines of South African law.
Industry input at the time had suggested that the regulator’s resources would be best placed elsewhere, cautioning Icasa not to take on more significant roles in the realms of cybersecurity so as not to overwhelm its already strained resources, and that it should instead feed into the policies and legislative processes already under development.
Icasa received 13 written submissions in relation to the discussion document, with seven stakeholders opting to undertake oral submissions at the public hearings.
“The authority found that there are several legislative processes that are under way, such as the Cybercrime and Critical Infrastructure Bills, which relate to some aspects of cybersecurity and might affect how this is dealt with in future,” the authority noted in the findings document. “However, Icasa is of the view that there is a provision in the Electronic Communications Act (ECA) that is adequate and empowers the authority to play a role in the cybersecurity space even though it is only limited to network reliability and information security.” The findings document and position paper show conflicting views on Icasa’s role in cybersecurity and that the ECA does not provide Icasa with a sufficiently clear mandate on the regulation of cybersecurity. The authority found that, in addition to amending its existing regulations to include cybersecurity matters, it should be working in collaboration with other organisations that deal with cybersecurity so as not to duplicate their efforts. “The authority will be guided by the International Telecommunications Union and the country legislation around cybersecurity (when it has been finalised) to formulate a precise definition on cybersecurity,” it says. Further, Icasa aims to facilitate collaboration with the departments of Communication and Justice, as well as the industry, to identify the most suitable standards for South Africa. .