The draft of the Cybersecurity bill was finally gazetted – it’s one step closer to coming into law or (if parliamentarians aren’t happy with it) being rejected.
One of the more topical issues outlined in the bill is the fact that POTRAZ will become the “National Cyber Security Centre” if the bill is passed into law.
The Postal and Telecommunications Regulatory Authority established in terms of the Postal and Telecommunications Act [Chapter 12:05] is hereby designated as the Cyber Security Centre.
CYBER SECURITY AND DATA PROTECTION BILL, 2019
This new National Cyber Security Centre (NCSC) is mandated to carry out the following functions:
- advise & implement government policy on cybercrime and cybersecurity;
- identify areas for intervention to prevent cybercrime;
- coordinate cybersecurity and establish a national contact point available daily around-the-clock;
- establish and operate a protection-assured whistle-blower system that will enable members of the public to confidentially report to the Committee cases of alleged cybercrime;
- promote and coordinate activities focused on improving cybersecurity and preventing cybercrime by all interested parties in the public and private sectors;
- provide guidelines to public and private sector interested parties on matters relating to awareness, training, enhancement, investigation, prosecution and combating cybercrime and managing cybersecurity threats;
- oversee the enforcement of the Act to ensure that it is enforced reasonably and with due regard to fundamental human rights and freedoms;
- provide technical and policy advice to the Minister;
- advise the Minister on the establishment and development of comprehensive legal framework governing cybersecurity matters.
The biggest question mark I have is that of conflict of interest. The NCSC is under POTRAZ which is a government organisation. Will that hierarchy be allowed to “establish and operate a protection-assured whistle-blower system”?
Ok here’s a clearer way to think about it. The POTRAZ board is appointed by the government (usually the ICT Minister). So what happens when a whistleblower exposes the ICT Minister, the government or the President who appointed said Minister?
Will this whistle-blower system be allowed to carry out its mandate when a targeted Minister/President can simply appoint a new board that ensures the whistleblower is actually exposed instead of being protected? Separation of powers is important, and as long as it doesn’t exist the NCSC will be a facade.
Parts of the NCSC’s mandate aren’t clear. One example is “coordinate cybersecurity”. It’s vague and doesn’t clearly spell out what coordinating cybersecurity is. The clearer the mandate, the better the NCSC will be at doing its job and the easier it will be for taxpayers to hold it accountable.
Lastly, and this is less of a criticism and more of me thinking out loud – does POTRAZ already have the capacity to carry out what is being proposed here, or will that be built out once the law is put into place?