Gov’t fine-tunes tough new cybersecurity law
Otlarongwa Kgweetsi - Mbongeni Mguni | Tuesday June 4, 2024 13:47
For an extended period of time, the Ministry of Communications, Knowledge and Technology and its various departments and parastatals have been engaging extensively with the industry, as part of development of the Cybersecurity Bill. The Attorney General is set to soon begin work on panel-beating the proposed legislation, preparing it for tabling in Parliament.
According to a circulating rough draft, the proposed law is designed to plug gaps in the Cybercrimes Act of 2018, by including strong sections on the protection of key sectors such as electricity and water, amongst others. The proposed legislation also envisages stiff financial and prison terms for cybercriminals, including those who ply their “trade” on social media.
According to the draft seen by Mmegi this week, cyber-extortionists, or those who use the internet to demand money or other goods from their victims as well as those using fake profiles, including using these profiles to harm others online, face stiff penalties amounting to hundreds of thousands of pula and/or jail terms for several years.
The proposed legislation is particularly tough on online identity and its abuse.
“A person who, knowingly without lawful excuse by using a computer system, transfers, possesses, or uses, a means of identification of another person, commits an offence and is liable, on conviction, to a fine not exceeding P500,000 or to imprisonment for a term not exceeding 10 years, or to both,” the rough draft reads.
Those who create fake profiles to cause harm face fines not exceeding P50,000 and jail terms no exceeding 20 years.
The proposed law introduces tighter cybersecurity protocols across the economy, through the identification of Critical National Information Infrastructure (CNII). This includes infrastructure and systems that are “essential for the maintenance of vital societal functions, including public health and safety, national security, economic stability, international stability, and the social well-being of people”.
Emmanuel Thekiso, the head of the country’s Computer Security Incident Response Team (CSIRT), this week told Mmegi the proposed legislation was key to boosting national cyber protection.
“It will be dealing with critical information entities like Ministry of Water Affairs, hospitals, power and others, because currently there is no law that forces them to adhere to cybersecurity,” he said. “This law will compel them to report to us. “It also includes the establishment of a national cybersecurity agency, mandatory reporting of data breaches and stringent penalties for cybercrimes.”
According to the rough draft of the proposed legislation, anyone who interferes with the full functioning of a CNII will be liable to a fine of between P500,000 and P5 million and/or a prison term of between 20 and 30 years. In the case of corporations, these will receive fines not exceeding 35% of their gross turnover for the previous year.
Finalisation of the proposed law comes as the country witnesses an uptick in cyber-related attacks and incidents, including data breaches, financial fraud, and ransomware attacks.
The incidents have not only resulted in financial losses but also threatened national security and eroded public trust in digital services. The growing dependency on digital platforms for commerce, communication, and government services has further highlighted the urgent need for robust cybersecurity measures.
Last year, the Botswana Energy Regulatory Authority and the Local Enterprise Authority were subjected to phishing attacks in the same week in which cyber criminals sent fraudulent, but genuine-looking communications purporting to come from the two parastatals. More recently, the MVA Fund was a target of a cyber-attack.
An Interpol report last year found that Botswana was third most targetted country for ransomware, attracting six percent of Africa’s attacks in 2022. Local experts said part of the challenge is that while Internet connection and usage has exploded across the country, this has been accompanied by lenient legal penalties and low awareness on sophisticated cybercrime.
Experts say these incidents have not only resulted in financial losses but also threatened national security and eroded public trust in digital services. The growing dependency on digital platforms for commerce, communication, and government services has further highlighted the urgent need for robust cybersecurity measures.
Thekiso said the proposed legislation law would also compel companies to assess the cyber risks of their organisations and act accordingly.
“Individuals dealing with cybersecurity for businesses (third parties) will be required to register first and have a licence before they can start operating because you never know who your hacker is. “In addition, there are no standards covering cybersecurity nationally and so the new law is proposing to have those standards governed through the Botswana Bureau of Standards,” he added.
Under the proposed law, a National Cybersecurity Commission would be set up with nine members selected by the Minister of Communications, Knowledge and Technology.
“As we embrace the digital age, it is crucial that we have robust mechanisms in place to protect our digital infrastructure and ensure the safety of our citizens online,” said Thekiso. “This legislation will provide the necessary tools and frameworks to combat cyber threats and foster a secure digital environment.”