Cyber Warfare Policy: Department of Defence briefing

Meeting report

The Chairperson introduced a new committee member, Mr Tseko Mafanya. He said there is harmony in this Committee and he wanted it to remain the same. He invited the Department to make its presentation.

Cyber Warfare Policy Framework: Department of Defence (DOD) briefing
Maj Gen B Ngcobo, DOD Chief Director Collection: Defence Intelligence Division, presented on the cyber policy framework which gives the origin towards developing a cyber-defence strategy within DOD. Members will recall that on 07 March 2012, Cabinet approved the national cyber security policy framework which stipulated under cyber warfare that to protect its interests in the event of a cyber-war, a cyber-defence capacity has to be built. This framework promotes a cyber-defence strategy be developed that is guided by the justice, crime prevention and cyber-security response committee. This committee already exists and is chaired by the State Security Agency.

Section 16(5) states that the DOD and Military Veterans has the overall responsibility for coordination, accountability and implementation of cyber-defence matters in RSA as an integral part of its national defence mandate. To this end, the Department will develop policies and strategies pursuant to its core mandate. The national cyber security strategy envisages achieving the following deliverables;
- More secure and safer cyber space
- Establishment of institutional structures
- To support a coordinated approach
- Identification and safeguarding critical national infrastructures
- Establishment of institutional structures
- Support e-environment that stimulates economic growth and competitiveness
- Promotion of national research and development
- Effective prevention and combating of cybercrime.

As for where South Africa is placed with the top countries of the world in terms of cyber security. China has about 90 000 known or declared cyber security operators. This followed by Israel and North Korea with 15 000 each. In the African continent, Rwanda has 1 800 declared cyber security operators and South Africa for now has only trained 100 operatives. Even this small trained number is not at the ideal tier seven level that  South Africa wishes to be at.

In terms of the strategy, DOD adopted the vision that cyber command should develop a globally competitive cyber defence capability that serves as a strategic reserve for the commander in chief of SA National Defence Force (SANDF).

Discussion
Gen B Holomisa (UDM) said he foresees problems if clarity is not obtained from the Minister and Cabinet as to why the Defence Force is excluded from the Cybercrimes Bill. If there is a court challenge and it is found that your back is not covered and happens to be illegal, the Department will be in a serious problem. Is there collaboration between other countries to train members of the team? If yes, has this country been screened so that they do not in future turn against the country and use the information provided to them to destabilise SA? Since being involved in this exercise, have you come across people within the defence establishment such as Denel who may be involved in economic espionage or in selling our intellectual property rights legally to other countries?

Mr S Marais (DA) thanked the Department for the presentation and asked when last they presented to this Committee because he cannot recall ever receiving a presentation from DOD on cyber security. Section 200 of the Constitution places a special imperative on the Defence Force's role in protecting the safety and security of SA citizens. In the current environment in which you operate, there is a concept and message mentioned in the last page of the presentation which is force multiplier. We are all aware of the budget deficiencies and the inability to properly protect SA’s land maritime borders. The Committee’s view is that cyber security can be a huge force multiplier for both land and sea borders. In terms of our current capabilities, to what extent has that been looked at to the extent that, prior to any external attack, that they are found and fished out? Cyber security can be used as an early warning alarm to notify the authorities before any harm befalls us. On the cyber defence indaba mentioned in the presentation, what is the present status of that? What has it contributed to strengthen our cyber security? From the presentation one can deduce that the cyber security structure proposed has not been approved – so where do we stand on that? We have a military academy in Saldanha and they have a cyber-security department. They were not mentioned in the presentation so is there any cooperation between yourselves and that institution?

Ms A Beukes (ANC) said looking at what the cyber security plan intends to achieve since its approval in 2018, what has really happened? Was this plan presented to DOD and what is its stance? What will this plan cost? What is the right tier needed to protect SA? Looking at your indicators, what is your awareness programmes plan? How do you intend to popularise this concept? With the suggestions of developing and training for SANDF members, how do you plan to identify, screen and vet those who will go for this training? You intend to go from good to great in the hierarchy of achievements; what is the time frame for getting there?

Mr T Mmutle (ANC) asked where the team intends to see itself in terms of the pyramid presented in its capability to mitigate against the threats mentioned. When do they hope to have the ability to be at the top? When do you intend to implement the strategies mentioned? Can the Committee get a brief progress made towards attaining the goals, if at all? For the skills needed, what is your recruitment strategy to attract the necessary skills? Are you applying the same recruitment strategy taken by the US by employing a 12 year old that broke into the FBI server? If this happens here, will you turn such a threat into an opportunity? Do you collaborate with universities and research institutes that specialise in cyber security? What is the cost and severity of the damage that was suffered by Armscor in the cyber-attack it faced recently? Are the weaknesses you uncovered at Armscor addressed and now protected? How do we know that this will not re-occur in future? What plans do you have in augmenting the capability of the fifteen units we have at the border line? Are there plans to protect areas not covered by these fifteen units with drones?

The Chairperson reminded members that the Cybercrimes Bill was passed by the National Assembly in November 2018 and then referred to the NCOP but lapsed at the end of the Fifth Parliament. It was revived and is now with the Security and Justice Select Committee in the NCOP.

Response
Maj Gen Ngcobo replied that they will follow up on the Cybersecurity Bill and promised that they will fight to ensure that clause 53 on Cyber Response Committee is restored to the Bill. There is collaboration going on with other countries especially Cuba for training. The rationale for choosing Cuba is not only because of the assistance the country rendered to the liberation struggle but it goes beyond that. The approach that Cuba takes plays a part too. Here is a country with minimal resources but it is able to protect itself though we should also not be fooled that they are completely effective in protecting themselves because they have a low level of connectivity which as well reduces its vulnerability. SA as matter of fact has a lesson to learn from them should our economy not perform so well. In terms of screening, no specific screening is being undertaken at the moment but guided by our own analysis that at least Cuba has no hegemonic ambitions but we would watch out if they change their stance.

Maj Gen Ngcobo replied that we believe economic espionage exists in SA even though we are unable to pinpoint individuals at this time. We believe as well that to a great extent, it is more negligence and lack of awareness that enables cyber activists to attack our systems rather than a case of SA citizens collaborating with external actors. Last year when Denel was attacked and information was retrieved from them, Defence Intelligence was able to detect that cyber mercenaries had been procured by an Arab state and that something was going to happen even though we did not know exactly where and what it was going to be. An advert was detected on the dark web where millions of dollars were promised to anyone who could do something for them in South Africa. We were unable to prevent this mainly because of our limited capability.

Maj Gen Ngcobo replied that this is the very first time DOD has presented to this Committee on matters of cyber security but it has presented to the Joint Standing Committee in 2018. The Department perceives cyber security and technology as a force multiplier both for defence and economic purposes hence it is referred to as a strategic reserve for the Commander in Chief. We are in the business of developing capacity that could be used for the benefit of the country. On the extent it could be used for border and maritime security, a limited operation centre has been developed within the Navy. As for border security management, a defence intelligence has been developed working together with the joint operations division which is aimed at looking at what sensor technology can be utilised.

Maj Gen Ngcobo replied that since the approval of the cyber strategy, the directorate within Defence Intelligence entrusted with establishing the cyber command is called Directorate of Cyber Operations.  The over 100 people spoken about are trained and developed by this directorate. It has not stopped and is largely involved in training the cyber command. A security operations has also been established that is located at the Armscor building. Another will be expended this year within the Air Force and Military. The tendency is that people feel cyber is not applicable to the military environment but the reality is that you can be killed while lying in hospital.

Mr Nhlanhla Mabaso, Armscor Executive Manager: Cyber Security, noted that the Cyber Security Committee chaired by SSA has also continued working on building on these capabilities. A number of task teams have been set up to integrate cyber security centres where the standard operating procedures have have been formalised. The national cyber security strategy is now at the consultation stage. The 2016 cyber-attack on Armscor used SQL vulnerability used for data management where suppliers submit their invoices. That hole was identified in 2008 and we were shocked that it was not fixed until 2016 when they were attacked.  We are not confident that we can deal with tier five and six attacks. Another way to recruit is to announce bounties whereby we invite people to breach our security and whoever succeeds will be paid a certain bounty. People who respond to those bounties then becomes a source of recruitment.

Maj Gen Ngcobo said that without necessarily bragging, he believes the DOD are playing a crucial role in the SSA and Mr Mabaso is there representative there. Most of the ideas adopted there are influenced by the DOD. On the minimum number that is needed to be at the right place, the Department has come to the conclusion that in the event that the economy does not allow further resources to be directed to the development of the cyber command, its structure shown in the pyramid amounts to 392 persons of high level grouping. The target is tier three right up to tier six. Tier one and two could be left to do networking.

In the case of Defence, there is also the structure called Command Management and Information Service (CMIS) that deals with network security as opposed to hardcode cyber. The cyber command will take responsibility at higher level/tiers of the pyramid. It is envisaged that the CMIS and cyber command will be integrated to the point that the CMIS will cease to exist.

Maj Gen Ngcobo referred to the timeframe to move from good to great and said this can be done within three years if resources are provided and support given. This does not mean we could be great globally but in relation to the continent at least. We could count countries like Rwanda, Egypt, Algeria as countries we could compete with. In terms of tier six and five threats, we could be able to mitigate against them if we work with other stakeholders. It is a matter of battle and wars. Battle are won by soldiers while wars are won by nations because wars require galvanising national resources. We want to see ourselves at level six of the pyramid because this is the level that states are crippled.

On the recruitment strategies, Maj Gen Ngcobo replied that cyber security as a concept requires a national mind-set. Government has to have a clear understanding of what it intends to achieve with cyber capability and so invest accordingly. As a result of limited resources, recruitment is within the Department of Defence itself. When CMIS is up and running, the staff there will be trained and utilised within the security environment. By national mind-set is meant, people who have committed cyber fraud, even though are criminals, they have the capability and should be utilised. Why can they not be given a task while in prison? This is the time to be a bit unconventional in our approach.

In a follow-up question, the Chairperson asked why academics were not being considered too for recruitment. These skills cannot be built only through the Defence Force alone.

Mr T Mafanya (EFF) read from his notes that the Council for Scientific and Industrial Research (CSIR) is promoting a wide array of cyber defence and security offerings including a network stimulators and cyber vulnerability detector. This means we have the people that have the talents we aspire to have. There is also a military institute in Saldanha and higher educational institutions that do the same things. The expectation was that the presentation would focus more on these places as places for recruitment. The worry is the duplication of services which will be a waste of resources.

Mr Marais said his worst fears have been confirmed in terms of force multipliers on our borders. What should be done is to identify with the limited resources we have and use our forces as a reactionary force. Cyber does not patrol but is monitoring the borders constantly 100% of the time. Sensors as mentioned could be old technology as we speak; instead we should focus on 4th and 5th generation technologies. The answer about international collaboration is more general. Seeing that we are not at tier 5-6 at the moment, to what extent are we collaborating with other nations towards helping us to deal with cyber threats?

Gen Holomisa said threat analysis to the country must be ascertained. Based on the presentation, Rwanda is far ahead of SA precisely because they are being trained by Israel. SA has been dubbed as a country that gives terrorists access to its passports. We have been classified as a threat due to this in some countries. Rwanda undermined the authority and integrity of this country as they had the guts to come here and assassinate one of their generals. If these people were to be empowered with this knowledge as a way of retaliation, they can still target some of our sensitive areas. We need to know where we stand so this can receive urgent attention of the President.  The behaviour of Rwanda does not give us comfort.

The Chairperson said that there is an obvious need for more resources to be dedicated to this programme. At the moment they are no way near to a level of respectability and this has to be urgently addressed. Stellenbosch University trains a lot of people in this field and they have just invited Committee members to a programme on one of their cyber presentations.

Maj Gen Ngcobo replied that a relationship exists between DOD and CSIR to the extent that Defence Intelligence has regular strategic meetings with it and the issue of cyber security has come up in this parley. There is also interactions ongoing with Armscor and its presence testifies to that. As country we need to have a clear policy to harness theses written in our universities gathering dust. There must be a whole lot of intellectual property sold abroad by SA citizens. Soon we will be buying technology from other countries that actually came from South Africans so we need to invest in our people.

The majority of the members agreed to attend the Stellenbosch University summit on cyber security.

The meeting was adjoined.