On the Cover

He points out that it does not make sense for the SAPS to have all the expertise relating to cyber crime in-house. "No bank will allow external interference with their IT systems. He points out that it does not make sense for the S to have all the expertise relating to cyber crime in-house. "No bank will allow external interference with their IT systems. More importantly, no bank, or any business for that matter, can afford to shut down their systems for an hour, let along three of four days, in order for an investigation to take place."

He adds: "In any crime, cyber or other, we involve experts in specific fields to assist with our investigations. The Internet fraud matter in Cape Town, for example, was a joint venture between a bank, PricewaterhouseCoopers and the Commercial Crime Unit."

Cooperation, according to Meiring, is central to the public-private partnership between the SAPS and the banks, which are spearheading the conceptualisation and implementation of SA`s e-crime strategy.

He sees the development of the strategy as has having two distinct but integrated parts: "The first one relates to what and how the SAPS and the banks [and business in general] plan to be able to deal with incidents from a criminal investigation and prosecution perspective. The second one is the bigger picture, particularly the `CERT` model."

Susan Potgieter, GM of SABRIC`s commercial crime operations, who heads up the e-crime initiative on the banks` behalf, elaborates: "Short-term, we have identified three projects: online reporting, legislative shortfalls and capacity building. Stakeholders have been invited and are an integral part of each of the projects, with a project leader assigned from the various stakeholder groups to oversee and manage implementation."

An SA-cert

The CERT model is the long-term project, which will see SA getting its own real-time e-crime combating centre, based on the international Computer Emergency Response Team (CERT) model.

Says Meiring: "In order to combat e-crime effectively and efficiently, we need an effective network of private and public partnerships, which are centrally coordinated. This is what we envisage for an SA-CERT. A centre capable of facilitating expertise sharing and information exchange between all stakeholders - in the private and public sectors, law enforcers, and e-crime expert realm, on a national and international level."

This role, according to Ettienne Lambrechts, associate director: Forensic Services at PricewaterhouseCoopers, is currently handled on an ad hoc basis by the private sector as well as the SAPS and Scorpions. "Some entities would mandate a private entity, like PricewaterhouseCoopers Forensic Services, to perform an investigation, and some entities would report the matter to the SAPS or Scorpions."

Potgieter adds: "It is not just about investigation and prosecution. It is to provide a centre of excellence where any businessperson can call in should he or she have an IT-related threat, as well as to be kept abreast and advised on international developments pertaining to cyber crime. This is important, especially to provide expert guidance on tap to the smaller businesses that do not have access to the in-house expertise of large organisations."

The SA-CERT model will be similar to, for example, the US-CERT that was established in 2003 to protect the country`s Internet infrastructure - it coordinates all defence against and responses to cyber attacks at a national level.

Apart from analysing and reducing cyber threats and vulnerabilities, the SA-CERT would assume responsibility for disseminating cyber threat warning information and coordinating incident response activities countrywide.

Says Potgieter: "In the case of SA, it will also support and enhance SAPS`s e-crime combating capability, and support and coordinate e-crime combating relationships in SA and beyond our borders, as well as setting minimum e-crime industry norms and standards for e-crime professionals."

Potgieter does not see an SA CERT coming about soon. "The timeframe depends on a number of factors. We are preparing a business case, which we will have to present to the relevant authorities and stakeholders."

Web-based crime reporting

Meanwhile, stakeholders involved in Project Charlie have their hands full with short-term projects and deliverables, one of which is the online reporting project. Advocate Glynnis Breytenbach, deputy director of public prosecution at the National Prosecuting Authority`s (NPA) Specialised Commercial crime unit, heads up this project.

Says Breytenbach: "The business community perceives reporting of criminal activities to the police to be futile. We believe that by simplifying the reporting process, for example by doing it online, the actual process will no longer be a deterrent to reporting a crime."

She adds: "We envisage a central Web-based crime reporting centre providing a single point of entry, via phone, fax or Internet, to lodge a complaint concerning any frauds, traditional or Internet based, and have it directed quickly and efficiently to the respective law enforcement or investigative agency."

The project team has undertaken extensive research and assessed various internal best practice models. It has opted to put the Canadian model, Reporting Economic Crime Online (RECOL), forward for consideration by the SAPS and other stakeholders.

A feasibility project in Gauteng is already under way to test a system based on RECOL, initially only with the banks and the SAPS commercial branch participating. A costing model will be finalised by mid-August. "The immediate goal is to create a working model, demonstrate some success, and, commence expansion to include other partners as funding and commitment permits," says Breytenbach. If all goes well, she sees this happening by mid-2006.

Adds Meiring: "I believe all crime reporting in the future should be done online. Once the pilot is completed, the SAPS IT division will evaluate the model and, if viable and approved, we will definitely allocate the necessary funds to make it happen."

Building e-crime capacity

The second project focuses on investigation and prosecution capacity building.

"The intention is to ensure that, within the banking sector, SAPS and eventually business, there will be sufficient internal capacity to investigate crimes perpetrated through the use of an electronic device," says Potgieter. The project team is currently undertaking a capability and requirement assessment on SA`s e-crime combating capacity, in order to determine the ideal skills set.

"One of the e-crime strategy`s objectives is to ensure skills transfer between the private and public sector. Currently, most capacity exists within the private sector, not only locally but also abroad. While the SAPS and Scorpions also have capacity and are investing resources and money, they do not to handle all matters," observes Lambrechts.

The end goal of this project, according to Potgieter, is to establish a joint training programme with the SAPS, NPA, banks and other e-crime combating alliances that will enable stakeholders to, among others, keep abreast of e-crime modi operandi and combating methods, and to share experiences and knowledge. "The result will be effective mechanisms to minimise e-crime risk, effectively and efficiently resolve e-crime incidents and pool skilled resources," she enthuses.

An ongoing debate, Lambrechts notes, is whether or not an e-crime certification is needed and should become a prerequisite for public and private sector organisations.

He says: "Currently some of the investigators within the private sector have certification [for example EnCase], but as demand increases for skills, I am sure a course will be introduced. Through experience alone, there are obviously a number of very skilled investigators in SA."

According to Potgieter, if all goes according to plan, recommendations will be put forward by the end of the year.

The legal perspective

As with all things crime-related, legislation plays a crucial role. E-crime is no different, but the challenge is far bigger, as SABRIC, which addresses e-crime from an investigation and prosecution perspective, discovered.

"Almost without exception, when any commercial crime is investigated, some sort of device was used. We find that cellphones have become an instrument for perpetrating crimes. For example, when a criminal engages in `shoulder surfing` at an ATM, they will have a cellphone in their pocket and would use it to copy pin numbers," observes Potgieter.

This is why, according to Potgieter, the starting point in formulating an e-crime strategy for SA was to adopt a very broad definition of e-crime, namely "any crime committed using an electronic device or interface".

While cyber crime forms part of SA`s Electronic Communications and Transactions Act 25 of 2002, it also falls within the scope of Common Law offences like theft, fraud, and extortion.

The project team focusing on e-crime legislation aims to identify shortfalls between SA`s existing laws and international ones. It is using the Council of Europe`s Convention on Cybercrime, which was the first international treaty to combat crime in cyberspace, as the benchmark against which to compare SA legislation.

The Convention deals particularly with infringements of copyright, computer-related fraud, child pornography and violations of network . It also contains a series of powers and procedures, such as the search of computer networks and interception. Its main objective is to pursue a common criminal policy aimed at the protection of society against cyber crime, especially by adopting appropriate legislation and fostering international co-operation.

Says Potgieter: "Once legal loopholes and gaps have been identified and prioritised, recommendations will be put forward to stakeholders and then, of course, the lobbying process will have to start." She expects the recommendations to be ready by year-end.

A national priority

The end result could possibly see SA, at present only a signatory of the Convention on Cybercrime, also ratifying its status - in other words, for Parliament to adopt and ratify the EU legislation.

Given the growth in online scams and frauds, it is crucial that both the private and public sector embrace the proposed e-crime strategy as a national priority. The initiative taken by the SAPS and the banks has certainly set SA on the right path, but for the country to effectively combat cyber crime of any shape or form, it is crucial that more stakeholders become involved and actively participate.

Tags: On  The  Cover