
‘Cybersecurity law a step in the right direction’

David Moepeng
 

Mmegi: Your initial thoughts on the draft bill?

Moepeng: I have read the draft Bill and I must say it is a step in the right direction, except for a few amendments that are needed to enhance it as already expressed by industry practitioners at the recent Cybersecurity Workshop hosted by the Ministry of Communications, Knowledge and Technology.

With the ongoing digitalisation drive, access to the internet in Botswana has grown tremendously, and this means exposure to cyberattacks has also increased.

Increased exposure to cyberattacks, including organisations and enterprises of different forms, creates a need for a cybersecurity posture.

It is therefore only crucial that a law of this nature exists to ensure the development of an effective and well-coordinated cybersecurity industry, starting with regulatory, policy facilitation and practitioner operations. This is also to ensure adherence to high standards and best practice.

Mmegi: What areas of weakness in terms of cybersecurity would you say the country has?

Moepeng: The weaknesses that we have observed in Botswana’s cybersecurity posture are mainly in the area of awareness, starting right from the top to low levels of society. There is a significant lack of awareness of cyber vulnerabilities, risks and associated threats as well as about needed policies and interventions, whether at national level, organisational or community level. This is the case in both the public and private sector.

This lack of awareness therefore trickles down to user level, where as a result, attitudes and behaviors remain relatively ignorant and unchanged. It is for this reason that Cybersmart Botswana, in partnership with Core Knowledge, have introduced training courses on cybersecurity for Non-IT Professionals to equip people without an IT background with the understanding of cyber threats at all levels of society and the economy, so they can make informed decisions on needed safeguards. When a manager, leader or any individual at whatever level is informed, they are most likely to make appropriate strategic decisions about cybersecurity policies, strategies, practices and resources.

Mmegi: We’ve seen gov’t depts and parastatals frequently hit by attacks, especially on their social media. Is this a sign of weak cybersecurity protocols?

Moepeng: Most cyber-attacks occur due to user ignorance or error, often stemming from a lack of awareness training. Users who are not trained on phishing scams are less likely to act cautiously when encountering social engineering tricks used by scammers and hackers, potentially exposing an entire organization to an attack. Similarly, managers or leaders who are not informed about strategic cyber risk management are less likely to drive the development of cybersecurity policies or strategies for their organisation, or allocate resources to counter risks, including skills development. Social media accounts are frequently hacked through phishing attacks, granting access to third-party apps, and the use of weak passwords, among other methods. Therefore, individuals managing such accounts need to be educated on effective security measures.

Mmegi: From what you know about the proposed law, would you say it goes far enough?

Moepeng: The law is essentially designed to regulate cybersecurity as a profession and industry. In my view, it covers most of the basics needed to ensure ethical cybersecurity practices and capacity building at a national level. However, I believe our regulatory framework needs to extend to online safety regulation, following emerging trends around the world. We can regulate the domestic cybersecurity industry all we want, but if platform owners, especially international Big Tech companies, do not assume legal responsibility for preventing cyberattacks and online harms, our efforts are futile.

Countries such as South Africa, the UK, Australia, and the European Union have introduced what is termed platform accountability.

They demand safety by design from platform owners, placing the obligation to prevent cyberattacks and online harms primarily on the platform owners before the law and users themselves.

This approach aims to ensure the protection of users from attacks. Therefore, I recommend that we start looking at incorporating platform accountability into our laws.