The centrality of cybersecurity to socioeconomic development policy: A case study of cyber-vulnerability at South Africa’s Transnet

Authors

DOI:

https://doi.org/10.23962/ajic.i32.16949

Keywords:

cybersecurity, cyber-incidents, state-owned enterprises (SOEs), developmental state, IT networks, Transnet, South Africa

Abstract

Using South African state-owned enterprise (SOE) Transnet as a case study, this article explores the factors that influence the cybersecurity risks that are posed to infrastructure, with implications for markets and society, by advanced computational systems. We studied the legislation and corporate governance decisions leading up to the July 2021 breach of Transnet’s IT network, a high-profile event with potential cascading consequences. We also examined the evolution, since the country’s transition to democracy, of the South African government’s approach to fostering a developmental state. The findings illustrate that cybersecurity policy needs to be a core dimension of contemporary South African socioeconomic development policy, necessitating a central role for the developmental state in creating trusted marketplaces and procuring suitable security software systems. The findings also underscore the reality that a failure to act against increasing cyber-threats constitutes a substantial risk to the functioning of the South African market. Based on the findings, this article argues for a close examination of how the cybersecurity performance of South African SOEs can be improved. While focused on South Africa, the findings are relevant to other countries seeking to integrate robust cybersecurity measures into their national logistical and infrastructural sectors.

References

Adams, R., Pienaar, G., Olorunju, N., Gaffley, M., Gastrow, M., Thipanyane, T., ... Adams, F. (2021). Human rights and the fourth industrial revolution in South Africa. HSRC Press. https://doi.org/10.1515/9780796926173

African National Congress (ANC).(1994).The Reconstruction and Development Programme (RDP). https://www.sahistory.org.za/sites/default/files/the_reconstruction_and_development_programm_1994.pdf

African Union (AU). (2014). African Union Convention on Cyber Security and Personal Data Protection. https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection

Allen, K. (2021a, March 9). Critical infrastructure attacks: Why South Africa should worry. ISS Today. Institute for Security Studies. https://issafrica.org/iss-today/critical-infrastructure-attacks-why-south-africa-should-worry

Allen, K. (2021b, June 9). South Africa lays down the law on cybercrime: Despite major implementation challenges, the new legislation signals the country’s commitment to global cyber security. ISS Today. Institute for Security Studies. https://issafrica.org/iss-today/south-africa-lays-down-the-law-on-cybercrime

AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services [2021] ZACC 3 (Constitutional Court). https://www.saflii.org/za/cases/ZACC/2021/3.html

Auditor-General of South Africa. (2022). PFMA 2021–22: Consolidated general report on national and provincial audit outcomes. https://www.agsa.co.za/Reporting/PFMAReports/PFMA2021-22.aspx

Basson, D. J. (2017). Managing infrastructure risks in information communication technology outsourced projects: A case study at Transnet, South Africa [Master’s dissertation]. Cape Peninsula University of Technology, Cape Town.

BBC. (2019, July 26). Ransomware hits Johannesburg electricity supply. https://www.bbc.com/news/technology-49125853

Beach, D. (2017). Process tracing in the social sciences. In Oxford research encyclopedia of politics. https://doi.org/10.1093/acrefore/9780190228637.013.176

Booth, I. (2021, July 28). Transnet cyberattack could have catastrophic consequences. Investec Focus. https://www.investec.com/en_za/focus/economy/transnet-cyberattack-could-have-catastrophic-consequences.html

Botha, R. (2021, June 8). Understanding POPI and its impact on cybersecurity. Media Update. https://mediaupdate.co.za/marketing/150645/understanding-popi-and-its-impact-on-cybersecurity

Breckenridge, K. (2014). Biometric state: The global politics of identification and surveillance in South Africa, 1850 to present. Cambridge University Press. https://doi.org/10.1017/CBO9781139939546

Burbidge, M. (2022, November 28). Over a million user accounts “stolen” in South Africa. ITWeb. https://www.itweb.co.za/content/GxwQD71Da5ZvlPVo

BusinessTech. (2021, December 2). South Africa’s new cybercrime laws have been partially introduced – here’s what comes next. https://businesstech.co.za/news/technology/543432/south-africas-new-cybercrime-laws-have-been-partially-introduced-heres-what-comes-next

Chang, H. J. (2007). State-owned enterprise reform. UN Department of Economic and Social Affairs (UN DESA) Policy Notes. https://edisciplinas.usp.br/pluginfile.php/154675/mod_resource/content/1/ic-chang.pdf

Collier, D. (2011). Understanding process tracing. PS: Political Science & Politics, 44(4), 823– 830. https://doi.org/10.1017/S1049096511001429

Council of Europe. (2001). Budapest Convention on Cybercrime. https://www.coe.int/en/web/cybercrime/home

Crees, S. (2020). Artificial intelligence and the law. Routledge.

Cwele, S.(2014). Minister of Telecommunications and Postal Services budget speech. Briefing, 16 July. Parliamentary Monitoring Group. https://pmg.org.za/briefing/19078

Department of Finance.(1996). Growth, Employment and Redistribution: A Macroeconomic Strategy. https://www.treasury.gov.za/publications/other/gear/chapters.pdf

Department of Home Affairs. (2020). Draft Official Identity Management Policy (public consultation version). http://www.dha.gov.za/images/PDFs/Draft_Official_Identity_Management_Policy_-_Gazette_Version_of_22122020.pdf

Department of Public Enterprises (DPE). (2000). An Accelerated Agenda towards the Restructuring of State Owned Enterprises: Policy Framework. https://www.gov.za/sites/default/files/gcis_document/201409/acceleratedagendarestructuringsoe0.pdf

DPE. (2022). Annual report 2021/2022. https://dpe.gov.za/wp-content/uploads/2022/09/DPE-AR2022-d13.pdf

Erwin, A. (2004). Public Enterprises Dept Budget Vote 2004/2005, Ministry of Public Enterprises, 14 June. Parliamentary Monitoring Group. https://static.pmg.org.za/docs/2004/appendices/040609erwin.htm

European Investment Bank. (2022). European cybersecurity investment platform. https://www.eib.org/attachments/lucalli/20220206-european-cybersecurity-investment-platform-en.pdf

Evans, P. (1995). Embedded autonomy: States and industrial transformation. Princeton University Press. https://doi.org/10.1515/9781400821723

Fourie, D. (2022). The neoliberal influence on South Africa’s early democracy and its shortfalls in addressing economic inequality. Philosophy & Social Criticism. https://doi.org/10.1177/01914537221079674

Gall, G. (1997). Trade unions and the ANC in the “new” South Africa. Review of African Political Economy, 24(72), 203–218. https://doi.org/10.1080/03056249708704253

Ginindza, B. (2021, July 23). Transnet “cyber attack” causes logistics logjam from road to freight and ports. IOL. https://www.iol.co.za/business-report/economy/transnet-cyber-attack-causes-logistics-logjam-from-road-to-freight-and-ports-56f6bd97-c5ef-4d65-90d6-c41d0fe290e2

Global Freedom of Expression. (n.d.). Amabhungane Centre for Investigative Journalism v. Minister of Justice and Correctional Services. https://globalfreedomofexpression.columbia.edu/cases/amabhungane-centre-for-investigative-journalism-v-minister-of-justice-and-correctional-services

Govender, T. F. (2018). A critical analysis of the search and seizure of electronic evidence relating to the investigation of cybercrime in South Africa [LLM dissertation]. University of KwaZulu-Natal, Durban.

Government of South Africa. (n.d.). Smart identity document (ID) card roll-out. https://www.gov.za/about-government/government-programmes/smart-identity-document-id-card-roll-out

Gumede, W. (2009). Delivering the democratic developmental state in South Africa. Development Planning Division Working Paper Series No. 9. Development Bank of Southern Africa (DBSA).

Gumede, W. (2016). The political economy of state-owned enterprises restructuring in South Africa. Journal of Governance & Public Policy, 6(2), 69–97.

Hogan, B. (2009). Public Enterprises: Minister’s budget speech, 22 June. Parliamentary Monitoring Group. https://pmg.org.za/briefing/18715

Institute of Directors in Southern Africa (IoDSA), & King Committee on Corporate Governance. (2016). Report on corporate governance for South Africa 2016 (King IV). https://cdn.ymaws.com/www.iodsa.co.za/resource/collection/684B68A7-B768-465C-8214-E3A007F15A5A/IoDSA_King_IV_Report_-_WebVersion.pdf

Interpol. (2021). African cyberthreat assessment report. https://www.interpol.int/content/download/16759/file/AfricanCyberthreatAssessment_ENGLISH.pdf

Johnson, C. (1982). MITI and the Japanese miracle: The growth of industrial policy, 1925–1975. Stanford University Press. https://doi.org/10.1515/9780804765602

Khanyile, G. (2021, July 27). Significant progress made in restoring Transnet IT systems. IOL. https://www.iol.co.za/dailynews/news/significant-progress-made-in-restoring-transnet-it-systems-2b83efff-31e1-4378-92d6-6c30c336c539

Labuschagne, H. (2021, August 17). Transnet ransomware hackers did not get a single cent. MyBroadband. https://mybroadband.co.za/news/security/410058-transnet-ransomware-hackers-did-not-get-a-single-cent.html

Leftwich, A. (1996). On the primacy of politics in development. In A. Leftwich (Ed.), Democracy and development: Theory and practice. Polity Press.

Marks, S., & Rathbone, R. (Eds.). (1982). Industrialisation and social change in South Africa: African class formation, culture, and consciousness, 1870–1930. Longman.

Mayedwa, V. A. (2018). The role of the state-owned enterprises in the developmental state of South Africa: A case study of Transnet. http://vital.seals.ac.za:8080/vital/access/manager/Repository/vital:32028?site_name=GlobalView

Mazzucato, M. (2013). The entrepreneurial state: Debunking public vs. private sector myths. Anthem Press.

Minister of Justice and Correctional Services. (2017). Cybercrimes and Cybersecurity Bill, 21 February. https://www.gov.za/documents/cybercrimes-and-cybersecurity-bill-b6-2017-21-feb-2017-0000

Minister of State Security.(2015).The National Cybersecurity Policy Framework, 4 December. https://www.gov.za/sites/default/files/gcis_document/201512/39475gon609.pdf

Moyo, A. (2021, July 22). Transnet suffers “disruption” of IT systems. ITWeb. https://www.itweb.co.za/content/wbrpOqgYAwY7DLZn

Muller, S. M., Amra, R., & Jantjies, D. (2015). Report on State-Owned Enterprises. Parliamentary Standing Committee on Finance. https://static.pmg.org.za/150812report.pdf

Ntsaluba, N. (2018). Cybersecurity policy and legislation in South Africa [Master’s dissertation]. University of Pretoria.

Pieterse, H. (2021). The cyber threat landscape in South Africa: A 10-year review. The African Journal of Information and Communication (AJIC), 28, 1–21. https://doi.org/10.23962/10539/32213

Portfolio Committee on Home Affairs. (2013). ATC130503: Report of the Portfolio Committee on Home Affairs on the Annual Performance Plan and Budget Vote 4 of the Department of Home Affairs and its entities, 30 April. Parliamentary Monitoring Group. https://pmg.org.za/tabled-committee-report/1396

Qian, Y., & Sun, Y. (2021). The correlation between annual reports’ narratives and business performance: A retrospective analysis. SAGE Open, 11(3). https://doi.org/10.1177/21582440211032198

Razzano, G. (2021). Digital identity in South Africa: Case study conducted as part of a ten- country exploration of socio-digital ID systems in parts of Africa. Research ICT Africa (RIA). https://researchictafrica.net/publication/digital-identity-in-south-africa-case-study-conducted-as-part-of-a-ten-country-exploration-of-socio-digital-id-systems-in-parts-of-africa

Reddy, P. S., & Moodley, D. (1993). Privatisation of public corporations in South Africa: The issue re-examined. Africanus, 23(1). https://hdl.handle.net/10520/AJA0304615X_262

Rens, A. (2023, August 29). The negotiations for a global cybercrime convention, global public goods and AI cyber risk [Blog post]. Research ICT Africa (RIA). https://researchictafrica.net/2023/08/29/the-negotiations-for-a-global-cybercrime-convention-global-public-goods-and-ai-cyberisk

Republic of South Africa (RSA). (1996). Constitution of the Republic of South Africa Act, No. 108 of 1996.

RSA. (2002a). Electronic Communications and Transactions Act, No. 25 of 2002 (ECTA).

RSA. (2002b). Regulation of Interception of Communications and Provision of Communications-Related Information Act, No. 70 of 2002 (RICA).

RSA. (2013). Protection of Personal Information Act, No. 4 of 2013 (POPIA).

RSA. (2020). Cybercrimes Act, No. 19 of 2020.

South African Banking Risk Information Centre (SABRIC). (2012). Card fraud South Africa, 2011–2012. https://www.sabric.co.za/media/c2ljwaww/2011-to-2012-card-fraud-booklet.pdf

SABRIC. (2017). Card fraud booklet 2017. https://www.sabric.co.za/media/tjigbdjl/2017-card-fraud-booklet.pdf

SABRIC. (2020). Annual report 2020. https://www.sabric.co.za/media/lejmweri/sabric_annual-report_2020.pdf

SABRIC. (2021a). Annual report 2021. https://www.sabric.co.za/media/z0vch20l/sabric-annual-report-2021.pdf

SABRIC. (2021b). Annual crime statistics 2021. https://www.sabric.co.za/media/5dlnhnyj/sabric-crime-stats-2021_fa.pdf

Sen, A. (1999). Development as freedom. Oxford University Press.

Shaw, M. (2018, January 9). Known unknowns: The threat of cybercrime in Africa. ISS Today. Institute for Security Studies. https://issafrica.org/iss-today/known-unknowns-the-threat-of-cybercrime-in-africa

Southall, R. (2013). Realism and neoliberalism: Macro-economic policy in South Africa. In J. Curry (Ed.), Liberation movements in power: Party and state in Southern Africa (pp. 88–96). University of KwaZulu-Natal Press.

Sutherland, E. (2017). Governance of cybersecurity – The case of South Africa. The African Journal of Information and Communication (AJIC), 20, 83–112. https://doi.org/10.23962/10539/23574

Terreblanche, S. (2002). A history of inequality in South Africa, 1652–2002. University of KwaZulu-Natal Press.

The Presidency. (2011). National Development Plan 2030: Our Future – Make it Work (Executive summary). National Planning Commission. Government of the Republic of South Africa.

The Presidency. (2012). Report of the Presidential Review Committee on State-owned Entities: Volume 1: Executive summary of the final report. Government of South Africa. https://www.gov.za/sites/default/files/gcis_document/201409/presreview.pdf

The Presidency. (2019, September 27). President appoints Economic Advisory Council [Press release]. https://www.thepresidency.gov.za/press-statements/president-appoints-economic-advisory-council

Thomas, A. (2000). Poverty and the “end of development”. In T. Allen & A. Thomas (Eds.), Poverty and development into the 21st century. Oxford University Press.

Tijerina, W. (2022). Industrial policy and governments’ cybersecurity capacity: A tale of two developments? Journal of Cyber Policy, 7(2), 194–212. https://doi.org/10.1080/23738871.2022.2071747

Timcke, S. (2017). Capital, state, empire: The new American way of digital warfare. University of Westminster Press. https://doi.org/10.16997/book6

Timcke, S. (2023). The political economy of fortune and misfortune. Bristol University Press. https://doi.org/10.1332/policypress/9781529221756.001.0001

Timcke, S., & Gaffley, M. (2022, December 8). RIA’s public comment on National Infrastructure Plan 2050. Research ICT Africa. https://researchictafrica.net/2023/01/05/ria-public-comment-national-infrastructure-plan-2050/

Timcke, S., Gaffley, M., & Rens, A. (2023). A single point of failure: Transnet’s IT network and the risk of AI-cybersecurity gaps to the South African developmental state project. Working Paper, Research ICT Africa (RIA).

Timmers, P. (2018). The European Union’s cybersecurity industrial policy. Journal of Cyber Policy, 3(3), 363–384. https://doi.org/10.1080/23738871.2018.1562560

Toyana, M. (2021, July 27). Transnet ports division declares force majeure on container terminals after cyber attack. Daily Maverick. https://www.dailymaverick.co.za/article/2021-07-27-transnet-ports-division-declares-force-majeure-on-container-terminals-after-cyber-attack

Transnet. (2009a). Limited annual report 2009, corporate governance. https://www.transnet.net/InvestorRelations/AR/2009/Corporate%20Governance.pdf

Transnet. (2009b). Limited annual report 2009, executive summary. https://www.transnet.net/InvestorRelations/AR/2009/Executive%20%20Summaries.pdf

Transnet. (2010). Annual results 2010, operational report. https://www.transnet.net/InvestorRelations/AR/2010/Operational%20Reports.pdf

Transnet. (2011). Quantum leap, integrated annual report 2011. https://www.transnet.net/InvestorRelations/AR/2011/Integrated%20Report.pdf

Transnet. (2012). Integrated report 2012. https://www.transnet.net/InvestorRelations/AR/2012/Integrated%20Report.pdf

Transnet. (2013). Integrated report 2013. https://www.transnet.net/InvestorRelations/AR/2013/Integrated%20Report.pdf

Transnet. (2014). Integrated report 2014. https://www.transnet.net/InvestorRelations/AR/2014/Integrated%20Report.pdf

Transnet. (2015). Integrated report 2015. https://www.transnet.net/InvestorRelations/AR2015/2015/downloads/Transnet_IR_2015_190715.pdf

Transnet. (2016). Integrated report 2016. https://www.transnet.net/InvestorRelations/AR2016/2016/downloads/TRANSNET-IR-2016.pdf

Transnet. (2017). Integrated report 2017. https://www.transnet.net/InvestorRelations/AR2017/Transnet%20IR%202017.pdf

Transnet. (2018). Integrated report 2018. https://www.transnet.net/InvestorRelations/AR2018/Transnet%20IR%202018.pdf

Transnet. (2019). Integrated report 2019. https://www.transnet.net/InvestorRelations/AR2019/Transnet%20IR%202019.pdf

Transnet. (2020). Integrated report 2020. https://www.transnet.net/InvestorRelations/AR2020/Transnet%20IR%202020.pdf

Transnet. (2021a). Repair and grow: Annual results announcement. https://www.transnet.net/InvestorRelations/AR2021/2021%20ANNUAL%20RESULTS%20PRESENTATION.pdf

Transnet. (2021b). Integrated report 2021. https://www.transnet.net/InvestorRelations/AR2021/Transnet%20Integrated%20Report.pdf

Transnet. (2021c). Transnet governance report 2021. https://www.transnet.net/InvestorRelations/AR2021/Governance%20report%2028%20Oct.pdf

Transnet. (2022). Unabridged governance report 2022. https://www.transnet.net/InvestorRelations/AR2022/Governance%20report%202022.pdf

Ukwandu, D. C. (2019). South Africa as a developmental state: Is it a viable idea? African Journal of Public Affairs, 11(2), 41–62.

United Nations Conference on Trade and Development (UNCTAD). (2007). Economic development in Africa: Reclaiming policy space: Domestic resource mobilisation and developmental states. https://unctad.org/system/files/official-document/aldcafrica2007_en.pdf

Van der Merwe, P. (2020, March 26). Unprecedented spike in cyber attacks since declaration of national disaster. TimesLive. https://www.timeslive.co.za/news/south-africa/2020-03-26-unprecedented-spike-in-cyber-attacks-since-declaration-of-national-disaster

Van Heerden, R., Von Soms, S., & Mooi, R. (2016). Classification of cyber attacks in South Africa, 2016. In 2016 IST-Africa Week Conference (pp. 1–16). https://doi.org/10.1109/ISTAFRICA.2016.7530663

Van Niekerk, B. (2017). An analysis of cyber-incidents in South Africa. The African Journal of Information and Communication (AJIC), 20, 113–132. https://doi.org/10.23962/10539/23573

Van Niekerk, B., Ramluckan, T., & Collard, A. (2023). A South African perspective on cybercrime during the pandemic. In D. Ventre & H. Loiseau (Eds.), Cybercrime during the SARS-CoV-2 pandemic (2019-2022): Evolutions, adaptations, consequences (pp. 177–209). ISTE and Wiley. https://doi.org/10.1002/9781394226344.ch6

Venter, I. (2022, March 31). White Paper on rail lauded as SA loses at least 1% of GDP to Transnet inefficiency. Creamer Media’s Engineering News. https://www.engineeringnews.co.za/article/white-paper-on-rail-lauded-as-country-loses-1-of-gdp-to-transnet-inefficiency-2022-03-31

Western Cape Government. (2020, October 6). An introduction to the Protection of Personal Information Act (or POPI Act or POPIA). https://www.westerncape.gov.za/site-page/introduction-protection-personal-information-act-or-popi-act-or-popia

World Bank. (2008). New directions in development thinking. In G. Secondi (Ed.), The development economics reader. Routledge.

Downloads

Published

21-12-2023

Issue

Section

Research Articles

How to Cite

“The centrality of cybersecurity to socioeconomic development policy: A case study of cyber-vulnerability at South Africa’s Transnet” (2023) The African Journal of Information and Communication (AJIC), (32), pp. 1–28. doi:10.23962/ajic.i32.16949.
Views
  • Abstract 1012
  • PDF 580