The centrality of cybersecurity to socioeconomic development policy: A case study of cyber-vulnerability at South Africa’s Transnet




cybersecurity, cyber-incidents, state-owned enterprises (SOEs), developmental state, IT networks, Transnet, South Africa


Using South African state-owned enterprise (SOE) Transnet as a case study, this article explores the factors that influence the cybersecurity risks that are posed to infrastructure, with implications for markets and society, by advanced computational systems. We studied the legislation and corporate governance decisions leading up to the July 2021 breach of Transnet’s IT network, a high-profile event with potential cascading consequences. We also examined the evolution, since the country’s transition to democracy, of the South African government’s approach to fostering a developmental state. The findings illustrate that cybersecurity policy needs to be a core dimension of contemporary South African socioeconomic development policy, necessitating a central role for the developmental state in creating trusted marketplaces and procuring suitable security software systems. The findings also underscore the reality that a failure to act against increasing cyber-threats constitutes a substantial risk to the functioning of the South African market. Based on the findings, this article argues for a close examination of how the cybersecurity performance of South African SOEs can be improved. While focused on South Africa, the findings are relevant to other countries seeking to integrate robust cybersecurity measures into their national logistical and infrastructural sectors.


Metrics Loading ...


Adams, R., Pienaar, G., Olorunju, N., Gaffley, M., Gastrow, M., Thipanyane, T., ... Adams, F. (2021). Human rights and the fourth industrial revolution in South Africa. HSRC Press.

African National Congress (ANC).(1994).The Reconstruction and Development Programme (RDP).

African Union (AU). (2014). African Union Convention on Cyber Security and Personal Data Protection.

Allen, K. (2021a, March 9). Critical infrastructure attacks: Why South Africa should worry. ISS Today. Institute for Security Studies.

Allen, K. (2021b, June 9). South Africa lays down the law on cybercrime: Despite major implementation challenges, the new legislation signals the country’s commitment to global cyber security. ISS Today. Institute for Security Studies.

AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services [2021] ZACC 3 (Constitutional Court).

Auditor-General of South Africa. (2022). PFMA 2021–22: Consolidated general report on national and provincial audit outcomes.

Basson, D. J. (2017). Managing infrastructure risks in information communication technology outsourced projects: A case study at Transnet, South Africa [Master’s dissertation]. Cape Peninsula University of Technology, Cape Town.

BBC. (2019, July 26). Ransomware hits Johannesburg electricity supply.

Beach, D. (2017). Process tracing in the social sciences. In Oxford research encyclopedia of politics.

Booth, I. (2021, July 28). Transnet cyberattack could have catastrophic consequences. Investec Focus.

Botha, R. (2021, June 8). Understanding POPI and its impact on cybersecurity. Media Update.

Breckenridge, K. (2014). Biometric state: The global politics of identification and surveillance in South Africa, 1850 to present. Cambridge University Press.

Burbidge, M. (2022, November 28). Over a million user accounts “stolen” in South Africa. ITWeb.

BusinessTech. (2021, December 2). South Africa’s new cybercrime laws have been partially introduced – here’s what comes next.

Chang, H. J. (2007). State-owned enterprise reform. UN Department of Economic and Social Affairs (UN DESA) Policy Notes.

Collier, D. (2011). Understanding process tracing. PS: Political Science & Politics, 44(4), 823– 830.

Council of Europe. (2001). Budapest Convention on Cybercrime.

Crees, S. (2020). Artificial intelligence and the law. Routledge.

Cwele, S.(2014). Minister of Telecommunications and Postal Services budget speech. Briefing, 16 July. Parliamentary Monitoring Group.

Department of Finance.(1996). Growth, Employment and Redistribution: A Macroeconomic Strategy.

Department of Home Affairs. (2020). Draft Official Identity Management Policy (public consultation version).

Department of Public Enterprises (DPE). (2000). An Accelerated Agenda towards the Restructuring of State Owned Enterprises: Policy Framework.

DPE. (2022). Annual report 2021/2022.

Erwin, A. (2004). Public Enterprises Dept Budget Vote 2004/2005, Ministry of Public Enterprises, 14 June. Parliamentary Monitoring Group.

European Investment Bank. (2022). European cybersecurity investment platform.

Evans, P. (1995). Embedded autonomy: States and industrial transformation. Princeton University Press.

Fourie, D. (2022). The neoliberal influence on South Africa’s early democracy and its shortfalls in addressing economic inequality. Philosophy & Social Criticism.

Gall, G. (1997). Trade unions and the ANC in the “new” South Africa. Review of African Political Economy, 24(72), 203–218.

Ginindza, B. (2021, July 23). Transnet “cyber attack” causes logistics logjam from road to freight and ports. IOL.

Global Freedom of Expression. (n.d.). Amabhungane Centre for Investigative Journalism v. Minister of Justice and Correctional Services.

Govender, T. F. (2018). A critical analysis of the search and seizure of electronic evidence relating to the investigation of cybercrime in South Africa [LLM dissertation]. University of KwaZulu-Natal, Durban.

Government of South Africa. (n.d.). Smart identity document (ID) card roll-out.

Gumede, W. (2009). Delivering the democratic developmental state in South Africa. Development Planning Division Working Paper Series No. 9. Development Bank of Southern Africa (DBSA).

Gumede, W. (2016). The political economy of state-owned enterprises restructuring in South Africa. Journal of Governance & Public Policy, 6(2), 69–97.

Hogan, B. (2009). Public Enterprises: Minister’s budget speech, 22 June. Parliamentary Monitoring Group.

Institute of Directors in Southern Africa (IoDSA), & King Committee on Corporate Governance. (2016). Report on corporate governance for South Africa 2016 (King IV).

Interpol. (2021). African cyberthreat assessment report.

Johnson, C. (1982). MITI and the Japanese miracle: The growth of industrial policy, 1925–1975. Stanford University Press.

Khanyile, G. (2021, July 27). Significant progress made in restoring Transnet IT systems. IOL.

Labuschagne, H. (2021, August 17). Transnet ransomware hackers did not get a single cent. MyBroadband.

Leftwich, A. (1996). On the primacy of politics in development. In A. Leftwich (Ed.), Democracy and development: Theory and practice. Polity Press.

Marks, S., & Rathbone, R. (Eds.). (1982). Industrialisation and social change in South Africa: African class formation, culture, and consciousness, 1870–1930. Longman.

Mayedwa, V. A. (2018). The role of the state-owned enterprises in the developmental state of South Africa: A case study of Transnet.

Mazzucato, M. (2013). The entrepreneurial state: Debunking public vs. private sector myths. Anthem Press.

Minister of Justice and Correctional Services. (2017). Cybercrimes and Cybersecurity Bill, 21 February.

Minister of State Security.(2015).The National Cybersecurity Policy Framework, 4 December.

Moyo, A. (2021, July 22). Transnet suffers “disruption” of IT systems. ITWeb.

Muller, S. M., Amra, R., & Jantjies, D. (2015). Report on State-Owned Enterprises. Parliamentary Standing Committee on Finance.

Ntsaluba, N. (2018). Cybersecurity policy and legislation in South Africa [Master’s dissertation]. University of Pretoria.

Pieterse, H. (2021). The cyber threat landscape in South Africa: A 10-year review. The African Journal of Information and Communication (AJIC), 28, 1–21.

Portfolio Committee on Home Affairs. (2013). ATC130503: Report of the Portfolio Committee on Home Affairs on the Annual Performance Plan and Budget Vote 4 of the Department of Home Affairs and its entities, 30 April. Parliamentary Monitoring Group.

Qian, Y., & Sun, Y. (2021). The correlation between annual reports’ narratives and business performance: A retrospective analysis. SAGE Open, 11(3).

Razzano, G. (2021). Digital identity in South Africa: Case study conducted as part of a ten- country exploration of socio-digital ID systems in parts of Africa. Research ICT Africa (RIA).

Reddy, P. S., & Moodley, D. (1993). Privatisation of public corporations in South Africa: The issue re-examined. Africanus, 23(1).

Rens, A. (2023, August 29). The negotiations for a global cybercrime convention, global public goods and AI cyber risk [Blog post]. Research ICT Africa (RIA).

Republic of South Africa (RSA). (1996). Constitution of the Republic of South Africa Act, No. 108 of 1996.

RSA. (2002a). Electronic Communications and Transactions Act, No. 25 of 2002 (ECTA).

RSA. (2002b). Regulation of Interception of Communications and Provision of Communications-Related Information Act, No. 70 of 2002 (RICA).

RSA. (2013). Protection of Personal Information Act, No. 4 of 2013 (POPIA).

RSA. (2020). Cybercrimes Act, No. 19 of 2020.

South African Banking Risk Information Centre (SABRIC). (2012). Card fraud South Africa, 2011–2012.

SABRIC. (2017). Card fraud booklet 2017.

SABRIC. (2020). Annual report 2020.

SABRIC. (2021a). Annual report 2021.

SABRIC. (2021b). Annual crime statistics 2021.

Sen, A. (1999). Development as freedom. Oxford University Press.

Shaw, M. (2018, January 9). Known unknowns: The threat of cybercrime in Africa. ISS Today. Institute for Security Studies.

Southall, R. (2013). Realism and neoliberalism: Macro-economic policy in South Africa. In J. Curry (Ed.), Liberation movements in power: Party and state in Southern Africa (pp. 88–96). University of KwaZulu-Natal Press.

Sutherland, E. (2017). Governance of cybersecurity – The case of South Africa. The African Journal of Information and Communication (AJIC), 20, 83–112.

Terreblanche, S. (2002). A history of inequality in South Africa, 1652–2002. University of KwaZulu-Natal Press.

The Presidency. (2011). National Development Plan 2030: Our Future – Make it Work (Executive summary). National Planning Commission. Government of the Republic of South Africa.

The Presidency. (2012). Report of the Presidential Review Committee on State-owned Entities: Volume 1: Executive summary of the final report. Government of South Africa.

The Presidency. (2019, September 27). President appoints Economic Advisory Council [Press release].

Thomas, A. (2000). Poverty and the “end of development”. In T. Allen & A. Thomas (Eds.), Poverty and development into the 21st century. Oxford University Press.

Tijerina, W. (2022). Industrial policy and governments’ cybersecurity capacity: A tale of two developments? Journal of Cyber Policy, 7(2), 194–212.

Timcke, S. (2017). Capital, state, empire: The new American way of digital warfare. University of Westminster Press.

Timcke, S. (2023). The political economy of fortune and misfortune. Bristol University Press.

Timcke, S., & Gaffley, M. (2022, December 8). RIA’s public comment on National Infrastructure Plan 2050. Research ICT Africa.

Timcke, S., Gaffley, M., & Rens, A. (2023). A single point of failure: Transnet’s IT network and the risk of AI-cybersecurity gaps to the South African developmental state project. Working Paper, Research ICT Africa (RIA).

Timmers, P. (2018). The European Union’s cybersecurity industrial policy. Journal of Cyber Policy, 3(3), 363–384.

Toyana, M. (2021, July 27). Transnet ports division declares force majeure on container terminals after cyber attack. Daily Maverick.

Transnet. (2009a). Limited annual report 2009, corporate governance.

Transnet. (2009b). Limited annual report 2009, executive summary.

Transnet. (2010). Annual results 2010, operational report.

Transnet. (2011). Quantum leap, integrated annual report 2011.

Transnet. (2012). Integrated report 2012.

Transnet. (2013). Integrated report 2013.

Transnet. (2014). Integrated report 2014.

Transnet. (2015). Integrated report 2015.

Transnet. (2016). Integrated report 2016.

Transnet. (2017). Integrated report 2017.

Transnet. (2018). Integrated report 2018.

Transnet. (2019). Integrated report 2019.

Transnet. (2020). Integrated report 2020.

Transnet. (2021a). Repair and grow: Annual results announcement.

Transnet. (2021b). Integrated report 2021.

Transnet. (2021c). Transnet governance report 2021.

Transnet. (2022). Unabridged governance report 2022.

Ukwandu, D. C. (2019). South Africa as a developmental state: Is it a viable idea? African Journal of Public Affairs, 11(2), 41–62.

United Nations Conference on Trade and Development (UNCTAD). (2007). Economic development in Africa: Reclaiming policy space: Domestic resource mobilisation and developmental states.

Van der Merwe, P. (2020, March 26). Unprecedented spike in cyber attacks since declaration of national disaster. TimesLive.

Van Heerden, R., Von Soms, S., & Mooi, R. (2016). Classification of cyber attacks in South Africa, 2016. In 2016 IST-Africa Week Conference (pp. 1–16).

Van Niekerk, B. (2017). An analysis of cyber-incidents in South Africa. The African Journal of Information and Communication (AJIC), 20, 113–132.

Van Niekerk, B., Ramluckan, T., & Collard, A. (2023). A South African perspective on cybercrime during the pandemic. In D. Ventre & H. Loiseau (Eds.), Cybercrime during the SARS-CoV-2 pandemic (2019-2022): Evolutions, adaptations, consequences (pp. 177–209). ISTE and Wiley.

Venter, I. (2022, March 31). White Paper on rail lauded as SA loses at least 1% of GDP to Transnet inefficiency. Creamer Media’s Engineering News.

Western Cape Government. (2020, October 6). An introduction to the Protection of Personal Information Act (or POPI Act or POPIA).

World Bank. (2008). New directions in development thinking. In G. Secondi (Ed.), The development economics reader. Routledge.




How to Cite

Timcke, S., Gaffley, M. and Rens, A. (2023) “The centrality of cybersecurity to socioeconomic development policy: A case study of cyber-vulnerability at South Africa’s Transnet”, The African Journal of Information and Communication (AJIC). South Africa, (32), pp. 1–28. doi: 10.23962/ajic.i32.16949.



Research Articles