The centrality of cybersecurity to socioeconomic development policy: A case study of cyber-vulnerability at South Africa’s Transnet
DOI:
https://doi.org/10.23962/ajic.i32.16949Keywords:
cybersecurity, cyber-incidents, state-owned enterprises (SOEs), developmental state, IT networks, Transnet, South AfricaAbstract
Using South African state-owned enterprise (SOE) Transnet as a case study, this article explores the factors that influence the cybersecurity risks that are posed to infrastructure, with implications for markets and society, by advanced computational systems. We studied the legislation and corporate governance decisions leading up to the July 2021 breach of Transnet’s IT network, a high-profile event with potential cascading consequences. We also examined the evolution, since the country’s transition to democracy, of the South African government’s approach to fostering a developmental state. The findings illustrate that cybersecurity policy needs to be a core dimension of contemporary South African socioeconomic development policy, necessitating a central role for the developmental state in creating trusted marketplaces and procuring suitable security software systems. The findings also underscore the reality that a failure to act against increasing cyber-threats constitutes a substantial risk to the functioning of the South African market. Based on the findings, this article argues for a close examination of how the cybersecurity performance of South African SOEs can be improved. While focused on South Africa, the findings are relevant to other countries seeking to integrate robust cybersecurity measures into their national logistical and infrastructural sectors.
References
Adams, R., Pienaar, G., Olorunju, N., Gaffley, M., Gastrow, M., Thipanyane, T., ... Adams, F. (2021). Human rights and the fourth industrial revolution in South Africa. HSRC Press. https://doi.org/10.1515/9780796926173
African National Congress (ANC).(1994).The Reconstruction and Development Programme (RDP). https://www.sahistory.org.za/sites/default/files/the_reconstruction_and_development_programm_1994.pdf
African Union (AU). (2014). African Union Convention on Cyber Security and Personal Data Protection. https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection
Allen, K. (2021a, March 9). Critical infrastructure attacks: Why South Africa should worry. ISS Today. Institute for Security Studies. https://issafrica.org/iss-today/critical-infrastructure-attacks-why-south-africa-should-worry
Allen, K. (2021b, June 9). South Africa lays down the law on cybercrime: Despite major implementation challenges, the new legislation signals the country’s commitment to global cyber security. ISS Today. Institute for Security Studies. https://issafrica.org/iss-today/south-africa-lays-down-the-law-on-cybercrime
AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services [2021] ZACC 3 (Constitutional Court). https://www.saflii.org/za/cases/ZACC/2021/3.html
Auditor-General of South Africa. (2022). PFMA 2021–22: Consolidated general report on national and provincial audit outcomes. https://www.agsa.co.za/Reporting/PFMAReports/PFMA2021-22.aspx
Basson, D. J. (2017). Managing infrastructure risks in information communication technology outsourced projects: A case study at Transnet, South Africa [Master’s dissertation]. Cape Peninsula University of Technology, Cape Town.
BBC. (2019, July 26). Ransomware hits Johannesburg electricity supply. https://www.bbc.com/news/technology-49125853
Beach, D. (2017). Process tracing in the social sciences. In Oxford research encyclopedia of politics. https://doi.org/10.1093/acrefore/9780190228637.013.176
Booth, I. (2021, July 28). Transnet cyberattack could have catastrophic consequences. Investec Focus. https://www.investec.com/en_za/focus/economy/transnet-cyberattack-could-have-catastrophic-consequences.html
Botha, R. (2021, June 8). Understanding POPI and its impact on cybersecurity. Media Update. https://mediaupdate.co.za/marketing/150645/understanding-popi-and-its-impact-on-cybersecurity
Breckenridge, K. (2014). Biometric state: The global politics of identification and surveillance in South Africa, 1850 to present. Cambridge University Press. https://doi.org/10.1017/CBO9781139939546
Burbidge, M. (2022, November 28). Over a million user accounts “stolen” in South Africa. ITWeb. https://www.itweb.co.za/content/GxwQD71Da5ZvlPVo
BusinessTech. (2021, December 2). South Africa’s new cybercrime laws have been partially introduced – here’s what comes next. https://businesstech.co.za/news/technology/543432/south-africas-new-cybercrime-laws-have-been-partially-introduced-heres-what-comes-next
Chang, H. J. (2007). State-owned enterprise reform. UN Department of Economic and Social Affairs (UN DESA) Policy Notes. https://edisciplinas.usp.br/pluginfile.php/154675/mod_resource/content/1/ic-chang.pdf
Collier, D. (2011). Understanding process tracing. PS: Political Science & Politics, 44(4), 823– 830. https://doi.org/10.1017/S1049096511001429
Council of Europe. (2001). Budapest Convention on Cybercrime. https://www.coe.int/en/web/cybercrime/home
Crees, S. (2020). Artificial intelligence and the law. Routledge.
Cwele, S.(2014). Minister of Telecommunications and Postal Services budget speech. Briefing, 16 July. Parliamentary Monitoring Group. https://pmg.org.za/briefing/19078
Department of Finance.(1996). Growth, Employment and Redistribution: A Macroeconomic Strategy. https://www.treasury.gov.za/publications/other/gear/chapters.pdf
Department of Home Affairs. (2020). Draft Official Identity Management Policy (public consultation version). http://www.dha.gov.za/images/PDFs/Draft_Official_Identity_Management_Policy_-_Gazette_Version_of_22122020.pdf
Department of Public Enterprises (DPE). (2000). An Accelerated Agenda towards the Restructuring of State Owned Enterprises: Policy Framework. https://www.gov.za/sites/default/files/gcis_document/201409/acceleratedagendarestructuringsoe0.pdf
DPE. (2022). Annual report 2021/2022. https://dpe.gov.za/wp-content/uploads/2022/09/DPE-AR2022-d13.pdf
Erwin, A. (2004). Public Enterprises Dept Budget Vote 2004/2005, Ministry of Public Enterprises, 14 June. Parliamentary Monitoring Group. https://static.pmg.org.za/docs/2004/appendices/040609erwin.htm
European Investment Bank. (2022). European cybersecurity investment platform. https://www.eib.org/attachments/lucalli/20220206-european-cybersecurity-investment-platform-en.pdf
Evans, P. (1995). Embedded autonomy: States and industrial transformation. Princeton University Press. https://doi.org/10.1515/9781400821723
Fourie, D. (2022). The neoliberal influence on South Africa’s early democracy and its shortfalls in addressing economic inequality. Philosophy & Social Criticism. https://doi.org/10.1177/01914537221079674
Gall, G. (1997). Trade unions and the ANC in the “new” South Africa. Review of African Political Economy, 24(72), 203–218. https://doi.org/10.1080/03056249708704253
Ginindza, B. (2021, July 23). Transnet “cyber attack” causes logistics logjam from road to freight and ports. IOL. https://www.iol.co.za/business-report/economy/transnet-cyber-attack-causes-logistics-logjam-from-road-to-freight-and-ports-56f6bd97-c5ef-4d65-90d6-c41d0fe290e2
Global Freedom of Expression. (n.d.). Amabhungane Centre for Investigative Journalism v. Minister of Justice and Correctional Services. https://globalfreedomofexpression.columbia.edu/cases/amabhungane-centre-for-investigative-journalism-v-minister-of-justice-and-correctional-services
Govender, T. F. (2018). A critical analysis of the search and seizure of electronic evidence relating to the investigation of cybercrime in South Africa [LLM dissertation]. University of KwaZulu-Natal, Durban.
Government of South Africa. (n.d.). Smart identity document (ID) card roll-out. https://www.gov.za/about-government/government-programmes/smart-identity-document-id-card-roll-out
Gumede, W. (2009). Delivering the democratic developmental state in South Africa. Development Planning Division Working Paper Series No. 9. Development Bank of Southern Africa (DBSA).
Gumede, W. (2016). The political economy of state-owned enterprises restructuring in South Africa. Journal of Governance & Public Policy, 6(2), 69–97.
Hogan, B. (2009). Public Enterprises: Minister’s budget speech, 22 June. Parliamentary Monitoring Group. https://pmg.org.za/briefing/18715
Institute of Directors in Southern Africa (IoDSA), & King Committee on Corporate Governance. (2016). Report on corporate governance for South Africa 2016 (King IV). https://cdn.ymaws.com/www.iodsa.co.za/resource/collection/684B68A7-B768-465C-8214-E3A007F15A5A/IoDSA_King_IV_Report_-_WebVersion.pdf
Interpol. (2021). African cyberthreat assessment report. https://www.interpol.int/content/download/16759/file/AfricanCyberthreatAssessment_ENGLISH.pdf
Johnson, C. (1982). MITI and the Japanese miracle: The growth of industrial policy, 1925–1975. Stanford University Press. https://doi.org/10.1515/9780804765602
Khanyile, G. (2021, July 27). Significant progress made in restoring Transnet IT systems. IOL. https://www.iol.co.za/dailynews/news/significant-progress-made-in-restoring-transnet-it-systems-2b83efff-31e1-4378-92d6-6c30c336c539
Labuschagne, H. (2021, August 17). Transnet ransomware hackers did not get a single cent. MyBroadband. https://mybroadband.co.za/news/security/410058-transnet-ransomware-hackers-did-not-get-a-single-cent.html
Leftwich, A. (1996). On the primacy of politics in development. In A. Leftwich (Ed.), Democracy and development: Theory and practice. Polity Press.
Marks, S., & Rathbone, R. (Eds.). (1982). Industrialisation and social change in South Africa: African class formation, culture, and consciousness, 1870–1930. Longman.
Mayedwa, V. A. (2018). The role of the state-owned enterprises in the developmental state of South Africa: A case study of Transnet. http://vital.seals.ac.za:8080/vital/access/manager/Repository/vital:32028?site_name=GlobalView
Mazzucato, M. (2013). The entrepreneurial state: Debunking public vs. private sector myths. Anthem Press.
Minister of Justice and Correctional Services. (2017). Cybercrimes and Cybersecurity Bill, 21 February. https://www.gov.za/documents/cybercrimes-and-cybersecurity-bill-b6-2017-21-feb-2017-0000
Minister of State Security.(2015).The National Cybersecurity Policy Framework, 4 December. https://www.gov.za/sites/default/files/gcis_document/201512/39475gon609.pdf
Moyo, A. (2021, July 22). Transnet suffers “disruption” of IT systems. ITWeb. https://www.itweb.co.za/content/wbrpOqgYAwY7DLZn
Muller, S. M., Amra, R., & Jantjies, D. (2015). Report on State-Owned Enterprises. Parliamentary Standing Committee on Finance. https://static.pmg.org.za/150812report.pdf
Ntsaluba, N. (2018). Cybersecurity policy and legislation in South Africa [Master’s dissertation]. University of Pretoria.
Pieterse, H. (2021). The cyber threat landscape in South Africa: A 10-year review. The African Journal of Information and Communication (AJIC), 28, 1–21. https://doi.org/10.23962/10539/32213
Portfolio Committee on Home Affairs. (2013). ATC130503: Report of the Portfolio Committee on Home Affairs on the Annual Performance Plan and Budget Vote 4 of the Department of Home Affairs and its entities, 30 April. Parliamentary Monitoring Group. https://pmg.org.za/tabled-committee-report/1396
Qian, Y., & Sun, Y. (2021). The correlation between annual reports’ narratives and business performance: A retrospective analysis. SAGE Open, 11(3). https://doi.org/10.1177/21582440211032198
Razzano, G. (2021). Digital identity in South Africa: Case study conducted as part of a ten- country exploration of socio-digital ID systems in parts of Africa. Research ICT Africa (RIA). https://researchictafrica.net/publication/digital-identity-in-south-africa-case-study-conducted-as-part-of-a-ten-country-exploration-of-socio-digital-id-systems-in-parts-of-africa
Reddy, P. S., & Moodley, D. (1993). Privatisation of public corporations in South Africa: The issue re-examined. Africanus, 23(1). https://hdl.handle.net/10520/AJA0304615X_262
Rens, A. (2023, August 29). The negotiations for a global cybercrime convention, global public goods and AI cyber risk [Blog post]. Research ICT Africa (RIA). https://researchictafrica.net/2023/08/29/the-negotiations-for-a-global-cybercrime-convention-global-public-goods-and-ai-cyberisk
Republic of South Africa (RSA). (1996). Constitution of the Republic of South Africa Act, No. 108 of 1996.
RSA. (2002a). Electronic Communications and Transactions Act, No. 25 of 2002 (ECTA).
RSA. (2002b). Regulation of Interception of Communications and Provision of Communications-Related Information Act, No. 70 of 2002 (RICA).
RSA. (2013). Protection of Personal Information Act, No. 4 of 2013 (POPIA).
RSA. (2020). Cybercrimes Act, No. 19 of 2020.
South African Banking Risk Information Centre (SABRIC). (2012). Card fraud South Africa, 2011–2012. https://www.sabric.co.za/media/c2ljwaww/2011-to-2012-card-fraud-booklet.pdf
SABRIC. (2017). Card fraud booklet 2017. https://www.sabric.co.za/media/tjigbdjl/2017-card-fraud-booklet.pdf
SABRIC. (2020). Annual report 2020. https://www.sabric.co.za/media/lejmweri/sabric_annual-report_2020.pdf
SABRIC. (2021a). Annual report 2021. https://www.sabric.co.za/media/z0vch20l/sabric-annual-report-2021.pdf
SABRIC. (2021b). Annual crime statistics 2021. https://www.sabric.co.za/media/5dlnhnyj/sabric-crime-stats-2021_fa.pdf
Sen, A. (1999). Development as freedom. Oxford University Press.
Shaw, M. (2018, January 9). Known unknowns: The threat of cybercrime in Africa. ISS Today. Institute for Security Studies. https://issafrica.org/iss-today/known-unknowns-the-threat-of-cybercrime-in-africa
Southall, R. (2013). Realism and neoliberalism: Macro-economic policy in South Africa. In J. Curry (Ed.), Liberation movements in power: Party and state in Southern Africa (pp. 88–96). University of KwaZulu-Natal Press.
Sutherland, E. (2017). Governance of cybersecurity – The case of South Africa. The African Journal of Information and Communication (AJIC), 20, 83–112. https://doi.org/10.23962/10539/23574
Terreblanche, S. (2002). A history of inequality in South Africa, 1652–2002. University of KwaZulu-Natal Press.
The Presidency. (2011). National Development Plan 2030: Our Future – Make it Work (Executive summary). National Planning Commission. Government of the Republic of South Africa.
The Presidency. (2012). Report of the Presidential Review Committee on State-owned Entities: Volume 1: Executive summary of the final report. Government of South Africa. https://www.gov.za/sites/default/files/gcis_document/201409/presreview.pdf
The Presidency. (2019, September 27). President appoints Economic Advisory Council [Press release]. https://www.thepresidency.gov.za/press-statements/president-appoints-economic-advisory-council
Thomas, A. (2000). Poverty and the “end of development”. In T. Allen & A. Thomas (Eds.), Poverty and development into the 21st century. Oxford University Press.
Tijerina, W. (2022). Industrial policy and governments’ cybersecurity capacity: A tale of two developments? Journal of Cyber Policy, 7(2), 194–212. https://doi.org/10.1080/23738871.2022.2071747
Timcke, S. (2017). Capital, state, empire: The new American way of digital warfare. University of Westminster Press. https://doi.org/10.16997/book6
Timcke, S. (2023). The political economy of fortune and misfortune. Bristol University Press. https://doi.org/10.1332/policypress/9781529221756.001.0001
Timcke, S., & Gaffley, M. (2022, December 8). RIA’s public comment on National Infrastructure Plan 2050. Research ICT Africa. https://researchictafrica.net/2023/01/05/ria-public-comment-national-infrastructure-plan-2050/
Timcke, S., Gaffley, M., & Rens, A. (2023). A single point of failure: Transnet’s IT network and the risk of AI-cybersecurity gaps to the South African developmental state project. Working Paper, Research ICT Africa (RIA).
Timmers, P. (2018). The European Union’s cybersecurity industrial policy. Journal of Cyber Policy, 3(3), 363–384. https://doi.org/10.1080/23738871.2018.1562560
Toyana, M. (2021, July 27). Transnet ports division declares force majeure on container terminals after cyber attack. Daily Maverick. https://www.dailymaverick.co.za/article/2021-07-27-transnet-ports-division-declares-force-majeure-on-container-terminals-after-cyber-attack
Transnet. (2009a). Limited annual report 2009, corporate governance. https://www.transnet.net/InvestorRelations/AR/2009/Corporate%20Governance.pdf
Transnet. (2009b). Limited annual report 2009, executive summary. https://www.transnet.net/InvestorRelations/AR/2009/Executive%20%20Summaries.pdf
Transnet. (2010). Annual results 2010, operational report. https://www.transnet.net/InvestorRelations/AR/2010/Operational%20Reports.pdf
Transnet. (2011). Quantum leap, integrated annual report 2011. https://www.transnet.net/InvestorRelations/AR/2011/Integrated%20Report.pdf
Transnet. (2012). Integrated report 2012. https://www.transnet.net/InvestorRelations/AR/2012/Integrated%20Report.pdf
Transnet. (2013). Integrated report 2013. https://www.transnet.net/InvestorRelations/AR/2013/Integrated%20Report.pdf
Transnet. (2014). Integrated report 2014. https://www.transnet.net/InvestorRelations/AR/2014/Integrated%20Report.pdf
Transnet. (2015). Integrated report 2015. https://www.transnet.net/InvestorRelations/AR2015/2015/downloads/Transnet_IR_2015_190715.pdf
Transnet. (2016). Integrated report 2016. https://www.transnet.net/InvestorRelations/AR2016/2016/downloads/TRANSNET-IR-2016.pdf
Transnet. (2017). Integrated report 2017. https://www.transnet.net/InvestorRelations/AR2017/Transnet%20IR%202017.pdf
Transnet. (2018). Integrated report 2018. https://www.transnet.net/InvestorRelations/AR2018/Transnet%20IR%202018.pdf
Transnet. (2019). Integrated report 2019. https://www.transnet.net/InvestorRelations/AR2019/Transnet%20IR%202019.pdf
Transnet. (2020). Integrated report 2020. https://www.transnet.net/InvestorRelations/AR2020/Transnet%20IR%202020.pdf
Transnet. (2021a). Repair and grow: Annual results announcement. https://www.transnet.net/InvestorRelations/AR2021/2021%20ANNUAL%20RESULTS%20PRESENTATION.pdf
Transnet. (2021b). Integrated report 2021. https://www.transnet.net/InvestorRelations/AR2021/Transnet%20Integrated%20Report.pdf
Transnet. (2021c). Transnet governance report 2021. https://www.transnet.net/InvestorRelations/AR2021/Governance%20report%2028%20Oct.pdf
Transnet. (2022). Unabridged governance report 2022. https://www.transnet.net/InvestorRelations/AR2022/Governance%20report%202022.pdf
Ukwandu, D. C. (2019). South Africa as a developmental state: Is it a viable idea? African Journal of Public Affairs, 11(2), 41–62.
United Nations Conference on Trade and Development (UNCTAD). (2007). Economic development in Africa: Reclaiming policy space: Domestic resource mobilisation and developmental states. https://unctad.org/system/files/official-document/aldcafrica2007_en.pdf
Van der Merwe, P. (2020, March 26). Unprecedented spike in cyber attacks since declaration of national disaster. TimesLive. https://www.timeslive.co.za/news/south-africa/2020-03-26-unprecedented-spike-in-cyber-attacks-since-declaration-of-national-disaster
Van Heerden, R., Von Soms, S., & Mooi, R. (2016). Classification of cyber attacks in South Africa, 2016. In 2016 IST-Africa Week Conference (pp. 1–16). https://doi.org/10.1109/ISTAFRICA.2016.7530663
Van Niekerk, B. (2017). An analysis of cyber-incidents in South Africa. The African Journal of Information and Communication (AJIC), 20, 113–132. https://doi.org/10.23962/10539/23573
Van Niekerk, B., Ramluckan, T., & Collard, A. (2023). A South African perspective on cybercrime during the pandemic. In D. Ventre & H. Loiseau (Eds.), Cybercrime during the SARS-CoV-2 pandemic (2019-2022): Evolutions, adaptations, consequences (pp. 177–209). ISTE and Wiley. https://doi.org/10.1002/9781394226344.ch6
Venter, I. (2022, March 31). White Paper on rail lauded as SA loses at least 1% of GDP to Transnet inefficiency. Creamer Media’s Engineering News. https://www.engineeringnews.co.za/article/white-paper-on-rail-lauded-as-country-loses-1-of-gdp-to-transnet-inefficiency-2022-03-31
Western Cape Government. (2020, October 6). An introduction to the Protection of Personal Information Act (or POPI Act or POPIA). https://www.westerncape.gov.za/site-page/introduction-protection-personal-information-act-or-popi-act-or-popia
World Bank. (2008). New directions in development thinking. In G. Secondi (Ed.), The development economics reader. Routledge.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2023 Scott Timcke, Mark Gaffley, Andrew Rens
This work is licensed under a Creative Commons Attribution 4.0 International License.
.png){kind=spacer}