## 2.1.1. International Cybersecurity Stakeholders

In the protection of critical water-related infrastructure cybersecurity webinar held on 18 November 2020 by the World Meteorological Organisation [30], it was indicated by one of the UNECE speakers that work encouraging common regulatory frameworks in specific sectors with critical impact on sustainable development is under way at the UN. This includes a report on the sectoral initiative on cybersecurity by the UNECE [28], albeit not one specifically focused on the water-related infrastructure sector. This makes the UN one of the important international cybersecurity cooperation stakeholders. In addition, some of the regional and other international stakeholders relevant to South Africa's cybersecurity endeavours were reviewed in Appendix A and are as follows:

• African Union


The African Network Information Centre is missing from Appendix A and is regarded by Dlamini [31] as a relevant stakeholder on the African continent regarding security of cyberspace. The next section explores some of the available treaties and conventions governing international cybersecurity cooperation and the interrelationships between the stakeholders mentioned above.

## 2.1.2. International Cybersecurity Laws

The 2001 Budapest Convention, which is the Convention on international cybercrime by member states of the Council of Europe and other non-member states [32], is the first international cooperation mechanism on issues relating to cybersecurity and cybercrime [33]. It attempts to provide signatory states with a common international policy to fight harmoniously against cybercriminals [34]. Of the 47 member states of the Council of Europe, only one—the Russian Federation—has not signed [35], citing infringement of its (internet) sovereignty [36]. Ireland and Sweden are the only two member states that have signed but never ratified [35].

There are several non-member states that have not signed and/or ratified the Budapest Convention. These include countries such as Brazil, Nigeria, and New Zealand. In the Brazil-Russia-India-China-South Africa (BRICS) bloc, only South Africa has signed the Convention but has never ratified [37,38]. Thus, the total number of signatures not followed by ratifications stands at three—South Africa, Ireland, and Sweden—as of 10 November 2020. In addition, the total number of ratifications now stands at 65 [35]. Since accession to the Convention is by invitation only for non-member states such as those in the BRICS bloc, no truly binding international cybersecurity and cybercrimes agreement is currently in place [33]. On the African continent, however, the African Union (AU) adopted the AU Convention—Convention on Cyber Security and Personal Data Protection in June 2014 [36,38,39]. According to Coleman [39], the AU Convention provides a framework for personal data protection which member countries may transpose into their domestic legislation, but it requires ratification by at least 15 countries to take effect. At the time of writing, the AU Convention had been signed by 14 member countries out of 55, and ratified by 8 [40]. South Africa has not yet signed the AU Convention.

There have since been other efforts for international cooperation regarding cybersecurity and cybercrimes, such as the UN General Assembly resolution 70/237 adopted on 23 December 2015 [41]; the World Summit on the Information Society's (WSIS) Geneva Plan of Action [42]; the Global Cybersecurity Agenda by the International Telecommunication Union [33]; the Open-Ended Working Group based on UN General Assembly resolution 73/27 [43]; and the Group of Governmental Experts (GGE) based on UN General Assembly resolution 73/266 [44]. South Africa is a member of the GGE and, along with 24 other member states, is expected to submit a final report to the UN General Assembly in 2021 [44]. In summary, some of the most pertinent international cybersecurity laws are as follows:


Apart from the Budapest Convention of 2001, none of these international cooperation measures are binding as yet. This leaves the Budapest Convention on international cybercrime as the only treaty that is binding to its member states. Clough [33] (p. 725), however, cautions that the Convention is only effective when all member states have capacity in place to enact "domestic legislation across the spectrum of substantive and procedural laws and to put in place mechanisms for international cooperation." Some of the international cybersecurity implementation gaps and challenges in the water and wastewater sector are explored in the next section.

## 2.1.3. International Water-Specific Cybersecurity Challenges

It was mentioned earlier that ICSs are essentially the backbone of critical infrastructures worldwide, including of the water and wastewater critical infrastructure. The introduction of cyber connectivity into ICS environments has increased the vulnerability of all types of critical infrastructures to cyberattacks [3,45–47]. Recently, the USA's Cybersecurity and Infrastructure Security Agency (CISA) [48] has reported compromises on critical infrastructures, government agencies, and private sector organisations through a third-party contractor network management tool called the SolarWinds Orion platform. According to CISA [48], this advanced persistent threat (APT) [49] began approximately in March 2020, with evidence suggesting that there are additional initial access vectors other than the SolarWinds Orion platform. APTs are cyberattacks carried out repeatedly over an extended period of time by actors with significant resources and sophisticated levels of expertise [20].

The Australian and USA critical infrastructure cyberattacks point to supply chain compromises [11,25,50,51]. Some of the challenges of implementing cybersecurity safeguards on critical infrastructures, including the water and wastewater critical infrastructure, are summarised in Table 1.


**Table 1.** International water-related cybersecurity implementation challenges.

The above-mentioned challenges of implementing water-related and other critical infrastructure cybersecurity safeguards are mostly at an organisational level [61]. However, government policy and legislation and international cooperation on fighting cybercrime can help deter would-be attackers in various ways. For example, they can regulate and help improve the information flows, enable collaborative interrelationships, highlight best practices for different sectors, track and monitor emerging cybersecurity technologies, and increase cyber risk awareness and training among citizens [26]. South Africa's national cybersecurity legislation and government policies are reviewed in this regard.
