**5. Discussion**

The aim of this study was to contextualise the water and wastewater sector's cybersecurity responsibilities within the national cybersecurity legislative and policy environment. To achieve the aim, systems thinking was adopted to analyse the purpose or function of both the national cybersecurity and water and wastewater systems, stakeholders involved to achieve the functions, and stakeholder interrelation. The ramifications of the study findings are discussed under two headings: (i) National cybersecurity legislative and policy environment; and (ii) Water and wastewater legislative and policy environment.

*National cybersecurity legislative and policy environment*. The study findings indicate that the function of the national cybersecurity system is clearly defined in the NCPF. The purpose of the national cybersecurity strategy is therefore very clear. According to Meadows [84], altering the function of a system has the greatest impact on the entire system and may render it unrecognisable. This means that changing the purpose of the national cybersecurity strategy has the greatest impact on the entire national cybersecurity programme. The findings also indicated that the JCPS CRC was established to oversee the implementation of the national cybersecurity strategy by ensuring consistency with guidelines, standards and best practices developed in the NCPF. The JCPS CRC is the key stakeholder or element/actor in the national cybersecurity system. Although it is acknowledged that some key stakeholders can indeed be more important than others [84], systems thinking indicates that changing individual stakeholders should have the least impact on the national cybersecurity programme provided that the purpose and legislation and policies remain unaltered. This means that stakeholders implementing the national cybersecurity strategy, including individual members of the JCPS CRC, can be changed without having a noticeable impact on the overall purpose of the programme.

Furthermore, the findings indicated that the flow of information among and between the national cybersecurity stakeholders is governed by legislation and policies such as the Cybercrimes Bill, CIPA, ECT Act, NCPF, POPI Act, RICA, and PAIA. In terms of international cybersecurity cooperation, South Africa is yet to ratify the Budapest Convention of 2001 as of 10 November 2020 [35]. That leaves Interpol and extradition treaties between South Africa and other countries as the only available international cooperation mechanisms to fight cybercrimes perpetrated outside its jurisdiction. Systems thinking indicates that each legislation and/or policy interconnects stakeholders in such a way that it could generate its own characteristic or emergent behaviour, which may start to differ from the espoused or defined purpose of the national cybersecurity strategy. This means that amending or repealing cybersecurity-related legislation and government policy could have a significant impact on the overall purpose and performance of the national cybersecurity programme. This is why it was important to dig deeper to understand the interconnected relationships among the stakeholders involved and the impact these relationships have on the overall purpose and performance of the national cybersecurity programme. What the findings show is that a seamless coordinated effort is required to implement the national cybersecurity strategy. The argument that government has a below-par performance record when it comes to the implementation of policies involving several government stakeholders and requiring public-private partnerships [91] is not encouraging. It was also found that the no less than 37 different pieces of legislation and policies led to further implementation gaps and challenges. The ramifications of these gaps and challenges, which also impact on the water and wastewater sector's cybersecurity responsibilities, are fourfold.

Firstly, since the enactment of the ECT Act in 2002, the DCDT has failed to establish the Cyber Inspectorate unit and appoint cyber inspectors, has failed to report any activities by the National Cybersecurity Advisory Council, if any, and has progressed slowly in ensuring the establishment of industry and sector CSIRTs as stipulated in the NCPF since it was gazetted in 2015. All these shortcomings point to a lack either of capacity or capability by the DCDT, or a combination of both.

Secondly, tasked to be the national structure dedicated to cybersecurity activities, including cybersecurity technical skills and user awareness campaigns and engagement with the private sector and civil society, the DCDT's Cybersecurity Hub is visibly absent in the coordination of these activities. As already alluded to by Detecon [37] and corroborated by Gcaza [92], cybersecurity awareness and education have proven to be effective in significantly reducing the risk of a security breach. This is because awareness and education prepare technical experts to put proactive safeguards in place, and ordinary end-users to be consciously alert. The case in point on the importance of cybersecurity awareness and education is the data breach at Experian South Africa, a credit records organisation, where a database containing personal details of approximately 24 million consumers and nearly 800,000 businesses was willingly handed over to a fraudster [93] as a result of a social engineering attack. Thus, the national government, and in particular the water and wastewater sector, should develop a strategy to embark on a coordinated effort to achieve the required sector cybersecurity skillset. This investment is fully supported and encouraged in Section 2.7 of the NCPF. This lack of visible and strategic coordination by the Cybersecurity Hub also points to a lack either of capacity or capability within the DCDT.

Thirdly, the regulations to promulgate the CIPA had not yet been gazetted by the SAPS at the time of writing. In terms of the transitional arrangements in the Act, Parliament must first approve the SAPS draft regulations. Until that happens, the Act is held in abeyance [94]. In this regard, it is not yet clear which national assets per sector, including the water and wastewater sector, will be identified and classified as national critical infrastructure. Perhaps when the CIPA regulations are gazetted, the roles, responsibilities, and accountability of different parties will be defined to also include cyber resilience. As argued by Mutemwa [66], a good cybersecurity strategy should also include cyber resilience in addition to cyber defence policies and capabilities. A cyber resilience strategy helps shift from a retroactive to a more proactive approach [95]. As matters currently stand, the CIPA merely promises to enable the protection and safeguarding of critical infrastructure to achieve resiliency. How that critical infrastructure resilience is going to be achieved with cooperation between government and the private sector remains unclear.

Lastly, the findings suggest a clear lack of capacity and capability by law enforcement agencies in fighting cybercrimes in the country. This might require a coordinated cybercrimes skills development collaboration programme with international stakeholders such as Interpol and similar others to help bridge the gaps in the short term. In addition to all the matters considered above relating to the national cybersecurity legislation and policy environment, there is another concern: It would appear that the national cybersecurity strategy is primarily more defensive [8], and thus retroactive, than offensive which requires proactiveness [96]. It is more passive and static than proactive. Under international laws, any sovereign state has the right to defend itself against adversarial actors [96]. As the national cybersecurity policy overarching both the DoD's Defence Review and Cyber Warfare Strategy, the NCPF does not explicitly state whether South Africa would execute cyber offence strategies in response to a cyberattack. Even in its delineation of the role and responsibilities of the DoD, the NCPF refers to the development of a "Cyber Defence Strategy, that is informed by the National Security Strategy of South Africa" [65] (p. 24). Defence (retroactive approach) seems to be our cybersecurity strategy as opposed to adopting an offensive (proactive approach) or a combination of both strategies.

In spite of these national cybersecurity challenges, the Cybercrimes Bill, CIPA, ECT Act, NCPF, POPI Act, RICA, and PAIA, together with other cybersecurity-relevant legislation and policies, are drafted in such a way as to address the cybersecurity requirements of the water and wastewater sector without the need to propose any new legislation and/or policies or amend existing ones. All the sector needs to do is to encourage member organisations to align their ICT policies and cybersecurity practices with the NCPF to address cyber risks and water-related cybersecurity implementation challenges such as those highlighted in Table 1.

*Water and wastewater legislative and policy environment*. The study findings indicate that the water and wastewater sector has two functions fulfilled through two different stakeholder responsibilities. The first function is that the water and wastewater sector is mandated to supply quality water and wastewater services to the nation. This function or purpose is achieved through the water and wastewater sector as an independent system comprised of its own stakeholders (system elements/actors), such as DWS, water boards, and Trans-Caledon Tunnel Authority, and legislation and policies (interconnections), such as the National Water Act, Water Services Act, and National Water and Wastewater Master Plan. The second function is that the water and wastewater sector has national cybersecurity responsibilities. This function is achieved by the water and wastewater sector as a stakeholder (public sector CSIRT) in the bigger national cybersecurity system. The public sector CSIRT cybersecurity responsibilities of the water and wastewater sector are defined in Section 6.3.6 of the NCPF [65].

The findings also indicated that the public sector CSIRT will report to the national CSIRT or ECS-CSIRT in the SSA. It is not clear whether the ECS-CSIRT caters for both corporate IT and ICS cybersecurity services nor how, specifically, it helps the public sector CSIRTs as it claims on its website. The roles and responsibilities defined in the NCPF [65] (pp. 18–19) further require that the Cybersecurity Centre located in the SSA be consulted by public sector CSIRTs when establishing national security standards and best practices for their sectors. The question is, what is the relationship between the Cybersecurity Centre and ECS-CSIRT, both located in the SSA? Is COMSEC (Pty) Ltd. now the Cybersecurity Centre? Are they different? To reiterate Sutherland's [38] point, perhaps this is what contributes to the complex manner in which the national cybersecurity strategy of South Africa is being implemented. Nonetheless, it has already been proven that the existing national cybersecurity legislative and policy environment provides for the establishment of the water and wastewater sector-specific CSIRT without the need to propose any new laws or amend existing ones. However, this is based on the assumption that the DWS will host the CSIRT on behalf of the entire sector. Whether this is the best way to do it is a separate discussion. Alignment of the sector's ICT policies and cybersecurity practices with the NCPF is enough to establish a CSIRT that will be hosted at the DWS.

By understanding the dynamic nature of its interconnected relationships [23,85,97] among various stakeholders, the water and wastewater sector is therefore immediately able to develop its own cybersecurity governance framework and resilience strategy as illustrated in Figure 6.

**Figure 6.** Water and wastewater cybersecurity system.

De Jong et al. [98] assert that outsiders usually offer creative and innovative policy inputs that can lead to a better understanding of societal challenges. This approach yields better policy decisions with more realistic judgements of the advantages and disadvantages of potential policy measures [98,99]. The water and wastewater sector should therefore be as collaborative with "outsiders" such as the JCPS CRC, Cybersecurity Hub in the DCDT, and Cybersecurity Centre in the SSA and as representative (among its member organisations) as possible in order to attain, through better policy decisions, the desired level of sector cybersecurity resiliency against cyber threats and attacks. In this regard, policy recommendations are proposed as outlined in the next section.
