#### 2.2.1. National Cybersecurity Stakeholders

Review work of the national cybersecurity stakeholders was conducted in Appendix A. Stakeholders that are mentioned multiple times in Appendix A are listed once below as either domestic or foreign. All other stakeholders are listed below without exception. It should thus be noted that not all of these are necessarily key stakeholders to the implementation of the national cybersecurity strategy. The domestic stakeholders relevant to the national cybersecurity endeavours as reviewed in Appendix A are as follows:

	- Electronic Communications Security—Cyber Security Incidents Response Team (ECS-CSIRT)
	- Cybersecurity Centre
	- National Cybersecurity Hub
	- Cyber Inspectorate
	- National Cybersecurity Advisory Council

• Department of Defence (DoD)
	- Cyber Command

•
	- Cyber Crime Centre
	- National Prosecuting Authority

• South African Revenue Service

The key national and domestic stakeholders as defined in the NCPF are represented in Figure 1. As delineated in the NCPF, the key organs of state that play a critical role in the implementation of the cybersecurity strategy [65] are dominated by the Justice, Crime Prevention and Security (JCPS) cluster [66]. According to the Government of South Africa [67], the JCPS cluster is made up of the Presidency, the Ministry of Defence and Military Veterans, the Ministry of State Security, the Ministry of Justice and Correctional Services, the Ministry of Police, the Ministry of Home Affairs, the Ministry of International Relations and Cooperation, the Ministry of Finance, the Ministry of Small Business Development, the Ministry in the Presidency for Women, Youth and Persons with Disabilities, and the Ministry of Social Development. In Figure 1, the bidirectional arrows are not reporting lines. They represent information flow within and outside the national cybersecurity system.

**Figure 1.** National cybersecurity governance structure in South Africa.

All other organs of state, including but not limited to those listed above, are required to align their cybersecurity and Information and Communications Technology (ICT) policies and practices with the NCPF [65]. Effectively, Figure 1 shows the cybersecurity coordination and management structure in South Africa. The coordination is performed by the JCPS Cybersecurity Response Committee (CRC) [67] that is operationally supported by the Cybersecurity Centre in the SSA [65]. This inter-ministerial coordination is managed and facilitated through various pieces of legislation and government policies.

#### 2.2.2. National Cybersecurity Legislation and Policies

Review work of legislation and government policies used for the implementation of the national cybersecurity strategy was conducted in Appendix A. Similarly, pieces of legislation and policies that are mentioned multiple times in Appendix A are listed once below. All other pieces of legislation and policy are listed below without exception. It is therefore acknowledged that not all of these are necessarily key cybersecurity legislation and policies for the implementation of the national cybersecurity strategy. It is also acknowledged that not all cybersecurity-relevant legislation and policies are reflected in Appendix A. For example, as mentioned in the NCPF [65], the Electronic Communications Security Proprietary (Pty) Limited (Ltd) Act 68 of 2002 was not reflected in the review work in Appendix A. Nonetheless, the legislation and policies relevant to the national cybersecurity endeavours as reviewed in Appendix A are as follows:


Achievement of the six key objectives of South Africa's national cybersecurity strategy is therefore distributed among 37, and probably more, different pieces of legislation and government policies [37,38]. This is the legal framework for national cybersecurity governance and resilience in South Africa. Harmonising and aligning these [37] could make the currently complex coordination and management of the national cybersecurity endeavours [38] a bit easier. In addition to the Constitution [68], it would appear from Appendix A that seven pieces of legislation and government policies in particular are key to the implementation of the national cybersecurity strategy as they are repeatedly mentioned. These are shown in Figure 2 [65,69–74].

**Figure 2.** Key national cybersecurity policy and legislation in South Africa.

Review of the six individual pieces of legislation and one policy in Figure 2 revealed that some older laws—those enacted prior to the democratic dispensation in 1994—have since been repealed while others have been amended to respond to changing needs and to align with the country's constitution. It is worth highlighting a few of these in Table 2 as they relate to cybersecurity and cybercrimes in South Africa.

There are many other repeals and amendments but those are beyond the scope of the study. However, as one of the key cybersecurity laws in South Africa, it is imperative to highlight that, as shown in Table 2, sections 85 to 88 (cybercrime offences) of the ECT Act [73] have since been repealed and substituted by sections 2 to 12 of the newly approved Cybercrimes Bill [69]. Moreover, section 89 (cybercrime penalties) of the ECT Act has also been amended as outlined in section 58 of the Cybercrimes Bill. A review of the NCPF also revealed a few implementation gaps and challenges.

#### 2.2.3. National Cybersecurity Challenges

The review work in Appendix A revealed that, apart from the fact that the current coordination and management of the national cybersecurity strategy of South Africa is complex and should be simplified [37,38], a few challenges were identified. Although Appendix A revealed more than ten gaps and challenges, these can be aggregated into the ten described in Table 3.



Some of the challenges in Table 3 are similar to those experienced in other countries, for example, the limited collaboration and information sharing among various sectors and inadequate cybersecurity skills in Turkey [75]. Identifying and classifying critical infrastructure and updating the inventory on a regular basis is a challenge [6]. This is highlighted by White [2] with regard to the USA's Department of Homeland Security's need to develop guidelines to classify critical infrastructure sectors. In the case of Turkey, what [75] found was that if a sector is predominantly managed by private entities, the general cybersecurity posture tends to be more mature, and vice versa. In the case of the USA, however, the Department of Homeland Security is not a private entity. Perhaps cybersecurity issues are not that straightforward as stakeholder roles and responsibilities are often not as obvious, and moreover, the required security levels are also difficult to define [76]. The complex nature of the current coordination and management of the national cybersecurity strategy [37,38] may not be unique to South Africa after all. It is, however, important to understand how the cybersecurity gaps and challenges in Table 3 impact the water and wastewater sector's cybersecurity responsibilities. In this regard, the water and wastewater legal context was reviewed to determine whether and how it addresses protection of the sector's critical cyber infrastructure.
