Protecting Critical Databases – Towards a Risk Based Assessment of Critical Information Infrastructures (CIIS) in South Africa

Keywords: Critical databases, critical information infrastructures, national security, social and economic well-being

Abstract

South Africa has made great strides towards protecting critical information infrastructures (CIIs). For example, South Africa recognises the significance of safeguarding places or areas that are essential to the national security of South Africa or the economic and social well-being of South African citizens. For this reason South Africa has established mechanisms to assist in preserving the integrity and security of CIIs. The measures provide inter alia for the identification of CIIs; the registration of the full names, address and contact details of the CII administrators (the persons who manage CIIs); the identification of the location(s) of CIIs or their component parts; and the outlining of the general descriptions of information or data stored in CIIs.

 

It is argued that the measures to protect CIIs in South Africa are inadequate. In particular, the measures rely on a one-size-fits-all approach to identify and classify CIIs. For this reason the South African measures are likely to lead to the adoption of a paradigm that considers every infrastructure, data or database, regardless of its significance or importance, to be key or critical.

     ScienceOpen_Log0343275.png

References

Bibliography

Afzal, Rohaniand and Roshana 2011 ISBEIA

Afzal AZ, Rohaniand EI and Roshana T "Contractor’s strategic approaches to risk assessment techniques at project planning stage" 2011 ISBEIA 318-323

Anderson et al 2005 IEEE Transactions on Power Systems

Anderson G et al "Causes of the 2003 Major Grid Blackout in North America and Europe, and Recommended Means to Improve System Dynamic Performance" 2005 IEEE Transactions on Power Systems 1922-1928

Anderson Information Infrastructure

Anderson RH Securing the US Defense Information Infrastructure: A Proposed Approach (RAND Washington 1999)

Baocun and Fei "Information Warfare"

Baocun W and Fei L "Information Warfare" in Pillsbury M (ed) Chinese View of Future Warfare (National Defence University Washington 1997) 327-342

Bendisch et al "Towards a European Agenda"

Bendisch U et al "Towards a European Agenda for CIIP - Results from the CI2 RCO Project" in Lopez J and Hämmerli BM (eds) CRITIS 2007: Second International Workshop on Critical Information Infrastructures Security (Springer Berlin 2008) 1-12

Bolzoni and Etalle "Approaches in Anomaly-based Network Intrusion Detection Systems"

Bolzoni D and Etalle S "Approaches in Anomaly-based Network Intrusion Detection Systems" in Di Pietro R and Mancini LV (eds) Advances in Information Security: Intrusion Detection Systems (Springer Verlag London 2008) 1-15

Botma et al Navigating Information Literacy

Botma T et al Navigating Information Literacy: Your Information Society Survival Toolkit 2nd ed (Pearson Cape Town 2008)

Bowling, Marks and Murphy "Crime Control Technologies"

Bowling B, Marks A and Murphy C "Crime Control Technologies – Towards an Analytical Framework and Research Agenda" in Brownword R and Yeung K (eds) Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes (Hart Oxford 2008) 51-78

Brazzoli "Future Prospects of Information Warfare"

Brazzoli MS "Future Prospects of Information Warfare and Particularly Psychological Operations" in Le Roux L (ed) South African Army Vision 2020: Security Challenges Shaping the Future South African Army (Institute for Security Studies Pretoria 2007) 217-232

Carcano et al "State-based Network Intrusion Detection Systems"

Carcano A et al "State-based Network Intrusion Detection Systems for SCADA Protocols - A Proof of Concept" in Rome E and Bloomfield B (eds) Critical Information Infrastructures Security: CRITIS 2009 (Springer Verlag Berlin 2010) 138-150

Chandrasekhar "Living with Disasters"

Chandrasekhar D "Living with Disasters – A Planning Approach to Critical Incidents" in Schwester RW (ed) Handbook of Critical Incident Analysis (Sharpe New York 2012) 186-200

Conant and Ashby 1970 Int J Syst Sci

Conant RC and Ashby WR "Every Good Regulator of a System Must be a Model of That System" 1970 Int J Syst Sci 89-97

Deuchars International Political Economy

Deuchars R The International Political Economy of Risk: Rationalism, Calculation and Power (Ashgate Aldershot 2004)

Durrani Information and Liberation

Durrani S Information and Liberation: Writings on the Politics of Information and Librarianship (Library Justice Duluth 2008)

Granova and Eloff 2005 Computer Fraud and Security

Granova and Eloff "A Legal Overview of Phishing" 2005 Computer Fraud and Security 6-11

Griffiths, O’Callaghan and Roach Internal Relations

Griffiths M, O’Callaghan T and Roach SC Internal Relations: The Key Concepts 2nd ed (Routledge London 2008)

Kapoor Computerised Banking

Kapoor N Computerised Banking System in India (Sublime Jaipur 2008)

Katyal 2001 U Pa L Rev

Katyal NK "Criminal Law in Cyberspace" 2001 U Pa L Rev 1003-1114

Lessig 1995 Yale L J

Lessig L "The Path of Cyberlaw" 1995 Yale L J 1743-1755

Lessig Code and Other Laws of Cyberspace

Lessig L Code and Other Laws of Cyberspace (Basic Books New York 1999)

Milone 2002 Business Lawyer

Milone MG "Hacktivism - Securing the National Infrastructure" 2002 Business Lawyer 383-413

Morgan and Yeung Law and Regulation

Morgan B and Yeung K An Introduction to Law and Regulation: Text and Materials (Cambridge University Press Cambridge 2007)

Myers "Introduction to Phishing"

Myers S "Introduction to Phishing" in Jakobsson M and Myers S (eds) Phishing and Counter-Measures: Understanding the Increasing Problem of Electronic Identity Theft (Wiley Hoboken 2007) 1-30

Nickolov 2005 Information & Security

Nickolov E "Critical Information Infrastructure Protection - Analysis, Evaluation and Expectations" 2005 Information & Security 105-119

Okhravi et al 2012 IJCIP

Okhravi H et al "Creating a Cyber Moving Target for Critical Infrastructure Applications Using Platform Diversity" 2012 IJCIP 30-39

Rittinghouse and Hancock Cybersecurity Operations

Rittinghouse JW and Hancock WM Cybersecurity Operations Handbook (Elsevier Amsterdam 2003)

Sieber "Emergence of Information Law"

Sieber U "The Emergence of Information Law - Object and Characteristics of a New Legal Order" in Lederman E and Shapira R (eds) Law, Information and Information Technology (Kluwer The Hague 2001) 1-30

Somsen "Cloning Trojan Horses"

Somsen H "Cloning Trojan Horses – Precautionary Regulation of Reproductive Technologies" in Brownword R and Yeung K (eds) Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes (Hart Oxford 2008) 221-242

Spedding Due Diligence

Spedding LS Due Diligence and Corporate Governance (LexisNexis Coydon 2004)

Spencer Internal Auditing Handbook

Spencer PKH The Internal Auditing Handbook 3rd ed (John Wiley Chichester 2010)

Taylor SQL for Dummies

Taylor AG SQL for Dummies 7th ed (Wiley Hoboken 2010)

Taylor "Hacktivism"

Taylor PA "Hacktivism - In Search of Lost Ethics?" in Wall D (ed) Crime and the Internet (Routledge New York 2001)

Van Niekerk and Maharaj 2011 South African Journal of Military Studies

Van Niekerk B and Maharaj MS "Relevance of Information Warfare Models to Critical Infrastructure Protection" 2011 South African Journal of Military Studies 52-75

Von Solms "Critical Information Infrastructure Protection"

Von Solms B "Critical Information Infrastructure Protection – Essential During War Times, or Peace Times or Both?" in Phahlamohlaka J et al (eds) IFIP TC9 Proceedings on ICT Uses in Warfare and the Safeguarding of Peace (CSIR Pretoria 2008) 36-40

Von Solms "Securing the Internet"

Von Solms B "Securing the Internet - Fact or Fiction?" in Camenisch J, Kisimov V and Dubovitsknya M (eds) Open Research Problems in Network Security (Springer Verlag Heidelberg 2011) 1-8

Vrijling et al 2004 Journal of Risk Research

Vrijling JK et al "A Framework for Risk Criteria for Critical Infrastructures – Fundamentals and Case Studies in Netherlands" 2004 Journal of Risk Research 569-579

Webster Theories

Webster F Theories of the Information Society (Routledge London 2006)

West "Preventing System Intrusions"

West M "Preventing System Intrusions" in Vacca JR (ed) Computer and Information Security Handbook (Morgan Kaufmann Amsterdam 2009) 39-51

Register of cases

Columbus Joint Venture v Absa Bank Ltd 2002 1 All SA 105 (SCA)

Energy Measurements (Pty) Ltd v First National Bank of South Africa 2000 2

All SA 396 (W)

Indac Electronics (Pty) Ltd v Volkskas Bank Ltd 1992 1 All SA 411 (A)

LIoyds Bank Ltd v The Chartered Bank of India, Australia and China 1928 All ER Rep 285

United States v Morris 928 F2N 504 (2nd Circuit Court 1991)

United States v Robert J Riggs 739 FSupp 414 (North District of Illinois 1990)

Register of legislation

Computer Fraud and Abuse Act, 1986

Cyber Security Enhancement Act, 2002

Cyber Security Research and Development Act, 2002

Defence Act 42 of 2002

Electronic Communications and Transactions Act 25 of 2002

Electronic Communications Security Pty (Ltd) Act 68 of 2002

Financial Intelligence Centre Act 38 of 2001

National Key Points Act 102 of 1980

National Strategic Intelligence Act 39 of 1994

Protection of Personal Information Bill, 1998

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercepting and Obstructing Terrorism Act, 2001

Register of government publications

GN 118 GG 32963 of 19 February 2010

Procl R1 in GG 21951 of 1 January 2001

Procl R118 in GG 32962 of 19 February 2010

Register of international conventions

Council of Europe’s Convention on Cybercrime (2001)

Council of the European Union Framework Decision on Attacks against Information Systems (2005)

Register of internet sources

Brown, Bryan and Conley 1999 http://bit.ly/16rT8h8

Brown, Bryan and Conley "Database Protection in a Digital World" 1999 Richmond Journal of Law and Technology http://bit.ly/16rT8h8 [date of use 13 Jul 2012]

Commission of the European Communities 2006 http://bit.ly/Z497fe

Commission of the European Communities 2006 Proposal for a Directive of the of the Council Identification and Designation of European Critical Infrastructure and the Assessment of the Need to Improve Their Protection http://bit.ly/Z497fe [date of use 13 Jul 2012]

Council of the European Union and Commission of the European Communities 2000 http://bit.ly/YZQlMX

Council of the European Union and Commission of the European Communities 2000 E-Europe 2002 – An Information Society for All http://bit.ly/YZQlMX [date of use 13 Jan 2012]

Cukier 2005 http://bit.ly/179q6UO

Cukier K 2005 Critical Information Infrastructure Protection – Ensuring (and Insuring?) Critical Information Infrastructure Protection http://bit.ly/179q6UO [date of use 13 May 2012]

Denning 2000 http://bit.ly/16rUw3i

Denning DE 2000 Cyberterrorism Testimony before the Special Oversight Panel of Terrorism http://bit.ly/16rUw3i [date of use 14 Jan 2012]

Fikle and Rothacker 2012 http://reut.rs/179qwdK

Fikle J and Rothacker R 2012 Iranian Hackers Target Bank of America, JPMorgan, Citi http://reut.rs/179qwdK [date of use 12 Nov 2012]

Francis 2012 http://abcn.ws/ZwFUJH

Francis E 2012 Hackers, Possibly from Middle East, Block US Banks' Websites http://abcn.ws/ZwFUJH [date of use 12 Nov 2012]

G8 2003 http://bit.ly/128xThV

G8 Justice and Interior Ministers 2003 G8 Principles for Protecting Critical Information Infrastructures http://bit.ly/128xThV [date of use 15 Jul 2012]

ICS-CERT 2009-2011 http://1.usa.gov/16fCWxp

ICS-CERT 2009-2011 ICS-CERT Incidence Response Summary Report http://1.usa.gov/16fCWxp [date of use 13 Oct 2012]

Macaulay 2009 http://bit.ly/14AqrQM

Macaulay T 2009 US Critical Infrastructure Interdependency Wheel (CIIW) – Executive Summary http://bit.ly/14AqrQM [date of use 13 Jun 2012]

Marsh 1997 http://bit.ly/Z4cWkx

Marsh RT 1997 Critical Foundations – Protecting America’s Infrastructures http://bit.ly/Z4cWkx [date of use 13 Mar 2012]

McAfee Date unknown http://bit.ly/11d0cwJ

McAfee Date unknown White Paper on Identity Theft http://bit.ly/11d0cwJ [date of use 11 Jul 2011]

OECD 2002 http://bit.ly/14Ar0tG

OECD 2002 Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security http://bit.ly/14Ar0tG [date of use 18 Mar 2012]

OECD 2008 http://bit.ly/11cZ1xh

OECD 2008 Recommendations of the Council on the Protection of Critical Information Infrastructures http://bit.ly/11cZ1xh [date of use 16 Mar 2012]

Perlroth 2012 http://nyti.ms/13M0EWG

Perlroth N 2012 Cyberattack on Saudi Firm, US Sees Iran Firing Back http://nyti.ms/13M0EWG [date of use 12 Nov 2012]

Scarfone and Mell 2007 http://1.usa.gov/ZwIkbb

Scarfone K and Mell P 2007 Guide to Intrusion Detection and Prevention Systems: Recommendations of the National Institute of Standards and Technology http://1.usa.gov/ZwIkbb [date of use 12 May 2012]

US-Canada Power System Outage Task Force 2004 http://1.usa.gov/10t19NH

US-Canada Power System Outage Task Force 2004 Final Report on the August 14 2003 Blackout in the United States and Canada – Causes and Recommendations http://1.usa.gov/10t19NH [date of use 11 Nov 2012]

US Department of Energy 2012 http://1.usa.gov/XmvVwl

US Department of Energy 2012 Special Report – Inquiry into the Security Breach at the National Nuclear Security Administration’s Y-12 National Security Complex http://1.usa.gov/XmvVwl [date of use 14 Nov 2012]

VandenBrink 2011 http://bit.ly/Yr6ok9

VandenBrink R 2011 8 Years Since the Eastern Seaboard Blackout – Has It Been Long? http://bit.ly/Yr6ok9 [date of use 6 Oct 2012]

Published
2017-04-26
How to Cite
NjotiniM. N. (2017). Protecting Critical Databases – Towards a Risk Based Assessment of Critical Information Infrastructures (CIIS) in South Africa. Potchefstroom Electronic Law Journal, 16(1), 450-481. https://doi.org/10.17159/1727-3781/2013/v16i1a2318
Section
Notes