This is the first installment of a bi-weekly commentary series on the third draft of the proposed Cybersecurity and Cybercrimes Bill (2017) compiled by the Centre for Law and Technology Development and the Media Institute of Southern Africa Zimbabwe Chapter (MISA Zimbabwe).
This analysis comes on the backdrop of fast-paced technological developments in the country during the past two years and the reality of the expansion of and utilisation of the Information Communication Technologies and the internet in Zimbabwe for everyday communication and transaction demands. This has resulted in the apparent need for the revision of the majority of laws in Zimbabwe to cater for the changed information and communications sector.
The absence of a holistic, rights focused internet regulatory framework in the country continues to create confusion and the stretching of application of the existing laws beyond their intended purposes. This should be considered against several historical and contextual developments in Zimbabwe.
Definition of cybersecurity and cybercrime
There is no universally shared definition of cybercrime and cybersecurity. Most definitions are context or statute based, and have very little shared meaning across borders, let alone in respective countries.
Zimbabwe’s current Cybercrimes Bill defines cybercrimes “as any offences under the Act”. On the other hand, the draft National Cyber Security Policy of Zimbabwe (2016) (Cyber Policy) describes cybercrime as “an illegal or abusive activity connected with computers or communications networks in which a computer is used as a tool to commit the offense or the target of the offense is a computer system (or its data)”.
The Cybercrimes Bill does not define cybersecurity. The Cyber Policy,on the other hand, defines cybersecurity “as the implementation of measures to protect information communication technology infrastructure including critical information infrastructure (CII) from intrusion and unauthorised access. It includes the adoption of policies, programmes, technology, procedures, protocols and good practices to better govern the use of cyberspace”.
The lack of clarity in policy and legislation on the definition of cybercrime in Zimbabwe has created a challenge for application of laws, resulting in legitimate users of cyber space being targeted or victimised.
The current Cybercrimes Bill identifies the Minister of Information and Communication Technology as the Minister who will have oversight over the Act when it is finalised. A new ministry of Cybersecurity, Threat Detection and Mitigation was created following ministerial reassignments and appointments made by President Robert Mugabe in October 2017. This alone is evidence of increased interest by the government of Zimbabwe to tighten its oversight over the cyberspace. However, it must be emphasised that the oversight role should take heed of the constitutional and fundamental rights in the Cybersecurity and Cybercrimes Bill’s preamble.
The creation of the Cybersecurity Ministry may cause changes or adjustments to the role that the Ministry assigned to oversee the law will play, mainly because the new Ministry is also set to focus on cyber security issues.
Within the current framework, one of the functions of the responsible Minister is to establishing a Cybersecurity Centre, in consultation with the Finance Minister. Inclusion of the Finance Minister in this function could have been prompted by the cost implications associated with the setting up of the centre. However, it is also highly likely that the concerns of crimes related to online financial transactions and security, may have influenced this thinking.
A Cybersecurity Committee, composed of more than 11 members “chosen for their computer and telecommunications, law and policy knowledge and skills”, will manage the Cybersecurity Centre. These include Ministries of Defence; Science and Technology; and that of Justice, Legal and Parliamentary Affairs, the Zimbabwe Republic Police, Zimbabwe Prison Services, National Prosecution Authority and the Director-General of the Postal and Telecommunications Regulatory Authority. The committee also comprises representatives drawn from computer professionals and civil society. The functions of this Committee include managing the Cybersecurity Centre and policy advise and the submission of an annual report to the Minister outlining from the committee/centre, which are then presented in Parliament.
There are concerns, however, on the dominance of state security actors in the composition of the Committee, which unevenly skews representation that leans heavily in favour of state actors at the expense of non-state representatives.
Key Points Summary
- A cybersecurity approach requires clarity on whether it is a state focused, rights focused, or privacy focused. While the Bill prioritises aspects of freedom of expression and privacy as contained in the preamble, there is need, however, for a policy that reinforces this rights focus. The primary focus of the law must be the protection of individuals, networks and devices.
- Laws are being developed before the policies are fully clarified and or adopted, creating potential for policy discord, abuse of laws, selective application and or malicious enforcement. There is more emphasis on national security aspects rather than ensuring an enabling environment as noted in the dominance of state actors, and in particular state security sector representation in the Cybersecurity Committee. This demonstrates the prioritisation focus as being that of security.
- The cybersecurity intended by the Bill covers wide ranges of threats to state, state infrastructure, to individuals, data, and devices.
For more information a copy of the Cybersecurity and Cybercrimes Bill visit MISA Zimbabwe’s e-resource centre on: zimbabwe.misa.org