What is a cyberattack? “It is an international effort to steal, expose, alter, disable, or destroy data, applications, or other assets through unauthorized access to a network, computer system or device.”
South Africa has adopted a national cybersecurity strategy and established a military Cyber Command. Unfortunately, other issues have been ranked above cybersecurity, such as corruption, poverty and social injustice and it has therefore not been seen as a high priority by successive governments.
In 2023, according to the South African Banking Risk Information Centre, South Africa saw an increase of 22% in cyberattacks and in a briefing by the South African Council for Scientific and Industrial Research, the impact of cybercrime to the economy was estimated at R2.2 billion per year. Importantly, as at 25 October 2023, SARS had zero ICT security breaches from known risks and had invested R646 million to ensure that mission-critical infrastructure and systems were operable.
In June 2023, South Africa experienced what was termed an EDI crisis during which declarations were submitted to customs via the EDI (Electronic Data Interchange) platform but, due to technical issues, no return messages were received and therefore no electronic releases were issued for the best part of two weeks. This was not, in any way, linked to a cyberattack but it provided a glimpse of what impact such an attack could have on the supply chain, like the cyberattack on Transnet in 2021.
After emergency meetings between the private sector and SARS, contingency measures were implemented to release declarations manually using a DA74 or CN1 process until the EDI system came back online but there were still significant delays in the physical movement of goods as well as additional costs. It is believed that upgrades to the e-filing tax platform and the volume of declarations in the pipeline created unexpected disruptions to the EDI gateway, but could a cyberattack have the same impact?
The risk of such an attack on SARS is, and always will be, a major concern and such an attack could not only disrupt the EDI platform but the e-filing system and the SARS website.
Personal and business information relating to tax and other financial matters would also be at risk, which is, in most cases, the primary objective of a cyberattack. As and when other Government Agencies are linked to the National Single Window via the EDI system, there is potential for the risk to increase if these OGAs do not have the same level of security measures in place, but it must be assumed that adequate measures would be put in place by SARS to prevent such an eventuality.
For obvious reasons, cybersecurity measures that SARS has in place are not generally public knowledge and for good reason, but we are assured that this is a high priority for SARS and that every effort has been made to combat the threat of a cyberattack. It also becomes the responsibility of those interacting with SARS electronically to ensure their business systems are secure so as not to unintentionally pose a risk.
It is an unfortunate consequence of modern technology that such a topic even needs to be discussed but forewarned is forearmed.
