The current reliance on the goodwill of telecom operators for cybersecurity is inadequate. Because without a regulatory framework, there are no legal obligations for operators to implement necessary security measures, leaving personal data vulnerable and the sector exposed to increased risks.
This was said by Communications Regulatory Authority of Namibia (CRAN)’ legal advisor for legislative drafting, Ms Magano Katoole.
Katoole said that the telecommunications sector is increasingly recognised as the backbone of modern communication, playing a crucial role in facilitating connections and supporting critical infrastructure as ICT has become an indispensable part of people’s daily lives.
However, this essential function also makes the industry a prime target for cyber threats, especially given the large volume of data handled by telecom companies.
“In Namibia, the rapid growth in mobile usage and digital services has amplified the vulnerabilities within the telecommunications sector,” she said.
“As highlighted by the Communications Regulatory Authority of Namibia (CRAN) in its 2023/2024 Universal Report, most Namibians have access to 3G and 4G networks, which has led to an explosion in data usage.
“This surge necessitates robust cybersecurity measures to protect against the rising tide of cyber threats.”
Katoole pointed out that the Communications Act (No. 8 of 2009) mandates CRAN to promote consumer interests and regulate telecommunications services, including matters related to telecommunications security, and network standards such as cybersecurity measures.
She thus outlined three possible regulatory approaches to meet the challenges posed by increasing cyber insecurity in the telecom sector.
“First is self-regulation. This voluntary approach allows operators to set their own cybersecurity standards based on their risk appetite and economic constraints.
“While self-regulation can offer flexibility and adaptability, it lacks accountability and could result in inconsistent application of security measures.”
Katoole pointed out that this approach, however, may leave consumers at risk if operators prioritise business interests over security.
“The second is quasi or co-regulatory approach. This hybrid model involves collaboration between industry stakeholders and regulators, with a legislative framework supporting industry-led initiatives.
“The co-regulatory approach allows for flexibility and leverages industry expertise while ensuring adherence to basic security standards. It aligns with global trends where countries are moving towards co-regulation to balance industry innovation with necessary regulatory oversight.”
The third is explicit mandatory legislative regulation.
“This comprehensive approach entails amending existing legislation or enacting new laws to impose strict cybersecurity obligations on telecom operators.
“This may take the form of amending the Communications Act to strengthen the existing framework and introduce a risk-based security framework and several high-level key obligations alternatively, the elaboration and enactment of the Cybercrime Bill.
While this method ensures compliance through legal enforcement and sanctions for non-compliance, it often involves a slower legislative process and higher costs due to extensive stakeholder engagement and infrastructure requirements.”
Katoole indicated that Namibia’s Cybercrime Draft Bill, of 2021, reflects the country’s commitment to creating a secure and resilient cyberspace. The Bill aims to enhance the nation’s ability to combat cybercrime, promote consumer trust, and support the ongoing digital transformation of various sectors, including telecommunications.
“The Bill proposes the establishment of a National Computer Incident Response Team (CSIRT); criminalises specific cyber-related offences and aims to enhance consumer trust and foster digital transformation.”
Although, this Bill represents progress in enhancing cybersecurity frameworks, sector-specific regulations are essential to ensure that the particular needs of telecommunications are adequately met.
“The impact of implementing these regulations extends beyond compliance, as it involves safeguarding operators’ reputations and maintaining consumer trust. As cyber threats evolve, proactive measures are vital for operators to stay ahead of potential risks.
“The need for digital education and literacy among consumers is also highlighted, as fostering awareness can enhance compliance and resilience within the industry.”
She said that the telecommunications sector is pivotal for Namibia’s national security, economy, and public safety.
“As digital services continue to expand, so too does the risk of cyber exploitation. A proactive regulatory approach is necessary to address these challenges effectively.
“While self-regulation may offer flexibility, it lacks the accountability required to protect consumer interests.”
In the photo: Ms. Magano Katoole, the Legal Advisor for Legislative Drafting at the Communications Regulatory Authority of Namibia (CRAN).