Cybersecurity bill: Experts raise censorship concerns
Cybersecurity experts have raised concerns about the latest version of a proposed cybersecurity bill, validated in Windhoek this week, warning it risks enabling censorship and imposing disproportionate penalties.
“On the surface, this law looks like it targets hackers, scammers, and criminals,” Grant Thornton’s head of cybersecurity, Rigo Reddig, said.
"But the way it is written, it also criminalises everyday digital behaviour, security work, research and even mistakes. The danger isn’t only what the law says it forbids but also how broadly and vaguely it is written."
Extreme prison sentences of up to 25 years prescribed in the bill could discourage security research, the reporting of vulnerabilities and investigations into wrongdoing, Reddig warned.
“This discourages exactly the kind of expertise a country needs to improve security,” he said.
Critics also argue that the bill's definition of "unauthorised access", based on access alone rather than harm or malicious intent, could leave cybersecurity professionals vulnerable to prosecution.
“If you access a system without formal permission – even just to check if it’s vulnerable – the law treats that the same way as a criminal attack,” Reddig explained.
He noted that testing systems for vulnerabilities, checking whether public websites leak sensitive information and analysing malware samples are routine parts of cybersecurity work.
Reddig called for a clear distinction between ethical cybersecurity practice and malicious exploitation.
He also suggested that the definitions of "undesirable content" may enable censorship where there is a lack of judicial oversight.
“This enables quiet, expansive surveillance without the checks found in many democratic countries. Journalists, activists and researchers would have no way of knowing when monitoring occurs,” he warned.
Balancing speed and consensus
Vanessa Maresch of Salt Essential IT was more optimistic, saying the validation workshop – hosted by the information and communication technology ministry – was an opportunity to iron out the bill's shortcomings.
She flagged a potential blind spot around zero-day attacks, where communications infrastructure may be down before a vulnerability is even known to exist.
“There might not be a way to give authorisation through conventional channels in such cases, and things like WhatsApp communication may not be recognised, so those are the kinds of things we need to bring up and discuss here, so the bill can make provision for that,” she said.
Legislative drafting consultant Dr Johnson Okoth Okello told the workshop that the current bill draws heavily on UN and African Union cybersecurity conventions.
"We will never come up with a bill that is 100% clean," he said.
"Even as we make our final submissions, the ministry should move with speed and even have the bill introduced in parliament, but that does not mean that we don't prepare a bill that will have good consensus."
He added that the draft legislation has "borrowed heavily from Namibia's commitment to the Malabo Convention, the African Convention on Cybersecurity and Data Protection. It has also borrowed very heavily from the UN Convention on Cybercrime and Cybersecurity."



Namibian Sun