Training for Incident Response Teams (CSIRTs) – Improving South Africa’s response to national cyber threats 

Summary

This project is part of the United Kingdom Foreign, Commonwealth & Development Office (FCDO) commitment to build national cyber security capacity and resilience to cybersecurity threats in five middle-income countries. The UK Government’s Digital Access Programme provides support through: Government-to-Government technical assistance; cyber hygiene training; public awareness-raising; and research. It aims to reduce the impact of cyber harms on their governments, economies and citizens – particularly amongst groups vulnerable to online exploitation.

Details

Aim

To strengthen national incident response by building on existing infrastructure for and with the Cybersecurity Hub, the National CSIRT from the Department of Communications and Digital Technologies Sector CSIRTs, the South African Reserve Bank (SARB), and the South African Police Service (SAPS).

Context

Existing infrastructure covered a Cybersecurity Hub, which is the national Computer Security Incident Response Team (CSIRT) for the private sector in South Africa, and a government CSIRT which serves government departments and several industry sector equivalents. However, there was a lack of communication and coordination across these CSIRTs making national response challenging.

Outcomes

• Improvement in the capability for coordinating a national South African cyber incident response.
• Recommended next steps to the South African government.

Outputs

Over 100 participants were trained covering Government (CSHUB-CSIRT), sector CSIRTs (incl. FS, Telco, Higher education and CSIR) and regulators (SARB, PASA) which resulted in an increased awareness of the challenges involved in delivering a successful incident response.

Activities

• Delivery of three simulation events to test different sectors’ responses to a cyber incident – which revealed strengths and weaknesses of leadership, coordination and communication. Analysis of decisions to determine what worked, what didn’t and how the response protocols might need to be amended.
• Incident response workshops to explore the outputs of the simulations which identified lessons learned, recommended actions, identified contingency planning and articulated roles and responsibilities.