The Risks of AI-Cybersecurity Gaps to the Developmental State Project

This policy paper forms part of the broader project to understand what factors amplify or diminish the risks to markets and society in Africa from, by, and with advanced computational systems. To address this and other related “big questions’’, we use process tracing methods to examine what factors need to be considered in the formation of an industrial policy calibrated to anticipate and respond to the everyday risks of cybersecurity, artificial intelligence (AI) software included.

We examine relevant legislation and corporate governance decisions in the decade prior to the breach of the South African Transnet IT network in July 2021 to support this broader policy analysis. This case provides an opportunity to derive insights about what sorts of measures the Government of South Africa can consider adopting in the near future if it wishes to safeguard the digital, administrative and mechanical systems that are vital for circulation of commodities.

Another reason we focus on the Transnet cyber-attack is because it is a high profile event in a critical sector where catastrophic failure would near guarantee cascading consequences that would strain South African society, as well as nearby landlocked countries that rely upon this bulk freight complex. This case attests to the industrial implications of cybersecurity as well as the wider impact of cybersecurity on state–society dynamics.

Our overarching argument is that cybersecurity can no longer be thought of as the sole province of the state security cluster. As the Transnet cyber-attack well illustrates, cybersecurity policy is industrial policy. Viewed from this perspective, a developmental state must have a central role in creating trusted marketplaces, not only in terms of the legal and policy space, but also in procurement of suitable security software systems for the various state-owned enterprises that shoulder the economy.

As state-owned enterprises are prominent in the South African economy – and will be for the foreseeable future – it is crucial that there is an examination of how their performance with AI and cybersecurity technologies can be improved. What matters is how cybersecurity is linked to the state’s efforts to address the triple-fold challenges of unemployment, inequality and poverty.

South Africa has a developed, if uneven, infrastructure with a relatively high degree of digitisation although there is insufficient government capacity to ward against cyber threats. With AI technologies becoming more accessible to the everyday person the world over, failure to act constitutes a major threat to the smooth functioning of the South African market and the people that rely on that economy.

Attaining a sufficient level of cybersecurity is a desirable priority. While the case study focuses on a single state-owned enterprise in South Africa, the implications are much wider. While South Africa has more advanced infrastructure than many other African countries, the case study provides an important experience that other countries should draw on as they develop logistics, other infrastructure, and begin introducing cybersecurity measures.