Tag: ncpf

Hidden Digital Dependency and the Case for a National Technology Dependency Audit in South Africa

Given SHINGANGE

Abstract

South Africa’s rapid digital transformation has been enabled largely through the adoption of foreign-owned and foreign-governed digital technologies, including cloud platforms, software ecosystems, cybersecurity tools, and global payment networks. While these technologies have improved efficiency, scale, and service delivery, they have also introduced a less visible but strategically significant risk: hidden digital dependency. This article argues that South Africa’s most serious digital vulnerability does not arise from overt hardware procurement or isolated vendor choices, but from embedded dependencies in control planes, identity systems, software update mechanisms, cybersecurity supply chains, and cross-border data governance regimes that lie beyond South Africa’s legal and political authority. Drawing on international political economy and security literature, particularly the concept of weaponised interdependence, and grounding the analysis in South Africa’s cybersecurity, data, and infrastructure governance frameworks, the article demonstrates that current national preparedness is fragmented and insufficient. It advances the case for a National Technology Dependency Audit as a proportionate, governance-aligned instrument to restore visibility, prioritise risk, and strengthen national resilience without pursuing technological isolation. The article concludes that resilient interdependence, rather than digital autarky, should be South Africa’s strategic objective in an increasingly contested digital environment.

Keywords: digital sovereignty; hidden digital dependency; weaponised interdependence; cybersecurity supply chains; cloud governance; South Africa.

1. Introduction

Digital infrastructure has become foundational to modern state capacity. In South Africa, digital systems underpin revenue collection, social grant disbursement, banking and payments, aviation and logistics, healthcare delivery, municipal services, and political communication. The state’s ability to govern, regulate, and deliver services increasingly assumes uninterrupted access to global digital platforms and networks. Yet this assumption is rarely interrogated at the level of national risk.

South Africa’s digital modernisation has been shaped primarily by pragmatic considerations: cost efficiency, scalability, skills availability, and speed of deployment. As a result, government departments, state-owned enterprises, and systemically important private-sector actors have adopted foreign cloud platforms, software ecosystems, and cybersecurity services as default infrastructure. While this trajectory has produced tangible short-term benefits, it has also created long-term structural dependencies that remain poorly understood within policy and security circles.

This article argues that South Africa faces a growing problem of hidden digital dependency, and that the absence of a national technology dependency audit represents a strategic governance failure. Existing policy instruments recognise aspects of digital risk, but they do not provide a consolidated national view of where foreign control intersects with critical digital functions. Without such visibility, preparedness remains reactive, fragmented, and overly dependent on assumptions of benign continuity.

2. Conceptualising hidden digital dependency

Hidden digital dependency refers to reliance on foreign-owned or foreign-governed digital capabilities that are essential to national continuity but are not treated as strategic dependencies. Modern digital architectures deliberately abstract control. Users interact with applications and dashboards, while authority over identity, encryption, updates, availability, and compliance resides elsewhere.

These dependencies typically manifest across several layers:

  • control-plane governance in cloud platforms,
  • identity and authentication services,
  • encryption key management and certificate authorities,
  • software update and patching ecosystems,
  • proprietary application programming interfaces and data formats, and
  • cross-border data governance regimes.

The critical distinction is between operational use and strategic control. A system may be hosted locally, staffed locally, and paid for locally, yet remain subject to external decisions regarding access, lawful disclosure, or termination. This distinction explains why digital dependency is a national security and sovereignty issue rather than a purely technical or commercial concern.

3. Weaponised interdependence and digital power

The concept of weaponised interdependence provides a useful analytical lens for understanding why hidden digital dependency matters at state level. Farrell and Newman argue that global economic and information networks are structured around hubs and chokepoints, and that actors who control these nodes can exploit them for coercive purposes. Power is often exercised indirectly, through private intermediaries complying with domestic law, export controls, or risk-averse corporate policies.

In the digital domain, these hubs include cloud control planes, dominant operating systems, app distribution platforms, global payment networks, and cybersecurity service providers. Control over these nodes enables surveillance, denial of access, and influence through standards and ecosystem rules.

For South Africa, the key issue is asymmetry. Dependence on a small number of global technology ecosystems concentrates risk and creates latent leverage, regardless of political intent. Even in the absence of formal sanctions, export controls, compliance overreach, and platform governance decisions can constrain access to essential services during periods of geopolitical stress. In this sense, hidden digital dependency constitutes a standing condition of vulnerability rather than a contingent threat.

4. South Africa’s digital governance architecture and its limits

South Africa is not without relevant policy instruments. The National Cybersecurity Policy Framework positions cybersecurity as a national interest and calls for the protection of critical information infrastructure. The Protection of Personal Information Act establishes principles for lawful processing and data protection. The Cybercrimes Act provides mechanisms for criminal investigation and cooperation. The National Policy on Data and Cloud articulates ambitions for a data-driven economy and provides policy direction on cloud adoption.

However, these instruments operate largely in silos. None mandates a systematic assessment of foreign technology dependency across critical national functions. Cybersecurity governance focuses on coordination and incident response rather than structural dependency. Data policy prioritises economic opportunity and inclusion rather than control and jurisdiction. Procurement decisions remain decentralised and sector-specific.

The result is fragmented preparedness. No single authority is responsible for understanding how foreign control, legal jurisdiction, and platform governance intersect across the national digital ecosystem. This fragmentation creates blind spots that only become visible during crises.

5. National security implications of hidden digital dependency

Hidden digital dependency generates several interrelated categories of national security risk.

First, jurisdictional risk arises when foreign legal regimes can compel technology providers to disclose data or restrict services through corporate entities, irrespective of where data is physically stored. Data location does not equate to data control.

Second, availability risk emerges when access to platforms, identity services, or software updates is degraded or denied due to compliance actions, geopolitical disruption, or corporate policy changes. Modern cloud platforms integrate identity, security monitoring, and administrative control into a single dependency stack.

Third, integrity risk arises from software supply chain compromise. Trusted update mechanisms and centrally managed platforms can be exploited or withdrawn, creating systemic exposure across multiple institutions simultaneously.

Fourth, lock-in risk constrains policy autonomy. Proprietary platforms and data formats raise switching costs and narrow exit options, creating indirect coercion even in the absence of explicit restrictions.

Finally, strategic leverage risk arises when concentrated dependency becomes a bargaining chip during diplomatic or economic disputes. South Africa’s current preparedness does not adequately address these risks because it treats them as isolated technical issues rather than interconnected structural vulnerabilities.

6. Sectoral exposure in South Africa

Hidden digital dependency is not evenly distributed. Its impact varies across sectors.

In government administration, digital identity and access management underpin grants, payroll, licensing, and secure communications. External governance of authentication services, certificate authorities, or key management creates a single point of failure for the digital state.

In financial systems, payment rails, clearing mechanisms, and fraud detection tools rely on global networks governed externally. International experience demonstrates that financial messaging and settlement access can be restricted rapidly, with cascading economic effects.

In aviation, transport, and logistics, air traffic management, port operations, and cargo systems depend on specialised software, satellite navigation, and real-time data exchange subject to export controls and certification regimes.

In health and social services, cloud-hosted systems process sensitive data and support social stability. Dependency without contingency planning magnifies both operational and political risk.

Across sectors, dependency mapping is typically treated as an operational concern rather than a strategic one, reinforcing the need for a national-level assessment.

7. Cloud governance, data sovereignty, and control

Cloud computing sits at the centre of South Africa’s hidden dependency problem. Policy debate has focused largely on data residency and economic development. Yet scholarship and policy analysis consistently demonstrate that data location does not equal control. Jurisdiction follows corporate domicile and legal obligation, not server geography.

While POPIA addresses personal information protection, it does not resolve conflicts of law or address national security data, metadata, or platform telemetry. International best practice emphasises control-plane independence, transparency in lawful access procedures, and tested exit mechanisms. These factors are not systematically assessed in South Africa’s current governance approach.

8. Cybersecurity supply chains as a dependency vector

Cybersecurity tooling itself introduces dependency. South African institutions increasingly rely on foreign-managed platforms for endpoint protection, threat detection, and incident response. These tools often require privileged access and centralised update mechanisms.

Supply chain incidents documented internationally demonstrate how compromise or withdrawal of trusted vendors can cascade across multiple organisations. Treating cybersecurity procurement as a routine operational matter overlooks jurisdictional exposure, export control risk, and platform governance. A credible dependency audit must therefore include defensive technologies, not only productive systems.

9. Sanctions, export controls, and platform governance

Contemporary sanctions and export controls increasingly target technology ecosystems rather than individual goods. Export controls on advanced computing, software, and components operate upstream, affecting entire supply chains. At the same time, platform governance increasingly functions as de facto sanctions enforcement, with access constrained through terms of service and compliance risk.

Denial can occur without formal designation of a country or institution, creating grey-zone exposure for non-aligned states. For South Africa, neutrality does not eliminate risk. Visibility and mitigation are therefore essential.

10. Why current preparedness is inadequate

South Africa’s preparedness gap is structural rather than technical. Accountability is fragmented across departments. Compliance with international standards is often mistaken for resilience. Most critically, preparedness is built on an implicit assumption of continuity in global digital access.

In an environment characterised by strategic competition, sanctions, and platform power, this assumption is no longer defensible. Preparedness that assumes continuity is not preparedness at all.

11. The case for a National Technology Dependency Audit

A National Technology Dependency Audit provides a structured means of restoring visibility. It identifies which digital capabilities are essential to national continuity, where foreign control is embedded, under what legal and contractual conditions access is governed, and what the impact of disruption would be.

The audit is diagnostic rather than prescriptive. It does not ban technology or dictate suppliers. Its value lies in enabling evidence-based prioritisation, coordination across sectors, and informed decision-making.

12. Addressing objections

Claims that dependency audits deter investment misunderstand investor preferences for predictable governance. Concerns about isolation or censorship reflect governance risk, not inevitability. The objective is not digital autarky, but resilient interdependence: maintaining global connectivity while preserving national capability.

13. Conclusion

Hidden digital dependency is a present condition for South Africa, not a hypothetical future risk. Existing policies acknowledge aspects of digital risk but do not address foreign control holistically. A National Technology Dependency Audit is a proportionate, policy-aligned response that transforms intuition into evidence and reaction into preparation.

In an increasingly contested digital environment, South Africa’s strategic objective should not be control over global technology systems, but the capacity to govern, decide, and function under pressure. Without a dependency audit, that capacity remains uncertain.

References (Harvard)

BIS (2019). Export Administration Regulations and Entity List Amendments.

Couldry, N. and Mejias, U. (2019). The Costs of Connection. Stanford University Press.

Cory, N. (2017). Cross-Border Data Flows. ITIF.

DCDT (2024). National Policy on Data and Cloud. Government of South Africa.

Deibert, R. (2013). Black Code. Oxford University Press.

Drezner, D. (2015). Economic Statecraft. Princeton University Press.

ENISA (2021). Threat Landscape for Supply Chain Attacks.

Farrell, H. and Newman, A. (2019). ‘Weaponized Interdependence’, International Security, 44(1), 42–79.

Government of South Africa (2013). Protection of Personal Information Act.

Government of South Africa (2015). National Cybersecurity Policy Framework.

Government of South Africa (2019). Critical Infrastructure Protection Act.

Government of South Africa (2020). Cybercrimes Act.

Kello, L. (2017). The Virtual Weapon and International Order. Yale University Press.

Mueller, M. (2017). Will the Internet Fragment? Polity.

NIST (2022). Cybersecurity Supply Chain Risk Management (SP 800-161 Rev.1).

OECD (2020). Digital Security Risk Management.

Schneider, F. (2019). Cloud Sovereignty. SWP.

UNCTAD (2021). Digital Economy Report.

World Economic Forum (2023). Global Cybersecurity Outlook.

Conversations…..

What conversations are you involved in? What conversations are taking place, but you are not a part of? I am asking about conversations because they are the safest form of communication, or rather, they should be.

conversations

What conversations are you involved in? What conversations are taking place, but you are not a part of? I am asking about conversations because they are the safest form of communication, or rather, they should be.
A conversation is defined as “a talk, especially an informal one, between two or more people, in which news and ideas are exchanged”. This is a platform where everything that separates us does not matter – race, level of knowledge, position, etc. One would also assume that this form of communication requires those involved in it to have the ability to listen, have some form of emotional intelligence, and even be able to communicate their views clearly.
A lot of work goes behind having conversations that bring positive change, whether it be at a personal level, organizational level, or even at a national and international level.
Unfortunately, while many platforms are created in the guise of facilitating such conversation more often than not, they tend to take a different path. You also find that if someone engages in what is supposed to be a conversation with a paternalistic approach, the process loses its meaning. You often see a situation where one party is not free to engage because they think their input is subordinate to the inputs of the other party.
Be involved in conversations. If you are not involved in any, find one that you can be a part of.
There are different kinds of conversations. With some, we may not be granted the opportunity to participate in them, whereas it is up to us with others. Take, for instance, conversations that have to do with the country’s well-being: I believe we should all be involved in such conversations. While I have to acknowledge that it is not easy to have such, it is only through having them that we shall refine our ability.
In summary, conversations are a critical way of communicating, and we are obliged to have them. There are, however, prerequisites to having effective conversations. Some conversations are essential for us, such as conversations that have to do with national matters. We have to be involved and understand what it means to be involved, be clear as to what we have to bring to the table.
My current conversations………..

convo 2

I am involved in many conversations and would like to have many more conversations. I am mainly engaged in cyber security and business, knowledge, social issues, etc.
My time is consumed by the cyber security conversation. I am not complaining, or maybe I should rather say a security conversation.
Over the past five years, I have spent time researching the field, and I continue to do so because of its ever-changing nature. I have also been privileged enough to be involved in different government departments and the private sector dealing with cyber security. It continues to be an exciting field. At the same time, when you look at how some countries like South Africa are dealing with it, you can’t help but worry.
As a side note, I just want to say that sometimes the people having the “conversation” are wrong. For various reasons, of course…
…But going back to the topic, I think we need to restart the conversation about cyber security, and we must not be shy to do so. There is absolutely nothing wrong with continuing, especially when the context requires a rethink.
Perhaps we should start by looking at the National Development Plan as a guiding document for what the country wants to achieve. I think we have not fully internalized the plan, and we are found wanting all the time. So, any conversation with a national bearing must first start with an understanding and an appropriate interpretation of the NDP.
I think we have missed an opportunity to do this, but all is not lost. Every conversation must be guided by some rules written and unwritten (e.g. relationship rules). Just like the constitution, whatever we plan to do, must not in any way be unconstitutional.
What we have experienced as a country is that we have written policies that we cannot implement. A lazy conclusion in many cases is that we have an implementation problem. We assume that the policies are not the problem; we are the problem because we fail to implement them. Once a policy has been signed, we stick to it, without ever considering that maybe the signed policy is not “implementable” or perhaps the policy itself is no longer relevant because the context has changed.
South Africa has the National Cybersecurity Policy Framework signed by Cabinet in 2012. This happens to be the only guide that deals with cybersecurity directly. Since its introduction, one would assume that much progress would have been made, and we would be much safer. However, we still have a cybercrime and cybersecurity bill in parliament, and I doubt it will be signed soon.
In this case, the conversation we should have answered the “so what now?” question. What does this reality mean for us as a country that is of late not doing very well economically? I know for a fact that there is a conversation taking place, or rather that has been taking place, but the same questions above should be raised. Are those involved in the conversation the right people? I think not. So, while we may not be directly involved in some of the conversations that have an impact on our lives, especially where such conversations are taking place on our behalf, we have to make sure that we know those who are representing us and be sure that they have what it takes to represent us as well.
Although this is a critical topic, it is not the only topic that we all should be having conversations about. Even in matters that we think we already have under control, we must always create platforms where we can evaluate if we are on the right track through conversations.
Let’s sit down and have a conversation. Are you prepared?

Bra G