When Salva Kiir Mayardit signed the Cybercrime and Computer Misuse Act into law, the government framed it as a long-overdue response to fraud, hacking, and online incitement. Few would dispute that cyber-enabled crimes exist and require legal tools, but laws do not operate in isolation. In South Sudan, this new Act does not stand alone — it now sits beside the sweeping National Security Service (NSS) Act, a law long criticized for granting expansive powers of arrest, detention, surveillance, and search.
The question is not whether cybercrime should be regulated. The question is: what happens when an already contentious national security regime “marries” a vaguely worded cybercrime law?
The marriage of two expansive laws
The National Security Service (NSS) law has, for years, allowed broad discretion in the name of “national security.” Critics have documented patterns of arbitrary detention, intimidation of journalists, and suppression of dissent under its provisions. Now, with the Cybercrime and Computer Misuse Act in place, the state gains a new vocabulary — “false information,” “harmful communication,” “digital threats” — through which criticism can be reframed as criminal conduct.
This fusion is dangerous because the NSS already enjoys expansive operational latitude. The Cybercrime Act introduces ambiguous offences related to speech. Enforcement mechanisms remain unclear, and judicial oversight appears weak. Together, they create a legal architecture capable of transforming dissent into a digital crime.
For journalists, rights defenders, and lawyers, this means that publishing an investigative report on corruption, documenting abuses, or mobilizing public debate online could now fall within a criminal frame — not because it is unlawful in substance, but because it is politically inconvenient.
Surveillance in practice: How the NSS has operated in the digital sphere
Beyond the text of the law lies the question of practice. Over the past decade, there have been persistent allegations from journalists, activists, and international watchdogs that the National Security Service has engaged in monitoring phone calls, tracking communications, and informally compelling telecommunications operators to cooperate with surveillance requests. Publicly available reporting across Africa has shown that several governments in the region have procured sophisticated interception technologies — including deep packet inspection systems and spyware platforms capable of monitoring emails, messaging applications, and metadata.
However, in South Sudan’s case, there has been no transparent public declaration detailing: What surveillance software, if any, has been procured; Whether lawful interception systems are installed within telecom infrastructure; What standards govern data retention and analysis; Who authorizes targeting decisions; How long intercepted data is stored; Whether independent audits exist.
There has also been little public evidence of court-issued warrants authorizing digital interception. If such warrants exist, the issuing court and procedural safeguards remain opaque.
This opacity creates two core risks: Normalization of executive-led surveillance without judicial oversight. Absence of clarity on how retrieved data is analyzed, shared, or protected.
Without formal disclosure frameworks — such as annual transparency reports or parliamentary oversight — the public cannot evaluate whether surveillance is targeted and proportionate or broad and preventive.
In effect, the surveillance environment operates in a gray zone: widely suspected, rarely acknowledged, and minimally scrutinized.
Are digital citizens truly a National Security threat?
Governments often argue that online spaces pose unique dangers: misinformation, incitement, and foreign interference. These risks are real. But proportion matters.
In South Sudan — as in much of East Africa — the gravest threats to national security have historically been: Armed conflict; Ethnic violence; Corruption in public finance; Proliferation of small arms; Organized political violence. These are overwhelmingly offline phenomena.
So why is digital speech increasingly framed as a primary security threat? One answer is that digital citizens speak more freely online than they do in physical spaces. Social media lowers barriers to participation. A young activist in Juba, Bor, or Wau can question authority without physically entering a newsroom or public rally. The digital sphere becomes a parallel public square.
Yes, citizens often speak more boldly online. But does that boldness equal danger? Or does it simply reflect the fact that traditional civic spaces are constrained?
If the majority of serious crimes remain offline, why is online speech elevated to the level of national security urgency — while entrenched corruption and violence are not always treated with equal vigor? The risk is that the “digital threat” narrative becomes a convenient justification for regulating dissent rather than protecting security.
Implementation under the Cybercrime and Computer Misuse Act: Monitoring, blocking, and shutdown powers
The Cybercrime and Computer Misuse Act reportedly mandates authorities to monitor and respond to “harmful” or “false” online information, including on social media platforms. Yet the law’s implementation framework remains unclear.
Key questions emerge: Will telecom operators be required to install real-time monitoring interfaces? Will internet service providers be compelled to block specific websites or platforms? Under what authority can social media shutdowns occur? Is there a requirement for judicial authorization before blocking digital services?
Across the region, governments have implemented internet shutdowns during elections or unrest. These actions are often justified under national security grounds but carry sweeping economic and civil liberties consequences. If the Cybercrime Act is interpreted broadly, it could provide statutory cover for: Temporary or prolonged internet shutdowns; Platform-specific bans; Geo-targeted blocking of communications; Content takedown directives without independent review.
To date, there has been no detailed public disclosure from authorities explaining: The technical tools that will be used to detect “harmful information”; The criteria used to classify content as misinformation; The appeal mechanisms available to affected individuals; The oversight body reviewing blocking or surveillance decisions.
Without these safeguards, implementation risks are discretionary and politically influenced. For civil society, the legal ramifications are significant: NGOs may face monitoring of internal communications. Journalists may see digital investigations framed as “misinformation.” Human rights defenders may encounter platform restrictions or criminal exposure. Ordinary citizens may self-censor to avoid ambiguity-driven prosecution. The chilling effect may precede enforcement. Fear alone can narrow civic space.
Must digital offenses always be criminalized?
Not all harms require prison. Around the world, democratic systems use a range of remedies for digital misconduct: Civil defamation suits. Regulatory fines. Independent media councils. Platform moderation mechanisms. Data protection authorities. Right-of-reply frameworks.
Criminal law — especially imprisonment — is considered a last resort, reserved for severe offenses such as child exploitation, terrorism coordination, or large-scale financial fraud.
In many East African contexts, however, cybercrime laws criminalize speech itself. This creates a chilling effect. When a journalist faces years in prison for allegedly “false” information, self-censorship becomes rational survival.
The real question is whether South Sudan’s law distinguishes between: Legitimate investigative reporting; Sharp political criticism; Genuine incitement to violence and organized cyber fraud. Without clear thresholds, everything risks collapsing into the same criminal category.
Lessons from the history of the National Security Law
HistLawory matters. The National Security Service has previously been accused of: Arresting journalists without transparent charges; Detaining critics for extended periods; Monitoring civic actors without visible judicial authorization; Restricting media operations.
One crucial issue remains unanswered: How often have courts in South Sudan been formally approached to issue warrants for surveillance, interception, or blocking communications?
If judicial authorization has been rare or opaque under the existing NSS framework, what safeguards will govern enforcement of the Cybercrime and Computer Misuse Act? Which court will issue interception warrants? The High Court? A specialized tribunal? Will proceedings be transparent? Will targets have the right to challenge surveillance?
If these mechanisms are undefined or bypassed, the enforcement of the Cybercrime Act may rely more on executive discretion than judicial review — a troubling prospect in any constitutional system.
Who is competent to debate the Cybercrime Act?
The Cybercrime and Computer Misuse Act is not merely a security statute. It is: A constitutional law issue; A human rights issue; A media law issue; A digital governance issue, and a public policy issue.
Globally and in East Africa, the most competent voices in such debates include: Constitutional lawyers and human rights advocates; They assess compliance with international obligations like the ICCPR and the African Charter.
Journalists and media associations. Because press freedom is directly implicated.
Digital rights organizations and technologists. They understand how surveillance technologies work and how easily they can be misused.
Academics in cyber law and information technology. They provide comparative legal analysis from jurisdictions like Kenya, Uganda, and Tanzania.
Judges and former judicial officers. They can clarify the standards required for lawful interception and due process.
Civil society coalitions. Because the law affects ordinary citizens, not just political elites. In East Africa, experience has shown that where cyber laws were debated primarily within executive circles, they tended to expand state power. Where civil society and professional bodies were included, safeguards improved.
Conclusion: Security or Silence? No state can function without security. But security laws must be proportionate, precise, and accountable.
When a powerful National Security Act merges with a vaguely drafted Cybercrime and Computer Misuse Act, the risk is not simply regulatory overreach. It is the normalization of digital surveillance and the criminalization of civic voice.
The real test of this law will not be how it handles hackers. It will be how it treats critics.
If journalists, lawyers, doctors, activists, and ordinary citizens begin to hesitate before speaking online — not because they are wrong, but because they are afraid — then the law will have succeeded not in protecting South Sudan, but in shrinking it.
Absent of long overdue judicial reforms, what has been hailed by the likes of Wani Steven, Deputy Secretary General of the South Sudan Bar Association who asserted that the law as “…necessary to regulate cyberspace and strengthen protection against online crimes,” and Nelson Kwaje, Head of Digital Rights Frontlines who stated that Kiir’s penning of the vaguely worded legal document into law as “… a step forward” as a historic legal framework for digital protection, risks becoming another tool of control in a country where political space is already tightly constrained.
In its current form, the Cyber Crime and Computer Misuse Act may be less about protecting citizens than about controlling how they think, speak, and connect—a digital leash that binds free expression and narrows civic space under the guise of cybersecurity.
And that is a cost no young nation should accept lightly.
The writer is an independent media voice known for his critical reporting on governance, security, and human rights in South Sudan. Forced into exile, he continues to comment on civic space, accountability, and democratic reform across East Africa, advocating transparency and press freedom.
The views expressed in ‘opinion’ articles published by Radio Tamazuj are solely those of the writer. The veracity of any claims made is the responsibility of the author, not Radio Tamazuj.