South Africa has become an increasingly attractive target for cybercriminals, with malware and ransomware attacks on critical national infrastructure and public institutions rising in both frequency and severity. High-profile incidents, such as the ransomware attacks on Transnet, the Department of Justice, and the Government Employees Pension Fund (GEPF), highlight the scale of the threat. These attacks result in severe operational disruption and financial losses, often due to inadequate readiness and response mechanisms. This paper presents the conceptualisation of a national malware intelligence laboratory (NMIL) for South Africa, designed to strengthen domestic readiness and response to malware-related threats. A literature study was carried out to determine the main gaps. This was complemented by a stakeholder interview and questionnaire. This led to a gap analysis and an examination of existing models as references for the proposed design of the NMIL. This process not only identifies systemic weaknesses in the national cyber defence capabilities of South Africa but also evaluates how an NMIL could be integrated into existing national cybersecurity processes. The gap analysis revealed limited coordination of malware intelligence sharing across sectoral computer security incident response teams (CSIRTs), the potential to improve the ability of the National Cybersecurity Hub (CSHUB) to aggregate and disseminate actionable threat data, and insufficient hands-on exposure to malware in current cybersecurity education and training programmes. In response, the paper introduces a framework and reference model that defines the NMIL's functions and its manner of integration into the national cybersecurity ecosystem. Specifically, the laboratory would provide high-quality malware intelligence to the CSHUB, including sample analysis results, threat profiling, and advisory support on removal tools, to improve effective response coordination.
Additionally, the laboratory would offer access to a sandboxed training environment to educational institutions, thereby adding greater depth to cybersecurity education and promoting national cybersecurity readiness. The framework and reference model is developed using a systems engineering approach to detail the NMIL's information flows, interfaces and functional domains. It is anticipated that the formal process resulting in the conceptual laboratory provides a replicable approach for institutionalising national malware laboratories. This model offers both strategic and operational insights for South Africa as well as other developing countries.
Published in: International Conference on Cyber Warfare and Security
Volume 21, Issue 1, pp. 129-138