Kenya developed its first Cybersecurity Strategy in 2014. Its key objective and commitment was to support national priorities by encouraging ICT growth and protecting critical information infrastructures. The 2014 Strategy led to the enactment of the Computer Misuse and Cybercrimes Act in 2018, the overarching law for protecting Critical Information Infrastructures and managing cybercrime in Kenya. 

Increased ICT growth meant more system interconnection, which made it more susceptible to sabotage through deliberate and malicious acts that disrupt normal processes and operations of critical information infrastructure.

The second Cybersecurity Strategy was developed in 2022. It aimed to enhance coordinated cybersecurity institutional framework and governance, strengthen cybersecurity capability and capacity, minimise cybersecurity risks and crimes, enhance the protection and resilience of critical information infrastructure and foster national and international cooperation and collaboration. This strategy was due for a midterm review after three years and a final evaluation after five years. The Ministry of Interior and National Administration recently released a draft 2nd review of the National Cybersecurity Strategy 2025-2029 (the Strategy).

New strategy goals and pillars

The Strategy is similar to the 2022 strategy save for a few changes that seek to introduce new priority goals, critical pillars, and interventions in addition to those set in 2022. The goals introduced in the Strategy include streamlining incident response and management, guiding emerging technologies, and enhancing private-public partnerships. The pillars include:

Cyber incident response and management

The Strategy aims to build a resilient cyber incident response and management mechanisms that ensure adequate response to cyberattacks and incidents. To attain this goal, the Strategy proposes specific interventions, such as building cyber-incident response teams at the national and sector levels to coordinate incident response activities. These teams are proposed to fall under sector regulators and the National Cybersecurity Agency.

The Strategy also seeks to develop systems and processes that can quickly and accurately identify cybersecurity incidents while allowing collaboration in reporting cyber incidents from various stakeholders. It also aims to implement a unified system to ensure coordinated tracking of cybersecurity incidents and streamlined response efforts from multiple stakeholders.

Emerging technologies

The Strategy aims to proactively identify and mitigate associated risks by supporting local capabilities in emerging technologies through funding academic institutions, industry partnerships, and public-private-led research programmes.

 It proposes enacting laws and regulations that govern developing, deploying, and using emerging technologies, focusing on security by design, data protection, and accountability. This is in addition to building capacity and capability.

 It further aims to use emerging technologies to automate security protocols, detect malicious activities, and ensure adherence to cybersecurity regulatory compliance.

Private-public partnerships

The Strategy recognises the vital role of private-public partnerships (PPPs) in enhancing cybersecurity. PPPs will be key in building capacity and capability in cybersecurity training, research, innovation, and information sharing. To enhance PPPs and collaboration, the strategy proposes implementing a secure platform for information exchange and incident reporting among national and international stakeholders.

The Strategy also proposes proactive participation in multistakeholder forums in cybersecurity, such as the Council of Europe and the African Network of Cybersecurity Authorities. These interventions are expected to culminate in coordinated and increased effectiveness and efficiency in cybersecurity partnerships, leveraging strengths from the public and private sectors.

Evaluation and monitoring

The Strategy proposes integrating with the National Integrated Monitoring and Evaluation System (NIMES) to maintain clear linkages between its implementation and Vision 2030. Further, a mid-term review of this strategy will be conducted after three years and a final review after five years.

Conclusion

The Strategy only introduces new goals, pillars and interventions. However, it fails to demonstrate alignment with best cybersecurity practices, such as adopting internationally recognised frameworks and standards. The Strategy does not demonstrate cross-border intelligence sharing, especially internationally as it mainly focuses on PPPs. It does not efficiently demonstrate how it aims to stay ahead of evolving cyber threats, especially from emerging technologies. 

Key interventions such as vulnerability scans should be a priority to ensure efficient and effective preparation for potential shifts in the threat landscape. Certainly, more strategies and interventions need to be considered for Kenya to be fully prepared to create a safe and trusted cyberspace.