Kenya ICT Action Network (KICTANet) with the support of UK’s Digital Access Programme convened a round table meeting to deliberate on Kenya’s common cybersecurity priorities in a post Covid-19 world and to consolidate the various stakeholder priorities to inform the country’s cybersecurity strategies.

Currently, Kenya has the second most cyberattacks in Africa, demonstrating the growing attractiveness of the Kenyan cyber ecosystem to online malicious threat actors. The main cybersecurity challenges faced are third party misuse of data, data breaches, malware attacks and business disruption, and attacks on IT infrastructure. 

The expected outcome of the meeting held on November 25, 2021, is to establish an up to date and shared understanding of Kenya’s cybersecurity priorities for the coming years. The sentiments of the multifaceted panelists shall inform the development of Kenya’s latest National Cybersecurity Strategy. 

The event was graced by the following panelists:

• Joseph Nzano – Head of Cybersecurity at the Communications Authority of Kenya and Head of the National Kenya Computer Incident Response Team Coordination Center (KE-CIRT/CC).
• Dr Paula Musuva –  A lecturer in Forensic Information Technology at the United States International University-Africa where she teaches specialised courses in Information Security. 
• Mutheu Khimulu – Legal specialist in counter terrorism, cybersecurity and crisis management. 
• Phillip Irode – Head of Information Security at ICT Authority (ICTA)
• Dr Katherine Getao – CEO of the ICTA, although to be replaced by Dr Kipronoh Ronoh in the next 2 weeks. 
• Hon. William Kisang – MP for Marakwet West and Chair for the National Assembly Departmental Committee for Communication, Information and Innovation. 
• Dr Martin Koyabe – Senior Manager at the African Union Commission – Global Forum on Cyber Expertise (AUC-GFCE) collaboration project. 

The panellists derived the cybersecurity priorities against the backdrop of Kenya’s cybersecurity achievements, such as the enactment and implementation of the Computer Misuse and Cybercrimes Act, establishment of the Office of the Data Protection Commission, development of Kenya’s ICT Policy 2020, and the launch of National Computer and Cybercrimes Coordination Committee (NC4). 

Priorities for the future

Understanding the status quo of ICT in Kenya 

Understanding the current state of cybersecurity will inform Kenya’s strategic cybersecurity roadmap and will guide the prioritisation of programmes and goals to enhance the security of Kenya’s cyber ecosystem. The status quo can be established by: 

• Conducting studies to determine ICT’s contribution, both direct and indirect, to the Kenyan economy.
• A risk assessment framework that will identify the cybersecurity threats that exist to the various economic sectors dependent on ICT technologies.

Legislative priorities

• Enactment of a Critical Infrastructure Bill which would provide for the establishment of an institutional framework for the designation and protection of critical infrastructure, establishment of a national database of critical infrastructures, and undertaking research in order to identify the challenges and vulnerabilities faced, including those from cyber threats. The Bill should apply to protection of physical infrastructure like the National Optic Fibre Backbone (NOFBI) as well as virtual infrastructure such as cloud environments. 

• Development of a new National Cybersecurity Strategy for Kenya which shall:
  • Incorporate lessons learned from litigation challenges to the Computer Misuse and Cybercrimes Act; 
  • Assure expansive and inclusive stakeholder mapping and engagement to ensure all relevant stakeholders are afforded an opportunity to contribute to a robust, operational, and sustainable policy document;
  • Ensure that the cybersecurity strategies are complementary to Kenya’s ICT Policy 2020; and
  • Account for the adoption of emerging technologies such as Artificial Intelligence and blockchain technology. 

People/ Human priorities

The human factor has been recognised as the weakest link in creating a safe and secure digital environment, with research establishing that human error is the cause of 95% of cybersecurity breaches. The human factor can be rectified by:

• Instilling ethical values – strive for value-based education which incorporates constitutional values such as integrity, transparency, justice, and respect for human rights and dignity. The promotion of these values are meant to reduce the instances of ethical hackers turning into malicious actors.
• Narrowing the cybersecurity skill gap – address the cybersecurity skill gap experienced nationally and globally by developing affordable, accessible, and relevant cybersecurity educational programmes and certifications. 
• Induce behaviour change – the adoption of a cyber hygiene mindset while relevant governmental, advocacy and educational institutions proceed with cyber awareness campaigns. 

Development of Internet and cybersecurity standards for informal sectors of the economy

The informal economy accounted for 83 percent of total employment in 2019 while contribution to national income increased from 18.9 percent in 1999 to 33.8 percent in 2015. The growing informal sector is a driver of economic growth, employment creation and poverty reduction, as such, the development of guiding internet and cybersecurity standards. The informal sector actors that possess the capacity to implement the technical standards will benefit from a reduced attack surface from cyber threats. 

Institutional Capacity Building

• Establishment of sectoral specific computer incident report teams that will conduct their operations in collaboration with national KE-CIRT. The sector specific insights and expertise will promote greater efficiency in management and resolution of cyber attacks.  
• Development of a robust information sharing framework between governmental agencies to ensure efficient and expedited cyber incident response and resolution.  
• Strengthen international collaboration and cooperation between response teams, as well as joint investigations into cybercrimes due to the cross-jurisdictional nature of cybercrimes. 

As conversations surrounding the development of Kenya’s National Cybersecurity Strategy intensify, it remains to be seen if Kenya can capitalise on previous gains to ensure the adoption of a progressive and robust cybersecurity policy for the medium term.