Kenya developed its first cybersecurity strategy in 2014. Significantly, the 2014 strategy culminated in the development of the 2022 National Cybersecurity Strategy. The latter gives guidance for a coordinated approach in the execution of cybersecurity operations in Kenya. The strategy combines good governance with a number of measures and interventions to develop the bases and pillars for effective cybersecurity for both the public and private sectors. The Strategy also offers a framework for defending and safeguarding Kenya’s cyberspace supported by strategic pillars. Further, it also includes a matrix for its implementation, which lists the tactical actions connected to its Strategic Pillars.

Cybersecurity is a major economic and security challenge for Kenya. According to cybersecurity statistics, the number of cyberthreats identified in Kenya over the past three years has dramatically increased.The most prevalent cybersecurity threats and actors include:

The formulation and implementation of the Kenya Cybersecurity Strategy 2022 involved five parts; that is, initiation, stocking and analysis, production, implementation and Monitoring & Evaluation.

The Computer Misuse and Cybercrimes Act, 2018 goals, serve as the foundation for the guiding principles of the Kenya Cybersecurity Strategy 2022.

Goals of the strategy

The Kenyan government has made noteworthy strides in the development of:

1. A Cyber Governance framework; The 2022 strategy seeks to improve governance, resource allocation and coordination of cybersecurity in Kenya by:
   1. Allocating the National Computer and Cybercrime Coordination Committee (NC4) Secretariat with dedicated budget, human capacity, infrastructure and tools;
   2. Establishing an autonomous cybersecurity entity (National Cybersecurity Agency).
   3. Upgrading the Kenya Computer Incident Response Team (KE-CIRT) to the National Multi-Stakeholder Computer Incident Response Team
   4. Establishing a National Cybersecurity Operation Centre (NSOC).
   5. Enhancing Cybersecurity Operation Centers (SOC) in CIIs.
   6. Setting up specialised cybersecurity units and sector CIRTs (Defence, Intelligence, Police, Public Prosecutions, Judiciary and Sector CIRTs).
   7. Formulating Joint Cybersecurity technical working groups

2. Cybersecurity laws, regulations, policies and standards; The 2022 strategy seeks to ensure Kenya possesses up-to-date cybersecurity policies, laws, regulations and standards by reviewing the current framework.

3. Critical Information Infrastructure Protection (CIIP); In an effort to strengthen the cybersecurity posture and resilience of CIIs and other digital systems and infrastructure, the Kenyan government is committed to implementing a number of projects. These include;
   1. Developing Critical Information Infrastructure Protection framework.
   2. Implementation of Cryptography and access control to safeguard GoK sensitive information and data
   3. Implementing baseline cybersecurity measures (physical and technical security controls including emergency/disaster contingency and recovery measures).
   4. Encouraging establishment of in-country Cloud Computing Data Centres and services, and promoting local hosting.

4. Strengthen Cybersecurity Capability & Capacity Building; An immediate and expanding opportunity exists in the cybersecurity industry due to the demand for experienced cybersecurity specialists. From the strategy, the government is committed to;
   1. Establishing a national cyber Defence/Protection framework.
   2. Developing a cyber-defense Strategy for the Republic of Kenya.
   3. Establishing a cybersecurity professional certification and career progression framework.
   4. Establishing a Cybersecurity Centre of Excellence (CCoE).
   5. Developing more local specialised experts in cybersecurity.
   6. Developing cybersecurity basic education curriculum and awareness raising programme.

5. Cyber-Risks & Cyber-Crimes Management; To safeguard Kenyans from cybercrime, respond to new threats, defend vital systems, and make sure that cyberphysical risks are properly managed, the government will intervene by;
   1. Developing and implementing a national cybersecurity risks management framework.
   2. Performing national cybersecurity risk assessment/audits.
   3. Developing and implementing a national framework for cybercrime management.
   4. Establishing a National Cybercrimes Alert and Warning system

6. Foster national and international co-operation & collaboration; To create a more secure and resilient cyberspace, enhancing involvement and collaboration with all stakeholders to develop processes and policies and implement cybersecurity efforts would be needful. This will involve;
   1. Developing a national framework for national, regional and international co-operation and collaboration.
   2. Establishing a trusted information sharing mechanism for information exchange and incident reporting for national and international stakeholders.
   3. Participating and promoting the development and implementation of international laws, agreements, treaties, policies, norms, standards, conferences and fora on cybersecurity. 

Designated Critical Information Infrastructure

Below is a summary of Kenya’s Critical Information Infrastructure as designated by the former Cabinet Secretary for Interior, Dr Fred Matiang’i: