Day 1: PUBLIC PARTICIPATION OF THE “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES MANAGEMENT) REGULATIONS, 2023”.
Dear Listers,
Welcome to the inaugural day of our lively discussion and debate centered
around the *“Computer Misuse and Cybercrimes (Critical Information
Infrastructure and Cybercrimes Management) Regulations 2023,”* put forth by
the Cabinet Secretary for Interior and National Administration.
nc4.go.ke/cmca-2018-draft-regulations/
We extend a warm invitation to all Stakeholders in the Digital Space to
actively engage in this conversation, as your insights are not just valued
but indispensable. Together, we aim to ensure that these regulations are
not only well-informed but also in perfect alignment with the swiftly
evolving realm of cyber security and digital technologies. Discover how
they will impact your organization and be part of the conversation that
will define the future of cyber security regulations. Your perspectives
will help us shape and submit a more comprehensive and effective framework.
*We shall also have a Twitter Space on Thursday to disseminate/validate the
report before submitting it on Friday.*
*Feel free to share your insights, concerns, justifications and
recommendations to shape these regulations effectively.*
PART I – PRELIMINARY PROVISIONS
Objects of the Regulations
*Section 3.*
(a) Provide a framework to monitor, detect and respond to cyber security
threats in the cyberspace belonging to Kenya;
(i) Promote coordination, collaboration, cooperation and shared
responsibility amongst stakeholders in the cybersecurity sector including
critical infrastructure protection
(g) Approve the identification and designation of critical information
infrastructure
*Question:*
*Is this sufficient to allow each government-related cyber unit to operate
efficiently without turf wars on who is superior?*
(l) Monitor all databases established for purposes of establishing their
integrity and confidentiality for the attainment of the objectives of the
Act and these Regulations.
Question:
Is this regulation realistic and can this be effectively implemented?
What are some of the data protection and privacy rights concerns that may
arise from this regulation?
PART III – CYBERSECURITY OPERATIONS CENTRES
Section 13
13. (2) The cybersecurity awareness programme under paragraph (1) shall
include the following topics—…..
Question:
Does this need to be this prescriptive? And what does this mean for
emerging areas? How about emerging cyber threats?
13(3) The owner of critical information infrastructure shall in
consultation with the Committee, review the cybersecurity awareness
programme at least once every twelve months to ensure that the programme is
adequate and that it remains up-to-date and relevant.
Question:
Is this a role for NC4? Review curriculum on infrastructure *that it does
not own*. Any comments?
:
:
:
*What are your views, justifications and recommendations regarding the
following sections, and how do you interpret the regulations in question?*