Day 2: PUBLIC PARTICIPATION OF THE “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES MANAGEMENT) REGULATIONS, 2023.

Dear Linda,

My responses inline:

On Tue, Sep 19, 2023 at 11:25 AM Linda Wairure via KICTANet <
[email protected]> wrote:

> DAY 2: Tuesday 19/09/2023
>
> Dear Listers,
>
> Welcome to Day 2 of our engaging discourse and virtual Public
> Participation forum on the “Computer Misuse and CyberCrimes (Critical
> Information Infrastructure and CyberCrimes Management) Regulations 2023”.
> KICTANet extends gratitude to every stakeholder and partner who made Day 1
> an enriching experience. Thank you for being an integral part of this
> important discussion.
>
> We shall also have a Twitter Space on Thursday to disseminate/validate the
> report before official submissions.
>
> Today our focus of discussion will center around the following sections:
> S. 14(1), (2); S. 18(3)(d), (4).
>
> *PART III: CYBERSECURITY OPERATION CENTRES *
>
> *OutSourced Capabilities *
> 14. (1) An owner of a critical information infrastructure including
> government-owned critical information infrastructure who intends to
> outsource any operations shall, in writing, notify the Committee prior to
> outsourcing…
>
> Question:
> *How does the requirement to notify before outsourcing impact
> various aspects, such as institutional independence, business autonomy,
> legality, decision-making, cybersecurity and other related concerns?*
>
BO: This requirement does not make sense. It is usurping the roles of
regulatory bodies such as the Communications Authority and the Office of the
Data Protection Commissioner, which registers data controllers.

>
>
> (2)The external service provider shall report to the owner of the critical
> information infrastructure, at least quarterly, notifying on the status of
> implementation of their obligations under the agreement including notifying
> on any security incident.
>
> Question:
> *Is it appropriate for this reporting requirement between the external
> service provider and the owner of critical information infrastructure to be
> mandated by regulations,…*
>
BO: This will become an administrative burden. Again, service providers
report periodically to the agencies overseeing their ecosystem, such as the
Communications Authority.

>
>
> *Or Should it be left as a matter of business arrangement and negotiation
> between the parties involved?*
>
> *Risk assessment and evaluation of cybersecurity operation centres*
>
> 18. (3)(d) Define a treatment plan and implement business continuity
> management controls including – …
>
> (4) The business impact analysis of an organization shall be based on—
> (a) the potential impacts of business disruptions for each prioritized
> business function and processes including financial, operational, customer,
> legal and regulatory impacts;
> (b) recovery time objectives, recovery point
> objectives and maximum acceptable outage;
> (c) internal and external inter-dependencies; and
> (d) the resources required for recovery
>
> Question:
>
> *1. Is this not too prescriptive? *
>
> *2. How can organizations strike a balance between complying with
> extensive business impact analysis requirements in cybersecurity operations
> and maintaining the flexibility to adapt these regulations to their
> specific cybersecurity needs and circumstances?*
>
> *3. Is the committee not assuming the role of Big Bro?*
> (Business Autonomy Preservation, Regulatory Detail, Comprehensive
> Requirements)
>
> Stay engaged, share your concerns, views, justifications and
> recommendations to ensure a safer and more secure digital future for all.
>
> *~Shaping the Future of CyberSecurity ~*
>
> On Mon, 18 Sept 2023, 17:04 Linda Wairure, <[email protected]> wrote:
>
>> Thank you Counsel for the eye-opening feedback and very valid points.
>> Indeed there is need for more public awareness and advocacy.
>>
>> Echoing Barrack's sentiments, over-legislation might not be the best way to
>> go.
>> As a country, we need more emphasis on implementation of the already
>> existing regulations and laws.
>>
>> To follow up and expound on the same…
>>
>> Dear Listers,
>>
>> What are some of your concerns, justifications and recommendations on
>> how governments can strike a balance between securing critical information
>> infrastructure and ensuring the privacy and civil liberties of their
>> citizens?
>>
>> On Mon, 18 Sept 2023, 16:25 Faith Kisinga via KICTANet, <
>> [email protected]> wrote:
>>
>>>
>>> Hi Linda,
>>> Thanks for providing this opportunity.
>>> Indeed there’s need to create awareness on what this framework aims to
>>> do, to avoid leaving the public feeling overwhelmed.
>>>
>>> These regulations are specifically aimed at the facilities, networks and
>>> systems, which if disrupted, would have a debilitating effect on national
>>> security, the economy, public health and safety. 16 critical infrastructure
>>> sectors are listed.
>>>
>>>
>>> On 18 Sep 2023, at 15:58, Barrack Otieno via KICTANet <
>>> [email protected]> wrote:
>>>
>>> Hi Linda,
>>>
>>> I tend to think we are over-legislating. Having moderated a session
>>> during this year's Communications Authority ICT Week, I learnt from GSMA
>>> that while the country has 98% infrastructure coverage, usage is a paltry
>>> 21%. The users account for 30% of the population and are mostly in urban
>>> centres. We need to pay attention so that we don't scare away the 70% based
>>> in rural areas who are mostly using feature phones. We should also have
>>> this in mind as we frame the laws so that we avoid a scenario where we
>>> respond to mosquito bites with a hammer.
>>>
>>> Best Regards
>>>
>>> On Mon, Sep 18, 2023 at 3:20 PM Linda Wairure via KICTANet <
>>> [email protected]> wrote:
>>>
>>>> Can you provide examples of robust sector-specific cybersecurity
>>>> regulations that have been successful? … What are the potential
>>>> drawbacks or challenges associated with trying to monitor all databases?
>>>>
>>>>
>>>> On Mon, 18 Sept 2023 at 04:54, Neema MASITSA <[email protected]>
>>>> wrote:
>>>>
>>>>> (l) Monitor all databases established for purposes of establishing
>>>>> their integrity and confidentiality for the attainment of the objectives of
>>>>> the Act and these Regulations.
>>>>>
>>>>> Question:
>>>>>
>>>>> Is this regulation realistic, and can it be effectively implemented?
>>>>>
>>>>> My opinion is rather than to attempt to monitor all databases, we can
>>>>> focus on risk-based and sector-specific approaches to cybersecurity.
>>>>>
>>>>> On Mon, Sep 18, 2023 at 10:12 AM Linda Wairure via KICTANet <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> DAY 1: Monday 18/09/2023
>>>>>>
>>>>>> Dear Listers,
>>>>>>
>>>>>> Welcome to the inaugural day of our lively discussion and debate
>>>>>> centered around the *“Computer Misuse and Cybercrimes (Critical
>>>>>> Information Infrastructure and Cybercrimes Management) Regulations 2023”*,
>>>>>> put forth by the Cabinet Secretary for Interior and National
>>>>>> Administration. nc4.go.ke/cmca-2018-draft-regulations/
>>>>>>
>>>>>> We extend a warm invitation to all Stakeholders in the Digital Space
>>>>>> to actively engage in this conversation, as your insights are not just
>>>>>> valued but indispensable. Together, we aim to ensure that these
>>>>>> regulations are not only well-informed but also in perfect alignment with
>>>>>> the swiftly evolving realm of cyber security and digital technologies.
>>>>>> Discover how they will impact your organization and be part of the
>>>>>> conversation that will define the future of cyber security regulations.
>>>>>> Your perspectives will help us shape and submit a more comprehensive and
>>>>>> effective framework.
>>>>>>
>>>>>> *We shall also have a Twitter Space on Thursday to
>>>>>> disseminate/validate the report before submitting it on Friday.*
>>>>>>
>>>>>>
>>>>>> *Feel free to share your insights, concerns, justifications and
>>>>>> recommendations to shape these regulations effectively.*
>>>>>>
>>>>>>
>>>>>> PART I – PRELIMINARY PROVISIONS
>>>>>>
>>>>>>
>>>>>> Objects of the Regulations
>>>>>>
>>>>>> *Section 3.*
>>>>>>
>>>>>> (a) Provide a framework to monitor, detect and respond to cyber
>>>>>> security threats in the cyberspace belonging to Kenya;
>>>>>>
>>>>>> (i) Promote coordination, collaboration, cooperation and shared
>>>>>> responsibility amongst stakeholders in the cybersecurity sector including
>>>>>> critical infrastructure protection
>>>>>>
>>>>>> (g) Approve the identification and designation of critical
>>>>>> information infrastructure
>>>>>>
>>>>>> *Question:*
>>>>>>
>>>>>> *Is this sufficient to allow each government-related cyber unit to
>>>>>> operate efficiently without turf wars on who is more superior?*
>>>>>>
>>>>>>
>>>>>> (l) Monitor all databases established for purposes of establishing
>>>>>> their integrity and confidentiality for the attainment of the objectives of
>>>>>> the Act and these Regulations.
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> Is this regulation realistic and can this be effectively
>>>>>> implemented?
>>>>>>
>>>>>> What are some of the data protection and privacy rights concerns
>>>>>> that may arise from this regulation?
>>>>>>
>>>>>> PART III – CYBERSECURITY OPERATIONS CENTRES
>>>>>>
>>>>>> Section 13
>>>>>>
>>>>>> 13. (2) The cybersecurity awareness programme under paragraph (1)
>>>>>> shall include the following topics—…..
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> Does this need to be this prescriptive? And what does this mean for
>>>>>> emerging areas? How about emerging cyber threats?
>>>>>>
>>>>>>
>>>>>> 13(3) The owner of critical information infrastructure shall in
>>>>>> consultation with the Committee, review the cybersecurity awareness
>>>>>> programme at least once every twelve months to ensure that the programme is
>>>>>> adequate and that it remains up-to-date and relevant.
>>>>>>
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> Is this a role for NC4? Review curriculum on infrastructure *that it
>>>>>> does not own*. Any comments?
>>>>>>
>>>>>> :
>>>>>>
>>>>>> :
>>>>>>
>>>>>> :
>>>>>>
>>>>>> *What are your views, justifications and recommendations regarding
>>>>>> the following sections, and how do you interpret the regulations in
>>>>>> question?*
>>>>>>