Day 2: PUBLIC PARTICIPATION OF THE “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES MANAGEMENT) REGULATIONS, 2023.

Thank you for the informative input, Barrack.

I agree with your sentiments that the enactment of such regulations
supplants the functions of well-established regulatory authorities and may
potentially cause discord leading to contradiction, ambiguity and
operational inefficacy.

Dear Listers,

*Should we let the existing regulatory bodies do their jobs instead of
introducing the given regulations that might cause conflicts?*

*Or, on the contrary, do you have any recommendations and/or reasons to
justify such regulations?*

“14. (1) An owner of a critical information infrastructure including
government-owned critical information infrastructure who intends to
outsource any operations shall, in writing, notify the Committee prior to
outsourcing….. “

*Any other concerns on the regulations below?*

*Feel free to share your insights on the same.*

(2)The external service provider shall report to the owner of the critical
information infrastructure, at least quarterly, notifying on the status of
implementation of their obligations under the agreement including notifying
on any security incident…

——————————
*From:* Barrack Otieno <[email protected]>
*Sent:* Tuesday, September 19, 2023 10:19:01 PM
*To:* Kenya’s premier ICT Policy engagement platform <
[email protected]>
*Cc:* Linda Wairure <[email protected]>
*Subject:* Re: [kictanet] Re: Day 2: PUBLIC PARTICIPATION OF THE “COMPUTER
MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES
MANAGEMENT) REGULATIONS, 2023.

Dear Linda,

My responses inline:

On Tue, Sep 19, 2023 at 11:25 AM Linda Wairure via KICTANet <
[email protected]> wrote:

DAY 2: Tuesday 19/09/2023

Dear Listers,

Welcome to Day 2 of our engaging discourse and virtual Public Participation
forum on the “Computer Misuse and CyberCrimes (Critical Information
Infrastructure and CyberCrimes Management) Regulations 2023,” KICTANet
extends gratitude to every stakeholder and partner who made Day 1 an
enriching experience. Thank you for being an integral part of this
important discussion.

We shall also have a Twitter Space on Thursday to disseminate/validate the
report before official submissions.

Today our focus of discussion will center around the following sections: S.
14(1), (2); S. 18(3)(d), (4).

*PART III: CYBERSECURITY OPERATION CENTRES *

*Outsourced Capabilities*
14. (1) An owner of a critical information infrastructure including
government-owned critical information infrastructure who intends to
outsource any operations shall, in writing, notify the Committee prior to
outsourcing…

Question:
*How does the notification requirement to notify before outsourcing impact
various aspects, such as Institutional independence, business autonomy,
legality, decision-making, and cybersecurity and other related concerns?*

BO: This requirement does not make sense. It is usurping the roles of
regulatory bodies such as the Communications Authority and the Office of the
Data Protection Commissioner, which registers data controllers.

(2)The external service provider shall report to the owner of the critical
information infrastructure, at least quarterly, notifying on the status of
implementation of their obligations under the agreement including notifying
on any security incident.

Question:
*Is it appropriate for this reporting requirement between the external
service provider and the owner of critical information infrastructure to be
mandated by regulations,…*

BO: This will become an administrative burden. Again, service providers
report periodically to the agencies overseeing their ecosystem, such as the
Communications Authority.

*Or Should it be left as a matter of business arrangement and negotiation
between the parties involved? *

*Risk assessment and evaluation of cybersecurity operation centres*

18(3)(d) Define a treatment plan and implement business continuity
management controls including – …

(4) The business impact analysis of an organization shall be based on—
(a) the potential impacts of business disruptions for each prioritized
business function and processes including financial, operational, customer,
legal and regulatory impacts;
(b) recovery time objectives, recovery point objectives and maximum
acceptable outage;
(c) internal and external inter-dependencies; and
(d) the resources required for recovery

Question:

*1. Is this not too prescriptive? *

*2. How can organizations strike a balance between complying with extensive
business impact analysis requirements in cybersecurity operations and
maintaining the flexibility to adapt these regulations to their specific
cybersecurity needs and circumstances?*

*3. Is the committee not assuming the role of Big bro?*
(Business Autonomy Preservation, Regulatory Detail, Comprehensive
Requirements)

Stay engaged, share your concerns, views, justifications and
recommendations to ensure a safer and more secure digital future for all.

*~Shaping the Future of CyberSecurity ~*

On Mon, 18 Sept 2023, 17:04 Linda Wairure, <[email protected]> wrote:

Thank you Counsel for the eye-opening feedback and very valid points.
Indeed there is need for more public awareness and advocacy.

Echoing Barrack's sentiments, over-legislation might not be the best way to
go.
As a country, we need more emphasis on implementation of the already
existing regulations and laws.

To follow up and expound on the same…

Dear Listers,

What are some of your concerns, justifications and recommendations on how
governments can strike a balance between securing critical information
infrastructure and ensuring the privacy and civil liberties of their
citizens?

On Mon, 18 Sept 2023, 16:25 Faith Kisinga via KICTANet, <
[email protected]> wrote:

Hi Linda,
Thanks for providing this opportunity.
Indeed there’s need to create awareness on what this framework aims to do,
to avoid leaving the public feeling overwhelmed.

These regulations are specifically aimed at the facilities, networks and
systems, which if disrupted, would have a debilitating effect on national
security, the economy, public health and safety. 16 critical infrastructure
sectors are listed.

On 18 Sep 2023, at 15:58, Barrack Otieno via KICTANet <
[email protected]> wrote:


Hi Linda,

I tend to think we are over-legislating. Having moderated a session during
this year's Communications Authority ICT Week, I learnt from GSMA that while
the country has 98% infrastructure coverage, usage is a paltry 21%. The
users account for 30% of the population and are mostly in urban centres. We
need to pay attention so that we don't scare away the 70% based in rural
areas who are mostly using feature phones. We should also have this in mind
as we frame the laws so that we avoid a scenario where we respond to
mosquito bites with a hammer.

Best Regards

On Mon, Sep 18, 2023 at 3:20 PM Linda Wairure via KICTANet <
[email protected]> wrote:

Can you provide examples of robust sector-specific cybersecurity
regulations that have been successful? … What are the potential
drawbacks or challenges associated with trying to monitor all databases?

On Mon, 18 Sept 2023 at 04:54, Neema MASITSA <[email protected]> wrote:

(l) Monitor all databases established for purposes of establishing their
integrity and confidentiality for the attainment of the objectives of the
Act and these Regulations.

Question:

Is this regulation realistic, and can it be effectively implemented?

My opinion is rather than to attempt to monitor all databases, we can focus
on risk-based and sector-specific approaches to cybersecurity.

On Mon, Sep 18, 2023 at 10:12 AM Linda Wairure via KICTANet <
[email protected]> wrote:

DAY 1: Monday 18/09/2023

Dear Listers,

Welcome to the inaugural day of our lively discussion and debate centered
around the *”Computer Misuse and Cybercrimes (Critical Information
Infrastructure and Cybercrimes Management) Regulations 2023,*” put forth by
the Cabinet Secretary for Interior and National Administration.
nc4.go.ke/cmca-2018-draft-regulations/

We extend a warm invitation to all Stakeholders in the Digital Space to
actively engage in this conversation, as your insights are not just valued
but indispensable. Together, we aim to ensure that these regulations are
not only well-informed but also in perfect alignment with the swiftly
evolving realm of cyber security and digital technologies. Discover how
they will impact your organization and be part of the conversation that
will define the future of cyber security regulations. Your perspectives
will help us shape and submit a more comprehensive and effective framework.

*We shall also have a twitter space on Thursday to disseminate/validate the
report before submitting it on Friday. *

*Feel free to share your insights, concerns, justifications and
recommendations to shape these regulations effectively.*

PART I – PRELIMINARY PROVISIONS

Objects of the Regulations

*Section 3.*

(a) Provide a framework to monitor, detect and respond to cyber security
threats in the cyberspace belonging to Kenya;

(i) Promote coordination, collaboration, cooperation and shared
responsibility amongst stakeholders in the cybersecurity sector including
critical infrastructure protection

(g) Approve the identification and designation of critical information
infrastructure

*Question:*

* Is this sufficient to allow each government related cyber unit to operate
efficiently without turf wars on who is more superior?*

(l) Monitor all databases established for purposes of establishing their
integrity and confidentiality for the attainment of the objectives of the
Act and these Regulations.

Question:

Is this regulation realistic and can this be effectively implemented?

What are some of the data protection and privacy rights concerns that may
arise from this regulation?

PART III – CYBERSECURITY OPERATIONS CENTRES

Section 13

13. (2) The cybersecurity awareness programme under paragraph (1) shall
include the following topics—…..

Question:

Does this need to be this prescriptive? And what does this mean for
emerging areas? How about emerging cyber threats?

13(3) The owner of critical information infrastructure shall in
consultation with the Committee, review the cybersecurity awareness
programme at least once every twelve months to ensure that the programme is
adequate and that it remains up-to-date and relevant.

Question:

Is this a role for NC4? Review curriculum on infrastructure *that it does
not own*. Any comments?

:

:

:

*What are your views, justifications and recommendations regarding the
following sections, and how do you interpret the regulations in question?*