Day 1: PUBLIC PARTICIPATION OF THE “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES MANAGEMENT) REGULATIONS, 2023.

Thank you so much for the informative Input Mr. Barrack, this is Well
received and noted.

Dear Listers,

Given the regulations above, Do you think NC4 shall be acting as a
regulator to some extent or are the regulations perfectly within its
prescribed mandate?

Feel free to share your insights, justifications and recommendations on the
same.

On Mon, 18 Sept 2023 at 05:13, Barrack Otieno <barrack@kictanet.or.ke>
wrote:

> Hi Linda,
>
> Many thanks for your email and for setting the scene with respect to *”Computer
> Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrimes
> Management) Regulations 2023*.
> My initial comments:
>
> 1. The subject still sounds too elitist to the common man, technology
> waits for no man but there is need for more effort by the Interior Ministry
> geared towards Public awareness to enable the public understand and
> appreciate their rights and responsibilities as has been the case with pin
> yako siri yako.
> That said:
>
> *Question:*
>
> * Is this sufficient to allow each government related cyber unit to
> operate efficiently without turf wars on who is more superior?*
>
> *It is too soon to have multiple entities handling cyber security. I would
> rather we maintain the status quo where the Communications Authority has
> been at the centre of coordinating multistakeholder efforts aimed at
> guaranteeing the nations cybersecurity, if it aint broken, it doesnt need
> to be fixed, i think NC4 should focus on R&D and situations where gateways
> are involved. Domestic affairs can be handled by Government and Independent
> agencies such as the Communications Authority.*
>
> PART III – CYBERSECURITY OPERATIONS CENTRES
>
> Section 13
>
> 13. (2) The cybersecurity awareness programme under paragraph (1) shall
> include the following topics—…..
>
> Question:
>
> Does this need to be this prescriptive? And what does this mean for
> emerging areas? How about emerging cyber threats?
>
> Borrowing from ISO Standards , its based for the programme to be as
> comprehensive and as prescriptive as possible to avoid assumptions.
>
> 13(3) The owner of critical information infrastructure shall in
> consultation with the Committee, review the cybersecurity awareness
> programme at least once every twelve months to ensure that the programme is
> adequate and that it remains upto-date and relevant.
>
>
> Question:
>
> Is this a role for NC4? Review curriculum on infrastructure t*hat it does
> not own*. Any comments?
>
>
> This is where the roles of NC4 and the regulatory bodies need to be
> defined. The fact that we are discussing security does not meet NC4 needs
> to be mentioned everywhere. This is our creme de la creme when we are
> cornered they should not be involved in domestic affairs. Some situations
> just need our registered security companies to address, we need to separate
> roles and responsibiltiies in the ecosystem and encourage self regulation
> since most Cyber Security challenges emanate from Social Engineering.
>
>
> Regards
>
>
>
>
> On Mon, Sep 18, 2023 at 10:12 AM Linda Wairure via KICTANet <
> kictanet@lists.kictanet.or.ke> wrote:
>
>> DAY 1: Monday 18/09/2023
>>
>> Dear Listers,
>>
>> Welcome to the inaugural day of our lively discussion and debate centered
>> around the *”Computer Misuse and Cybercrimes (Critical Information
>> Infrastructure and Cybercrimes Management) Regulations 2023,*” put forth
>> by the Cabinet Secretary for Interior and National Administration.
>> nc4.go.ke/cmca-2018-draft-regulations/
>>
>> We extend a warm invitation to all Stakeholders in the Digital Space to
>> actively engage in this conversation, as your insights are not just valued
>> but indispensable. Together, we aim to ensure that these regulations are
>> not only well-informed but also in perfect alignment with the swiftly
>> evolving realm of cyber security and digital technologies. Discover how
>> they will impact your organization and be part of the conversation that
>> will define the future of cyber security regulations. Your perspectives
>> will help us shape and submit a more comprehensive and effective framework.
>>
>> *We shall also have a twitter space on Thursday to disseminate/validate
>> the report before submitting it on Friday. *
>>
>>
>> *Feel free to share your insights, concerns, justifications and
>> recommendations to shape these regulations effectively.*
>>
>>
>> PART I – PRELIMINARY PROVISIONS
>>
>>
>> Objects of the Regulations
>>
>> *Section 3.*
>>
>> (a) Provide a framework to monitor, detect and respond to cyber security
>> threats in the cyberspace belonging to Kenya;
>>
>> (i) Promote coordination, collaboration, cooperation and shared
>> responsibility amongst stakeholders in the cybersecurity sector including
>> critical infrastructure protection
>>
>> (g) Approve the identification and designation of critical information
>> infrastructure *Question:*
>>
>> * Is this sufficient to allow each government related cyber unit to
>> operate efficiently without turf wars on who is more superior?*
>>
>>
>> (l) Monitor all databases established for purposes of establishing their
>> integrity and confidentiality for the attainment of the objectives of the
>> Act and these Regulations.
>>
>> Question:
>>
>> Is this regulation realistic and can this be effectively implemented?
>>
>> What are some of the data protection and privacy rights concerns that
>> may arise from this regulation?
>>
>> PART III – CYBERSECURITY OPERATIONS CENTRES
>>
>> Section 13
>>
>> 13. (2) The cybersecurity awareness programme under paragraph (1) shall
>> include the following topics—…..
>>
>> Question:
>>
>> Does this need to be this prescriptive? And what does this mean for
>> emerging areas? How about emerging cyber threats?
>>
>>
>> 13(3) The owner of critical information infrastructure shall in
>> consultation with the Committee, review the cybersecurity awareness
>> programme at least once every twelve months to ensure that the programme is
>> adequate and that it remains upto-date and relevant.
>>
>>
>> Question:
>>
>> Is this a role for NC4? Review curriculum on infrastructure t*hat it
>> does not own*. Any comments?
>>
>> :
>>
>> :
>>
>> :
>>
>> *What are your views, justifications and recommendations regarding the
>> following sections, and how do you interpret the regulations in question?*
>>
>>
>>