Day 1: PUBLIC PARTICIPATION OF THE “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES MANAGEMENT) REGULATIONS, 2023”.

Hi Linda,

I tend to think we are over-legislating. Having moderated a session during
this year's Communications Authority ICT Week, I learnt from GSMA that while
the country has 98% Infrastructure Coverage, usage is a paltry 21%. The
users account for 30% of the population and are mostly in urban centres. We
need to pay attention so that we don't scare away the 70% based in rural
areas who are mostly using feature phones. We should also have this in mind
as we frame the laws so that we avoid a scenario where we respond to
mosquito bites with a hammer.

Best Regards

On Mon, Sep 18, 2023 at 3:20 PM Linda Wairure via KICTANet <
kictanet@lists.kictanet.or.ke> wrote:

> Can you provide examples of robust sector-specific cybersecurity
> regulations that have been successful? … What are the potential
> drawbacks or challenges associated with trying to monitor all databases?
>
>
> On Mon, 18 Sept 2023 at 04:54, Neema MASITSA <masitsaneema@gmail.com>
> wrote:
>
>> (l) Monitor all databases established for purposes of establishing their
>> integrity and confidentiality for the attainment of the objectives of the
>> Act and these Regulations.
>>
>> Question:
>>
>> Is this regulation realistic, and can it be effectively implemented?
>>
>> My opinion is rather than to attempt to monitor all databases, we can
>> focus on risk-based and sector-specific approaches to cybersecurity.
>>
>> On Mon, Sep 18, 2023 at 10:12 AM Linda Wairure via KICTANet <
>> kictanet@lists.kictanet.or.ke> wrote:
>>
>>> DAY 1: Monday 18/09/2023
>>>
>>> Dear Listers,
>>>
>>> Welcome to the inaugural day of our lively discussion and debate
>>> centered around the *“Computer Misuse and Cybercrimes (Critical
>>> Information Infrastructure and Cybercrimes Management) Regulations 2023,”*
>>> put forth by the Cabinet Secretary for Interior and National
>>> Administration. nc4.go.ke/cmca-2018-draft-regulations/
>>>
>>> We extend a warm invitation to all Stakeholders in the Digital Space to
>>> actively engage in this conversation, as your insights are not just valued
>>> but indispensable. Together, we aim to ensure that these regulations
>>> are not only well-informed but also in perfect alignment with the swiftly
>>> evolving realm of cyber security and digital technologies. Discover how
>>> they will impact your organization and be part of the conversation that
>>> will define the future of cyber security regulations. Your perspectives
>>> will help us shape and submit a more comprehensive and effective framework.
>>>
>>> *We shall also have a Twitter Space on Thursday to disseminate/validate
>>> the report before submitting it on Friday.*
>>>
>>>
>>> *Feel free to share your insights, concerns, justifications and
>>> recommendations to shape these regulations effectively.*
>>>
>>>
>>> PART I – PRELIMINARY PROVISIONS
>>>
>>>
>>> Objects of the Regulations
>>>
>>> *Section 3.*
>>>
>>> (a) Provide a framework to monitor, detect and respond to cyber security
>>> threats in the cyberspace belonging to Kenya;
>>>
>>> (i) Promote coordination, collaboration, cooperation and shared
>>> responsibility amongst stakeholders in the cybersecurity sector including
>>> critical infrastructure protection
>>>
>>> (g) Approve the identification and designation of critical information
>>> infrastructure
>>>
>>> *Question:*
>>>
>>> *Is this sufficient to allow each government-related cyber unit to
>>> operate efficiently without turf wars on who is more superior?*
>>>
>>>
>>> (l) Monitor all databases established for purposes of establishing
>>> their integrity and confidentiality for the attainment of the objectives of
>>> the Act and these Regulations.
>>>
>>> Question:
>>>
>>> Is this regulation realistic and can this be effectively implemented?
>>>
>>> What are some of the data protection and privacy rights concerns that
>>> may arise from this regulation?
>>>
>>> PART III – CYBERSECURITY OPERATIONS CENTRES
>>>
>>> Section 13
>>>
>>> 13. (2) The cybersecurity awareness programme under paragraph (1) shall
>>> include the following topics—…..
>>>
>>> Question:
>>>
>>> Does this need to be this prescriptive? And what does this mean for
>>> emerging areas? How about emerging cyber threats?
>>>
>>>
>>> 13(3) The owner of critical information infrastructure shall in
>>> consultation with the Committee, review the cybersecurity awareness
>>> programme at least once every twelve months to ensure that the programme is
>>> adequate and that it remains up-to-date and relevant.
>>>
>>>
>>> Question:
>>>
>>> Is this a role for NC4? Review curriculum on infrastructure *that it
>>> does not own*. Any comments?
>>>
>>> :
>>>
>>> :
>>>
>>> :
>>>
>>> *What are your views, justifications and recommendations regarding the
>>> following sections, and how do you interpret the regulations in question?*
>>>
>>>
>>>