Day 2: Public Participation of the Computer Misuse and Cybercrimes (Critical Information Infrastructure and CyberCrimes Management Regulations, 2023)

Dear Listers,

Welcome to Day 2 of our engaging discourse on the “*Computer Misuse and
CyberCrimes (Critical Information Infrastructure and CyberCrimes
Management) Regulations 2023*,” KICTANet extends gratitude to each and
every one of you who made Day 1 an enriching experience. Thank you for
being an integral part of this important discussion.

Your active participation, insightful contributions, and unwavering
commitment have been truly inspiring and informative towards paving the way
for a more robust and effective framework. Let’s keep the momentum going
and build upon the strong foundation we laid on Day 1. Your expertise is
essential and is what makes this conversation so meaningful.

We will also have a twitter space on Thursday to disseminate/validate the
report before official submissions.

Stay engaged, share your concerns, justifications and recommendations to
ensure a safer and more secure digital future for all.

Today our focus for discussion will center around the following sections:
S. 14( 1),( 2), S.18 3 (d), 4 .

PART III: CYBERSECURITY OPERATION CENTRES

OutSourced Capabilities

14. (1) An owner of a critical information infrastructure including
government-owned critical information infrastructure who intends to
outsource any operations shall, in writing, notify the Committee prior to
outsourcing…

Question:●

How does the notification requirement to notify before outsourcing impact
various aspects, such as Institutional independence, business autonomy,
legality, decision-making, and cybersecurity and other related concerns?

(2)The external service provider shall report to the owner of the critical
information infrastructure, at least quarterly, notifying on the status of
implementation of their obligations under the agreement including notifying
on any security incident.

Question:

Is it appropriate for this reporting requirement between the external
service provider and the owner of critical information infrastructure to be
mandated by regulations, Or Should it be left as a matter of business
arrangement and negotiation between the parties involved?

Risk assessment and evaluation of cybersecurity operation centres

18. 3. (d) define a treatment plan and implement business

continuity management controls including – (4) The business impact analysis
of an organization shall

be based on—

(a) the potential impacts of business disruptions for each prioritized
business function and processes including financial, operational, customer,
legal

and regulatory impacts;

(b) recovery time objectives, recovery point

objectives and maximum acceptable outage;

(c) internal and external inter-dependencies; and

(d) the resources required for recovery

Question:

1.

Is this not too prescriptive?
2.

How can organizations strike a balance between complying with extensive
business impact analysis requirements in cybersecurity operations and
maintaining the flexibility to adapt these regulations to their specific
cybersecurity needs and circumstances?
3.

Is the committee not assuming the role of big bro?

(Business Autonomy Preservation, Regulatory Detail, Comprehensive
Requirements)

*Feel free to offer your insights, justifications and recommendations to
any of the questions above as we continue our discussion on these
regulations through this platform. *

*~Shaping the Future of CyberSecurity ~ *

On Fri, 15 Sept 2023, 11:02 Grace Githaiga via KICTANet, <
[email protected]> wrote:

> Hi Listers,
>
> KICTANet is inviting all Stakeholders to participate in this crucial
> public engagement and informed dialogue regarding the regulations conferred
> by the Computer Misuse and Cybercrimes (Critical Information
> Infrastructure and CyberCrimes Management Regulations, 2023)
> <nc4.go.ke/cmca-2018-draft-regulations/>and released by the
> Cabinet Secretary for Interior and National Administration.
>
>
> Your valuable input is not just welcomed, but it is essential in ensuring
> that the Regulations are well-informed and aligned with the rapidly
> evolving landscape of cybersecurity and digital technologies.
>
> We plan to hold a three-day online moderated debate on this list,
> starting from Monday to Wednesday next week (September 18- 20, 2023). The
> debate will be moderated by Our Linda Gichohi.
>
> What is your take on these regulations? Do you have any concerns about the
> regulations? Looking forward to your active participation.
>
> We provide a quick summary of the regulations below:
>
> The Regulations
>
> Introduction
>
> The Regulations are conferred by 70 of the Computer Misuse and Cybercrimes
> Act, 2018. The Cabinet Secretary for Interior and National Administration
> makes the following Regulations—
>
>
>
> PART I – PRELIMINARY PROVISIONS
>
> This encapsulates the citation, interpretation, objects of the
> Regulations, guiding principles, and the Scope of Regulations. Thereby
> entailing the official title by which the regulations should be referred,
> to ensure clarity, defining specific terms and phrases used within the
> regulations. This is to ensure that meanings are understood, and
> fundamental principles to be adhered to when implementing the regulations.
> The boundaries are defined and the applicability of the regulations
> including their jurisdiction and purpose.
>
> PART II- ADMINISTRATION AND MANAGEMENT OF THE COMMITTEE
>
> This part essentially deals with the responsibilities of the committee,
> the conduct of business of the committee, and the role of the secretariat.
> The regulations focus on the practical aspects of how the committee
> operates, and are supported in its efforts to enforce and manage the
> regulations related to cybercrime and critical information infrastructure.
>
>
>
> PART III- CYBERSECURITY OPERATIONS CENTRES
>
> This part entails the establishment and operations of the Cyber Security
> Operations Centres, monitoring and inspection processes related to their
> activities, particularly in safeguarding critical information
> infrastructure and addressing cyber threats.
>
> PART IV- CRITICAL INFORMATION INFRASTRUCTURE
>
> This part covers the Critical Information Infrastructure and encompasses
> the critical aspects of managing, preserving, and protecting critical
> information infrastructure, including designations, obligations, security
> measures, auditing, inspection, and the establishment of the National
> Public Key Infrastructure.
>
>
>
> PART V— CYBERSECURITY CAPABILITY AND CAPACITY
>
> This proposes measures to strengthen cyber security capabilities and
> capacity through training, information sharing, information sharing,
> standards, collaboration, and the certification of institutions and
> professionals in the field of cybersecurity.
>
> PART VI—REPORTING MECHANISM
>
> This part focuses on the objectives, procedures, and methods of reporting
> cyber threats, including provisions for anonymous reporting to promote
> cybersecurity awareness and response.
>
>
>
> PART VII—MISCELLANEOUS PROVISIONS
>
> This typically covers various miscellaneous provisions related to
> cybersecurity, including the adoption of best practices, partnerships,
> dispute resolution, and data protection while,
>
> The “SCHEDULES” section contains additional detailed information or forms
> related to compliance.
> Again, we look forward to your active participation. Have a great weekend.
> —
> Grace Githaiga
> KICTANet Convenor
>
> KICTANet portals
> KICTANet.or.ke <kictanet.or.ke/> | Twitter
> | LinkedIn
> <www.linkedin.com/company/18428106/admin/> | Facebook
> <www.facebook.com/KICTANet/>
>