Day 3: PUBLIC PARTICIPATION OF THE “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES MANAGEMENT) REGULATIONS, 2023.

Thank you Lawrence for your cyber-secure informed inputs and views.

We shall hold the Twitter Space with the disseminated/ consolidated report
informed by the KICTANet virtual Public Participation and public forums
tomorrow at 8pm – 9pm before official submissions.
Welcome!!!

Dear Listers,

What are your views on Regulation 22 (3)(c) on Failure to Implement
directives.

*Is this justified?*
(3) The suitable actions or administrative actions
contemplated under paragraph (1) may include orders to⸻
(a) provide a detailed report on non-compliance to
the National Security Council;
(b) inform the respective Regulator to impose
specified actions under their respective law;
(c*) be under twenty-four hours’ surveillance by the **Director;*
(d) constitute a multi-agency committee to
implement the directives;
(e) fully implement the directives by the Director;
(f) require investigations by the law enforcement
agencies;

*Feel free to share your concerns, justifications and recommendations on
the same.*

On Wed, 20 Sept 2023, 19:53 Lawrence Muchilwa via KICTANet, <
[email protected]> wrote:

> Linda,
>
> Thank you for this.
>
> I happened to attend the public session on monday and will be looking
> forward to the formal submission. I would be happy to be part of the space
> as a guest speaker.
>
> Please find my highlighted comments.
>
> PART III: CYBERSECURITY OPERATION CENTRES
>
> OutSourced Capabilities
> 14. (1) An owner of a critical information infrastructure including
> government-owned critical information infrastructure who intends to
> outsource any operations shall, in writing, notify the Committee prior to
> outsourcing…
>
> Question:●
> How does the notification requirement to notify before outsourcing impact
> various aspects, such as Institutional independence, business autonomy,
> legality, decision-making, and cybersecurity and other related concerns?
>
> LM: I agree with Barack, there is an administrative burden here that can
> impact business autonomy is not managed well. However, this requirement
> introduces ‘neutral’ oversight that was lacking allowing independent review
> and impact assessment to national socio economic factors and security. The
> committee via its members will have visibility that a private entity might
> lack, which can be useful in adequate impact analysis.
>
>
> (2)The external service provider shall report to the owner of the critical
> information infrastructure, at least quarterly, notifying on the status of
> implementation of their obligations under the agreement including notifying
> on any security incident.
>
> Question:
> Is it appropriate for this reporting requirement between the external
> service provider and the owner of critical information infrastructure to be
> mandated by regulations,…
>
> Or Should it be left as a matter of business arrangement and negotiation
> between the parties involved?
>
> Risk assessment and evaluation of cybersecurity operation centres
>
> LM: The requirement sets a baseline that cuts across the board and removes
> ambiguity. Room for improvement here might be to either ride on top of
> existing reporting obligations eg CBK and Banks, Telcos and CA and minimize
> duplication. However, not all critical infrastructure has a regulator or
> enjoys the maturity the Telco and Fintech space have.
>
> 18. 3. (d) Define a treatment plan and implement business continuity
> management controls including – …
>
> (4) The business impact analysis of an organization shall be based on—
> (a) the potential impacts of business disruptions for each prioritized
> business function and processes including financial, operational, customer,
> legal and regulatory impacts;
> (b) recovery time objectives, recovery point
> objectives and maximum acceptable outage;
> (c) internal and external inter-dependencies; and
> (d) the resources required for recovery
>
> Question:
> 1. Is this not too prescriptive?
> LM: The requirement sets a baseline. These are standard requirement for
> any risk management framework.
>
> 2. How can organizations strike a balance between complying with extensive
> business impact analysis requirements in cybersecurity operations and
> maintaining the flexibility to adapt these regulations to their specific
> cybersecurity needs and circumstances?
>
> LM: I don’t foresee this as a challenge. BIA is a standard requirement for
> organizations serious with business continuity, cyber and operational
> resilience.
>
>
> 3. Is the committee not assuming the role of Big bro?
> (Business Autonomy Preservation, Regulatory Detail, Comprehensive
> Requirements)
> LM: Its taking the role of big brother which is a good thing for the
> masses if not abused.
>
> Stay engaged, share your concerns, views, justifications and
> recommendations to ensure a safer and more secure digital future for all.
>
> On Wed, Sep 20, 2023 at 4:41 PM Cherie Oyier via KICTANet <
> [email protected]> wrote:
>
>> Section 13
>>
>> 13. (2) The cybersecurity awareness programme under paragraph (1) shall
>> include the following topics—…..
>>
>> Question:
>>
>> Does this need to be this prescriptive? And what does this mean for
>> emerging areas? How about emerging cyber threats?
>>
>> This provision is definitely too restrictive. Due to the rampant pace
>> technology is advancing at, cybercrimes and threats are equally advancing
>> at the same pace. It is therefore likely that mitigating measures will need
>> to advance as we go on . Therefore such a restrictive provision will not be
>> ideal to cover future threats and awareness programs. I would recommend
>> that the committee publishes guidelines on topics for the awareness
>> program. Further, owners of critical information infrastructure can come up
>> with a curriculum. The curriculum should be formulated in collaboration
>> with all relevant stakeholders.
>>
>> On Wed, 20 Sep 2023, 16:19 Cherie Oyier, <[email protected]> wrote:
>>
>>> (l) Monitor all databases established for purposes of establishing
>>> their integrity and confidentiality for the attainment of the objectives of
>>> the Act and these Regulations.
>>>
>>> Question:
>>>
>>> Is this regulation realistic and can this be effectively implemented?
>>>
>>> What are some of the data protection and privacy rights concerns that
>>> may arise from this regulation?
>>>
>>> The vastness of critical information databases across different sectors
>>> may render this provision inoperable. It would be more realistic to put in
>>> place provisions to measure compliance relating to integrity and
>>> confidentiality. Perhaps provide for officers to ensure this within an
>>> entity similar to data protection officers. Also a compliance certificate
>>> would suffice, where an entity submits proof of compliance for a
>>> certificate of compliance running for a specific period. Where there is
>>> proof of noncompliance the same can be revoked.
>>>
>>> Several concerns arise regarding data protection. This provision is too
>>> wide. Access to critical information infrastructure should be on a need
>>> basis i.e where there is proof of breach, loss or disaster. Otherwise left
>>> as is, the provision is prone to abuse leading to surveillance and other
>>> data protection risks.
>>>
>>>
>>> On Wed, 20 Sep 2023, 13:56 Florence Awino via KICTANet, <
>>> [email protected]> wrote:
>>>
>>>> Dear Linda,
>>>> *Should we let the existing regulatory bodies do their jobs instead of
>>>> introducing the given regulations that might cause conflicts?*
>>>> *Or on the Contrary…. Do you have any recommendations and/or reasons
>>>> to justify such regulations? *
>>>>
>>>> *My Answer: *There are valid concerns that existing regulatory bodies
>>>> should handle this without new regulations to avoid potential conflicts.
>>>> However, justifications for this provision lie in securing critical
>>>> information infrastructure.
>>>> Critical information infrastructure is a prime target for cyberattacks,
>>>> and outsourcing can introduce vulnerabilities. Notification should help to
>>>> assess risks and align with cybersecurity standards. Provided that new
>>>> regulations address our evolving cyber threats and offer specific guidance.
>>>> It is also hard to argue with the potential of this regulation to
>>>> facilitate stakeholder information sharing, which is crucial for
>>>> cybersecurity.
>>>> Regards
>>>> Florence Awino Ouma <www.linkedin.com/in/flo-ouma-profile/>
>>>>
>>>>
>>>> On Tue, Sep 19, 2023 at 11:25 PM Linda Wairure via KICTANet <
>>>> [email protected]> wrote:
>>>>
>>>>> Thank you for the informative input Barrack.
>>>>>
>>>>> I agree with your sentiments that the enactment of such regulations
>>>>> supplants the functions of well-established regulatory authorities and may
>>>>> potentially cause a discord leading to contradiction, ambiguity and
>>>>> operational inefficacy.
>>>>>
>>>>> Dear Listers,
>>>>>
>>>>> *Should we let the existing regulatory bodies do their jobs instead of
>>>>> introducing the given regulations that might cause conflicts?*
>>>>>
>>>>> *Or on the Contrary…. Do you have any recommendations and/or reasons
>>>>> to justify such regulations? *
>>>>>
>>>>> “14. (1) An owner of a critical information infrastructure including
>>>>> government-owned critical information infrastructure who intends to
>>>>> outsource any operations shall, in writing, notify the Committee prior to
>>>>> outsourcing….. “
>>>>>
>>>>> *Any other concerns on the regulations below? *
>>>>>
>>>>> *Feel free to share your insights on the same.*
>>>>>
>>>>> (2)The external service provider shall report to the owner of the
>>>>> critical information infrastructure, at least quarterly, notifying on the
>>>>> status of implementation of their obligations under the agreement including
>>>>> notifying on any security incident…
>>>>>
>>>>> Sent from Outlook for Android <aka.ms/AAb9ysg>
>>>>> ——————————
>>>>> *From:* Barrack Otieno <[email protected]>
>>>>> *Sent:* Tuesday, September 19, 2023 10:19:01 PM
>>>>> *To:* Kenya’s premier ICT Policy engagement platform <
>>>>> [email protected]>
>>>>> *Cc:* Linda Wairure <[email protected]>
>>>>> *Subject:* Re: [kictanet] Re: Day 2: PUBLIC PARTICIPATION OF THE
>>>>> “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND
>>>>> CYBERCRIMES MANAGEMENT) REGULATIONS, 2023.
>>>>>
>>>>> Dear Linda,
>>>>>
>>>>> My responses inline:
>>>>>
>>>>> On Tue, Sep 19, 2023 at 11:25 AM Linda Wairure via KICTANet <
>>>>> [email protected]> wrote:
>>>>>
>>>>> DAY 2: Tuesday 19/09/2023
>>>>>
>>>>> Dear Listers,
>>>>>
>>>>> Welcome to Day 2 of our engaging discourse and virtual Public
>>>>> Participation forum on the “Computer Misuse and CyberCrimes (Critical
>>>>> Information Infrastructure and CyberCrimes Management) Regulations 2023,”
>>>>> KICTANet extends gratitude to every stakeholder and partner who made Day 1
>>>>> an enriching experience. Thank you for being an integral part of this
>>>>> important discussion.
>>>>>
>>>>> We shall also have a Twitter Space on Thursday to disseminate/validate
>>>>> the report before official submissions.
>>>>>
>>>>> Today our focus of discussion will center around the following
>>>>> sections: S. 14( 1),( 2), S.18 3 (d), 4 .
>>>>>
>>>>> *PART III: CYBERSECURITY OPERATION CENTRES *
>>>>>
>>>>> *OutSourced Capabilities *
>>>>> 14. (1) An owner of a critical information infrastructure including
>>>>> government-owned critical information infrastructure who intends to
>>>>> outsource any operations shall, in writing, notify the Committee prior to
>>>>> outsourcing…
>>>>>
>>>>> Question*:● *
>>>>> *How does the notification requirement to notify before outsourcing
>>>>> impact various aspects, such as Institutional independence, business
>>>>> autonomy, legality, decision-making, and cybersecurity and other related
>>>>> concerns?*
>>>>>
>>>>> BO: This requirement does not make sense. It is usurping roles of
>>>>> Regulatory bodies such as the Communications Authority and Office of the
>>>>> Data Protection Commissioner which Registers Data Controllers.
>>>>>
>>>>>
>>>>>
>>>>> (2)The external service provider shall report to the owner of the
>>>>> critical information infrastructure, at least quarterly, notifying on the
>>>>> status of implementation of their obligations under the agreement including
>>>>> notifying on any security incident.
>>>>>
>>>>> Question*:*
>>>>> *Is it appropriate for this reporting requirement between the external
>>>>> service provider and the owner of critical information infrastructure to be
>>>>> mandated by regulations,…*
>>>>>
>>>>> BO: This will become an administrative burden, again, Service
>>>>> providers report periodically to the agencies overseeing their ecosystem
>>>>> such as the communications Authority.
>>>>>
>>>>>
>>>>>
>>>>> *Or Should it be left as a matter of business arrangement and
>>>>> negotiation between the parties involved? *
>>>>>
>>>>> *Risk assessment and evaluation of cybersecurity operation centres*
>>>>>
>>>>> 18. 3. (d) Define a treatment plan and implement business continuity
>>>>> management controls including – …
>>>>>
>>>>> (4) The business impact analysis of an organization shall be based on—
>>>>> (a) the potential impacts of business disruptions for each prioritized
>>>>> business function and processes including financial, operational, customer,
>>>>> legal and regulatory impacts;
>>>>> (b) recovery time objectives, recovery point
>>>>> objectives and maximum acceptable outage;
>>>>> (c) internal and external inter-dependencies; and
>>>>> (d) the resources required for recovery
>>>>>
>>>>> Question:
>>>>>
>>>>> *1. Is this not too prescriptive? *
>>>>>
>>>>> *2. How can organizations strike a balance between complying with
>>>>> extensive business impact analysis requirements in cybersecurity operations
>>>>> and maintaining the flexibility to adapt these regulations to their
>>>>> specific cybersecurity needs and circumstances?*
>>>>>
>>>>> *3. Is the committee not assuming the role of Big bro? *
>>>>> *(*Business Autonomy Preservation, Regulatory Detail, Comprehensive
>>>>> Requirements)
>>>>>
>>>>> Stay engaged, share your concerns, views, justifications and
>>>>> recommendations to ensure a safer and more secure digital future for all.
>>>>>
>>>>> *~Shaping the Future of CyberSecurity ~*
>>>>>
>>>>> On Mon, 18 Sept 2023, 17:04 Linda Wairure, <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Thank you Counsel for the eye-opening feedback and very valid points.
>>>>> Indeed there is need for more public awareness and advocacy.
>>>>>
>>>>> Echoing Barrack sentiments, over-legislation might not be the best way
>>>>> to go.
>>>>> As a country, we need more emphasis on implementation of the already
>>>>> existing regulations and laws.
>>>>>
>>>>> To follow up and expound on the same…
>>>>>
>>>>> Dear Listers,
>>>>>
>>>>> What are some of your concerns, justifications and recommendations on
>>>>> how governments can strike a balance between securing critical information
>>>>> infrastructure and ensuring the privacy and civil liberties of their
>>>>> citizens?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, 18 Sept 2023, 16:25 Faith Kisinga via KICTANet, <
>>>>> [email protected]> wrote:
>>>>>
>>>>>
>>>>> Hi Linda,
>>>>> Thanks for providing this opportunity.
>>>>> Indeed there’s need to create awareness on what this framework aims to
>>>>> do, to avoid leaving the public feeling overwhelmed.
>>>>>
>>>>> These regulations are specifically aimed at the facilities, networks
>>>>> and systems, which if disrupted, would have a debilitating effect on
>>>>> national security, the economy, public health and safety. 16 critical
>>>>> infrastructure sectors are listed.
>>>>>
>>>>>
>>>>> On 18 Sep 2023, at 15:58, Barrack Otieno via KICTANet <
>>>>> [email protected]> wrote:
>>>>>
>>>>> 
>>>>> Hi Linda,
>>>>>
>>>>> I tend to think we are over legislating. Having moderated a session
>>>>> during this years Communications Authority ICT Week, i learnt from GSMA
>>>>> that while the country has 98% Infrastruture Coverage, usage is a paltry
>>>>> 21%. The users account for 30% of the population and are mostly in urban
>>>>> centres. We need to pay attention so that we dont scare away the 70% based
>>>>> in rural areas who are mostly using feature phones. We should also have
>>>>> this in mind as we frame the laws so that we avoid a scenario where we
>>>>> respond to mosquito bites with a hammer.
>>>>>
>>>>> Best Regards
>>>>>
>>>>> On Mon, Sep 18, 2023 at 3:20 PM Linda Wairure via KICTANet <
>>>>> [email protected]> wrote:
>>>>>
>>>>> Can you provide examples of robust sector-specific cybersecurity
>>>>> regulations that have been successful ? …….What are the potential
>>>>> drawbacks or challenges associated with trying to monitor all databases?
>>>>>
>>>>>
>>>>> On Mon, 18 Sept 2023 at 04:54, Neema MASITSA <[email protected]>
>>>>> wrote:
>>>>>
>>>>> (l) Monitor all databases established for purposes of establishing
>>>>> their integrity and confidentiality for the attainment of the objectives of
>>>>> the Act and these Regulations.
>>>>>
>>>>> Question:
>>>>>
>>>>> Is this regulation realistic, and can it be effectively implemented?
>>>>>
>>>>> My opinion is rather than to attempt to monitor all databases, we can
>>>>> focus on risk-based and sector-specific approaches to cybersecurity.
>>>>>
>>>>> On Mon, Sep 18, 2023 at 10:12 AM Linda Wairure via KICTANet <
>>>>> [email protected]> wrote:
>>>>>
>>>>> DAY 1: Monday 18/09/2023
>>>>>
>>>>> Dear Listers,
>>>>>
>>>>> Welcome to the inaugural day of our lively discussion and debate
>>>>> centered around the *”Computer Misuse and Cybercrimes (Critical
>>>>> Information Infrastructure and Cybercrimes Management) Regulations 2023,*”
>>>>> put forth by the Cabinet Secretary for Interior and National
>>>>> Administration. nc4.go.ke/cmca-2018-draft-regulations/
>>>>>
>>>>> We extend a warm invitation to all Stakeholders in the Digital Space
>>>>> to actively engage in this conversation, as your insights are not just
>>>>> valued but indispensable. Together, we aim to ensure that these
>>>>> regulations are not only well-informed but also in perfect alignment with
>>>>> the swiftly evolving realm of cyber security and digital technologies.
>>>>> Discover how they will impact your organization and be part of the
>>>>> conversation that will define the future of cyber security regulations.
>>>>> Your perspectives will help us shape and submit a more comprehensive and
>>>>> effective framework.
>>>>>
>>>>> *We shall also have a twitter space on Thursday to
>>>>> disseminate/validate the report before submitting it on Friday. *
>>>>>
>>>>>
>>>>> *Feel free to share your insights, concerns, justifications and
>>>>> recommendations to shape these regulations effectively.*
>>>>>
>>>>>
>>>>> PART I – PRELIMINARY PROVISIONS
>>>>>
>>>>>
>>>>> Objects of the Regulations
>>>>>
>>>>> *Section 3.*
>>>>>
>>>>> (a) Provide a framework to monitor, detect and respond to cyber
>>>>> security threats in the cyberspace belonging to Kenya;
>>>>>
>>>>> (i) Promote coordination, collaboration, cooperation and shared
>>>>> responsibility amongst stakeholders in the cybersecurity sector including
>>>>> critical infrastructure protection
>>>>>
>>>>> (g) Approve the identification and designation of critical information
>>>>> infrastructure *Question:*
>>>>>
>>>>> * Is this sufficient to allow each government related cyber unit to
>>>>> operate efficiently without turf wars on who is more superior?*
>>>>>
>>>>>
>>>>> (l) Monitor all databases established for purposes of establishing
>>>>> their integrity and confidentiality for the attainment of the objectives of
>>>>> the Act and these Regulations.
>>>>>
>>>>> Question:
>>>>>
>>>>> Is this regulation realistic and can this be effectively
>>>>> implemented?
>>>>>
>>>>> What are some of the data protection and privacy rights concerns
>>>>> that may arise from this regulation?
>>>>>
>>>>> PART III – CYBERSECURITY OPERATIONS CENTRES
>>>>>
>>>>> Section 13
>>>>>
>>>>> 13. (2) The cybersecurity awareness programme under paragraph (1)
>>>>> shall include the following topics—…..
>>>>>
>>>>> Question:
>>>>>
>>>>> Does this need to be this prescriptive? And what does this mean for
>>>>> emerging areas? How about emerging cyber threats?
>>>>>
>>>>>
>>>>> 13(3) The owner of critical information infrastructure shall in
>>>>> consultation with the Committee, review the cybersecurity awareness
>>>>> programme at least once every twelve months to ensure that the programme is
>>>>> adequate and that it remains upto-date and relevant.
>>>>>
>>>>>
>>>>> Question:
>>>>>
>>>>> Is this a role for NC4? Review curriculum on infrastructure t*hat it
>>>>> does not own*. Any comments?
>>>>>
>>>>> :
>>>>>
>>>>> :
>>>>>
>>>>> :
>>>>>
>>>>> *What are your views, justifications and recommendations regarding the
>>>>> following sections, and how do you interpret the regulations in question?*
>>>>>
>>>>>
>>>>>