Day 3: PUBLIC PARTICIPATION OF THE “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND CYBERCRIMES MANAGEMENT) REGULATIONS, 2023”.

Dear Listers,

Amidst the ongoing online discussions surrounding the Computer Misuse and
Cybercrimes (Critical Information Infrastructure and Cybercrime Management)
Regulations, we are delighted to extend an invitation to our Twitter Space
discussion.

📌 Please mark your calendars for this Thursday at 8:00 PM – 9:00 PM EAT,
as we engage in a critical dialogue aimed at disseminating and validating
the feedback and information gathered from this mailing list and other
social channels. All of this valuable input will be incorporated into our
upcoming report.

🔗 Twitter Space Link: tinyurl.com/ed5uh5hx

Our engagements across all our social platforms and the mailing list are
still ongoing, and we encourage you to continue sharing your perspectives
in line with this matter.

KICTANet’s Communications Team

On Wed, 20 Sept 2023, 20:19 Linda Wairure via KICTANet, <
kictanet@lists.kictanet.or.ke> wrote:

> Thank you Lawrence for your cyber-secure informed inputs and views.
>
> We shall hold the Twitter Space with the disseminated/consolidated report
> informed by the KICTANet virtual Public Participation and public forums
> tomorrow at 8pm – 9pm before official submissions.
> Welcome!!!
>
> Dear Listers,
>
> What are your views on Regulation 22 (3)(c) on Failure to Implement
> directives?
>
> *Is this justified?*
> (3) The suitable actions or administrative actions
> contemplated under paragraph (1) may include orders to—
> (a) provide a detailed report on non-compliance to
> the National Security Council;
> (b) inform the respective Regulator to impose
> specified actions under their respective law;
> *(c) be under twenty-four hours’ surveillance by the Director;*
> (d) constitute a multi-agency committee to
> implement the directives;
> (e) fully implement the directives by the Director;
> (f) require investigations by the law enforcement
> agencies;
>
> *Feel free to share your concerns, justifications and recommendations on
> the same.*
>
> On Wed, 20 Sept 2023, 19:53 Lawrence Muchilwa via KICTANet, <
> kictanet@lists.kictanet.or.ke> wrote:
>
>> Linda,
>>
>> Thank you for this.
>>
>> I happened to attend the public session on Monday and will be looking
>> forward to the formal submission. I would be happy to be part of the space
>> as a guest speaker.
>>
>> Please find my highlighted comments.
>>
>> PART III: CYBERSECURITY OPERATION CENTRES
>>
>> OutSourced Capabilities
>> 14. (1) An owner of a critical information infrastructure including
>> government-owned critical information infrastructure who intends to
>> outsource any operations shall, in writing, notify the Committee prior to
>> outsourcing…
>>
>> Question:
>> How does the notification requirement to notify before outsourcing impact
>> various aspects, such as Institutional independence, business autonomy,
>> legality, decision-making, and cybersecurity and other related concerns?
>>
>> LM: I agree with Barrack, there is an administrative burden here that can
>> impact business autonomy if not managed well. However, this requirement
>> introduces ‘neutral’ oversight that was lacking allowing independent review
>> and impact assessment to national socio economic factors and security. The
>> committee via its members will have visibility that a private entity might
>> lack, which can be useful in adequate impact analysis.
>>
>>
>> (2)The external service provider shall report to the owner of the
>> critical information infrastructure, at least quarterly, notifying on the
>> status of implementation of their obligations under the agreement including
>> notifying on any security incident.
>>
>> Question:
>> Is it appropriate for this reporting requirement between the external
>> service provider and the owner of critical information infrastructure to be
>> mandated by regulations,…
>>
>> Or Should it be left as a matter of business arrangement and negotiation
>> between the parties involved?
>>
>> Risk assessment and evaluation of cybersecurity operation centres
>>
>> LM: The requirement sets a baseline that cuts across the board and
>> removes ambiguity. Room for improvement here might be to either ride on top
>> of existing reporting obligations e.g. CBK and Banks, Telcos and CA and
>> minimize duplication. However, not all critical infrastructure has a
>> regulator or enjoys the maturity the Telco and Fintech space have.
>>
>> 18. 3. (d) Define a treatment plan and implement business continuity
>> management controls including – …
>>
>> (4) The business impact analysis of an organization shall be based on—
>> (a) the potential impacts of business disruptions for each prioritized
>> business function and processes including financial, operational, customer,
>> legal and regulatory impacts;
>> (b) recovery time objectives, recovery point
>> objectives and maximum acceptable outage;
>> (c) internal and external inter-dependencies; and
>> (d) the resources required for recovery
>>
>> Question:
>> 1. Is this not too prescriptive?
>> LM: The requirement sets a baseline. These are standard requirements for
>> any risk management framework.
>>
>> 2. How can organizations strike a balance between complying with
>> extensive business impact analysis requirements in cybersecurity operations
>> and maintaining the flexibility to adapt these regulations to their
>> specific cybersecurity needs and circumstances?
>>
>> LM: I don’t foresee this as a challenge. BIA is a standard requirement
>> for organizations serious with business continuity, cyber and operational
>> resilience.
>>
>>
>> 3. Is the committee not assuming the role of Big bro?
>> (Business Autonomy Preservation, Regulatory Detail, Comprehensive
>> Requirements)
>> LM: It’s taking the role of big brother which is a good thing for the
>> masses if not abused.
>>
>> Stay engaged, share your concerns, views, justifications and
>> recommendations to ensure a safer and more secure digital future for all.
>>
>> On Wed, Sep 20, 2023 at 4:41 PM Cherie Oyier via KICTANet <
>> kictanet@lists.kictanet.or.ke> wrote:
>>
>>> Section 13
>>>
>>> 13. (2) The cybersecurity awareness programme under paragraph (1) shall
>>> include the following topics—…..
>>>
>>> Question:
>>>
>>> Does this need to be this prescriptive? And what does this mean for
>>> emerging areas? How about emerging cyber threats?
>>>
>>> This provision is definitely too restrictive. Due to the rampant pace
>>> technology is advancing at, cybercrimes and threats are equally advancing
>>> at the same pace. It is therefore likely that mitigating measures will need
>>> to advance as we go on. Therefore such a restrictive provision will not be
>>> ideal to cover future threats and awareness programs. I would recommend
>>> that the committee publishes guidelines on topics for the awareness
>>> program. Further, owners of critical information infrastructure can come up
>>> with a curriculum. The curriculum should be formulated in collaboration
>>> with all relevant stakeholders.
>>>
>>> On Wed, 20 Sep 2023, 16:19 Cherie Oyier, <oyierlaw@gmail.com> wrote:
>>>
>>>> (l) Monitor all databases established for purposes of establishing
>>>> their integrity and confidentiality for the attainment of the objectives of
>>>> the Act and these Regulations.
>>>>
>>>> Question:
>>>>
>>>> Is this regulation realistic and can this be effectively implemented?
>>>>
>>>> What are some of the data protection and privacy rights concerns that
>>>> may arise from this regulation?
>>>>
>>>> The vastness of critical information databases across different sectors
>>>> may render this provision inoperable. It would be more realistic to put in
>>>> place provisions to measure compliance relating to integrity and
>>>> confidentiality. Perhaps provide for officers to ensure this within an
>>>> entity similar to data protection officers. Also a compliance certificate
>>>> would suffice, where an entity submits proof of compliance for a
>>>> certificate of compliance running for a specific period. Where there is
>>>> proof of noncompliance the same can be revoked.
>>>>
>>>> Several concerns arise regarding data protection. This provision is too
>>>> wide. Access to critical information infrastructure should be on a need
>>>> basis i.e where there is proof of breach, loss or disaster. Otherwise left
>>>> as is, the provision is prone to abuse leading to surveillance and other
>>>> data protection risks.
>>>>
>>>>
>>>> On Wed, 20 Sep 2023, 13:56 Florence Awino via KICTANet, <
>>>> kictanet@lists.kictanet.or.ke> wrote:
>>>>
>>>>> Dear Linda,
>>>>> *Should we let the existing regulatory bodies do their jobs instead of
>>>>> introducing the given regulations that might cause conflicts?*
>>>>> *Or on the Contrary…. Do you have any recommendations and/or reasons
>>>>> to justify such regulations? *
>>>>>
>>>>> *My Answer:* There are valid concerns that existing regulatory bodies
>>>>> should handle this without new regulations to avoid potential conflicts.
>>>>> However, justifications for this provision lie in securing critical
>>>>> information infrastructure.
>>>>> Critical information infrastructure is a prime target for
>>>>> cyberattacks, and outsourcing can introduce vulnerabilities. Notification
>>>>> should help to assess risks and align with cybersecurity standards.
>>>>> Provided that new regulations address our evolving cyber threats and offer
>>>>> specific guidance.
>>>>> It is also hard to argue with the potential of this regulation to
>>>>> facilitate stakeholder information sharing, which is crucial for
>>>>> cybersecurity.
>>>>> Regards
>>>>> Florence Awino Ouma <www.linkedin.com/in/flo-ouma-profile/>
>>>>>
>>>>>
>>>>> On Tue, Sep 19, 2023 at 11:25 PM Linda Wairure via KICTANet <
>>>>> kictanet@lists.kictanet.or.ke> wrote:
>>>>>
>>>>>> Thank you for the informative input Barrack.
>>>>>>
>>>>>> I agree with your sentiments that the enactment of such regulations
>>>>>> supplants the functions of well-established regulatory authorities and may
>>>>>> potentially cause a discord leading to contradiction, ambiguity and
>>>>>> operational inefficacy.
>>>>>>
>>>>>> Dear Listers,
>>>>>>
>>>>>> *Should we let the existing regulatory bodies do their jobs instead
>>>>>> of introducing the given regulations that might cause conflicts?*
>>>>>>
>>>>>> *Or on the Contrary…. Do you have any recommendations and/or
>>>>>> reasons to justify such regulations? *
>>>>>>
>>>>>> “14. (1) An owner of a critical information infrastructure including
>>>>>> government-owned critical information infrastructure who intends to
>>>>>> outsource any operations shall, in writing, notify the Committee prior to
>>>>>> outsourcing….. “
>>>>>>
>>>>>> *Any other concerns on the regulations below? *
>>>>>>
>>>>>> *Feel free to share your insights on the same.*
>>>>>>
>>>>>> (2)The external service provider shall report to the owner of the
>>>>>> critical information infrastructure, at least quarterly, notifying on the
>>>>>> status of implementation of their obligations under the agreement including
>>>>>> notifying on any security incident…
>>>>>>
>>>>>> ——————————
>>>>>> *From:* Barrack Otieno <barrack@kictanet.or.ke>
>>>>>> *Sent:* Tuesday, September 19, 2023 10:19:01 PM
>>>>>> *To:* Kenya’s premier ICT Policy engagement platform <
>>>>>> kictanet@lists.kictanet.or.ke>
>>>>>> *Cc:* Linda Wairure <lindagichohi@gmail.com>
>>>>>> *Subject:* Re: [kictanet] Re: Day 2: PUBLIC PARTICIPATION OF THE
>>>>>> “COMPUTER MISUSE AND CYBERCRIMES (CRITICAL INFORMATION INFRASTRUCTURE AND
>>>>>> CYBERCRIMES MANAGEMENT) REGULATIONS, 2023.
>>>>>>
>>>>>> Dear Linda,
>>>>>>
>>>>>> My responses inline:
>>>>>>
>>>>>> On Tue, Sep 19, 2023 at 11:25 AM Linda Wairure via KICTANet <
>>>>>> kictanet@lists.kictanet.or.ke> wrote:
>>>>>>
>>>>>> DAY 2: Tuesday 19/09/2023
>>>>>>
>>>>>> Dear Listers,
>>>>>>
>>>>>> Welcome to Day 2 of our engaging discourse and virtual Public
>>>>>> Participation forum on the “Computer Misuse and CyberCrimes (Critical
>>>>>> Information Infrastructure and CyberCrimes Management) Regulations 2023,”
>>>>>> KICTANet extends gratitude to every stakeholder and partner who made Day 1
>>>>>> an enriching experience. Thank you for being an integral part of this
>>>>>> important discussion.
>>>>>>
>>>>>> We shall also have a Twitter Space on Thursday to
>>>>>> disseminate/validate the report before official submissions.
>>>>>>
>>>>>> Today our focus of discussion will center around the following
>>>>>> sections: S. 14(1), (2), S. 18(3)(d), (4).
>>>>>>
>>>>>> *PART III: CYBERSECURITY OPERATION CENTRES *
>>>>>>
>>>>>> *OutSourced Capabilities *
>>>>>> 14. (1) An owner of a critical information infrastructure including
>>>>>> government-owned critical information infrastructure who intends to
>>>>>> outsource any operations shall, in writing, notify the Committee prior to
>>>>>> outsourcing…
>>>>>>
>>>>>> *Question:*
>>>>>> *How does the notification requirement to notify before outsourcing
>>>>>> impact various aspects, such as Institutional independence, business
>>>>>> autonomy, legality, decision-making, and cybersecurity and other related
>>>>>> concerns?*
>>>>>>
>>>>>> BO: This requirement does not make sense. It is usurping roles of
>>>>>> Regulatory bodies such as the Communications Authority and Office of the
>>>>>> Data Protection Commissioner which Registers Data Controllers.
>>>>>>
>>>>>>
>>>>>>
>>>>>> (2)The external service provider shall report to the owner of the
>>>>>> critical information infrastructure, at least quarterly, notifying on the
>>>>>> status of implementation of their obligations under the agreement including
>>>>>> notifying on any security incident.
>>>>>>
>>>>>> Question*:*
>>>>>> *Is it appropriate for this reporting requirement between the
>>>>>> external service provider and the owner of critical information
>>>>>> infrastructure to be mandated by regulations,…*
>>>>>>
>>>>>> BO: This will become an administrative burden, again, Service
>>>>>> providers report periodically to the agencies overseeing their ecosystem
>>>>>> such as the communications Authority.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Or Should it be left as a matter of business arrangement and
>>>>>> negotiation between the parties involved? *
>>>>>>
>>>>>> *Risk assessment and evaluation of cybersecurity operation centres*
>>>>>>
>>>>>> 18. 3. (d) Define a treatment plan and implement business continuity
>>>>>> management controls including – …
>>>>>>
>>>>>> (4) The business impact analysis of an organization shall be based on—
>>>>>> (a) the potential impacts of business disruptions for each
>>>>>> prioritized business function and processes including financial,
>>>>>> operational, customer, legal and regulatory impacts;
>>>>>> (b) recovery time objectives, recovery point
>>>>>> objectives and maximum acceptable outage;
>>>>>> (c) internal and external inter-dependencies; and
>>>>>> (d) the resources required for recovery
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> *1. Is this not too prescriptive? *
>>>>>>
>>>>>> *2. How can organizations strike a balance between complying with
>>>>>> extensive business impact analysis requirements in cybersecurity operations
>>>>>> and maintaining the flexibility to adapt these regulations to their
>>>>>> specific cybersecurity needs and circumstances?*
>>>>>>
>>>>>> *3. Is the committee not assuming the role of Big bro?*
>>>>>> (Business Autonomy Preservation, Regulatory Detail, Comprehensive
>>>>>> Requirements)
>>>>>>
>>>>>> Stay engaged, share your concerns, views, justifications and
>>>>>> recommendations to ensure a safer and more secure digital future for all.
>>>>>>
>>>>>> *~Shaping the Future of CyberSecurity ~*
>>>>>>
>>>>>> On Mon, 18 Sept 2023, 17:04 Linda Wairure, <lindagichohi@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Thank you Counsel for the eye-opening feedback and very valid points.
>>>>>> Indeed there is need for more public awareness and advocacy.
>>>>>>
>>>>>> Echoing Barrack’s sentiments, over-legislation might not be the best
>>>>>> way to go.
>>>>>> As a country, we need more emphasis on implementation of the already
>>>>>> existing regulations and laws.
>>>>>>
>>>>>> To follow up and expound on the same…
>>>>>>
>>>>>> Dear Listers,
>>>>>>
>>>>>> What are some of your concerns, justifications and recommendations
>>>>>> on how governments can strike a balance between securing critical
>>>>>> information infrastructure and ensuring the privacy and civil liberties of
>>>>>> their citizens?
>>>>>>
>>>>>>
>>>>>> On Mon, 18 Sept 2023, 16:25 Faith Kisinga via KICTANet, <
>>>>>> kictanet@lists.kictanet.or.ke> wrote:
>>>>>>
>>>>>>
>>>>>> Hi Linda,
>>>>>> Thanks for providing this opportunity.
>>>>>> Indeed there’s need to create awareness on what this framework aims
>>>>>> to do, to avoid leaving the public feeling overwhelmed.
>>>>>>
>>>>>> These regulations are specifically aimed at the facilities, networks
>>>>>> and systems, which if disrupted, would have a debilitating effect on
>>>>>> national security, the economy, public health and safety. 16 critical
>>>>>> infrastructure sectors are listed.
>>>>>>
>>>>>>
>>>>>> On 18 Sep 2023, at 15:58, Barrack Otieno via KICTANet <
>>>>>> kictanet@lists.kictanet.or.ke> wrote:
>>>>>>
>>>>>> Hi Linda,
>>>>>>
>>>>>> I tend to think we are over legislating. Having moderated a session
>>>>>> during this year’s Communications Authority ICT Week, I learnt from GSMA
>>>>>> that while the country has 98% Infrastructure Coverage, usage is a paltry
>>>>>> 21%. The users account for 30% of the population and are mostly in urban
>>>>>> centres. We need to pay attention so that we don’t scare away the 70% based
>>>>>> in rural areas who are mostly using feature phones. We should also have
>>>>>> this in mind as we frame the laws so that we avoid a scenario where we
>>>>>> respond to mosquito bites with a hammer.
>>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> On Mon, Sep 18, 2023 at 3:20 PM Linda Wairure via KICTANet <
>>>>>> kictanet@lists.kictanet.or.ke> wrote:
>>>>>>
>>>>>> Can you provide examples of robust sector-specific cybersecurity
>>>>>> regulations that have been successful? … What are the potential
>>>>>> drawbacks or challenges associated with trying to monitor all databases?
>>>>>>
>>>>>>
>>>>>> On Mon, 18 Sept 2023 at 04:54, Neema MASITSA <masitsaneema@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> (l) Monitor all databases established for purposes of establishing
>>>>>> their integrity and confidentiality for the attainment of the objectives of
>>>>>> the Act and these Regulations.
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> Is this regulation realistic, and can it be effectively implemented?
>>>>>>
>>>>>> My opinion is rather than to attempt to monitor all databases, we can
>>>>>> focus on risk-based and sector-specific approaches to cybersecurity.
>>>>>>
>>>>>> On Mon, Sep 18, 2023 at 10:12 AM Linda Wairure via KICTANet <
>>>>>> kictanet@lists.kictanet.or.ke> wrote:
>>>>>>
>>>>>> DAY 1: Monday 18/09/2023
>>>>>>
>>>>>> Dear Listers,
>>>>>>
>>>>>> Welcome to the inaugural day of our lively discussion and debate
>>>>>> centered around the *“Computer Misuse and Cybercrimes (Critical
>>>>>> Information Infrastructure and Cybercrimes Management) Regulations 2023,”*
>>>>>> put forth by the Cabinet Secretary for Interior and National
>>>>>> Administration. nc4.go.ke/cmca-2018-draft-regulations/
>>>>>>
>>>>>> We extend a warm invitation to all Stakeholders in the Digital Space
>>>>>> to actively engage in this conversation, as your insights are not just
>>>>>> valued but indispensable. Together, we aim to ensure that these
>>>>>> regulations are not only well-informed but also in perfect alignment with
>>>>>> the swiftly evolving realm of cyber security and digital technologies.
>>>>>> Discover how they will impact your organization and be part of the
>>>>>> conversation that will define the future of cyber security regulations.
>>>>>> Your perspectives will help us shape and submit a more comprehensive and
>>>>>> effective framework.
>>>>>>
>>>>>> *We shall also have a twitter space on Thursday to
>>>>>> disseminate/validate the report before submitting it on Friday. *
>>>>>>
>>>>>>
>>>>>> *Feel free to share your insights, concerns, justifications and
>>>>>> recommendations to shape these regulations effectively.*
>>>>>>
>>>>>>
>>>>>> PART I – PRELIMINARY PROVISIONS
>>>>>>
>>>>>>
>>>>>> Objects of the Regulations
>>>>>>
>>>>>> *Section 3.*
>>>>>>
>>>>>> (a) Provide a framework to monitor, detect and respond to cyber
>>>>>> security threats in the cyberspace belonging to Kenya;
>>>>>>
>>>>>> (i) Promote coordination, collaboration, cooperation and shared
>>>>>> responsibility amongst stakeholders in the cybersecurity sector including
>>>>>> critical infrastructure protection
>>>>>>
>>>>>> (g) Approve the identification and designation of critical
>>>>>> information infrastructure
>>>>>>
>>>>>> *Question:*
>>>>>>
>>>>>> *Is this sufficient to allow each government related cyber unit to
>>>>>> operate efficiently without turf wars on who is more superior?*
>>>>>>
>>>>>>
>>>>>> (l) Monitor all databases established for purposes of establishing
>>>>>> their integrity and confidentiality for the attainment of the objectives of
>>>>>> the Act and these Regulations.
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> Is this regulation realistic and can this be effectively
>>>>>> implemented?
>>>>>>
>>>>>> What are some of the data protection and privacy rights concerns
>>>>>> that may arise from this regulation?
>>>>>>
>>>>>> PART III – CYBERSECURITY OPERATIONS CENTRES
>>>>>>
>>>>>> Section 13
>>>>>>
>>>>>> 13. (2) The cybersecurity awareness programme under paragraph (1)
>>>>>> shall include the following topics—…..
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> Does this need to be this prescriptive? And what does this mean for
>>>>>> emerging areas? How about emerging cyber threats?
>>>>>>
>>>>>>
>>>>>> 13(3) The owner of critical information infrastructure shall in
>>>>>> consultation with the Committee, review the cybersecurity awareness
>>>>>> programme at least once every twelve months to ensure that the programme is
>>>>>> adequate and that it remains up-to-date and relevant.
>>>>>>
>>>>>>
>>>>>> Question:
>>>>>>
>>>>>> Is this a role for NC4? Review curriculum on infrastructure *that it
>>>>>> does not own*. Any comments?
>>>>>>
>>>>>> :
>>>>>>
>>>>>> :
>>>>>>
>>>>>> :
>>>>>>
>>>>>> *What are your views, justifications and recommendations regarding
>>>>>> the following sections, and how do you interpret the regulations in
>>>>>> question?*
>>>>>>
>>>>>>
>>>>>>