Discussion: Shaping Kenya’s Cybersecurity Ecosystem
Please find my detailed response below:
*Section 1:*
*Effectiveness in Preventing and Prosecuting Cybercrime *
· Partially – The CMCA shows that the country has taken a step to
put in place laws that criminalize cybercrime and allow prosecution of the
same. It is dismally effective as a deterrent and as far as prosecution is
concerned, I have yet to see effectiveness as it has mostly focused on
social media-related issues on harassment and fake news, for other crimes
the cases seem to be stuck in court for years which hardly makes it
effective as a deterrent.
*Provisions Hindering Effective Prosecution:*
· Law enforcement at various stations in the country also need to be
effectively trained on how to handle cybercrime-related incidents when
individuals show up at police stations to either report or seek advice from
the officers.
*Public Awareness:*
· Public Awareness is poorly done regarding the CMCA, a clear
indication of this is on social media platforms where users have been
subject to bullying, and others have called for the hacking of platforms
all of which are crimes in the CMCA. The people don’t know what protections
the CMCA offers
*Section 2: *
*Impact on Privacy Rights: *
– The CMCA grants law enforcement broad powers to monitor and intercept
communications, which could infringe on citizens’ privacy rights. It states
that “Where a police officer or an authorised person has reasonable
grounds to believe that the content of any specifically identified
electronic communications is required for the purposes of a specific
investigation in respect of an offence, the police officer or authorised
person may apply to the court for an order” and in another section “ Where
a police officer or an authorised person has reasonable grounds to believe
that there may be in a specified computer system or part of it, computer
data storage medium, program, data, that— (a) is reasonably required for
the purpose of a criminal investigation or criminal proceedings which may
be material as evidence; or (b) has been acquired by a person as a result
of the commission of an offence, the police officer or the authorised
person may apply to the court for issue of a warrant to enter any premises
to access, search and similarly seize such data.” the ‘*may*’ in these
section implies that it is optional for the officers to seek a court order
or warrant.
– During the recent “Gen Z” protests, some of the arrested people had
their devices confiscated for ‘further analysis’ despite being released
unconditionally. In my understanding, police should be required to
provide a clear and specific explanation for the arrest and the reasons for
seizing a person’s device. This explanation should be given in writing and
should include the alleged crime and the connection of the device to the
investigation if not a court order for the seizure.
*Restriction of Freedom of Expression:*
– Section 22 focuses on false publication in terms of “false”,
“misleading” or “fictitious” information, this should not be abused to
deter people from expressing themselves by publishing information in the
form of opinions or satire. The broad definition of “false publications”
under the CMCA has seemingly been used by the government and politicians to
silence bloggers, journalists and social media users on various platforms.
*Section 5: *
*Impact on Businesses and Individuals:*
· Impact on Businesses in Terms of Cybersecurity Practices and
Investments- The CMCA’s requirements for critical information
infrastructure are extensive such as the protection of, the storing of and
archiving of data held by the critical information infrastructure; (c)
cyber security incident management by the critical information
infrastructure; (d) disaster contingency and recovery measures, which must
be put in place by the critical information infrastructure; (e) minimum
physical and technical security measures that must be implemented in order
to protect the critical information infrastructure;
Such requirements although necessary can be deemed as unfair since there
are significant costs for compliance, such as hiring skilled personnel,
training, purchasing equipment, storage, and securing licenses among
others. The Act mandates stringent measures, but without providing
financial or technical support, this places a disproportionate burden on
organizations, especially smaller ones.
*Section 6:*
*Analysis of the Effectiveness of the CMCA in Embracing Emerging
Technologies and the Associated Cyberthreats*
*Conduciveness to Technological Advancement:*
Some sections of the CMCA might inadvertently stifle innovation by imposing
regulations that are difficult for innovators or small organizations to
navigate. The potential for arbitrary enforcement also creates uncertainty
for innovators.
· The act does not mention anything on responsible disclosure that
innovators and researchers may lean on when identifying potential issues
that can be responsibly disclosed and as a result strengthen the security
systems and infrastructure that may be exposed.
· The CMCA allows the government to declare certain infrastructure
as critical, with heavy regulatory requirements for cybersecurity, data
protection, and incident management. While necessary, the lack of financial
or technical support makes it difficult for smaller outfits to comply. High
compliance costs and stringent requirements could deter new entrants or
smaller firms from innovating in certain sectors or causing disruption in
others lest they are deemed as critical infrastructure, potentially leading
to reduced competition and innovation.
*Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing,
Cryptocurrency):*
– The CMCA does not specifically address newer technologies like AI,
blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory
grey areas that could be exploited.
*Section 7: General Questions*
*Legal Uncertainties or Ambiguities in the Act:*
– The word “may” implies that obtaining a court order or warrant is
optional rather than mandatory. This leaves room for interpretation, which
could lead to inconsistent enforcement. Some officers might proceed without
a court order, while others might seek one, creating uncertainty for
individuals and organizations about their rights and protections.
*Capacity-Building Needs of Law Enforcement and Judiciary:*
– Establish comprehensive training programs on digital forensics,
cybercrime investigation, and evidence preservation. This could include
mandatory courses for officers, specialized cybercrime units, and
collaboration with cybersecurity experts.
– Increase recruitment and training of officers specifically for those
handling cybercrime-related cases. Allocate resources to ensure that these
units are adequately staffed and equipped to handle the growing number of
cases.
– Consider the creation of a specialized cybercrime court to handle all
cyber-related cases. Provide continuous training for judges and legal
practitioners in this court to keep up with evolving technologies and cyber
threats.
*Robustness of Kenya’s Cybersecurity Infrastructure:*
– Granted there have been significant improvements in Kenya’s
cybersecurity posture, but the current state of Government and parastatal
technology, resilience and infrastructure is significantly under-equipped
and unable to address the challenges posed by rapidly advancing
technologies and techniques in play by malicious actors.
*Kind regards,*
*Brian M. Nyali.*
On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <
[email protected]> wrote:
> Dear Listers,
>
> *Day 3:*
>
>
> The CMCA has profound implications for businesses, individuals, and the
> digital economy in Kenya. Its effectiveness in balancing innovation with
> cybersecurity, addressing emerging technologies, and protecting individual
> rights is a subject of ongoing debate. Today, we encourage discussion on
> the challenges and opportunities presented by the CMCA and explore
> potential solutions to enhance its effectiveness in shaping a secure and
> vibrant digital future for Kenya.
>
>
> *Section 5: Impact on Businesses and Individuals.*
>
> 1. How has the CMCA impacted businesses in Kenya in terms of
> cybersecurity practices and investments?
> 2. Do you believe the CMCA adequately protects the rights of
> individuals in the digital space?
> 3. Have there been any unintended consequences of the CMCA on
> businesses or individuals?
> 4. How has the CMCA affected the digital economy in Kenya?
>
> *Section 6: An analysis of the effectiveness of the CMCA to embrace
> emerging technologies and the cyberthreats they pose therein.*
>
> 1. How does the CMCA balance the need for innovation with
> cybersecurity?
> 2. Does the Act create an environment conducive to technological
> advancement or are there any provisions that stifle innovation?
> 3. How well does the CMCA address emerging technologies such as
> artificial intelligence, blockchain, Internet of Things (IoT), quantum
> computing and cryptocurrency? What can be done to enhance its ability to
> address these lacunas (if any).
> 4. How can the legal framework provided by the CMCA be enhanced to
> regulate the use of emerging technologies, while protecting individual
> digital rights?
>
> *Section 7: General Questions.*
>
> 1. Are there any legal uncertainties or ambiguities in the Act that
> hinder its effectiveness?
> 2. What are the capacity-building needs of law enforcement and the
> judiciary in addressing cybercrimes related to emerging technologies?
> 3. Is the country’s cybersecurity infrastructure sufficiently robust
> to address the challenges posed by emerging technologies?
> 4. Any other relevant comment that you may wish to include as regards
> the CMCA?
>
>
>
>
>
> —
> *Kind Regards,*
>
> *David Indeje*
>
> *@**KICTANet* <www.kictanet.or.ke/>
> * Communications *_____________________________________
> +254 (0) 711 385 945 | +254 (0) 734 024 856
> KICTANet portals
> Connect With Us <linktr.ee/Kictanet>
> ______________________________________
>
>