Discussion: Shaping Kenya’s Cybersecurity Ecosystem

Dear Brain,

Thanks for your detailed insights. I have added my comments on some of them
to trigger further discussion with all of us listers i.e.:

*Public Awareness:*
There is definitely an urgent need to enhance public cognizance of the
provisions and reach of the CMCA to this end how best can we achieve this
i.e.:
1. What strategies can be employed by both the government and private
sector to effectively educate the Kenyan public on the specific activities
that are considered cybercrimes under the Computer Misuse and Cybercrimes
Act, and the penalties associated with these offenses?

2. How can community-based organizations, schools, and mental health
advocates collaborate to address the rise in cyberbullying and its severe
consequences, such as mental health issues and suicide, by leveraging the
provisions of the Computer Misuse and Cybercrimes Act?

3. What role can social media platforms and influencers play in promoting
awareness and understanding of Kenya’s cybercrimes legislation, and how can
this be done in a way that deters nefarious activities like cyber
hacktivism, while fostering responsible online behavior?

*Impact on privacy rights:*
The two sections you have quoted for ease of reference of all listers are
in the:
*First instance S. 53 on the interception of content data*; and in the
*Second instance S. 48 on search and seizure of stored computer data*.

As regards S. 53 you noted that the CMCA grants law enforcement broad
powers to monitor and intercept communications, which could infringe on
citizens’ privacy rights. However, if you read the section in its entirety
in subsection (2) it states the conditions to be met whilst making the
application of such an order, and goes on in subsection (3)
to clarify that courts cant grant such orders until the aforementioned
conditions are met. S.53 goes on at subsection (4) to set a time limit for
which such an order can be applicable and then goes on at subsection (5) to
enumerate the conditions for extension of such a period.

In cyberspace, the real-time collection of electronic evidence in
accordance with all legal due processes is crucial because digital trails
can quickly vanish, and attributing cybercrimes remains a significant
challenge. However, when conducted within the bounds of legal protocols,
this process should not infringe on privacy rights as enshrined in the
Constitution, as it ensures that evidence is gathered with respect for
individual freedoms, under judicial oversight, and with clear, justified
cause.

*Which brings me to my question as regards S.53 … can you and/or the
Listers enumerate specific ways you feel these privacy rights can be better
secured?*

As regards S.48 you noted that the ‘may’ in this section implies that it is
optional for the officers to seek a court order or warrant. This
interpretation is erroneous as search and seizure warrants are issued based
on probable cause (the may), meaning there is a reasonable belief that
evidence of a crime will be found, rather than absolute certainty, to
prevent the destruction or concealment of crucial evidence. Section 48
enumerates the specific grounds under which courts of competent
jurisdiction can issue those orders.

*Which brings me to my question as regards S.48 … can you and/or the
Listers enumerate specific ways you feel these grounds for granting such
order can be better enhanced or do they suffice?*

Albeit I am not privy to the full particulars of the Gen Z specific cases,
if the law enforcement officers acted contrary to the law as alleged, then
it’s not because the law permitted them to act in such a manner. But that’s
a whole other conversation – smile!

*Restriction of Freedom of Expression: *

Section 22 pertains to false publication, and was one of the sections the
Bloggers Association & others had contested as regards CMCA and whose
petition the courts dismissed in Feb 2020.

The Kenyan Constitution grants us the right to freedom of expression but
limits this where it can negatively impact others, and/or put them in a
position of danger as enumerated in Section 24 of the Constitution which is
quoted in subsection (2) of S.22. As such it is arguable that definition,
which you state is broad is indeed grounded in the Mother of All Kenyan
Laws … The 2010 Constitution.

*Nevertheless, how do you and/or other Listers think we can better enhance
this section 22, with specific examples of how to?*

*Impact on Businesses and Individuals: *

Cybersecurity, while a substantial financial outlay, is an indispensable
investment safeguarding both socioeconomic prosperity and national
security, necessitating a prioritization of the broader societal benefits
over the immediate costs of compliance when formulating relevant
legislation.

If cybercrime were a country it would be the world’s third largest economy
after the US & China. A couple of years ago an Interpol report noted that
cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12
African nations and for some of them double their GDP. Kenya experiences
the second highest cyber attacks on the African continent. So it’s
imperative we prioritize our cybersecurity posture and public awareness
which, yes, is costly.

But your spot on, without financial or technical assistance, the burden of
compliance may hinder the ability of smaller organizations to meet these
stringent requirements, potentially leading to penalties or even forcing
some out of business.

What are possible solutions:

The government could consider implementing support mechanisms, such as
grants, subsidies, or public-private partnerships, to help alleviate the
financial strain on smaller organizations. This would promote a more
equitable landscape, ensuring that all critical infrastructure, regardless
of the size of the organization, can meet the necessary cybersecurity
standards without undue hardship.

Another approach could involve scaling the requirements based on the size
or capacity of the organization, allowing smaller entities to comply at a
level that is both manageable and effective.

*I would love to hear your and other listers’ suggestions as regards
possible solutions so that we can effectively but more affordably secure
our nation’s cyberspace*.

*Conduciveness to Technological Advancement: *

In your response you noted “*that some sections of the CMCA might
inadvertently stifle innovation by imposing regulations that are difficult
for innovators or small organizations to navigate*” *Can you please list
the sections you deem contentious for clarity of all of us listers? This
will also enable us all to better understand why you think they have a
potential for arbitrary enforcement, which will also create uncertainty for
innovators.*

You further stated that “*The act does not mention anything on responsible
disclosure that innovators and researchers may lean on when identifying
potential issues that can be responsibly disclosed and as a result
strengthen the security systems and infrastructure that may be exposed.” **Can
you please suggest what type of disclosures you think would better enhance
the CMCA.*

Stay happy,

Mutheu.

On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet <
[email protected]> wrote:

> Dear David,
>
> Please find my detailed response below:
>
> *Section 1:*
>
> *Effectiveness in Preventing and Prosecuting Cybercrime *
>
> · Partially – The CMCA shows that the country has taken a step to
> put in place laws that criminalize cybercrime and allow prosecution of the
> same. It is dismally effective as a deterrent and as far as prosecution is
> concerned, I have yet to see effectiveness as it has mostly focused on
> social media-related issues on harassment and fake news, for other crimes
> the cases seem to be stuck in court for years which hardly makes it
> effective as a deterrent.
>
> *Provisions Hindering Effective Prosecution:*
>
> · Law enforcement at various stations in the country also need to
> be effectively trained on how to handle cybercrime-related incidents when
> individuals show up at police stations to either report or seek advice from
> the officers.
>
> *Public Awareness:*
>
> · Public Awareness is poorly done regarding the CMCA, a clear
> indication of this is on social media platforms where users have been
> subject to bullying, and others have called for the hacking of platforms
> all of which are crimes in the CMCA. The people don’t know what protections
> the CMCA offers
>
>
>
> *Section 2: *
>
> *Impact on Privacy Rights: *
>
> – The CMCA grants law enforcement broad powers to monitor and
> intercept communications, which could infringe on citizens’ privacy rights.
> It states that “Where a police officer or an authorised person has
> reasonable grounds to believe that the content of any specifically
> identified electronic communications is required for the purposes of a
> specific investigation in respect of an offence, the police officer or
> authorised person may apply to the court for an order” and in another
> section “ Where a police officer or an authorised person has reasonable
> grounds to believe that there may be in a specified computer system or part
> of it, computer data storage medium, program, data, that— (a) is reasonably
> required for the purpose of a criminal investigation or criminal
> proceedings which may be material as evidence; or (b) has been acquired by
> a person as a result of the commission of an offence, the police officer or
> the authorised person may apply to the court for issue of a warrant to
> enter any premises to access, search and similarly seize such data.” the ‘
> *may*’ in these section implies that it is optional for the officers
> to seek a court order or warrant.
> – During the recent “Gen Z” protests, some of the arrested people had
> their devices confiscated for ‘further analysis’ despite being released
> unconditionally. In my understanding, police should be required to
> provide a clear and specific explanation for the arrest and the reasons for
> seizing a person’s device. This explanation should be given in writing and
> should include the alleged crime and the connection of the device to the
> investigation if not a court order for the seizure.
>
> *Restriction of Freedom of Expression:*
>
> – Section 22 focuses on false publication in terms of “false”,
> “misleading” or “fictitious” information, this should not be abused to
> deter people from expressing themselves by publishing information in the
> form of opinions or satire. The broad definition of “false publications”
> under the CMCA has seemingly been used by the government and politicians to
> silence bloggers, journalists and social media users on various platforms.
>
>
>
> *Section 5: *
>
> *Impact on Businesses and Individuals:*
>
> · Impact on Businesses in Terms of Cybersecurity Practices and
> Investments- The CMCA’s requirements for critical information
> infrastructure are extensive such as the protection of, the storing of and
> archiving of data held by the critical information infrastructure; (c)
> cyber security incident management by the critical information
> infrastructure; (d) disaster contingency and recovery measures, which must
> be put in place by the critical information infrastructure; (e) minimum
> physical and technical security measures that must be implemented in order
> to protect the critical information infrastructure;
>
>
> Such requirements although necessary can be deemed as unfair since there
> are significant costs for compliance, such as hiring skilled personnel,
> training, purchasing equipment, storage, and securing licenses among
> others. The Act mandates stringent measures, but without providing
> financial or technical support, this places a disproportionate burden on
> organizations, especially smaller ones.
>
>
>
> *Section 6:*
>
> *Analysis of the Effectiveness of the CMCA in Embracing Emerging
> Technologies and the Associated Cyberthreats*
>
> *Conduciveness to Technological Advancement:*
>
> Some sections of the CMCA might inadvertently stifle innovation by
> imposing regulations that are difficult for innovators or small
> organizations to navigate. The potential for arbitrary enforcement also
> creates uncertainty for innovators.
>
> · The act does not mention anything on responsible disclosure that
> innovators and researchers may lean on when identifying potential issues
> that can be responsibly disclosed and as a result strengthen the security
> systems and infrastructure that may be exposed.
>
> · The CMCA allows the government to declare certain infrastructure
> as critical, with heavy regulatory requirements for cybersecurity, data
> protection, and incident management. While necessary, the lack of financial
> or technical support makes it difficult for smaller outfits to comply. High
> compliance costs and stringent requirements could deter new entrants or
> smaller firms from innovating in certain sectors or causing disruption in
> others lest they are deemed as critical infrastructure, potentially leading
> to reduced competition and innovation.
>
> *Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum Computing,
> Cryptocurrency):*
>
> – The CMCA does not specifically address newer technologies like AI,
> blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory
> grey areas that could be exploited.
>
>
>
> *Section 7: General Questions*
>
> *Legal Uncertainties or Ambiguities in the Act:*
>
> – The word “may” implies that obtaining a court order or warrant is
> optional rather than mandatory. This leaves room for interpretation, which
> could lead to inconsistent enforcement. Some officers might proceed without
> a court order, while others might seek one, creating uncertainty for
> individuals and organizations about their rights and protections.
>
> *Capacity-Building Needs of Law Enforcement and Judiciary:*
>
> – Establish comprehensive training programs on digital forensics,
> cybercrime investigation, and evidence preservation. This could include
> mandatory courses for officers, specialized cybercrime units, and
> collaboration with cybersecurity experts.
> – Increase recruitment and training of officers specifically for those
> handling cybercrime-related cases. Allocate resources to ensure that these
> units are adequately staffed and equipped to handle the growing number of
> cases.
> – Consider the creation of a specialized cybercrime court to handle
> all cyber-related cases. Provide continuous training for judges and legal
> practitioners in this court to keep up with evolving technologies and cyber
> threats.
>
> *Robustness of Kenya’s Cybersecurity Infrastructure:*
>
> – Granted there have been significant improvements in Kenya’s
> cybersecurity posture, but the current state of Government and parastatal
> technology, resilience and infrastructure is significantly under-equipped
> and unable to address the challenges posed by rapidly advancing
> technologies and techniques in play by malicious actors.
>
>
>
>
> *Kind regards,*
> *Brian M. Nyali.*
>
>
> On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <
> [email protected]> wrote:
>
>> Dear Listers,
>>
>> *Day 3:*
>>
>>
>> The CMCA has profound implications for businesses, individuals, and the
>> digital economy in Kenya. Its effectiveness in balancing innovation with
>> cybersecurity, addressing emerging technologies, and protecting individual
>> rights is a subject of ongoing debate. Today, we encourage discussion on
>> the challenges and opportunities presented by the CMCA and explore
>> potential solutions to enhance its effectiveness in shaping a secure and
>> vibrant digital future for Kenya.
>>
>>
>> *Section 5: Impact on Businesses and Individuals.*
>>
>> 1. How has the CMCA impacted businesses in Kenya in terms of
>> cybersecurity practices and investments?
>> 2. Do you believe the CMCA adequately protects the rights of
>> individuals in the digital space?
>> 3. Have there been any unintended consequences of the CMCA on
>> businesses or individuals?
>> 4. How has the CMCA affected the digital economy in Kenya?
>>
>> *Section 6: An analysis of the effectiveness of the CMCA to embrace
>> emerging technologies and the cyberthreats they pose therein.*
>>
>> 1. How does the CMCA balance the need for innovation with
>> cybersecurity?
>> 2. Does the Act create an environment conducive to technological
>> advancement or are there any provisions that stifle innovation?
>> 3. How well does the CMCA address emerging technologies such as
>> artificial intelligence, blockchain, Internet of Things (IoT), quantum
>> computing and cryptocurrency? What can be done to enhance its ability to
>> address these lacunas (if any).
>> 4. How can the legal framework provided by the CMCA be enhanced to
>> regulate the use of emerging technologies, while protecting
>> individual digital rights?
>>
>> *Section 7: General Questions.*
>>
>> 1. Are there any legal uncertainties or ambiguities in the Act that
>> hinder its effectiveness?
>> 2. What are the capacity-building needs of law enforcement and the
>> judiciary in addressing cybercrimes related to emerging technologies?
>> 3. Is the country’s cybersecurity infrastructure sufficiently robust
>> to address the challenges posed by emerging technologies?
>> 4. Any other relevant comment that you may wish to include as regards
>> the CMCA?
>>
>>
>>
>>
>>
>> —
>> *Kind Regards,*
>>
>> *David Indeje*
>>
>> *@**KICTANet* <www.kictanet.or.ke/>
>> * Communications *_____________________________________
>> +254 (0) 711 385 945 | +254 (0) 734 024 856
>> KICTANet portals
>> Connect With Us <linktr.ee/Kictanet>
>> ______________________________________
>>
>>