Discussion: Shaping Kenya’s Cybersecurity Ecosystem

Regarding public awareness and mental health, I would like to add a
social/soft skills angle. It is said, you cannot legislate morality.
Cyberbullying is also a social issue. What causes it? What conditions allow
it or perpetuate it? Chapter 6 of the constitution (Leadership and
Integrity) can be a helpful guide.

Regards,
Mildred Achoch.

On Friday, August 16, 2024, A Mutheu via KICTANet <
[email protected]> wrote:

> Dear Brain,
>
> Thanks for your detailed insights. I have added my comments on some of
> them to trigger further discussion with all of us listers i.e.:
>
> *Public Awareness:*
> There is definitely an urgent need to enhance public cognizance of the
> provisions and reach of the CMCA to this end how best can we achieve this
> i.e.:
> 1. What strategies can be employed by both the government and private
> sector to effectively educate the Kenyan public on the specific activities
> that are considered cybercrimes under the Computer Misuse and Cybercrimes
> Act, and the penalties associated with these offenses?
>
> 2. How can community-based organizations, schools, and mental health
> advocates collaborate to address the rise in cyberbullying and its severe
> consequences, such as mental health issues and suicide, by leveraging the
> provisions of the Computer Misuse and Cybercrimes Act?
>
> 3. What role can social media platforms and influencers play in promoting
> awareness and understanding of Kenya’s cybercrimes legislation, and how can
> this be done in a way that deters nefarious activities like cyber
> hacktivism, while fostering responsible online behavior?
>
> *Impact on privacy rights:*
> The two sections you have quoted for ease of reference of all listers are
> in the:
> *First instance S. 53 on the interception of content data*; and in the
> *Second instance S. 48 on search and seizure of stored computer data*.
>
> As regards S. 53 you noted that the CMCA grants law enforcement broad
> powers to monitor and intercept communications, which could infringe on
> citizens’ privacy rights. However, if you read the section in its entirety
> in subsection (2) it states the conditions to be met whilst making the
> application of such an order, and goes on in subsection (3)
> to clarify that courts cant grant such orders until the aforementioned
> conditions are met. S.53 goes on at subsection (4) to set a time limit
> for which such an order can be applicable and then goes on at subsection
> (5) to enumerate the conditions for extension of such a period.
>
> In cyberspace, the real-time collection of electronic evidence in
> accordance with all legal due processes is crucial because digital trails
> can quickly vanish, and attributing cybercrimes remains a significant
> challenge. However, when conducted within the bounds of legal protocols,
> this process should not infringe on privacy rights as enshrined in the
> Constitution, as it ensures that evidence is gathered with respect for
> individual freedoms, under judicial oversight, and with clear, justified
> cause.
>
> *Which brings me to my question as regards S.53 … can you and/or the
> Listers enumerate specific ways you feel these privacy rights can be better
> secured?*
>
> As regards S.48 you noted that the ‘may’ in this section implies that it
> is optional for the officers to seek a court order or warrant. This
> interpretation is erroneous as search and seizure warrants are issued
> based on probable cause (the may), meaning there is a reasonable belief
> that evidence of a crime will be found, rather than absolute certainty, to
> prevent the destruction or concealment of crucial evidence. Section 48
> enumerates the specific grounds under which courts of competent
> jurisdiction can issue those orders.
>
> *Which brings me to my question as regards S.48 … can you and/or the
> Listers enumerate specific ways you feel these grounds for granting such
> order can be better enhanced or do they suffice?*
>
> Albeit I am not privy to the full particulars of the Gen Z specific cases,
> if the law enforcement officers acted contrary to the law as alleged, then
> it’s not because the law permitted them to act in such a manner. But that’s
> a whole other conversation – smile!
>
>
> *Restriction of Freedom of Expression: *
>
> Section 22 pertains to false publication, and was one of the sections the
> Bloggers Association & others had contested as regards CMCA and whose
> petition the courts dismissed in Feb 2020.
>
>
> The Kenyan Constitution grants us the right to freedom of expression but
> limits this where it can negatively impact others, and/or put them in a
> position of danger as enumerated in Section 24 of the Constitution which
> is quoted in subsection (2) of S.22. As such it is arguable that
> definition, which you state is broad is indeed grounded in the Mother of
> All Kenyan Laws … The 2010 Constitution.
>
>
> *Nevertheless, how do you and/or other Listers think we can better enhance
> this section 22, with specific examples of how to?*
>
>
> *Impact on Businesses and Individuals: *
>
> Cybersecurity, while a substantial financial outlay, is an indispensable
> investment safeguarding both socioeconomic prosperity and national
> security, necessitating a prioritization of the broader societal benefits
> over the immediate costs of compliance when formulating relevant
> legislation.
>
> If cybercrime were a country it would be the world’s third largest economy
> after the US & China. A couple of years ago an Interpol report noted that
> cybercrime cost Africa over USD 4 Billion, which is more than the GDP of 12
> African nations and for some of them double their GDP. Kenya experiences
> the second highest cyber attacks on the African continent. So it’s
> imperative we prioritize our cybersecurity posture and public awareness
> which, yes, is costly.
>
> But your spot on, without financial or technical assistance, the burden of
> compliance may hinder the ability of smaller organizations to meet these
> stringent requirements, potentially leading to penalties or even forcing
> some out of business.
>
> What are possible solutions:
>
> The government could consider implementing support mechanisms, such as
> grants, subsidies, or public-private partnerships, to help alleviate the
> financial strain on smaller organizations. This would promote a more
> equitable landscape, ensuring that all critical infrastructure, regardless
> of the size of the organization, can meet the necessary cybersecurity
> standards without undue hardship.
>
> Another approach could involve scaling the requirements based on the size
> or capacity of the organization, allowing smaller entities to comply at a
> level that is both manageable and effective.
>
> *I would love to hear your and other listers’ suggestions as regards
> possible solutions so that we can effectively but more affordably secure
> our nation’s cyberspace*.
>
>
> *Conduciveness to Technological Advancement: *
>
> In your response you noted “*that some sections of the CMCA might
> inadvertently stifle innovation by imposing regulations that are difficult
> for innovators or small organizations to navigate*” *Can you please list
> the sections you deem contentious for clarity of all of us listers? This
> will also enable us all to better understand why you think they have a
> potential for arbitrary enforcement, which will also create uncertainty for
> innovators.*
>
>
>
> You further stated that “*The act does not mention anything on
> responsible disclosure that innovators and researchers may lean on when
> identifying potential issues that can be responsibly disclosed and as a
> result strengthen the security systems and infrastructure that may be
> exposed.” **Can you please suggest what type of disclosures you think
> would better enhance the CMCA.*
>
>
> Stay happy,
>
> Mutheu.
>
>
>
> On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet <
> [email protected]> wrote:
>
>> Dear David,
>>
>> Please find my detailed response below:
>>
>> *Section 1:*
>>
>> *Effectiveness in Preventing and Prosecuting Cybercrime *
>>
>> · Partially – The CMCA shows that the country has taken a step to
>> put in place laws that criminalize cybercrime and allow prosecution of the
>> same. It is dismally effective as a deterrent and as far as prosecution is
>> concerned, I have yet to see effectiveness as it has mostly focused on
>> social media-related issues on harassment and fake news, for other crimes
>> the cases seem to be stuck in court for years which hardly makes it
>> effective as a deterrent.
>>
>> *Provisions Hindering Effective Prosecution:*
>>
>> · Law enforcement at various stations in the country also need to
>> be effectively trained on how to handle cybercrime-related incidents when
>> individuals show up at police stations to either report or seek advice from
>> the officers.
>>
>> *Public Awareness:*
>>
>> · Public Awareness is poorly done regarding the CMCA, a clear
>> indication of this is on social media platforms where users have been
>> subject to bullying, and others have called for the hacking of platforms
>> all of which are crimes in the CMCA. The people don’t know what protections
>> the CMCA offers
>>
>>
>>
>> *Section 2: *
>>
>> *Impact on Privacy Rights: *
>>
>> – The CMCA grants law enforcement broad powers to monitor and
>> intercept communications, which could infringe on citizens’ privacy rights.
>> It states that “Where a police officer or an authorised person has
>> reasonable grounds to believe that the content of any specifically
>> identified electronic communications is required for the purposes of a
>> specific investigation in respect of an offence, the police officer or
>> authorised person may apply to the court for an order” and in another
>> section “ Where a police officer or an authorised person has reasonable
>> grounds to believe that there may be in a specified computer system or part
>> of it, computer data storage medium, program, data, that— (a) is reasonably
>> required for the purpose of a criminal investigation or criminal
>> proceedings which may be material as evidence; or (b) has been acquired by
>> a person as a result of the commission of an offence, the police officer or
>> the authorised person may apply to the court for issue of a warrant to
>> enter any premises to access, search and similarly seize such data.” the ‘
>> *may*’ in these section implies that it is optional for the officers
>> to seek a court order or warrant.
>> – During the recent “Gen Z” protests, some of the arrested people had
>> their devices confiscated for ‘further analysis’ despite being released
>> unconditionally. In my understanding, police should be required to
>> provide a clear and specific explanation for the arrest and the reasons for
>> seizing a person’s device. This explanation should be given in writing and
>> should include the alleged crime and the connection of the device to the
>> investigation if not a court order for the seizure.
>>
>> *Restriction of Freedom of Expression:*
>>
>> – Section 22 focuses on false publication in terms of “false”,
>> “misleading” or “fictitious” information, this should not be abused to
>> deter people from expressing themselves by publishing information in the
>> form of opinions or satire. The broad definition of “false publications”
>> under the CMCA has seemingly been used by the government and politicians to
>> silence bloggers, journalists and social media users on various platforms.
>>
>>
>>
>> *Section 5: *
>>
>> *Impact on Businesses and Individuals:*
>>
>> · Impact on Businesses in Terms of Cybersecurity Practices and
>> Investments- The CMCA’s requirements for critical information
>> infrastructure are extensive such as the protection of, the storing of and
>> archiving of data held by the critical information infrastructure; (c)
>> cyber security incident management by the critical information
>> infrastructure; (d) disaster contingency and recovery measures, which must
>> be put in place by the critical information infrastructure; (e) minimum
>> physical and technical security measures that must be implemented in order
>> to protect the critical information infrastructure;
>>
>>
>> Such requirements although necessary can be deemed as unfair since there
>> are significant costs for compliance, such as hiring skilled personnel,
>> training, purchasing equipment, storage, and securing licenses among
>> others. The Act mandates stringent measures, but without providing
>> financial or technical support, this places a disproportionate burden on
>> organizations, especially smaller ones.
>>
>>
>>
>> *Section 6:*
>>
>> *Analysis of the Effectiveness of the CMCA in Embracing Emerging
>> Technologies and the Associated Cyberthreats*
>>
>> *Conduciveness to Technological Advancement:*
>>
>> Some sections of the CMCA might inadvertently stifle innovation by
>> imposing regulations that are difficult for innovators or small
>> organizations to navigate. The potential for arbitrary enforcement also
>> creates uncertainty for innovators.
>>
>> · The act does not mention anything on responsible disclosure
>> that innovators and researchers may lean on when identifying potential
>> issues that can be responsibly disclosed and as a result strengthen the
>> security systems and infrastructure that may be exposed.
>>
>> · The CMCA allows the government to declare certain
>> infrastructure as critical, with heavy regulatory requirements for
>> cybersecurity, data protection, and incident management. While necessary,
>> the lack of financial or technical support makes it difficult for smaller
>> outfits to comply. High compliance costs and stringent requirements could
>> deter new entrants or smaller firms from innovating in certain sectors or
>> causing disruption in others lest they are deemed as critical
>> infrastructure, potentially leading to reduced competition and innovation.
>>
>> *Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum
>> Computing, Cryptocurrency):*
>>
>> – The CMCA does not specifically address newer technologies like AI,
>> blockchain, IoT, quantum computing, or cryptocurrency, leaving regulatory
>> grey areas that could be exploited.
>>
>>
>>
>> *Section 7: General Questions*
>>
>> *Legal Uncertainties or Ambiguities in the Act:*
>>
>> – The word “may” implies that obtaining a court order or warrant is
>> optional rather than mandatory. This leaves room for interpretation, which
>> could lead to inconsistent enforcement. Some officers might proceed without
>> a court order, while others might seek one, creating uncertainty for
>> individuals and organizations about their rights and protections.
>>
>> *Capacity-Building Needs of Law Enforcement and Judiciary:*
>>
>> – Establish comprehensive training programs on digital forensics,
>> cybercrime investigation, and evidence preservation. This could include
>> mandatory courses for officers, specialized cybercrime units, and
>> collaboration with cybersecurity experts.
>> – Increase recruitment and training of officers specifically for
>> those handling cybercrime-related cases. Allocate resources to ensure that
>> these units are adequately staffed and equipped to handle the growing
>> number of cases.
>> – Consider the creation of a specialized cybercrime court to handle
>> all cyber-related cases. Provide continuous training for judges and legal
>> practitioners in this court to keep up with evolving technologies and cyber
>> threats.
>>
>> *Robustness of Kenya’s Cybersecurity Infrastructure:*
>>
>> – Granted there have been significant improvements in Kenya’s
>> cybersecurity posture, but the current state of Government and parastatal
>> technology, resilience and infrastructure is significantly under-equipped
>> and unable to address the challenges posed by rapidly advancing
>> technologies and techniques in play by malicious actors.
>>
>>
>>
>>
>> *Kind regards,*
>> *Brian M. Nyali.*
>>
>>
>> On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <
>> [email protected]> wrote:
>>
>>> Dear Listers,
>>>
>>> *Day 3:*
>>>
>>>
>>> The CMCA has profound implications for businesses, individuals, and the
>>> digital economy in Kenya. Its effectiveness in balancing innovation with
>>> cybersecurity, addressing emerging technologies, and protecting individual
>>> rights is a subject of ongoing debate. Today, we encourage discussion on
>>> the challenges and opportunities presented by the CMCA and explore
>>> potential solutions to enhance its effectiveness in shaping a secure and
>>> vibrant digital future for Kenya.
>>>
>>>
>>> *Section 5: Impact on Businesses and Individuals.*
>>>
>>> 1. How has the CMCA impacted businesses in Kenya in terms of
>>> cybersecurity practices and investments?
>>> 2. Do you believe the CMCA adequately protects the rights of
>>> individuals in the digital space?
>>> 3. Have there been any unintended consequences of the CMCA on
>>> businesses or individuals?
>>> 4. How has the CMCA affected the digital economy in Kenya?
>>>
>>> *Section 6: An analysis of the effectiveness of the CMCA to embrace
>>> emerging technologies and the cyberthreats they pose therein.*
>>>
>>> 1. How does the CMCA balance the need for innovation with
>>> cybersecurity?
>>> 2. Does the Act create an environment conducive to technological
>>> advancement or are there any provisions that stifle innovation?
>>> 3. How well does the CMCA address emerging technologies such as
>>> artificial intelligence, blockchain, Internet of Things (IoT), quantum
>>> computing and cryptocurrency? What can be done to enhance its ability to
>>> address these lacunas (if any).
>>> 4. How can the legal framework provided by the CMCA be enhanced to
>>> regulate the use of emerging technologies, while protecting
>>> individual digital rights?
>>>
>>> *Section 7: General Questions.*
>>>
>>> 1. Are there any legal uncertainties or ambiguities in the Act that
>>> hinder its effectiveness?
>>> 2. What are the capacity-building needs of law enforcement and the
>>> judiciary in addressing cybercrimes related to emerging technologies?
>>> 3. Is the country’s cybersecurity infrastructure sufficiently robust
>>> to address the challenges posed by emerging technologies?
>>> 4. Any other relevant comment that you may wish to include as
>>> regards the CMCA?
>>>
>>>
>>>
>>>
>>>
>>> —
>>> *Kind Regards,*
>>>
>>> *David Indeje*
>>>
>>> *@**KICTANet* <www.kictanet.or.ke/>
>>> * Communications *_____________________________________
>>> +254 (0) 711 385 945 | +254 (0) 734 024 856
>>> KICTANet portals
>>> Connect With Us <linktr.ee/Kictanet>
>>> ______________________________________
>>>
>>>