Discussion: Shaping Kenya’s Cybersecurity Ecosystem

On 16/08/2024 16.18, A Mutheu via KICTANet wrote:
> Dear Mildred,
>
> You have raised very valid points … thank you …  as indeed
> cyberbullying is a pervasive social issue arising from the digital age’s
> anonymity. While laws can punish egregious offenses, they cannot fully
> address the underlying moral decay at the heart of the problem. The
> faceless nature of the internet emboldens bullies, allowing them to
> inflict cruelty with impunity, that they would hesitate to exhibit in
> person.
>
>
> To foster a more ethical cyberspace, society must prioritize digital
> literacy education, that promotes online and indeed offline empathy and
> respect for others. We need to encourage open dialogue about online
> behavior, support victims without shame, and hold social media platforms
> accountable for their content moderation policies, which are crucial
> steps towards creating a kinder digital environment. Ultimately,
> combating cyberbullying requires a multi-faceted approach that addresses
> both the technological and human dimensions of the issue.
>
> As regards *Chapter 6 of the Constitution that pertains to the
> constitutional mandate for leadership and integrity for state officers*,
> and the escalating prevalence of cyberbullying, Kenya’s leaders must
> exemplify ethical online conduct. Regrettably, many engage in/or
> perpetuate cyberbullying on various digital platforms, undermining their
> positions as role models. As custodians of the nation’s values, they
> must recognize the immense influence they wield and conduct themselves
> accordingly. Conversely, numerous politicians, particularly women,
> endure severe cyberbullying, especially during election periods, marring
> our electoral process, and discouraging more women to stand for
> electoral positions.
>
> Cyberbullying among the political elite can be deterred through a
> multi-faceted approach that can include :
>
> 1. *Stricter Regulations and Enforcement:* Imposing stringent penalties
> for cyberbullying by public officials, including potential
> disqualification from office, can serve as a strong deterrent.
> 2. *Media Accountability:* Encouraging media outlets to hold
> politicians accountable for their online behavior and to refrain
> from amplifying cyberbullying content.
> 3. *Digital Literacy Training:* Mandatory digital literacy training for
> politicians to enhance their understanding of online etiquette and
> the potential consequences of their actions.
> 4. *Ethical Leadership:* Encouraging political parties to adopt ethical
> codes of conduct that explicitly condemn cyberbullying and to
> promote positive online engagement.
>
>
> Would love to think what you and the other Listers think.

The culture change should not just be confined to the press and
politicians. It is something that is needed more broadly. In
particular with social media and the ability to easily put content
online the creating a culture for what is appropriate to put online is
challenging. This is also a difficult area for internet governance as
what maybe considered acceptable in one region might not be considered
acceptable in another.

>
> Stay happy,
> Mutheu.
>
>
>
> On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <[email protected]
> <mailto:[email protected]>> wrote:
>
> Dear Listers,
>
> Regarding public awareness and mental health, I would like to add a
> social/soft skills angle. It is said, you cannot legislate morality.
> Cyberbullying is also a social issue. What causes it? What
> conditions allow it or perpetuate it? Chapter 6 of the constitution
> (Leadership and Integrity) can be a helpful guide.
>
> Regards,
> Mildred Achoch.
>
> On Friday, August 16, 2024, A Mutheu via KICTANet
> <[email protected]
> <mailto:[email protected]>> wrote:
>
> Dear Brain,
>
> Thanks for your detailed insights. I have added my comments on
> some of them to trigger further discussion with all of us
> listers i.e.:
>
> *Public Awareness:*
> There is definitely an urgent need to enhance public cognizance
> of the provisions and reach of the CMCA to this end how best can
> we achieve this i.e.:
> 1. What strategies can be employed by both the government and
> private sector to effectively educate the Kenyan public on the
> specific activities that are considered cybercrimes under the
> Computer Misuse and Cybercrimes Act, and the penalties
> associated with these offenses?
>

Some parts of the act are in need of revision. For example section 18
would prohibit general purpose computers as one can obtain password
cracking software relatively easily, an issue discussed in:

memex.craphound.com/2012/01/10/lockdown-the-coming-war-on-general-purpose-computing/

The section should just penalize use of said devices and software to
cause harm, not possession.

> 2. How can community-based organizations, schools, and mental
> health advocates collaborate to address the rise in
> cyberbullying and its severe consequences, such as mental health
> issues and suicide, by leveraging the provisions of the Computer
> Misuse and Cybercrimes Act?
>
> 3. What role can social media platforms and influencers play in
> promoting awareness and understanding of Kenya’s cybercrimes
> legislation, and how can this be done in a way that deters
> nefarious activities like cyber hacktivism, while fostering
> responsible online behavior?
>
> *Impact on privacy rights:*
> The two sections you have quoted for ease of reference of all
> listers are in the:
>  /First instance S. 53 on the interception of content data/; and
> in the
>  /Second instance S. 48  on search and seizure of stored
> computer data/.
>
> As regards S. 53 you noted that the CMCA grants law enforcement
> broad powers to monitor and intercept communications, which
> could infringe on citizens’ privacy rights. However, if you read
> the section in its entirety in subsection (2) it states the
> conditions to be met whilst making the application of such an
> order, and goes on in subsection (3)
> to clarify that courts cant grant such orders until the
> aforementioned conditions are met. S.53 goes on at subsection
> (4)to set a time limit for which such an order can be applicable
> and then goes on at subsection (5) to enumerate the conditions
> for extension of such a period.
>
> In cyberspace, the real-time collection of electronic evidence
> in accordance with all legal due processes is crucial because
> digital trails can quickly vanish, and attributing cybercrimes
> remains a significant challenge. However, when conducted within
> the bounds of legal protocols, this process should not infringe
> on privacy rights as enshrined in the Constitution, as it
> ensures that evidence is gathered with respect for individual
> freedoms, under judicial oversight, and with clear, justified
> cause.  
>
> *Which brings me to my question as regards S.53 … can you
> and/or the Listers enumerate specific ways you feel these
> privacy rights can be better secured?*
>
> As regards S.48 you noted that the ‘may’ in this section implies
> that it is optional for the officers to seek a court order or
> warrant. This interpretation is erroneous as search and seizure
> warrants are issued based on probable cause (the may), meaning
> there is a reasonable belief that evidence of a crime will be
> found, rather than absolute certainty, to prevent the
> destruction or concealment of crucial evidence. Section 48
> enumerates the specific grounds under which courts of competent
> jurisdiction can issue those orders.
>
> *Which brings me to my question as regards S.48 … can you
> and/or the Listers enumerate specific ways you feel these 
> grounds for granting such order can be better enhanced or do
> they suffice?*
>
> Albeit I am not privy to the full particulars of the Gen Z
> specific cases, if the law enforcement officers acted contrary
> to the law as alleged, then it’s not because the law permitted
> them to act in such a manner. But that’s a whole other
> conversation – smile!
>
> *
> *
>
> *Restriction of Freedom of Expression: *
>
> Section 22 pertains to false publication, and was one of the
> sections the Bloggers Association & others had contested as
> regards CMCA and whose petition the courts dismissed in Feb 2020.
>
>
> The Kenyan Constitution grants us the right to freedom of
> expression but limits this where it can negatively impact
> others, and/or put them in a position of danger as enumerated in
> Section 24 of the Constitution which is quoted in subsection (2)
> of S.22. As such it is arguable thatdefinition, which you state
> is broad is indeed grounded in the Mother of All Kenyan Laws …
> The 2010 Constitution.
>
> *
> *
>
> *Nevertheless, how do you and/or other Listers think we can
> better enhance this section 22, with specific examples of how to?*
>
> *
> *
>
> *Impact on Businesses and Individuals: *
>
> Cybersecurity, while a substantial financial outlay, is an
> indispensable investment safeguarding both socioeconomic
> prosperity and national security, necessitating a prioritization
> of the broader societal benefits over the immediate costs of
> compliance when formulating relevant legislation.
>
> If cybercrime were a country it would be the world’s third
> largest economy after the US & China. A couple of years ago an
> Interpol report noted that cybercrime cost Africa over USD 4
> Billion, which is more than the GDP of 12 African nations and
> for some of them double their GDP. Kenya experiences the second
> highest cyber attacks on the African continent. So it’s
> imperative we prioritize our cybersecurity posture and public
> awareness which, yes, is costly.
>
> But your spot on, without financial or technical assistance, the
> burden of compliance may hinder the ability of smaller
> organizations to meet these stringent requirements, potentially
> leading to penalties or even forcing some out of business. 
>
> What are possible solutions: 
>
> The government could consider implementing support mechanisms,
> such as grants, subsidies, or public-private partnerships, to
> help alleviate the financial strain on smaller organizations.
> This would promote a more equitable landscape, ensuring that all
> critical infrastructure, regardless of the size of the
> organization, can meet the necessary cybersecurity standards
> without undue hardship.
>
> Another approach could involve scaling the requirements based on
> the size or capacity of the organization, allowing smaller
> entities to comply at a level that is both manageable and effective.
>
> *I would love to hear your and other listers’ suggestions as
> regards possible solutions so that we can effectively but more
> affordably secure our nation’s cyberspace*.
>
> *
> *
>
> *Conduciveness to Technological Advancement: *
>
> In your response you noted “/that some sections of the CMCA
> might inadvertently stifle innovation by imposing regulations
> that are difficult for innovators or small organizations to
> navigate/” *Can you please list the sections you deem
> contentious for clarity of all of us listers? This will also
> enable us all to better understand why you think they have a
> potential for arbitrary enforcement, which will also create
> uncertainty for innovators.*
>
>  
>
> You further stated that “/The act does not mention anything on
> responsible disclosure that innovators and researchers may lean
> on when identifying potential issues that can be responsibly
> disclosed and as a result strengthen the security systems and
> infrastructure that may be exposed.” /*Can you please suggest
> what type of disclosures you think would better enhance the CMCA.*
>
> *
> *
>
> Stay happy,
>
> Mutheu.
>
>
>
>
> On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet
> <[email protected]
> <mailto:[email protected]>> wrote:
>
> Dear David,
>
> Please find my detailed response below:
>
>   *Section 1:*
>
> *Effectiveness in Preventing and Prosecuting Cybercrime *
>
> ·        Partially – The CMCA shows that the country has
> taken a step to put in place laws that criminalize
> cybercrime and allow prosecution of the same. It is dismally
> effective as a deterrent and as far as prosecution is
> concerned, I have yet to see effectiveness as it has mostly
> focused on social media-related issues on harassment and
> fake news, for other crimes the cases seem to be stuck in
> court for years which hardly makes it effective as a
> deterrent.**
>
> *Provisions Hindering Effective Prosecution:*
>
> ·        Law enforcement at various stations in the country
> also need to be effectively trained on how to handle
> cybercrime-related incidents when individuals show up at
> police stations to either report or seek advice from the
> officers.**
>
> *Public Awareness:*
>
> ·        Public Awareness is poorly done regarding the CMCA,
> a clear indication of this is on social media platforms
> where users have been subject to bullying, and others have
> called for the hacking of platforms all of which are crimes
> in the CMCA. The people don’t know what protections the CMCA
> offers
>
> * *
>
> *Section 2: *
>
> *Impact on Privacy Rights: *
>
> * The CMCA grants law enforcement broad powers to monitor
> and intercept communications, which could infringe on
> citizens’ privacy rights. It states that “Where a police
> officer or an authorised person has reasonable grounds
> to believe that the content of any specifically
> identified electronic communications is required for the
> purposes of a specific investigation in respect of an
> offence, the police officer or authorised person may
> apply to the court for an order” and in another section
> “ Where a police officer or an authorised person has
> reasonable grounds to believe that there may be in a
> specified computer system or part of it, computer data
> storage medium, program, data, that— (a) is reasonably
> required for the purpose of a criminal investigation or
> criminal proceedings which may be material as evidence;
> or (b) has been acquired by a person as a result of the
> commission of an offence, the police officer or the
> authorised person may apply to the court for issue of a
> warrant to enter any premises to access, search and
> similarly seize such data.” the ‘*may*’ in these section
> implies that it is optional for the officers to seek a
> court order or warrant.
> * During the recent “Gen Z” protests, some of the arrested
> people had their devices confiscated for ‘further
> analysis’ despite being released unconditionally. In my
> understanding, police should be required to provide a
> clear and specific explanation for the arrest and the
> reasons for seizing a person’s device. This explanation
> should be given in writing and should include the
> alleged crime and the connection of the device to the
> investigation if not a court order for the seizure.
>
> *Restriction of Freedom of Expression:*
>
> * Section 22 focuses on false publication in terms of
> “false”, “misleading” or “fictitious” information, this
> should not be abused to deter people from expressing
> themselves by publishing information in the form of
> opinions or satire. The broad definition of “false
> publications” under the CMCA has seemingly been used by
> the government and politicians to silence bloggers,
> journalists and social media users on various platforms.
>
>  
>
> *Section 5: *
>
> *Impact on Businesses and Individuals:*
>
> ·        Impact on Businesses in Terms of Cybersecurity
> Practices and Investments- The CMCA’s requirements for
> critical information infrastructure are extensive such as
> the protection of, the storing of and archiving of data held
> by the critical information infrastructure; (c) cyber
> security incident management by the critical information
> infrastructure; (d) disaster contingency and recovery
> measures, which must be put in place by the critical
> information infrastructure; (e) minimum physical and
> technical security measures that must be implemented in
> order to protect the critical information infrastructure;
>
>
> Such requirements although necessary can be deemed as unfair
> since there are significant costs for compliance, such as
> hiring skilled personnel, training, purchasing equipment,
> storage, and securing licenses among others. The Act
> mandates stringent measures, but without providing financial
> or technical support, this places a disproportionate burden
> on organizations, especially smaller ones.
>
>  
>
> *Section 6:*
>
> *Analysis of the Effectiveness of the CMCA in Embracing
> Emerging Technologies and the Associated Cyberthreats*
>
> *Conduciveness to Technological Advancement:*
>
> Some sections of the CMCA might inadvertently stifle
> innovation by imposing regulations that are difficult for
> innovators or small organizations to navigate. The potential
> for arbitrary enforcement also creates uncertainty for
> innovators.
>
> ·        The act does not mention anything on responsible
> disclosure that innovators and researchers may lean on when
> identifying potential issues that can be responsibly
> disclosed and as a result strengthen the security systems
> and infrastructure that may be exposed.
>
> ·        The CMCA allows the government to declare certain
> infrastructure as critical, with heavy regulatory
> requirements for cybersecurity, data protection, and
> incident management. While necessary, the lack of financial
> or technical support makes it difficult for smaller outfits
> to comply. High compliance costs and stringent requirements
> could deter new entrants or smaller firms from innovating in
> certain sectors or causing disruption in others lest they
> are deemed as critical infrastructure, potentially leading
> to reduced competition and innovation.
>
> *Addressing Emerging Technologies (AI, Blockchain, IoT,
> Quantum Computing, Cryptocurrency):*
>
> * The CMCA does not specifically address newer
> technologies like AI, blockchain, IoT, quantum
> computing, or cryptocurrency, leaving regulatory grey
> areas that could be exploited.
>
>  
>
> *Section 7: General Questions*
>
> *Legal Uncertainties or Ambiguities in the Act:*
>
> * The word “may” implies that obtaining a court order or
> warrant is optional rather than mandatory. This leaves
> room for interpretation, which could lead to
> inconsistent enforcement. Some officers might proceed
> without a court order, while others might seek one,
> creating uncertainty for individuals and organizations
> about their rights and protections.
>
> *Capacity-Building Needs of Law Enforcement and Judiciary:*
>
> * Establish comprehensive training programs on digital
> forensics, cybercrime investigation, and evidence
> preservation. This could include mandatory courses for
> officers, specialized cybercrime units, and
> collaboration with cybersecurity experts.
> * Increase recruitment and training of officers
> specifically for those handling cybercrime-related
> cases. Allocate resources to ensure that these units are
> adequately staffed and equipped to handle the growing
> number of cases.
> * Consider the creation of a specialized cybercrime court
> to handle all cyber-related cases. Provide continuous
> training for judges and legal practitioners in this
> court to keep up with evolving technologies and cyber
> threats.
>
> *Robustness of Kenya’s Cybersecurity Infrastructure:*
>
> * Granted there have been significant improvements in
> Kenya’s cybersecurity posture, but the current state of
> Government and parastatal technology, resilience and
> infrastructure is significantly under-equipped and
> unable to address the challenges posed by rapidly
> advancing technologies and techniques in play by
> malicious actors.
>
>
>
> *Kind regards,
> *
> *Brian M. Nyali.*
>
>
> On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet
> <[email protected]
> <mailto:[email protected]>> wrote:
>
> Dear Listers,
>
> *Day 3:*
>
> *
> *
>
> The CMCA has profound implications for businesses,
> individuals, and the digital economy in Kenya. Its
> effectiveness in balancing innovation with
> cybersecurity, addressing emerging technologies, and
> protecting individual rights is a subject of ongoing
> debate. Today, we encourage discussion on the challenges
> and opportunities presented by the CMCAand explore
> potential solutions to enhance its effectiveness in
> shaping a secure and vibrant digital future for Kenya.
>
>
> *Section 5: Impact on Businesses and Individuals.*
>
> 1. How has the CMCA impacted businesses in Kenya in
> terms of cybersecurity practices and investments?
> 2. Do you believe the CMCA adequately protects the
> rights of individuals in the digital space?
> 3. Have there been any unintended consequences of the
> CMCA on businesses or individuals?
> 4. How has the CMCA affected thedigital economy in Kenya?
>
> *Section 6: An analysis of the effectiveness of the CMCA
> to embrace emerging technologies and the
> cyberthreatsthey pose therein.*
>
> 1. How does the CMCA balance the need for innovation
> with cybersecurity? 
> 2. Does the Act create an environment conducive to
> technological advancement or are there any
> provisions that stifle innovation?
> 3. How well does the CMCA address emerging technologies
> such as artificial intelligence, blockchain,
> Internet of Things (IoT), quantum computing and
> cryptocurrency? What can be done to enhance its
> ability to address these lacunas (if any).
> 4. How can the legal framework provided by the CMCA be
> enhanced to  regulatethe use of emerging
> technologies, while protecting individual digital
> rights?
>
> *Section 7: General Questions.*
>
> 1. Are there any legal uncertainties or ambiguities in
> the Act that hinder its effectiveness?
> 2. What are the capacity-building needs of law
> enforcement and the judiciary in addressing
> cybercrimes related to emerging technologies?
> 3. Is the country’s cybersecurity infrastructure
> sufficiently robust to address the challenges posed
> by emerging technologies?
> 4. Anyother relevant comment that you may wish to
> include as regards the CMCA?
>
>
>
>
>
> —
> *Kind Regards,*
>
> **
>
> *David Indeje*
>