Discussion: Shaping Kenya’s Cybersecurity Ecosystem

Dear Listers,

This is a timely discussion indeed, but more importantly because it affords
an opportunity into how we approach criminalization of cybercrimes/
cyber-enabled crimes.

Research is growing into cyber-criminology and cyber-delinquency which has
been seen to *predominantly occur among youth* – due to various factors
e.g. pre-disposition as digital natives – this is across the continent
(Yahooboyism) and the globe. This begs the question, what is the penal
philosophy informing criminalization of conduct in the cyberspace? The
current model of sanctions and punishment appears to take a securitized
approach which will mean that effective investigation and prosecution of
such offenders translates to a majority being highly skilled youth behind
bars.

There is an ongoing penal reform process across the justice sector
advocating for alternatives to prosecution, trial and imprisonment. This
creates an opportunity to reconsider the penal regime in the CMCA. The
anchorage of restorative justice mechanisms such as alternatives to
prosecution (e.g. diversion programmes) affords offenders (potentially
young people) a second chance to reform and utilize their skills to more
beneficial initiatives. It also creates a chance to contribute to crime
prevention efforts against cybercrime/cyber-enabled crimes.

I shall be publishing more later in the year and this was just but a
snippet on cyber-criminological perspectives when criminalizing conduct in
the cyberspace.
Happy to engage more on the same and good day to all!

with kind regards,
William

On Fri, Aug 16, 2024 at 3:57 PM A Mutheu via KICTANet <
[email protected]> wrote:

> Dear Mildred,
>
> You have raised very valid points … thank you … as indeed cyberbullying
> is a pervasive social issue arising from the digital age’s anonymity. While
> laws can punish egregious offenses, they cannot fully address the
> underlying moral decay at the heart of the problem. The faceless nature
> of the internet emboldens bullies, allowing them to inflict cruelty with
> impunity, that they would hesitate to exhibit in person.
>
>
> To foster a more ethical cyberspace, society must prioritize digital
> literacy education, that promotes online and indeed offline empathy and
> respect for others. We need to encourage open dialogue about online
> behavior, support victims without shame, and hold social media platforms
> accountable for their content moderation policies, which are crucial steps
> towards creating a kinder digital environment. Ultimately, combating
> cyberbullying requires a multi-faceted approach that addresses both the
> technological and human dimensions of the issue.
>
> As regards *Chapter 6 of the Constitution that pertains to the
> constitutional mandate for leadership and integrity for state officers*,
> and the escalating prevalence of cyberbullying, Kenya’s leaders must
> exemplify ethical online conduct. Regrettably, many engage in/or perpetuate
> cyberbullying on various digital platforms, undermining their positions as
> role models. As custodians of the nation’s values, they must recognize the
> immense influence they wield and conduct themselves accordingly.
> Conversely, numerous politicians, particularly women, endure severe
> cyberbullying, especially during election periods, marring our electoral
> process, and discouraging more women from standing for electoral positions.
>
> Cyberbullying among the political elite can be deterred through a
> multi-faceted approach that can include:
>
> 1. *Stricter Regulations and Enforcement:* Imposing stringent
> penalties for cyberbullying by public officials, including potential
> disqualification from office, can serve as a strong deterrent.
> 2. *Media Accountability:* Encouraging media outlets to hold
> politicians accountable for their online behavior and to refrain from
> amplifying cyberbullying content.
> 3. *Digital Literacy Training:* Mandatory digital literacy training
> for politicians to enhance their understanding of online etiquette and the
> potential consequences of their actions.
> 4. *Ethical Leadership:* Encouraging political parties to adopt
> ethical codes of conduct that explicitly condemn cyberbullying and to
> promote positive online engagement.
>
>
> Would love to think what you and the other Listers think.
>
> Stay happy,
> Mutheu.
>
>
>
> On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <[email protected]>
> wrote:
>
>> Dear Listers,
>>
>> Regarding public awareness and mental health, I would like to add a
>> social/soft skills angle. It is said, you cannot legislate morality.
>> Cyberbullying is also a social issue. What causes it? What conditions allow
>> it or perpetuate it? Chapter 6 of the constitution (Leadership and
>> Integrity) can be a helpful guide.
>>
>> Regards,
>> Mildred Achoch.
>>
>> On Friday, August 16, 2024, A Mutheu via KICTANet <
>> [email protected]> wrote:
>>
>>> Dear Brian,
>>>
>>> Thanks for your detailed insights. I have added my comments on some of
>>> them to trigger further discussion with all of us listers i.e.:
>>>
>>> *Public Awareness:*
>>> There is definitely an urgent need to enhance public cognizance of the
>>> provisions and reach of the CMCA. To this end, how best can we achieve
>>> this, i.e.:
>>> 1. What strategies can be employed by both the government and private
>>> sector to effectively educate the Kenyan public on the specific activities
>>> that are considered cybercrimes under the Computer Misuse and Cybercrimes
>>> Act, and the penalties associated with these offenses?
>>>
>>> 2. How can community-based organizations, schools, and mental health
>>> advocates collaborate to address the rise in cyberbullying and its severe
>>> consequences, such as mental health issues and suicide, by leveraging the
>>> provisions of the Computer Misuse and Cybercrimes Act?
>>>
>>> 3. What role can social media platforms and influencers play in
>>> promoting awareness and understanding of Kenya’s cybercrimes legislation,
>>> and how can this be done in a way that deters nefarious activities like
>>> cyber hacktivism, while fostering responsible online behavior?
>>>
>>> *Impact on privacy rights:*
>>> The two sections you have quoted for ease of reference of all listers
>>> are in the:
>>> *First instance S. 53 on the interception of content data*; and in the
>>> *Second instance S. 48 on search and seizure of stored computer data*.
>>>
>>> As regards S. 53 you noted that the CMCA grants law enforcement broad
>>> powers to monitor and intercept communications, which could infringe on
>>> citizens’ privacy rights. However, if you read the section in its entirety
>>> in subsection (2) it states the conditions to be met whilst making the
>>> application of such an order, and goes on in subsection (3)
>>> to clarify that courts can't grant such orders until the aforementioned
>>> conditions are met. S.53 goes on at subsection (4) to set a time limit
>>> for which such an order can be applicable and then goes on at subsection
>>> (5) to enumerate the conditions for extension of such a period.
>>>
>>> In cyberspace, the real-time collection of electronic evidence in
>>> accordance with all legal due processes is crucial because digital trails
>>> can quickly vanish, and attributing cybercrimes remains a significant
>>> challenge. However, when conducted within the bounds of legal protocols,
>>> this process should not infringe on privacy rights as enshrined in the
>>> Constitution, as it ensures that evidence is gathered with respect for
>>> individual freedoms, under judicial oversight, and with clear, justified
>>> cause.
>>>
>>> *Which brings me to my question as regards S.53 … can you and/or the
>>> Listers enumerate specific ways you feel these privacy rights can be better
>>> secured?*
>>>
>>> As regards S.48 you noted that the ‘may’ in this section implies that
>>> it is optional for the officers to seek a court order or warrant. This
>>> interpretation is erroneous as search and seizure warrants are issued
>>> based on probable cause (the may), meaning there is a reasonable belief
>>> that evidence of a crime will be found, rather than absolute certainty, to
>>> prevent the destruction or concealment of crucial evidence. Section 48
>>> enumerates the specific grounds under which courts of competent
>>> jurisdiction can issue those orders.
>>>
>>> *Which brings me to my question as regards S.48 … can you and/or the
>>> Listers enumerate specific ways you feel these grounds for granting such
>>> order can be better enhanced or do they suffice?*
>>>
>>> Albeit I am not privy to the full particulars of the Gen Z specific
>>> cases, if the law enforcement officers acted contrary to the law as
>>> alleged, then it’s not because the law permitted them to act in such a
>>> manner. But that’s a whole other conversation – smile!
>>>
>>>
>>> *Restriction of Freedom of Expression:*
>>>
>>> Section 22 pertains to false publication, and was one of the sections
>>> the Bloggers Association & others had contested as regards CMCA and whose
>>> petition the courts dismissed in Feb 2020.
>>>
>>>
>>> The Kenyan Constitution grants us the right to freedom of expression but
>>> limits this where it can negatively impact others, and/or put them in a
>>> position of danger as enumerated in Section 24 of the Constitution
>>> which is quoted in subsection (2) of S.22. As such it is arguable that
>>> the definition, which you state is broad, is indeed grounded in the Mother
>>> of All Kenyan Laws … The 2010 Constitution.
>>>
>>>
>>> *Nevertheless, how do you and/or other Listers think we can better
>>> enhance this section 22, with specific examples of how to?*
>>>
>>>
>>> *Impact on Businesses and Individuals:*
>>>
>>> Cybersecurity, while a substantial financial outlay, is an indispensable
>>> investment safeguarding both socioeconomic prosperity and national
>>> security, necessitating a prioritization of the broader societal benefits
>>> over the immediate costs of compliance when formulating relevant
>>> legislation.
>>>
>>> If cybercrime were a country it would be the world’s third largest
>>> economy after the US & China. A couple of years ago an Interpol report
>>> noted that cybercrime cost Africa over USD 4 Billion, which is more than
>>> the GDP of 12 African nations and for some of them double their GDP. Kenya
>>> experiences the second highest cyber attacks on the African continent. So
>>> it’s imperative we prioritize our cybersecurity posture and public
>>> awareness which, yes, is costly.
>>>
>>> But you're spot on, without financial or technical assistance, the burden
>>> of compliance may hinder the ability of smaller organizations to meet these
>>> stringent requirements, potentially leading to penalties or even forcing
>>> some out of business.
>>>
>>> What are possible solutions:
>>>
>>> The government could consider implementing support mechanisms, such as
>>> grants, subsidies, or public-private partnerships, to help alleviate the
>>> financial strain on smaller organizations. This would promote a more
>>> equitable landscape, ensuring that all critical infrastructure, regardless
>>> of the size of the organization, can meet the necessary cybersecurity
>>> standards without undue hardship.
>>>
>>> Another approach could involve scaling the requirements based on the
>>> size or capacity of the organization, allowing smaller entities to comply
>>> at a level that is both manageable and effective.
>>>
>>> *I would love to hear your and other listers’ suggestions as regards
>>> possible solutions so that we can effectively but more affordably secure
>>> our nation’s cyberspace*.
>>>
>>>
>>> *Conduciveness to Technological Advancement:*
>>>
>>> In your response you noted “*that some sections of the CMCA might
>>> inadvertently stifle innovation by imposing regulations that are difficult
>>> for innovators or small organizations to navigate*” *Can you please
>>> list the sections you deem contentious for clarity of all of us listers?
>>> This will also enable us all to better understand why you think they have a
>>> potential for arbitrary enforcement, which will also create uncertainty for
>>> innovators.*
>>>
>>>
>>>
>>> You further stated that “*The act does not mention anything on
>>> responsible disclosure that innovators and researchers may lean on when
>>> identifying potential issues that can be responsibly disclosed and as a
>>> result strengthen the security systems and infrastructure that may be
>>> exposed.*” *Can you please suggest what type of disclosures you think
>>> would better enhance the CMCA.*
>>>
>>>
>>> Stay happy,
>>>
>>> Mutheu.
>>>
>>>
>>>
>>> On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet <
>>> [email protected]> wrote:
>>>
>>>> Dear David,
>>>>
>>>> Please find my detailed response below:
>>>>
>>>> *Section 1:*
>>>>
>>>> *Effectiveness in Preventing and Prosecuting Cybercrime*
>>>>
>>>> · Partially – The CMCA shows that the country has taken a step
>>>> to put in place laws that criminalize cybercrime and allow prosecution of
>>>> the same. It is dismally effective as a deterrent and as far as prosecution
>>>> is concerned, I have yet to see effectiveness as it has mostly focused on
>>>> social media-related issues on harassment and fake news, for other crimes
>>>> the cases seem to be stuck in court for years which hardly makes it
>>>> effective as a deterrent.
>>>>
>>>> *Provisions Hindering Effective Prosecution:*
>>>>
>>>> · Law enforcement at various stations in the country also need
>>>> to be effectively trained on how to handle cybercrime-related incidents
>>>> when individuals show up at police stations to either report or seek advice
>>>> from the officers.
>>>>
>>>> *Public Awareness:*
>>>>
>>>> · Public Awareness is poorly done regarding the CMCA, a clear
>>>> indication of this is on social media platforms where users have been
>>>> subject to bullying, and others have called for the hacking of platforms
>>>> all of which are crimes in the CMCA. The people don’t know what protections
>>>> the CMCA offers.
>>>>
>>>>
>>>>
>>>> *Section 2:*
>>>>
>>>> *Impact on Privacy Rights:*
>>>>
>>>> – The CMCA grants law enforcement broad powers to monitor and
>>>> intercept communications, which could infringe on citizens’ privacy rights.
>>>> It states that “Where a police officer or an authorised person has
>>>> reasonable grounds to believe that the content of any specifically
>>>> identified electronic communications is required for the purposes of a
>>>> specific investigation in respect of an offence, the police officer or
>>>> authorised person may apply to the court for an order” and in another
>>>> section “Where a police officer or an authorised person has reasonable
>>>> grounds to believe that there may be in a specified computer system or part
>>>> of it, computer data storage medium, program, data, that— (a) is reasonably
>>>> required for the purpose of a criminal investigation or criminal
>>>> proceedings which may be material as evidence; or (b) has been acquired by
>>>> a person as a result of the commission of an offence, the police officer or
>>>> the authorised person may apply to the court for issue of a warrant to
>>>> enter any premises to access, search and similarly seize such data.” The
>>>> ‘*may*’ in these sections implies that it is optional for the
>>>> officers to seek a court order or warrant.
>>>> – During the recent “Gen Z” protests, some of the arrested people
>>>> had their devices confiscated for ‘further analysis’ despite being released
>>>> unconditionally. In my understanding, police should be required to
>>>> provide a clear and specific explanation for the arrest and the reasons for
>>>> seizing a person’s device. This explanation should be given in writing and
>>>> should include the alleged crime and the connection of the device to the
>>>> investigation if not a court order for the seizure.
>>>>
>>>> *Restriction of Freedom of Expression:*
>>>>
>>>> – Section 22 focuses on false publication in terms of “false”,
>>>> “misleading” or “fictitious” information, this should not be abused to
>>>> deter people from expressing themselves by publishing information in the
>>>> form of opinions or satire. The broad definition of “false publications”
>>>> under the CMCA has seemingly been used by the government and politicians to
>>>> silence bloggers, journalists and social media users on various platforms.
>>>>
>>>>
>>>>
>>>> *Section 5:*
>>>>
>>>> *Impact on Businesses and Individuals:*
>>>>
>>>> · Impact on Businesses in Terms of Cybersecurity Practices and
>>>> Investments- The CMCA’s requirements for critical information
>>>> infrastructure are extensive such as the protection of, the storing of and
>>>> archiving of data held by the critical information infrastructure; (c)
>>>> cyber security incident management by the critical information
>>>> infrastructure; (d) disaster contingency and recovery measures, which must
>>>> be put in place by the critical information infrastructure; (e) minimum
>>>> physical and technical security measures that must be implemented in order
>>>> to protect the critical information infrastructure;
>>>>
>>>>
>>>> Such requirements although necessary can be deemed as unfair since
>>>> there are significant costs for compliance, such as hiring skilled
>>>> personnel, training, purchasing equipment, storage, and securing licenses
>>>> among others. The Act mandates stringent measures, but without providing
>>>> financial or technical support, this places a disproportionate burden on
>>>> organizations, especially smaller ones.
>>>>
>>>>
>>>>
>>>> *Section 6:*
>>>>
>>>> *Analysis of the Effectiveness of the CMCA in Embracing Emerging
>>>> Technologies and the Associated Cyberthreats*
>>>>
>>>> *Conduciveness to Technological Advancement:*
>>>>
>>>> Some sections of the CMCA might inadvertently stifle innovation by
>>>> imposing regulations that are difficult for innovators or small
>>>> organizations to navigate. The potential for arbitrary enforcement also
>>>> creates uncertainty for innovators.
>>>>
>>>> · The act does not mention anything on responsible disclosure
>>>> that innovators and researchers may lean on when identifying potential
>>>> issues that can be responsibly disclosed and as a result strengthen the
>>>> security systems and infrastructure that may be exposed.
>>>>
>>>> · The CMCA allows the government to declare certain
>>>> infrastructure as critical, with heavy regulatory requirements for
>>>> cybersecurity, data protection, and incident management. While necessary,
>>>> the lack of financial or technical support makes it difficult for smaller
>>>> outfits to comply. High compliance costs and stringent requirements could
>>>> deter new entrants or smaller firms from innovating in certain sectors or
>>>> causing disruption in others lest they are deemed as critical
>>>> infrastructure, potentially leading to reduced competition and innovation.
>>>>
>>>> *Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum
>>>> Computing, Cryptocurrency):*
>>>>
>>>> – The CMCA does not specifically address newer technologies like
>>>> AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving
>>>> regulatory grey areas that could be exploited.
>>>>
>>>>
>>>>
>>>> *Section 7: General Questions*
>>>>
>>>> *Legal Uncertainties or Ambiguities in the Act:*
>>>>
>>>> – The word “may” implies that obtaining a court order or warrant is
>>>> optional rather than mandatory. This leaves room for interpretation, which
>>>> could lead to inconsistent enforcement. Some officers might proceed without
>>>> a court order, while others might seek one, creating uncertainty for
>>>> individuals and organizations about their rights and protections.
>>>>
>>>> *Capacity-Building Needs of Law Enforcement and Judiciary:*
>>>>
>>>> – Establish comprehensive training programs on digital forensics,
>>>> cybercrime investigation, and evidence preservation. This could include
>>>> mandatory courses for officers, specialized cybercrime units, and
>>>> collaboration with cybersecurity experts.
>>>> – Increase recruitment and training of officers specifically for
>>>> those handling cybercrime-related cases. Allocate resources to ensure that
>>>> these units are adequately staffed and equipped to handle the growing
>>>> number of cases.
>>>> – Consider the creation of a specialized cybercrime court to handle
>>>> all cyber-related cases. Provide continuous training for judges and legal
>>>> practitioners in this court to keep up with evolving technologies and cyber
>>>> threats.
>>>>
>>>> *Robustness of Kenya’s Cybersecurity Infrastructure:*
>>>>
>>>> – Granted there have been significant improvements in Kenya’s
>>>> cybersecurity posture, but the current state of Government and parastatal
>>>> technology, resilience and infrastructure is significantly under-equipped
>>>> and unable to address the challenges posed by rapidly advancing
>>>> technologies and techniques in play by malicious actors.
>>>>
>>>>
>>>>
>>>>
>>>> *Kind regards,*
>>>> *Brian M. Nyali.*
>>>>
>>>>
>>>> On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <
>>>> [email protected]> wrote:
>>>>
>>>>> Dear Listers,
>>>>>
>>>>> *Day 3:*
>>>>>
>>>>>
>>>>> The CMCA has profound implications for businesses, individuals, and
>>>>> the digital economy in Kenya. Its effectiveness in balancing innovation
>>>>> with cybersecurity, addressing emerging technologies, and protecting
>>>>> individual rights is a subject of ongoing debate. Today, we encourage
>>>>> discussion on the challenges and opportunities presented by the CMCA
>>>>> and explore potential solutions to enhance its effectiveness in shaping a
>>>>> secure and vibrant digital future for Kenya.
>>>>>
>>>>>
>>>>> *Section 5: Impact on Businesses and Individuals.*
>>>>>
>>>>> 1. How has the CMCA impacted businesses in Kenya in terms of
>>>>> cybersecurity practices and investments?
>>>>> 2. Do you believe the CMCA adequately protects the rights of
>>>>> individuals in the digital space?
>>>>> 3. Have there been any unintended consequences of the CMCA on
>>>>> businesses or individuals?
>>>>> 4. How has the CMCA affected the digital economy in Kenya?
>>>>>
>>>>> *Section 6: An analysis of the effectiveness of the CMCA to embrace
>>>>> emerging technologies and the cyberthreats they pose therein.*
>>>>>
>>>>> 1. How does the CMCA balance the need for innovation with
>>>>> cybersecurity?
>>>>> 2. Does the Act create an environment conducive to technological
>>>>> advancement or are there any provisions that stifle innovation?
>>>>> 3. How well does the CMCA address emerging technologies such as
>>>>> artificial intelligence, blockchain, Internet of Things (IoT), quantum
>>>>> computing and cryptocurrency? What can be done to enhance its ability to
>>>>> address these lacunas (if any).
>>>>> 4. How can the legal framework provided by the CMCA be enhanced to
>>>>> regulate the use of emerging technologies, while protecting
>>>>> individual digital rights?
>>>>>
>>>>> *Section 7: General Questions.*
>>>>>
>>>>> 1. Are there any legal uncertainties or ambiguities in the Act
>>>>> that hinder its effectiveness?
>>>>> 2. What are the capacity-building needs of law enforcement and the
>>>>> judiciary in addressing cybercrimes related to emerging technologies?
>>>>> 3. Is the country’s cybersecurity infrastructure sufficiently
>>>>> robust to address the challenges posed by emerging technologies?
>>>>> 4. Any other relevant comment that you may wish to include as
>>>>> regards the CMCA?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> —
>>>>> *Kind Regards,*
>>>>>
>>>>> *David Indeje*
>>>>>
>>>>> *@KICTANet* <www.kictanet.or.ke/>
>>>>> *Communications*