Discussion: Shaping Kenya’s Cybersecurity Ecosystem

Greetings William,

Interesting perspective. Are you implying that how we handle criminal
activities online should be differentiated from the same activities offline?

Regards

On Tue, Aug 20, 2024 at 10:44 AM william mathenge via KICTANet <
[email protected]> wrote:

> Dear Listers,
>
> This is a timely discussion indeed, but more importantly because it
> affords an opportunity into how we approach criminalization of cybercrimes/
> cyber enabled crimes.
>
> Research is growing into cyber-criminology and cyber-delinquency which has
> been seen to *predominantly occur among youth* – due to various factors
> e.g. pre-disposition as digital natives – this is across the continent
> (Yahooboyism) and the globe. This begs the question, what is the penal
> philosophy informing criminalization of conduct in the cyberspace? The
> current model of sanctions and punishment appears to take a securitized
> approach which will mean that effective investigation and prosecution of
> such offenders translates to a majority being highly skilled youth behind
> bars.
>
> There is an ongoing penal reform process across the justice sector
> advocating for alternatives to prosecution, trial and imprisonment. This
> creates an opportunity to reconsider the penal regime in the CMCA. The
> anchorage of restorative justice mechanisms such as alternatives to
> prosecution (e.g. diversion programmes) affords offenders (potentially
> young people) a second chance to reform and utilize their skills to more
> beneficial initiatives. It also creates a chance to contribute to crime
> prevention efforts against cybercrime/ cyberenabled crimes.
>
> I shall be publishing more later in the year and this was just but a
> snippet on cyber-criminological perspectives when criminalizing conduct in
> the cyberspace.
> Happy to engage more on the same and good day to all!
>
> with kind regards,
> William
>
> On Fri, Aug 16, 2024 at 3:57 PM A Mutheu via KICTANet <
> [email protected]> wrote:
>
>> Dear Mildred,
>>
>> You have raised very valid points … thank you … as indeed cyberbullying
>> is a pervasive social issue arising from the digital age’s anonymity. While
>> laws can punish egregious offenses, they cannot fully address the
>> underlying moral decay at the heart of the problem. The faceless nature
>> of the internet emboldens bullies, allowing them to inflict cruelty with
>> impunity, that they would hesitate to exhibit in person.
>>
>>
>> To foster a more ethical cyberspace, society must prioritize digital
>> literacy education, that promotes online and indeed offline empathy and
>> respect for others. We need to encourage open dialogue about online
>> behavior, support victims without shame, and hold social media platforms
>> accountable for their content moderation policies, which are crucial steps
>> towards creating a kinder digital environment. Ultimately, combating
>> cyberbullying requires a multi-faceted approach that addresses both the
>> technological and human dimensions of the issue.
>>
>> As regards *Chapter 6 of the Constitution that pertains to the
>> constitutional mandate for leadership and integrity for state officers*,
>> and the escalating prevalence of cyberbullying, Kenya’s leaders must
>> exemplify ethical online conduct. Regrettably, many engage in/or perpetuate
>> cyberbullying on various digital platforms, undermining their positions as
>> role models. As custodians of the nation’s values, they must recognize the
>> immense influence they wield and conduct themselves accordingly.
>> Conversely, numerous politicians, particularly women, endure severe
>> cyberbullying, especially during election periods, marring our electoral
>> process, and discouraging more women to stand for electoral positions.
>>
>> Cyberbullying among the political elite can be deterred through a
>> multi-faceted approach that can include:
>>
>> 1. *Stricter Regulations and Enforcement:* Imposing stringent
>> penalties for cyberbullying by public officials, including potential
>> disqualification from office, can serve as a strong deterrent.
>> 2. *Media Accountability:* Encouraging media outlets to hold
>> politicians accountable for their online behavior and to refrain from
>> amplifying cyberbullying content.
>> 3. *Digital Literacy Training:* Mandatory digital literacy training
>> for politicians to enhance their understanding of online etiquette and the
>> potential consequences of their actions.
>> 4. *Ethical Leadership:* Encouraging political parties to adopt
>> ethical codes of conduct that explicitly condemn cyberbullying and to
>> promote positive online engagement.
>>
>>
>> Would love to think what you and the other Listers think.
>>
>> Stay happy,
>> Mutheu.
>>
>>
>>
>> On Fri, Aug 16, 2024 at 3:00 PM Mildred Achoch <[email protected]>
>> wrote:
>>
>>> Dear Listers,
>>>
>>> Regarding public awareness and mental health, I would like to add a
>>> social/soft skills angle. It is said, you cannot legislate morality.
>>> Cyberbullying is also a social issue. What causes it? What conditions allow
>>> it or perpetuate it? Chapter 6 of the constitution (Leadership and
>>> Integrity) can be a helpful guide.
>>>
>>> Regards,
>>> Mildred Achoch.
>>>
>>> On Friday, August 16, 2024, A Mutheu via KICTANet <
>>> [email protected]> wrote:
>>>
>>>> Dear Brian,
>>>>
>>>> Thanks for your detailed insights. I have added my comments on some of
>>>> them to trigger further discussion with all of us listers i.e.:
>>>>
>>>> *Public Awareness:*
>>>> There is definitely an urgent need to enhance public cognizance of the
>>>> provisions and reach of the CMCA. To this end, how best can we achieve this,
>>>> i.e.:
>>>> 1. What strategies can be employed by both the government and private
>>>> sector to effectively educate the Kenyan public on the specific activities
>>>> that are considered cybercrimes under the Computer Misuse and Cybercrimes
>>>> Act, and the penalties associated with these offenses?
>>>>
>>>> 2. How can community-based organizations, schools, and mental health
>>>> advocates collaborate to address the rise in cyberbullying and its severe
>>>> consequences, such as mental health issues and suicide, by leveraging the
>>>> provisions of the Computer Misuse and Cybercrimes Act?
>>>>
>>>> 3. What role can social media platforms and influencers play in
>>>> promoting awareness and understanding of Kenya’s cybercrimes legislation,
>>>> and how can this be done in a way that deters nefarious activities like
>>>> cyber hacktivism, while fostering responsible online behavior?
>>>>
>>>> *Impact on privacy rights:*
>>>> The two sections you have quoted for ease of reference of all listers
>>>> are in the:
>>>> *First instance S. 53 on the interception of content data*; and in the
>>>> *Second instance S. 48 on search and seizure of stored computer data*.
>>>>
>>>> As regards S. 53 you noted that the CMCA grants law enforcement broad
>>>> powers to monitor and intercept communications, which could infringe on
>>>> citizens’ privacy rights. However, if you read the section in its entirety
>>>> in subsection (2) it states the conditions to be met whilst making the
>>>> application of such an order, and goes on in subsection (3)
>>>> to clarify that courts can't grant such orders until the aforementioned
>>>> conditions are met. S.53 goes on at subsection (4) to set a time limit
>>>> for which such an order can be applicable and then goes on at subsection
>>>> (5) to enumerate the conditions for extension of such a period.
>>>>
>>>> In cyberspace, the real-time collection of electronic evidence in
>>>> accordance with all legal due processes is crucial because digital trails
>>>> can quickly vanish, and attributing cybercrimes remains a significant
>>>> challenge. However, when conducted within the bounds of legal protocols,
>>>> this process should not infringe on privacy rights as enshrined in the
>>>> Constitution, as it ensures that evidence is gathered with respect for
>>>> individual freedoms, under judicial oversight, and with clear, justified
>>>> cause.
>>>>
>>>> *Which brings me to my question as regards S.53 … can you and/or the
>>>> Listers enumerate specific ways you feel these privacy rights can be better
>>>> secured?*
>>>>
>>>> As regards S.48 you noted that the ‘may’ in this section implies that
>>>> it is optional for the officers to seek a court order or warrant. This
>>>> interpretation is erroneous as search and seizure warrants are issued
>>>> based on probable cause (the may), meaning there is a reasonable belief
>>>> that evidence of a crime will be found, rather than absolute certainty, to
>>>> prevent the destruction or concealment of crucial evidence. Section 48
>>>> enumerates the specific grounds under which courts of competent
>>>> jurisdiction can issue those orders.
>>>>
>>>> *Which brings me to my question as regards S.48 … can you and/or the
>>>> Listers enumerate specific ways you feel these grounds for granting such
>>>> order can be better enhanced or do they suffice?*
>>>>
>>>> Albeit I am not privy to the full particulars of the Gen Z specific
>>>> cases, if the law enforcement officers acted contrary to the law as
>>>> alleged, then it’s not because the law permitted them to act in such a
>>>> manner. But that’s a whole other conversation – smile!
>>>>
>>>>
>>>> *Restriction of Freedom of Expression: *
>>>>
>>>> Section 22 pertains to false publication, and was one of the sections
>>>> the Bloggers Association & others had contested as regards CMCA and whose
>>>> petition the courts dismissed in Feb 2020.
>>>>
>>>>
>>>> The Kenyan Constitution grants us the right to freedom of expression
>>>> but limits this where it can negatively impact others, and/or put them in a
>>>> position of danger as enumerated in Section 24 of the Constitution
>>>> which is quoted in subsection (2) of S.22. As such it is arguable that the
>>>> definition, which you state is broad, is indeed grounded in the Mother
>>>> of All Kenyan Laws … The 2010 Constitution.
>>>>
>>>>
>>>> *Nevertheless, how do you and/or other Listers think we can better
>>>> enhance this section 22, with specific examples of how to?*
>>>>
>>>>
>>>> *Impact on Businesses and Individuals: *
>>>>
>>>> Cybersecurity, while a substantial financial outlay, is an
>>>> indispensable investment safeguarding both socioeconomic prosperity and
>>>> national security, necessitating a prioritization of the broader societal
>>>> benefits over the immediate costs of compliance when formulating relevant
>>>> legislation.
>>>>
>>>> If cybercrime were a country it would be the world’s third largest
>>>> economy after the US & China. A couple of years ago an Interpol report
>>>> noted that cybercrime cost Africa over USD 4 Billion, which is more than
>>>> the GDP of 12 African nations and for some of them double their GDP. Kenya
>>>> experiences the second highest cyber attacks on the African continent. So
>>>> it’s imperative we prioritize our cybersecurity posture and public
>>>> awareness which, yes, is costly.
>>>>
>>>> But you're spot on, without financial or technical assistance, the burden
>>>> of compliance may hinder the ability of smaller organizations to meet these
>>>> stringent requirements, potentially leading to penalties or even forcing
>>>> some out of business.
>>>>
>>>> What are possible solutions:
>>>>
>>>> The government could consider implementing support mechanisms, such as
>>>> grants, subsidies, or public-private partnerships, to help alleviate the
>>>> financial strain on smaller organizations. This would promote a more
>>>> equitable landscape, ensuring that all critical infrastructure, regardless
>>>> of the size of the organization, can meet the necessary cybersecurity
>>>> standards without undue hardship.
>>>>
>>>> Another approach could involve scaling the requirements based on the
>>>> size or capacity of the organization, allowing smaller entities to comply
>>>> at a level that is both manageable and effective.
>>>>
>>>> *I would love to hear your and other listers’ suggestions as regards
>>>> possible solutions so that we can effectively but more affordably secure
>>>> our nation’s cyberspace*.
>>>>
>>>>
>>>> *Conduciveness to Technological Advancement: *
>>>>
>>>> In your response you noted “*that some sections of the CMCA might
>>>> inadvertently stifle innovation by imposing regulations that are difficult
>>>> for innovators or small organizations to navigate*” *Can you please
>>>> list the sections you deem contentious for clarity of all of us listers?
>>>> This will also enable us all to better understand why you think they have a
>>>> potential for arbitrary enforcement, which will also create uncertainty for
>>>> innovators.*
>>>>
>>>>
>>>>
>>>> You further stated that “*The act does not mention anything on
>>>> responsible disclosure that innovators and researchers may lean on when
>>>> identifying potential issues that can be responsibly disclosed and as a
>>>> result strengthen the security systems and infrastructure that may be
>>>> exposed.” **Can you please suggest what type of disclosures you think
>>>> would better enhance the CMCA.*
>>>>
>>>>
>>>> Stay happy,
>>>>
>>>> Mutheu.
>>>>
>>>>
>>>>
>>>> On Thu, Aug 15, 2024 at 5:34 PM Brian Nyali via KICTANet <
>>>> [email protected]> wrote:
>>>>
>>>>> Dear David,
>>>>>
>>>>> Please find my detailed response below:
>>>>>
>>>>> *Section 1:*
>>>>>
>>>>> *Effectiveness in Preventing and Prosecuting Cybercrime *
>>>>>
>>>>> · Partially – The CMCA shows that the country has taken a step
>>>>> to put in place laws that criminalize cybercrime and allow prosecution of
>>>>> the same. It is dismally effective as a deterrent and as far as prosecution
>>>>> is concerned, I have yet to see effectiveness as it has mostly focused on
>>>>> social media-related issues on harassment and fake news, for other crimes
>>>>> the cases seem to be stuck in court for years which hardly makes it
>>>>> effective as a deterrent.
>>>>>
>>>>> *Provisions Hindering Effective Prosecution:*
>>>>>
>>>>> · Law enforcement at various stations in the country also need
>>>>> to be effectively trained on how to handle cybercrime-related incidents
>>>>> when individuals show up at police stations to either report or seek advice
>>>>> from the officers.
>>>>>
>>>>> *Public Awareness:*
>>>>>
>>>>> · Public Awareness is poorly done regarding the CMCA, a clear
>>>>> indication of this is on social media platforms where users have been
>>>>> subject to bullying, and others have called for the hacking of platforms
>>>>> all of which are crimes in the CMCA. The people don’t know what protections
>>>>> the CMCA offers.
>>>>>
>>>>>
>>>>>
>>>>> *Section 2: *
>>>>>
>>>>> *Impact on Privacy Rights: *
>>>>>
>>>>> – The CMCA grants law enforcement broad powers to monitor and
>>>>> intercept communications, which could infringe on citizens’ privacy rights.
>>>>> It states that “Where a police officer or an authorised person has
>>>>> reasonable grounds to believe that the content of any specifically
>>>>> identified electronic communications is required for the purposes of a
>>>>> specific investigation in respect of an offence, the police officer or
>>>>> authorised person may apply to the court for an order” and in another
>>>>> section “ Where a police officer or an authorised person has reasonable
>>>>> grounds to believe that there may be in a specified computer system or part
>>>>> of it, computer data storage medium, program, data, that— (a) is reasonably
>>>>> required for the purpose of a criminal investigation or criminal
>>>>> proceedings which may be material as evidence; or (b) has been acquired by
>>>>> a person as a result of the commission of an offence, the police officer or
>>>>> the authorised person may apply to the court for issue of a warrant to
>>>>> enter any premises to access, search and similarly seize such data.” the ‘
>>>>> *may*’ in these sections implies that it is optional for the
>>>>> officers to seek a court order or warrant.
>>>>> – During the recent “Gen Z” protests, some of the arrested people
>>>>> had their devices confiscated for ‘further analysis’ despite being released
>>>>> unconditionally. In my understanding, police should be required to
>>>>> provide a clear and specific explanation for the arrest and the reasons for
>>>>> seizing a person’s device. This explanation should be given in writing and
>>>>> should include the alleged crime and the connection of the device to the
>>>>> investigation if not a court order for the seizure.
>>>>>
>>>>> *Restriction of Freedom of Expression:*
>>>>>
>>>>> – Section 22 focuses on false publication in terms of “false”,
>>>>> “misleading” or “fictitious” information, this should not be abused to
>>>>> deter people from expressing themselves by publishing information in the
>>>>> form of opinions or satire. The broad definition of “false publications”
>>>>> under the CMCA has seemingly been used by the government and politicians to
>>>>> silence bloggers, journalists and social media users on various platforms.
>>>>>
>>>>>
>>>>>
>>>>> *Section 5: *
>>>>>
>>>>> *Impact on Businesses and Individuals:*
>>>>>
>>>>> · Impact on Businesses in Terms of Cybersecurity Practices and
>>>>> Investments- The CMCA’s requirements for critical information
>>>>> infrastructure are extensive such as the protection of, the storing of and
>>>>> archiving of data held by the critical information infrastructure; (c)
>>>>> cyber security incident management by the critical information
>>>>> infrastructure; (d) disaster contingency and recovery measures, which must
>>>>> be put in place by the critical information infrastructure; (e) minimum
>>>>> physical and technical security measures that must be implemented in order
>>>>> to protect the critical information infrastructure;
>>>>>
>>>>>
>>>>> Such requirements although necessary can be deemed as unfair since
>>>>> there are significant costs for compliance, such as hiring skilled
>>>>> personnel, training, purchasing equipment, storage, and securing licenses
>>>>> among others. The Act mandates stringent measures, but without providing
>>>>> financial or technical support, this places a disproportionate burden on
>>>>> organizations, especially smaller ones.
>>>>>
>>>>>
>>>>>
>>>>> *Section 6:*
>>>>>
>>>>> *Analysis of the Effectiveness of the CMCA in Embracing Emerging
>>>>> Technologies and the Associated Cyberthreats*
>>>>>
>>>>> *Conduciveness to Technological Advancement:*
>>>>>
>>>>> Some sections of the CMCA might inadvertently stifle innovation by
>>>>> imposing regulations that are difficult for innovators or small
>>>>> organizations to navigate. The potential for arbitrary enforcement also
>>>>> creates uncertainty for innovators.
>>>>>
>>>>> · The act does not mention anything on responsible disclosure
>>>>> that innovators and researchers may lean on when identifying potential
>>>>> issues that can be responsibly disclosed and as a result strengthen the
>>>>> security systems and infrastructure that may be exposed.
>>>>>
>>>>> · The CMCA allows the government to declare certain
>>>>> infrastructure as critical, with heavy regulatory requirements for
>>>>> cybersecurity, data protection, and incident management. While necessary,
>>>>> the lack of financial or technical support makes it difficult for smaller
>>>>> outfits to comply. High compliance costs and stringent requirements could
>>>>> deter new entrants or smaller firms from innovating in certain sectors or
>>>>> causing disruption in others lest they are deemed as critical
>>>>> infrastructure, potentially leading to reduced competition and innovation.
>>>>>
>>>>> *Addressing Emerging Technologies (AI, Blockchain, IoT, Quantum
>>>>> Computing, Cryptocurrency):*
>>>>>
>>>>> – The CMCA does not specifically address newer technologies like
>>>>> AI, blockchain, IoT, quantum computing, or cryptocurrency, leaving
>>>>> regulatory grey areas that could be exploited.
>>>>>
>>>>>
>>>>>
>>>>> *Section 7: General Questions*
>>>>>
>>>>> *Legal Uncertainties or Ambiguities in the Act:*
>>>>>
>>>>> – The word “may” implies that obtaining a court order or warrant
>>>>> is optional rather than mandatory. This leaves room for interpretation,
>>>>> which could lead to inconsistent enforcement. Some officers might proceed
>>>>> without a court order, while others might seek one, creating uncertainty
>>>>> for individuals and organizations about their rights and protections.
>>>>>
>>>>> *Capacity-Building Needs of Law Enforcement and Judiciary:*
>>>>>
>>>>> – Establish comprehensive training programs on digital forensics,
>>>>> cybercrime investigation, and evidence preservation. This could include
>>>>> mandatory courses for officers, specialized cybercrime units, and
>>>>> collaboration with cybersecurity experts.
>>>>> – Increase recruitment and training of officers specifically for
>>>>> those handling cybercrime-related cases. Allocate resources to ensure that
>>>>> these units are adequately staffed and equipped to handle the growing
>>>>> number of cases.
>>>>> – Consider the creation of a specialized cybercrime court to
>>>>> handle all cyber-related cases. Provide continuous training for judges and
>>>>> legal practitioners in this court to keep up with evolving technologies and
>>>>> cyber threats.
>>>>>
>>>>> *Robustness of Kenya’s Cybersecurity Infrastructure:*
>>>>>
>>>>> – Granted there have been significant improvements in Kenya’s
>>>>> cybersecurity posture, but the current state of Government and parastatal
>>>>> technology, resilience and infrastructure is significantly under-equipped
>>>>> and unable to address the challenges posed by rapidly advancing
>>>>> technologies and techniques in play by malicious actors.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *Kind regards,*
>>>>> *Brian M. Nyali.*
>>>>>
>>>>>
>>>>> On Thu, 15 Aug 2024 at 08:41, David Indeje via KICTANet <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Dear Listers,
>>>>>>
>>>>>> *Day 3:*
>>>>>>
>>>>>>
>>>>>> The CMCA has profound implications for businesses, individuals, and
>>>>>> the digital economy in Kenya. Its effectiveness in balancing innovation
>>>>>> with cybersecurity, addressing emerging technologies, and protecting
>>>>>> individual rights is a subject of ongoing debate. Today, we encourage
>>>>>> discussion on the challenges and opportunities presented by the CMCA
>>>>>> and explore potential solutions to enhance its effectiveness in shaping a
>>>>>> secure and vibrant digital future for Kenya.
>>>>>>
>>>>>>
>>>>>> *Section 5: Impact on Businesses and Individuals.*
>>>>>>
>>>>>> 1. How has the CMCA impacted businesses in Kenya in terms of
>>>>>> cybersecurity practices and investments?
>>>>>> 2. Do you believe the CMCA adequately protects the rights of
>>>>>> individuals in the digital space?
>>>>>> 3. Have there been any unintended consequences of the CMCA on
>>>>>> businesses or individuals?
>>>>>> 4. How has the CMCA affected the digital economy in Kenya?
>>>>>>
>>>>>> *Section 6: An analysis of the effectiveness of the CMCA to embrace
>>>>>> emerging technologies and the cyberthreats they pose therein.*
>>>>>>
>>>>>> 1. How does the CMCA balance the need for innovation with
>>>>>> cybersecurity?
>>>>>> 2. Does the Act create an environment conducive to technological
>>>>>> advancement or are there any provisions that stifle innovation?
>>>>>> 3. How well does the CMCA address emerging technologies such as
>>>>>> artificial intelligence, blockchain, Internet of Things (IoT), quantum
>>>>>> computing and cryptocurrency? What can be done to enhance its ability to
>>>>>> address these lacunas (if any).
>>>>>> 4. How can the legal framework provided by the CMCA be enhanced to
>>>>>> regulate the use of emerging technologies, while protecting
>>>>>> individual digital rights?
>>>>>>
>>>>>> *Section 7: General Questions.*
>>>>>>
>>>>>> 1. Are there any legal uncertainties or ambiguities in the Act
>>>>>> that hinder its effectiveness?
>>>>>> 2. What are the capacity-building needs of law enforcement and
>>>>>> the judiciary in addressing cybercrimes related to emerging technologies?
>>>>>> 3. Is the country’s cybersecurity infrastructure sufficiently
>>>>>> robust to address the challenges posed by emerging technologies?
>>>>>> 4. Any other relevant comment that you may wish to include as
>>>>>> regards the CMCA?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> —
>>>>>> *Kind Regards,*
>>>>>>
>>>>>> *David Indeje*
>>>>>>
>>>>>> *@**KICTANet* <www.kictanet.or.ke/>
>>>>>> * Communications *_____________________________________
>>>>>> +254 (0) 711 385 945 | +254 (0) 734 024 856
>>>>>> KICTANet portals
>>>>>> Connect With Us <linktr.ee/Kictanet>
>>>>>> ______________________________________
>>>>>>
>>>>>>
