Kenya needs to enhance its capacity in the legal, institutional and capacity in addressing challenges within the cybersecurity space. There is an urgent need to understand the rate at which the business is introducing new technologies and work out strategies for evolving its controls and processes at the same pace to accommodate that change.
These are some of the critical areas that emerged during a roundtable discussion hosted by the Kenya ICT Action Network in partnership with Global Partners Digital with the support of the United Kingdom that focused on the ways increase local stakeholder awareness of cybersecurity issues and to identify common cybersecurity priorities for Kenya in 2019.
The meeting identified collaborations, partnerships and capacity building as key areas to be prioritized in building a ‘digital resilient’ economy.
Dr. Fernando Wangila, CIO & ICT Director at National Transport and Safety Authority of Kenya said at the heart of the discourse was lack of awareness among the citizens.
“We are yet again to sensitise Kenyans on the level of computer misuse, security, and data privacy. People at a level of an organisation, we are looking at principles of CIA which is confidentiality, integrity, and availability which is more of internal phasing.”
However, within the public, “Our citizens operate on the level of password hygiene. For them, a password is equated to an innerwear, you should not let people see it, change often and never share it with strangers. That is how citizens know about cybersecurity. They only think of a password.”
Therefore, to have a better strategy to address cybersecurity, “There is need collaborate and come up with policies and laws that look at cybersecurity from a risk perspective.”
From a policy and legal perspective, Kenya has enacted the 2006 ICT Policy, the ICT Master plan, 2014 – 2017 and the National Cybersecurity Strategy, 2014, the Kenya Information and Communications Act, and the Computer Misuse and Cybercrimes Act, 2018. There is also a Senate Data Protection Bill, 2018 and a draft Data Protection Bill and Policy currently under development.
However, the draft ICT Policy developed in 2016 is yet to be adopted.
Participants were in agreement that having data security laws, “This is as critical as water” and therefore, called for the Data Protection Act and the Computer Misuse and Cybercrimes Act 2018 to be within the same jurisdiction.
Further, calls were made to expedited a review of the 2014 National Cybersecurity strategy may be outdated given the rapid developments in the nature and profile of cyber threats.
Grace Githaiga, Co-Convenor, KICTANet emphasised that cybersecurity is a role that cannot be left to the government alone, as all relevant stakeholders have a role to play based on their respective mandates. “Therefore, the development and implementation of policies, laws, and strategies on cybersecurity can only be effective when done through multistakeholder approaches,” she said adding that, “Some things just require awareness to the public. And that is what we citizens can effectively play a role.”
Dr. Katherine Getao, CEO ICT Authority acknowledged that cybersecurity is gaining traction and the country already had information security standards. According to her, “ICT is emerging differently in Kenya compared to other parts of the world. We need our own research center.”
Mr. William K. Kisang, MP Marakwet West, and Chair of the National Assembly ICT Committee said they have prioritised data protection and critical infrastructure as issues to be addressed.
Kisang said the enforcement gap is largely being driven by the difficulties in being able to conduct investigations. “As we pass the law, those who prosecute, investigate are important stakeholders when it comes to technology and the need to have an effective mechanism in place to address emerging challenges,” he told the participants.
Besides the quest for skills, capabilities required, Dr. Getao said “ The philosophical issues need discussion urgently. We cannot just remain on the technical level which I think is happening. This has to do with training because computer scientists were never trained to think that way. So as we are training lawyers, we also need to train other players philosophically. It is not the technology aspect only, but also common values that are shared within a society.”