The state is on course to operationalize its first robust law on cyber security to safeguard the country against cyberattacks.
The State Department for Internal Security and National Administration developed the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) 2023 draft regulations to operationalize the Computer Misuse and Cybercrimes Act (CMCA), 2018.
Implementation of the act faced headwinds; it was slowed down by court cases that challenged its constitutionality. However, in 2021, the Court of Appeal gave the green light, paving the way for the formulation of the regulations.
The regulations propose, among other things, the establishment of cyber security operation centres, critical information infrastructure, cyber security capability and capacity, and cyberthreat reporting mechanisms.
“The regulations cover several areas; on governance at the national level, we are expecting to have a national coordination centre where all issues on cyber security will be handled.
We will also have sector cyber security centres that will handle issues in each of the various sectors,” said Col. Evans Ombati, Co-Chair of the taskforce, during a public participation forum for Mombasa, Kwale, and Taita-Taveta held at the Regional Commissioner’s boardroom.
He added that all organisations offering critical infrastructure systems to the public will be expected to have operational centres.
“All police stations will have technically qualified officers who will be responsible for receiving reports from the public. The reports will be translated from the police stations to the sector operational centres to the national operations centres,” said Col. Ombati.
“Our objective is to ensure a holistic, stable, and secure environment for Kenyans to do business, buy products online, and have their information safe on their mobile phones,” he added.
The regulations also provide for sensitization and capacity building so that the public can practise good cyber hygiene when conducting business on the Internet. All owners of critical infrastructure will be required to keep their data in the country to facilitate any changes that may occur in their spaces.
All critical information infrastructure institutions will be registered and obliged to meet the minimum security requirements, including taking protective measures to safeguard those critical systems.
“They must be available, redundant, and not fail for even one second. At the same time, they will have staff to monitor the systems that are available and are not accessed illegally,” explained Col. Ombati.
Wanjiku Mbiyu, a member of the National Computer and Cybercrimes Coordination Committee (NC4), said they want many views from Kenyans from all walks of life to be incorporated in the final report before submission to parliament.
She said the laws were necessitated by the rapid digitization and the need to protect Kenyans and the critical national information infrastructures from cyberattacks.
“We are in a worldwide stage of digitization; we are in a digital economy where we are transacting digitally. It’s not like when our mothers were raising us, they would go to the bank physically. Right now I don’t need to go to the bank; I will just transact through my laptop, computer, or even my phone,” said Mbiyu.
Lina Rosa, a Mombasa resident, lauded the government for the regulations that she said will protect children who are vulnerable to online sexual exploitation and trafficking.
Barke Omar, another resident, called for the amendment of SIM card registration by telecommunication operators to use fingerprints in the acquisition of SIM cards instead of identity card numbers, which are prone to abuse.
By Sadik Hassan