On 11th April 2024, the Ministry of Interior confirmed that the National Assembly had approved the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, referenced as Legal Notice No. 44 of 2024. The regulations were thoroughly reviewed and have now been aligned with the Constitution, the Statutory Instruments Act of 2023, and section 70 of the Computer Misuse and Cybercrimes Act, 2018.
Below, we discuss some of the key highlights of the regulations.
Overview
The new regulations provide a framework to monitor, detect, and respond to cybersecurity threats within Kenya’s cyberspace and ensure the protection of critical information infrastructure. Some of the key aspects addressed by the regulations include:
- Protection measures for critical information infrastructure supporting essential economic sectors such as telecommunications, banking, energy, and transport, including the localization of all such critical information infrastructure within Kenya.
- The establishment of Cybersecurity Operations Centres, whose mandate is to protect, monitor, detect, analyze, respond, and report on cybersecurity incidents and threats.
- The requirement for all critical information sectors to conduct annual cyber-risk assessment and business impact analyses for all relevant activities including products, services, business functions and processes.
- The establishment of special cybercrimes desks with trained personnel at every police station in Kenya.
Thus, the aim of the new regulations is to enhance cybersecurity operations management through the use of cybersecurity operations centers and improved cybercrime management.
The regulations also outline methods for tackling scams, identity theft, hacking, and online fraud. They emphasize the importance of building cybercrime capacity and capabilities across various sectors, including the public, businesses, government institutions, and private entities. The goal is to improve their cybersecurity readiness and elevate the priority of cybersecurity measures. The regulations also provide for recovery plans when a disaster occurs.
Cybersecurity operations centres
The main function of cybersecurity operations centres is to aid in the coordination of the collection and analysis of cyber threats. These cybersecurity operations centres include the following; national cybersecurity operations centre, sector cybersecurity operations centres, and the critical information infrastructure cybersecurity operations centres. These operation centres shall perform the following functions; monitor, analyze, and collect real time event, act as an alert system, vulnerability management, analyze and test malware, detect, monitor, and prevent threat, respond to and manage incidences, and detect intrusion, among others.
National Cyber Protection Framework: Enhancing Cybersecurity in Kenya
The Kenyan government is set to implement a robust National Cyber Protection Framework to enhance the country’s cyber-defense strategy. Under the guidance of the Committee established by section 6 (1) (j) of the Act, this framework aims to strengthen cybersecurity capabilities, promote information sharing, and support educational initiatives. The framework includes establishing a detailed cyber-defense strategy, creating a National Cybersecurity Academy for training and capacity building, and developing a system for information sharing among trusted networks.
In addition to these core elements, the framework will establish National Cybersecurity Certification Standards to ensure compliance with security requirements and develop operational standards for security automation within twelve months. These measures will include reference materials, checklists, and frameworks for continuous monitoring of information security, specifically designed to minimize risks associated with IT systems used by the government. The Committee will also maintain an up-to-date database of certified cybersecurity institutions and professionals to ensure transparency and credibility.
Furthermore, the Committee will collaborate with various entities, including public bodies, research institutions, private sector entities, and international organizations, to develop training programs, conduct research, create standards, and develop policies. The Committee’s additional responsibilities include formulating administrative guidance notes, researching emerging technologies, providing practical cybersecurity approaches, and measuring the impact of training programs. By implementing this framework, Kenya aims to create a secure cyber environment, promote continuous learning and improvement in cybersecurity practices, and foster collaboration across sectors to combat cyber threats effectively.
Cyber threats reporting
Under section 40 of the Act, the basis for reporting cyber threats includes several key objectives. Firstly, it aims to provide actionable information and complaints to form the basis for investigations and prosecutions. It also seeks to identify and measure cybercrime threats to citizens and organizations, helping to understand trends. Furthermore, it establishes communication channels between citizens, including victims and witnesses of cybercrime, and law enforcement agencies. Coordination between law enforcement and public authorities is emphasized, along with fostering a culture of cooperation and information sharing between the public and private sectors, as well as international cooperation.
In the event of a cybersecurity incident, owners of critical information infrastructure must comply with specific protocols. They are required to facilitate investigations by law enforcement agencies, mitigate the impact of incidents according to cybersecurity standards, and report incidents to the relevant Sectoral Cybersecurity Operations Centre within 24 hours. Detailed reporting is mandated, specifying the type and description of the threat, attack, or disruption, along with relevant evidence such as screenshots and malicious social media accounts. Reports can be submitted electronically or physically to the Committee using Form CMCA 7.
The establishment of cybercrimes desks at every police station and police post is mandated within twelve months, staffed by appropriately trained personnel. These desks will handle the reception, assessment, and escalation of cyber threats and incidents. Personnel will receive specialized training in cybersecurity and digital forensics. Public awareness campaigns will be conducted to educate citizens and organizations on the role of the cybersecurity desk and reporting methods. Additionally, anonymous reporting channels will be provided to allow individuals to disclose cyber incidents or crimes without fear of reprisal, ensuring that the reporting is done in the public interest and based on a reasonable belief in the veracity of the information.
Conclusion
Enhancing cybersecurity in Kenya through the establishment of robust Cybersecurity Operations Centres and efficient cyber threat reporting mechanisms is imperative for safeguarding the nation’s digital infrastructure. By investing in advanced technologies, fostering public-private partnerships, and promoting a culture of cybersecurity awareness, Kenya can effectively mitigate cyber threats and ensure a secure digital environment. These measures will not only protect sensitive data but also bolster economic growth and national security, positioning Kenya as a resilient and forward-thinking nation in the digital age.
For more insights pertaining to this matter, you can reach the writer at ndirangu@mmsadvocates.co.ke . You can also contact us at MMS Advocates, Lower Duplex Apartments, LOWER HILL ROAD, or email us at info@mmsadvocates.co.ke