The state is on course to operationalize its first robust law on cyber security to safeguard the country against cyber-attacks.
The State Department for Internal Security and National Administration developed the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) 2023 draft regulations to operationalize the Computer Misuse and Cybercrimes Act (CMCA), 2018.
Implementation of the act faced headwinds, it was slowed down by court cases that challenged its constitutionality. However, in 2021 the Court of Appeal gave the green light paving the way for the formulation of the regulations.
The regulations among others propose the establishment of cyber security operation centers, critical information infrastructure, cyber security capability and capacity, and cyber threats reporting mechanisms.
“The regulations cover several areas, on governance at the national level we are expecting to have a national coordination center where all issues on cyber security will be handled.
We will also have sector cyber security centers which will handle issues on each of the various sectors,” said Col. Evans Ombati Co-Chair of the task force during a public participation forum for Mombasa, Kwale, and Taita-Taveta held at the Regional Commissioner’s boardroom.
He added that all organizations offering critical infrastructure systems to the public will be expected to have operational centers.
“All police stations will have technical qualified officers who will be responsible for receiving reports from the public. The reports will be translated from the police stations to the sector operational centers to the national operations centers,” said Col. Ombati.
“Our objective is to ensure a whole time holistic stable secure environment for Kenyans to do business, buy products online, and have their information safe on their mobile phones,” he added.
The regulations also provide for sensitization and capacity building to the public to conduct their business hygienically on the Internet. All the critical infrastructure owners will be required to keep their data in the country to facilitate any that may occur in their spaces.
All critical information infrastructure institutions will be registered and obliged to obey the minimum security features that are required including putting protective measures to safeguards those critical systems.
“They must be available, redundant, and not fail even one second at the same time they will have staff to monitor the systems that are available and are not accessed illegally,” explained Col. Ombati.
Wanjiku Mbiyu, a member of the National Computer and Cybercrimes Coordination Committee (NC4) said they want many views from Kenyans from all walks of life to be incorporated in the final report before submission to parliament.
The laws, she said, were necessitated by the rapid digitization and the need to protect Kenyans and the national critical information infrastructures from cyber-attacks.
“We are in a worldwide stage of digitization; we are in a digital economy where we are transacting digitally. It’s not like when our mothers were raising us they would go to the banks physically. Right now I don’t need to go to the bank I will just transact through the laptop or computer or even my phone,” said Mbiyu.
Lina Rosa, a Mombasa resident lauded the government for the regulations that she said will protect children who are vulnerable to online sexual exploitation and trafficking.
Barke Omar, another resident called for the amendment of sim card registration by telecommunication operators to use fingerprints in the acquisition of sim cards instead of Identity card numbers which are prone to abuse.