Introduction
Vide Legal Notice No. 44 of 2024, the Ministry of Interior on 11th April 2024 confirmed that the National Assembly had approved the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024 (the Regulations). This enactment is in pursuit of aligning with the Constitution, the Statutory Instruments Act of 2023, and the Computer Misuse and Cybercrimes Act of 2018 (the Act).
The Regulations provide a robust framework to ensure the protection of critical information structures as well as to monitor, prevent, detect, and respond to cybersecurity threats within Kenya’s cyberspace.
Notable Aspects
The Regulations emphasize the importance of building cybercrime capacity and capabilities by the public, government institutions, businesses, and private entities to improve readiness and elevate the priority of cybersecurity measures. The following are the key highlights of the Regulations to ensure enhanced cybersecurity operations management:
- Establishment of Cybersecurity Operation Centres mandated to protect, monitor, detect, analyze, respond, and report on cybersecurity incidents and threats.
- Enforcement of Critical Information Infrastructure protection measures that support essential sectors such as banking, telecommunications, energy, and transport.
- Establishment of special cybercrime desks with trained personnel at every police station in Kenya.
- Requirement for the conduct of annual cyber-risk assessment and business impact analyses by all critical information sectors including services, products, business operations, and processes.
- Recovery and business continuity plans when a disaster occurs.
- Methods for tackling scams, identity theft, hacking, and online fraud in cyberspace and IoT.
To ensure an understanding of the above highlights, this article will delve into the key propositions captured in the Regulations that will help in navigating the ever-changing cybersecurity space.
Sector Implications
To sustain effectiveness, the Regulations will greatly affect the following stakeholders:
- The general public will benefit from the guidelines on cybersecurity responsibilities and rights.
- Owners of critical infrastructure will be tasked with adhering to stringent security measures and reporting requirements outlined in the Regulations.
- Internet Service Providers and Cybersecurity Service Providers must align operations with the Regulations to ensure compliance and enhance the overall security posture of the nation.
National Cyber Protection Framework: Enhancing Cybersecurity in Kenya
Under the guidance of the National Computer and Cybercrimes Coordination Committee (the Committee), established under the Act, the government is set to implement a robust National Cyber Protection Framework to strengthen cybersecurity capabilities, support educational initiatives, and promote information sharing. This would entail creating national cybersecurity training and capacity building, establishing a detailed cyber-defense strategy, and developing a trusted network or system for information sharing.
The Committee will also undertake collaborations with public bodies, research institutions, the private sector, and international organizations to develop training programs, create standards, conduct research, and develop policies. For instance, the establishment of the National Cybersecurity Certification Standards will ensure compliance with security requirements and develop operational standards for security automation. This will mandate the Committee to maintain an up-to-date database of certified cybersecurity institutions and professionals to ensure transparency and credibility. This will be done through the creation and adoption of reference materials, checklists, and policy frameworks to sustain continuous monitoring in a bid to minimize risks associated with information technology systems used by the government.
Additionally, the Committee will be instrumental in researching emerging technologies, providing practical cybersecurity approaches, formulating administrative guides, and measuring the impact of training programs.
Once in place, the framework will ensure a secure cyber environment and the improvement of cybersecurity practices, promote continuous learning, and help Kenya foster collaborations to combat cyber threats effectively.
Critical Information Infrastructure
Under the Act, Critical Information Infrastructure (CII) entails systems or data deemed essential for national security and public welfare located within Kenya. A system will be classified as CII if its disruption would result in interrupting sensitive services such as energy and health services, hence adversely affecting the Republic’s economy, causing massive casualties or fatalities, disrupting the money market significantly, and severely impacting national security, including military and intelligence operations.
As such, the Regulations mandate owners or operators of CIIs and related sectors to conduct cyber risk assessments and business impact analyses within twelve (12) months of the Regulations’ commencement to identify and prioritize potential internal and external threats to all products, services, business processes, and functions. To ensure this, the Director of the Committee must inform the system’s owner or operator of the designation of their infrastructure as CII within seven days. This directive will require the owner or operator to conduct risk assessments annually, develop incident response plans, implement suitable security measures, and ensure personnel are adequately trained in security best practices. The owner can also apply in writing to the Director for a system to be declared as CII and receive feedback from the Director within seven days. Significant changes to CII must be notified to the Director in advance, such as plans to locate critical information outside Kenya, which require the Committee’s approval in compliance with security standards.
The Regulations provide that CII must be protected, with access restricted to authorized personnel. To ensure adherence and effective follow-up, a Chief Information Security Officer (CISO) must be appointed by the owner to ensure that periodic reviews and awareness programs are conducted. Their presence is vital in ensuring a backup system is maintained to help information retrieval in case of loss, as well as integration with other infrastructures once safety standards are met.
Cybersecurity Operation Centres
They will include:
- Critical Information Infrastructure Cybersecurity Operations Centres (CIICOC),
- National Cybersecurity Operations Centre (NCOC), and
- Sector Cybersecurity Operations Centres (SCOC).
The CIICOC will undertake real-time monitoring, detection and investigation of threats to critical infrastructure, reporting to both national and sector centres. The SCOC will focus on sector-specific threats and report to the national centre, and the NCOC will serve as the primary point for national cybersecurity monitoring and investigation. Once these operations centres are in place, their main function will be aiding the coordination of the collection and analysis of cyber threats through submission of monthly briefs and annual compliance reports to the Committee to evaluate adherence. They shall also monitor, analyze and collect information in real time, analyze and test malware, detect, monitor and prevent threats, respond to and manage incidents, carry out vulnerability management, act as an alert system and detect intrusion.
Cyber Crime Reporting
In the event of a cybersecurity threat or incident, owners of critical information infrastructures will be required to facilitate investigations, mitigate the impacts of the incidents according to set cybersecurity standards and report these incidents to relevant Sectoral Cybersecurity Operations centres within a stipulated timeframe. This reporting will specify the type and description of the threat, attack or disruption along with relevant evidence such. These reports will be submitted electronically or physically to the Committee using CMCA 7 to ensure detailed reporting.
Computer crime and cybercrime desks, manned by appropriately trained personnel, will be established at every police station to handle the reception, assessment and escalation of cyber threats and incidents. With personnel receiving specialized training in cybersecurity and digital forensics, public awareness campaigns will be conducted to sensitize citizens and organizations on the role of the cybersecurity desks and reporting methods.
Most importantly, anonymous reporting channels will allow disclosure of cyber incidents or crimes without fear, ensuring that such reporting is done in the public interest and based on reasonable belief in the veracity of the information. As such, the Regulations emphasize implementation of the Data Protection Act 2019 when processing personal data under the Act.
Conclusion
Safeguarding the nation’s digital infrastructure remains key for Kenya to mitigate cyber threats and ensure a secure digital space. Investing in advanced technologies and solutions, promoting a culture of cybersecurity awareness and fostering public-private partnerships will go a long way to ensure resilience and bolster economic growth. By integrating robust regulatory frameworks and fostering collaboration between stakeholders, the Regulations aim to safeguard critical information infrastructure, bolster cybersecurity defenses and reduce cyber incidents whilst in effect operationalizing the mandate of the Computer Misuse and Cybercrimes Act.