The state of Cyber Security in Kenya

Cyber Security in Kenya
Cyber Security illustration

The regulatory authority responsible for ICT, and specifically CyberSec in Kenya is the Communication Authority (CA) of Kenya. It was founded in 1999. It’s the body mandated with developing our cyber security management framework.

Kenya’s national point of contact on Cyber Security matters is the National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC), a multi-agency collaboration framework which is responsible for the national coordination of cyber security.

In May 2018 the Kenyan government responded to cyber breaches and other high profile cyber attacks by signing the Computer and Cyber Crime Act into law. This seems a strange decision, since legislation already exists that deals with these issues.

The Kenya Information Communication Act and the Penal Code and its regulations already criminalized several cybercrimes. It might have been amended to, for instance, increase the penalties for certain crimes. Instead its provisions have been superseded by the Computer and Cyber Crime Act. 

The newly unveiled National Computer and Cybercrimes Coordination Committee (NC4) has been tasked with cracking down on misuse of social media especially as the country approaches the General Election in 2022.

The NC4 has its roots established within the legal framework of the Computer Misuse and Cybercrimes Act (CMCA). The CMCA designates offences relating to computer systems and provides a framework to enable timely and effective detection, prohibition, prevention, response, investigation, and prosecution of computer and cybercrimes. Initially enacted in May 2018, the CMCA was immediately challenged before court by the Bloggers Association of Kenya (BAKE) on grounds that the provisions of the CMCA were unconstitutional. In February 2020, the challenged provisions were determined to be constitutional by High Court Judge James Makau. Disconcertingly, the courts have failed to successfully prosecute any individuals suspected of committing offences under the CMCA, despite Kenya experiencing an 11.9% increase in cyber threats since February 2020.

Kenya boasts the third-highest number of internet users on the continent. As such, it is no surprise that cyberattacks are a relatively common occurrence in the country. During the first seven months of 2020, Kenya accounted for a massive 50 percent of the total cyberattacks in Africa according to Kaspersky, a cybersecurity firm.

As the Kenyan population becomes ever more reliant on internet and communications technology (ICT), so too does the country’s critical infrastructure. Although this trend dramatically increases efficiency, it also increases the vulnerability of critical infrastructure to “costly, disruptive cyber attacks.” Kenya’s Mombasa port, a linchpin of the economy, is an especially enticing target (as well as an increasingly vulnerable one) for cyberattacks launched by either criminal elements seeking a massive payoff or state-supported actors hoping to hobble the Kenyan economy.

Policy Recommendations

The objectives of Kenya’s national cybersecurity strategy rightly prioritize public-private cooperation and the need for coordination in developing and implementing cybersecurity protocols. However, the national cybersecurity strategy falls short in a significant area: There is not a standardized timeline for the regular renewal of the strategy. The current strategy states that it should be “refresh[ed] as required.” Although better than a static document, there is a real need for an established and time-specific process for reworking the strategy (perhaps every four to five years). This process is especially important given the constantly and rapidly changing cyber threat environment.

The Kenyan government should also provide incentives for private sector stakeholders involved in critical infrastructure like the port of Mombasa to prioritize cybersecurity as they continue to modernize. Although there is a natural incentive for companies to implement effective cybersecurity measures to protect against revenue loss, this can be outweighed by the rush to modernize (and thus increase efficiency and potential profits). As a result, it is important that the government work to ensure that companies overseeing critical infrastructure or working with the government adhere to cybersecurity protocols.

Given the constantly advancing cyber capabilities of both nation states and non-state actors, Kenya faces a major challenge in protecting its sensitive information and interests. There are a multitude of actions that the government could take to mitigate this constant threat. Particularly, the government should reduce the vulnerability of its supply chain to software and hardware that are especially well suited for cyber espionage. This could be addressed by conducting frequent supply chain risk assessments to identify products, services, and companies that may pose a risk to cybersecurity. These assessments should be shared with key stakeholders throughout the government.

#knowYourSecurity #cybersecurity #ca

Hot this week

The Hidden Costs of Overengineering Security

Complex security systems often create more vulnerabilities than they prevent by overwhelming teams with noise and maintenance demands while missing actual threats.

The True Cost of Chasing Compliance Over Security

Compliance frameworks create a false sense of security while modern threats evolve beyond regulatory requirements. Learn how to build actual protection rather than just checking boxes.

The Hidden Risk of Over Reliance on AI Security Tools

Over reliance on AI security tools creates dangerous blind spots by weakening human analytical skills. True resilience comes from balancing technology with continuous team training and critical thinking.

The Quiet Dangers of Overlooking Basic Security Hygiene

Basic security hygiene prevents more breaches than advanced tools, yet most teams overlook fundamentals while chasing sophisticated threats.

Your Password Strategy Is Wrong and Making You Less Secure

The decades-old advice on password complexity is forcing users into insecure behaviors. Modern security requires a shift to passphrases, eliminating mandatory rotation, and embracing passwordless authentication.

Topics

The Hidden Costs of Overengineering Security

Complex security systems often create more vulnerabilities than they prevent by overwhelming teams with noise and maintenance demands while missing actual threats.

The True Cost of Chasing Compliance Over Security

Compliance frameworks create a false sense of security while modern threats evolve beyond regulatory requirements. Learn how to build actual protection rather than just checking boxes.

The Hidden Risk of Over Reliance on AI Security Tools

Over reliance on AI security tools creates dangerous blind spots by weakening human analytical skills. True resilience comes from balancing technology with continuous team training and critical thinking.

The Quiet Dangers of Overlooking Basic Security Hygiene

Basic security hygiene prevents more breaches than advanced tools, yet most teams overlook fundamentals while chasing sophisticated threats.

Your Password Strategy Is Wrong and Making You Less Secure

The decades-old advice on password complexity is forcing users into insecure behaviors. Modern security requires a shift to passphrases, eliminating mandatory rotation, and embracing passwordless authentication.

Why API Security Is Your Biggest Unseen Threat Right Now

APIs handle most web traffic but receive minimal security attention, creating massive unseen risks that traditional web security tools completely miss.

Security Teams Are Asking the Wrong Questions About AI

Banning AI tools is a failing strategy that creates shadow IT. Security teams must pivot to enabling safe usage through approved tools, clear guidelines, and employee training.

The Illusion of Secure by Default in Modern Cloud Services

Moving to the cloud does not automatically make you secure. Default configurations often create significant risks that organizations must actively address through proper tools and processes.
spot_img

Related Articles

Popular Categories