The state of Cyber Security in Kenya

Cyber Security in Kenya
Cyber Security illustration

The regulatory authority responsible for ICT, and specifically CyberSec in Kenya is the Communication Authority (CA) of Kenya. It was founded in 1999. It’s the body mandated with developing our cyber security management framework.

Kenya’s national point of contact on Cyber Security matters is the National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC), a multi-agency collaboration framework which is responsible for the national coordination of cyber security.

In May 2018 the Kenyan government responded to cyber breaches and other high profile cyber attacks by signing the Computer and Cyber Crime Act into law. This seems a strange decision, since legislation already exists that deals with these issues.

The Kenya Information Communication Act and the Penal Code and its regulations already criminalized several cybercrimes. It might have been amended to, for instance, increase the penalties for certain crimes. Instead its provisions have been superseded by the Computer and Cyber Crime Act. 

The newly unveiled National Computer and Cybercrimes Coordination Committee (NC4) has been tasked with cracking down on misuse of social media especially as the country approaches the General Election in 2022.

The NC4 has its roots established within the legal framework of the Computer Misuse and Cybercrimes Act (CMCA). The CMCA designates offences relating to computer systems and provides a framework to enable timely and effective detection, prohibition, prevention, response, investigation, and prosecution of computer and cybercrimes. Initially enacted in May 2018, the CMCA was immediately challenged before court by the Bloggers Association of Kenya (BAKE) on grounds that the provisions of the CMCA were unconstitutional. In February 2020, the challenged provisions were determined to be constitutional by High Court Judge James Makau. Disconcertingly, the courts have failed to successfully prosecute any individuals suspected of committing offences under the CMCA, despite Kenya experiencing an 11.9% increase in cyber threats since February 2020.

Kenya boasts the third-highest number of internet users on the continent. As such, it is no surprise that cyberattacks are a relatively common occurrence in the country. During the first seven months of 2020, Kenya accounted for a massive 50 percent of the total cyberattacks in Africa according to Kaspersky, a cybersecurity firm.

As the Kenyan population becomes ever more reliant on internet and communications technology (ICT), so too does the country’s critical infrastructure. Although this trend dramatically increases efficiency, it also increases the vulnerability of critical infrastructure to “costly, disruptive cyber attacks.” Kenya’s Mombasa port, a linchpin of the economy, is an especially enticing target (as well as an increasingly vulnerable one) for cyberattacks launched by either criminal elements seeking a massive payoff or state-supported actors hoping to hobble the Kenyan economy.

Policy Recommendations

The objectives of Kenya’s national cybersecurity strategy rightly prioritize public-private cooperation and the need for coordination in developing and implementing cybersecurity protocols. However, the national cybersecurity strategy falls short in a significant area: There is not a standardized timeline for the regular renewal of the strategy. The current strategy states that it should be “refresh[ed] as required.” Although better than a static document, there is a real need for an established and time-specific process for reworking the strategy (perhaps every four to five years). This process is especially important given the constantly and rapidly changing cyber threat environment.

The Kenyan government should also provide incentives for private sector stakeholders involved in critical infrastructure like the port of Mombasa to prioritize cybersecurity as they continue to modernize. Although there is a natural incentive for companies to implement effective cybersecurity measures to protect against revenue loss, this can be outweighed by the rush to modernize (and thus increase efficiency and potential profits). As a result, it is important that the government work to ensure that companies overseeing critical infrastructure or working with the government adhere to cybersecurity protocols.

Given the constantly advancing cyber capabilities of both nation states and non-state actors, Kenya faces a major challenge in protecting its sensitive information and interests. There are a multitude of actions that the government could take to mitigate this constant threat. Particularly, the government should reduce the vulnerability of its supply chain to software and hardware that are especially well suited for cyber espionage. This could be addressed by conducting frequent supply chain risk assessments to identify products, services, and companies that may pose a risk to cybersecurity. These assessments should be shared with key stakeholders throughout the government.

#knowYourSecurity #cybersecurity #ca

Hot this week

The Myth of Perfect Security

Perfect security is a myth, and focusing on resilience rather than prevention can better protect your organization from inevitable breaches.

Why Traditional Passwords Are Failing Us

Password fatigue from complex rules often causes more security breaches than weak passwords, requiring a shift toward user-friendly tools and behaviors.

Why Your Employees Are Your Best Security Defense

Empowering employees with security awareness training often provides better protection than stacking more technology, turning human factors from a weakness into your strongest defense.

Why Most Security Awareness Training Fails and What to Do About It

Security awareness training often fails because it focuses on knowledge rather than behavior, but shifting to a behavior-based approach can lead to better outcomes and fewer incidents.

The Myth of Multifactor Authentication Security

Multifactor authentication enhances security but is not foolproof, as it can be bypassed through social engineering and technical exploits. Understanding its limitations and adopting stronger methods is essential for effective protection.

Topics

The Myth of Perfect Security

Perfect security is a myth, and focusing on resilience rather than prevention can better protect your organization from inevitable breaches.

Why Traditional Passwords Are Failing Us

Password fatigue from complex rules often causes more security breaches than weak passwords, requiring a shift toward user-friendly tools and behaviors.

Why Your Employees Are Your Best Security Defense

Empowering employees with security awareness training often provides better protection than stacking more technology, turning human factors from a weakness into your strongest defense.

Why Most Security Awareness Training Fails and What to Do About It

Security awareness training often fails because it focuses on knowledge rather than behavior, but shifting to a behavior-based approach can lead to better outcomes and fewer incidents.

The Myth of Multifactor Authentication Security

Multifactor authentication enhances security but is not foolproof, as it can be bypassed through social engineering and technical exploits. Understanding its limitations and adopting stronger methods is essential for effective protection.

Why MFA Is Not Enough Anymore

Multi-factor authentication is no longer a silver bullet for security as attackers develop new bypass methods, requiring a layered defense approach with phishing-resistant tools and continuous monitoring.

Why Phishing Still Works and What to Do About It

Phishing remains a top threat because it exploits human psychology, not just technical gaps. Shifting focus to employee awareness and habits can build stronger defenses than relying solely on technology.

Rethinking Password Security

Complex password rules often increase risk by encouraging poor habits. Learn how password managers and multi-factor authentication offer more practical protection for organizations of all sizes.
spot_img

Related Articles

Popular Categories