The National Assembly approved the regulations that will provide a framework to monitor, detect and respond to cybersecurity threats within Kenya’s cyberspace and ensure the protection of the critical information structure.
The Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024 was approved after it was subjected to months of public participation.
Known as Legal Notice No. 44 of 2024, the regulations were drafted by the National Computer and Cybercrimes Coordination Committee (NC4) to operationalize the Computer Misuse and Cybercrimes Act, 2018.
Internal Security Principal Secretary Dr Raymond Omollo said the key aspects the CMCA Regulations address include protection measures for critical information infrastructure supporting critical economic sectors including telecoms, banking, transport and energy sectors, cybersecurity operations management using cybersecurity operations centres and cybercrimes management.
“The regulations propose establishing a National Cybersecurity Operations Center to enhance coordination and intelligence sharing among stakeholders,” he said.
The regulations also stipulate how to deal with issues of scams, identity theft, hacking and internet fraud and also address the cybercrime capacity and capability building for public, businesses, government institutions, and private entities to enhance their cybersecurity preparedness and prioritize cybersecurity.
It also provides for recovery plans in the event of a disaster, breach or loss of national critical information infrastructure or any part of it.
They require that cybercrime desks be established at all police stations and the National Police Service will organize specialized training for select officers who will be deployed to these desks.
“The personnel deployed to the cybercrimes desk contemplated under regulation 67 shall undergo specialized training in cybersecurity and digital forensics to enable them to effectively respond to cyber threats or incidents,” the regulations read.
The Ministry of Interior in September 2023 published a public participation and consultations notice inviting institutions, organizations and individuals to review and submit their comments on the draft regulations.
NC4 also held sectoral meetings with industry stakeholders of various sectors impacted by the regulations including ICT and telecommunications, energy, transport, manufacturing, industry, banking, insurance, finance, electoral and judicial.
The government says it is up to the task of ensuring a secure and resilient cyber environment in the country.
The NC4, chaired by Omollo, is a multi agency committee mandated to coordinate all cybersecurity matters in Kenya towards enabling timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes.
It also ensures a safe and trusted cyberspace through a coordinated approach while maximizing the benefits of a digital economy.
The Committee is composed of PS Internal Security, PS ICT, the Attorney-General, Chief of the Kenya Defense Forces, the Inspector-General, the Director-General of the National Intelligence Service and the Director-General of the Communications Authority of Kenya.
On July 24 2023, the NC4 recommended that all research and education institutions in Kenya be informed to implement necessary cybersecurity measures and share with the director of NC4 on any malicious traffic and incidents.
In a letter dated July 24, 2023 and addressed to the Executive Director of Kenya Education Network Trust (KENET), the NC4 director Col Evans Ombati said they had established in the recent past there has been increased and abnormal global internet traffic targeted at several Critical Information Infrastructures (CIIs) in Kenya, aimed at disrupting essential services.
“Telecommunications, banking and education sectors are the most targeted. These traffic constitute Distributed Denial of Service (DDoS) attacks,” Ombati said.
According to cyber experts, DDoS attacks have become more powerful and sophisticated.
In Africa, the Telecommunications industry remains the most attacked industry for the second consecutive quarter.
The Banking, Financial Services and Insurance (BFSI) industry follows as the second most attacked. The majority of the attack traffic originated from Asia (35 percent) and Europe (25 percent).
Last year, there were several unsuccessful cyber attack attempts targeting both government and the private sectors.
One of the attacks on the e-Citizen platform entailed an unsuccessful attempt to overload the system through extraordinary requests, with the intention of clogging it, but our technical teams blocked the source IP address where the requests were emanating from.
Email your news TIPS to Editor@kahawatungu.com or WhatsApp +254707482874