Cyber security in Kenya
A few days ago, I met a bloke who is working on cyber security related projects in several African countries, including Kenya, and who wanted to seek my advice on the subject. In our chinwag, we focused on his core clientele market, which is Kenya.
As an advisor in the yet-to-be-published 2016 Cyber Crime laws, which have been described as a ploy to curtail freedom of expression in the country, especially on social media, the gap is likely widening between the scale and scope of harm to Kenya’s sovereignty, government systems, and commercial and intellectual property, and the ability of the National Intelligence Service and partner agencies to successfully mitigate that harm to an economy whose GDP currently stands at USD$70 billion.
Most can relate to the Nairobi government’s plan to build a USD$5 billion standard gauge railway line, at least in principle. But you might be alarmed to hear that the Kenyan government is investing only a fraction of that amount in protecting us from cyberattacks. Recent research suggests that now may be the time to think more deeply about having fewer infrastructure projects so that Kenya can afford to pay for the cyber defence of the civil sector. This is because Kenya is not spending anywhere near as much as other African countries on cyber defence, especially in the civil sector.
Early this year, having declared cyberattacks to be a national security threat, South Africa announced a spending plan of $800 million for urgent remedial policies, largely to protect the non-defence sector. In Nigeria, the defence ministry described the cyber threat as one of the great challenges facing the country and announced a broadly similar remedial plan to spend almost USD$400. By comparison, the latest Kenyan budget allocated around USD$50 million for one year, based on its new cyber security strategy released months back.
Yet the threats these three countries face are not different by the orders of magnitude suggested by budget comparisons. Early this year, the Kenyan government said that the country had never suffered a cyberattack seriously compromising national security, stability or prosperity. At the same time, it admitted that cyberattacks posed an “extraordinary threat to the national security, foreign policy and economy of Kenya.”
There are two important areas where Kenya is doing less than its African counterparts, and less than it needs to: protecting critical cyber infrastructure and fighting cybercrime.
Both of these areas of cyber policy have separate strategy documents, and there are no strong linkages between them or with the current Cyber Security Strategy action plan. At the beginning of the second half of this year, the Kenyan government issued two documents on critical infrastructure, a policy statement and a plan, one of which has a single page on cyberattack. But these documents use anodyne statements, such as ensuring the continuity of service delivery, rather than using the concept of an extreme cyber emergency that underpins the planning assumptions, exercises, research and operational preparation of Nigeria and South Africa.
In terms of research, Kenya is yet to set up a credible laboratory to conduct research on national resilience in the face of catastrophic and potentially cascading events that will likely require substantial time to assess, respond to, and recover from. For example, South Africa has already prepared for a terrorist cyber-enabled attack on nuclear power stations. This helps explain how the rainbow nation has taken cyber crime seriously. In the preface to the cyber security strategy, authorities have said Kenya needed to prepare for a significant cyber event, with an unspecified scale of effect. This exemplifies the laid-back tone of most Kenyan policy documents on this subject.
On cybercrime, the gap between need and policy is even more starkly visible. In the Cyber Security Strategy, the Kenyan government did not see cybercrime as an important focus. It did say that the country doesn’t have a good handle on how much such crime was costing the economy, citing one estimate of USD$400 million and another of USD$700 million. While collection of data on the cost of cybercrime is notoriously difficult, the wide range of this estimate is strong evidence of how low a priority this area of policy has been.
The Kenyan Cyber Security Strategy does make a commitment to develop and implement a training plan for specialists in the field of countering cybercrime, with no further detail. It also commits, in the broadest terms, to increasing the capacity of the Kenya Police Service and the Kenyan Criminal Investigation Directorate to counter cybercrime. In this area, the cyber strategy basically passed the buck. It suggested that the main source of policy was the national plan to combat cyber crime drawn up by the previous government. This is not much consolation, as that document lacks detail and certainly does not reveal a commitment of funding on a level likely to contain or reduce a cost to the economy estimated in the hundreds of millions of dollars.
The Kenyan government needs a more open and candid public conversation with key stakeholders about the sort of threat scenarios it faces, especially for cybercrime and significant cyber attack. It also needs to develop policies and agencies, funded appropriately, that can begin to perform on a level that matches the threats.