BY PETER WANYONYI
Kenya lacks a workable cyber-security strategy. Vision 2030, our much-touted strategic set of goals in various sectors that is supposed to foster economic growth and promote the country to middle-income status by the year 2030, has a section on cyber-security that is further expanded upon in the National ICT Master Plan, with specific goals and milestones to be achieved on the path to enhancing and then trying to achieve cybersecurity. The whole plan is a complete farce.
This would be funny if it weren’t so tragic: just a couple months ago, the Cabinet Secretary for Devolution informed the public that someone stole the password of a senior National Youth Service official, and used it to authorise payments running into the hundreds of millions. This is far from the only incident involving dodgy access to State computer systems: Kenyans will remember the innumerable occasions on which government has blamed one or other nebulous entity for allegedly hacking into government computer systems to carry out unauthorised tasks, either for monetary or political purposes.
And of course users of mobile money will be familiar with the thousands of cases in which innocent subscribers are conned of money by criminals masquerading as either mistaken money transfer agents, or even pretending to be the mobile phone companies themselves. Cyber-crime in Kenya is real, and as we move more and more towards m-commerce and related activities, it will get worse and will invariably involve unscrupulous individuals trying to defraud the public or the state using one or other electronic medium.
Against this backdrop, it is disappointing to see that the National Cyber-Security Strategy is little more than a wishy-washy listing of pointless bullet-points. The strategy claims that the government is “working with other countries to increase the security of cyberspace as a whole”. There’s nothing said about what the government agency concerned is actually doing about cybersecurity in Kenya, and in particular the common crimes that afflict Kenyans using mobile and internet commerce – and which we now know include those targeting state agencies. The cyber-security strategy then goes on to say it “aims at working with academia to develop cyber-security curriculum”, and claims it is “implementing incentive programmes to increase the appeal of cybersecurity career paths”. It drones on about outreach and cultivating a culture of information security, and ends with a whimper by declaring that cyber-security is “a top priority for the government of Kenya”. What twaddle. What is needed is actions, not wish lists, so this is a quick and dirty approach to actually doing something to enhance cyber-security in Kenya.
First: government needs to bear down on the havens of cyber-crime in Kenya. The most common form of cyber-crime in the country is the theft of money using mobile platforms. A large proportion of the criminals involved in these scams are to be found in Kenya’s prisons, and it is from there that they hatch and carry out their swindling acts against citizens. This sometimes takes the form of bogus adverts, or fake money transfers that are then sent back, and the like. The Prisons department needs to be cracked down upon, and the law enforced to ensure that prisoners simply do not have access to mobile phones or computers. This alone would almost end mobile money theft in the country. The legislation already exists to do this, so it is largely a matter of political will to hammer the Prisons department into compliance.
Second: we need to set up a National Cyber Crime Unit. This would lead operations against cyber-crime, and would be tasked with liaising with other countries’ cyber-crime organisations to ensure that cyber-criminals do not find a haven in Kenya. Training would be provided to this unit to ensure they have the skills to carry out broad digital investigations, and the many half-thought-out initiatives around cyber-safety in the country – like CCTV cameras and bank account monitoring – would come under the unit.
Third: Build resilience into government systems, so that should a serious incident occur, services delivered via digital platforms would still be available. If a bomb hit the server room of the ministry of finance or the Central Bank of Kenya today, our entire financial infrastructure would come crashing down. Despite the claims of resilience, this column is aware that there’s no such thing built into the systems of those two crucial departments, as indeed is the case with virtually every other important state department.
Fourth: Enforce the incorporation of cyber-risk into the risk management regimes of all government boards and all key strategic corporations in the country. If the two leading mobile phone providers in Kenya were hit by a massive cyber-attack, the economy of the country would be paralysed. Government therefore needs to work with these and similar organisations – Kenya Power, state security agencies, county governments – to ensure that they do not merely pay lip service to risk management.
Finally: International cooperation with more technologically advanced countries is important as both a learning experience and for personal skills transfer and actual field-tested tactics in fighting cyber-crime.