THE CYBER SECURITY FRAMEWORK IN KENYA
The Kenya Information and Communications (Amendment) Act (hereinafter referred to as “KICA”) defines cyber security as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber environment. To protect our systems, networks and devices, the Government created various policies and laws, namely: the National Information Communications and Technology (ICT) Policy Guidelines, 2020; KICA; and the Computer Misuse and Cybercrimes Act, 2018 (hereinafter referred to as “CMCA”). This is a major step since Kenya has been reported to receive the second most cyber-attacks after South Africa, as referenced in a report by Serianu. The Communications Authority of Kenya also reported that the number of internet users grew from 11.6 million in 2014 to 46.74 million in June 2021, with 38.78 million cyber security threats having been flagged.
KICA was amended to handle some concerns stakeholders had about the ever-evolving changes in the sector. Section 83C outlines the functions of the Communications Authority of Kenya in relation to electronic transactions and cyber security. These include: developing sound frameworks to reduce incidences of forgery and fraud on electronic records; creating a framework for facilitating the investigation and prosecution of offences; and facilitating the efficient management of critical internet resources. Furthermore, it states that the Cabinet Secretary and the Communications Authority may make regulations concerning cyber security.
The National Kenya Computer Incident Response Team (National KE-CIRT) was established by the Communications Authority as part of its mandate under KICA to mitigate cyber security threats by detecting, preventing, or responding to them; issuing cyber security advisories, and enhancing cyber hygiene awareness. Kaspersky defines cyber hygiene as the steps users of computers and devices can take to improve their online security and mitigate potential online breaches.
Some of the practices they encourage users to embrace include: using network firewalls to prevent unauthorized access to their websites and mail servers; employing antivirus software that automatically detects and removes malicious software; and using shredders when destroying confidential information. With respect to criminal cases, National KE-CIRT conducts various cybercrime investigations and forensic examinations, and prepares digital evidence for the prosecution of crimes. Notably, the team operates on a 24-hour basis and has an application known as KE-CIRT for reporting incidents, which is impressive because it shows that they understand the nature of cyber security threats.
The CMCA was challenged in the High Court by the Bloggers Association of Kenya in the case BAKE v The Attorney General & 3 Others; Article 19 East Africa & Another (Interested Parties) eKLR for having 26 sections that were inconsistent with various Constitutional provisions, thus limiting fundamental rights and freedoms outside the ambit stipulated in Article 24 of the Constitution. They raised concerns about the excessive limitation of the freedom of expression, inconsistent definitions of terms, and punitive penalties. For instance, Section 23 of the CMCA on publication of false information stipulates:
A person who knowingly publishes information that is false in print, broadcast, data or over a computer system, that is calculated or results in panic, chaos, or violence among citizens of the Republic, or which is likely to discredit the reputation of a person commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.
They contended that the provisions of the section are similar to those encapsulated in Section 29 of KICA, which was declared unconstitutional in the case Geoffrey Andare v The Attorney General & 2 Others eKLR. The Section states:
A person who by means of a licensed telecommunication system—
- sends a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
- sends a message that he knows to be false for the purpose of causing annoyance, inconvenience, or needless anxiety to another person,
commits an offence and shall be liable on conviction to a fine not exceeding fifty thousand shillings, or to imprisonment for a term not exceeding three months, or to both.
In addition to that, they contended that the Section reintroduces criminal defamation pursuant to Section 194 of the Penal Code, which was declared unconstitutional in the case Jacqueline Okuta & another v The Attorney General & 2 Others eKLR. The section provides:
Any person who, by print, writing, painting or effigy, or by any means otherwise than solely by gestures, spoken words or other sounds, unlawfully publishes any defamatory matter concerning another person, with intent to defame that other person, is guilty of the misdemeanor termed libel.
It could be argued that the provisions in Section 23 are similar to the aforementioned sections in the Penal Code and KICA in being too broad, vague, and criminalizing defamation, and hence have a chilling effect on the freedom of expression. Several provisions can be relied on by parties to deal with both libel and defamation under the Civil Procedure Rules, 2010. Furthermore, Section 23 sets out a harsh custodial sentence and fine. Therefore, the section should be declared unconstitutional. However, the judge, in dismissing the petition, held that the section is neither broad nor vague, and that the other sections and the Act are valid, do not violate, infringe or threaten fundamental rights or freedoms, and are justified under Article 24 of the Constitution. Consequently, BAKE appealed and the matter lies in the Court of Appeal for hearing and determination.
Nonetheless, the Act has been operational and some of its provisions encapsulate offences such as unauthorized interference with data, computer systems, and programs; cybersquatting; unlawful interception of electronic messages or money transfers; and cyberterrorism. In addition to that, the National Computer and Cybercrimes Coordination Committee was launched in November, 2021 to establish codes of cyber security practice; advise the Government on security-related aspects that touch on blockchain technology and critical infrastructure; and receive and act on reports on cybercrimes, among other functions. Strikingly, its all-male composition is in contravention of Article 27(3) of the Constitution which stipulates that no more than two-thirds of members of an elective or appointive body shall be of the same gender.
After a review of the 2006 Policy and pursuant to Section 5C of KICA, the 2020 ICT Policy was created. It incorporates several provisions that take into account the new levels of interconnectedness in the country and our national goal to achieve Vision 2030. Notably, the Policy will be reviewed every three years and have a mid-term review after five years. It acknowledges that cyber security is a vital pillar in national security and outlines some of the commitments the government is planning to take up including:
- Protecting vulnerable groups such as children;
It resolves to adopt a multi-stakeholder approach in ensuring that children can navigate safely online. In addition to that, it aims to equip law enforcement agencies and judicial officers to handle matters on child online protection as well as set up an online database of children offenders. This is a great commitment and takes note of the engagements the Government has had with Watoto Watch Network and the youth during the Youth Internet Governance Forum to create a safe digital environment for children and young people.
- Implementing the Computer and Cybercrimes Legislation;
The Policy was gazetted on 7th August, 2020 after the Petition by BAKE was dismissed, explaining why it would rely on the CMCA. The policy also states that Government will establish an enabling legal framework in alignment with the Constitution and relevant statutory laws, and adopt regional and global best practices. One of the instruments it could rely on is the African Union Convention on Cyber Security and Personal Data Protection, 2000. We ratified the Convention and hence are bound by its provisions under Article 2(6) of the Constitution. The Convention sets out in its Preamble that it requires member states to respect and promote fundamental freedoms and rights contained in the instruments adopted within the framework of the African Union and United Nations. Therefore, Government should ensure that it balances the limitations it imposes on rights and freedoms when deciding on matters relating to national security.
Notably, Kenya is a member of the Global Cybersecurity Agenda whose main role is to build security and confidence in the use of Information Communication Technologies. The country is yet to develop a new National Cyber Security Strategy Plan after the former expired in 2019. This presents the government with an option of engaging in a multi-stakeholder approach to develop a plan that captures all parties’ interests; has robust tools such as defensive and offensive cyber-capabilities; and operational provisions that take into account the law to avoid litigation. The progress made in relation to cyber security is impressive with respect to the policy created, amendments made in KICA, and the establishment of KE-CIRT to respond to cyber-threats.