Cyber Risks, Incidents and Crimes Management

In line with Kenya’s aspiration to become a globally competitive and prosperous country as envisaged by Vision 2030, key social and economic sectors in both the public and private domains have rapidly adopted ICTs to improve and expand the scope of service delivery. This increased reliance on ICT has led to a proliferation, and increased interdependence, of information system assets (devices, network infrastructure and data) across the country. The trend is likely to grow exponentially as further digital initiatives are implemented in the private and public sectors.

While this growth has greatly enhanced productivity across the affected social and economic sectors, the national cyber threat landscape has also developed rapidly because of the resulting wider attack surface. Cyber threat actors are becoming more strategic, better resourced and more skilled, and they use increasingly sophisticated attack tools (malware, ransomware, etc.) that execute faster, operate at a wider scale and remain stealthier. Yet the adoption of sound cybersecurity practices in Kenya has not been commensurate with the adoption of ICTs. This has contributed heavily to the observed increase in targeted attacks by cyber criminals, which will continue to rise as the digital economy grows. The impacts of these attacks vary, ranging from disruption or paralysis of critical services and business processes, to theft of valuable or sensitive data, to financial losses, among others.

The need to protect ICT infrastructure in the public and private sectors across the Kenyan cyberspace is therefore paramount. One fundamental means of achieving this is enhancing the cybersecurity visibility capacity of our cyberspace. Notably, various agencies across the private and public sectors have already made efforts towards this agenda. The establishment of Security Operations Centers (SOCs) and Computer Emergency Response Teams (CERTs) across these sectors is an important milestone towards building the capacity to continuously monitor the cyber threat environment and isolate anomalous behavior in cyberspace in real time. This in turn informs action: preventing attacks, responding and remediating, and investigating and prosecuting cybercrime.

In this regard, this item proposes to strengthen cyber threat intelligence through a structured approach to enhancing visibility of the national cyberspace, in order to manage the threats emanating from it effectively and thus provide a better environment for efficient service delivery across the public and private sectors in Kenya.

Monitoring

Adversaries are abusing Internet security and privacy services to execute cyber-attacks, which makes it necessary to continuously monitor the national cybersecurity situation. The country currently lacks adequate visibility of its information and operational systems, sufficient Security Operations Centers, and an actionable National Monitoring Framework. Given this gap in national cybersecurity visibility, it is increasingly difficult to identify and respond to threats in the country’s cyber environment, taking into account the widening attack surface due to the proliferation of systems, evolving threats, and the increased stealth, scale and speed of cyber-attacks. Continuous cybersecurity monitoring will provide the visibility needed to identify vulnerabilities and cyber-attacks in real time. To cope with these threats, the Government of Kenya will:

  1. Establish a National Security Operations Center (NSOC) to manage and coordinate national cybersecurity monitoring capacity.
  2. Establish, or enhance existing, Security Operations Centers (SOCs) at key sector headquarters to provide real-time security monitoring and visibility of critical sector systems.
  3. Ensure the establishment, or enhancement of existing, Security Operations Centers (SOCs) at Critical Information Infrastructures (CIIs) to provide real-time security monitoring of these critical systems.
  4. Develop collaboration and regulatory frameworks with key stakeholders in order to give the NSOC security visibility of traffic traversing internet exchange points and gateways.

In addition, the NSOC’s responsibilities will be to:

  1. Set and maintain standards for SOC operations at sectoral and CII level.
  2. Provide shared situational awareness of network vulnerabilities, threats, and events across sectors and CIIs.
  3. Steer national protection, prevention, mitigation, and recovery activities associated with significant cyber incidents to improve the national cyber defense posture.
  4. Provide national-level discovery, analysis, characterization and attribution of cyber threats in cyberspace.
  5. Strengthen the future cybersecurity environment by developing indigenous skills and supporting knowledge transfer, research and development as well as information sharing.

Detection of cyber incidents

Most cybercrimes result in breaches of personal privacy, reputational damage, financial fraud and other harms. Cyber incidents have many causes, such as malware (e.g., worms, viruses), attackers gaining unauthorized access to systems from the internet, and authorized users who misuse their privileges or attempt to gain additional privileges for which they are not authorized. Timely detection of these incidents allows mitigation to begin early and limits the further spread and magnitude of an attack. To promote detection of cyber incidents, the GoK will:

  1. Build national professional capacity to improve capability for log analysis, threat detection and threat neutralization. This will directly improve the day-to-day running of the NSOC and the sectoral and CII SOCs.
  2. Utilize SOCs to continuously collect and analyze log data in order to identify anomalous behavior in information system infrastructure and devices across CIIs, for mitigation, correction, improvement and/or prosecution where necessary.
  3. Establish best-practice procedures to guide the detection process.
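As an added illustration of the log analysis this section calls for (example code written for this edition; it is not part of the strategy and not the tooling of any Kenyan SOC or CERT), the following script triages constructed SSH and sudo log lines for the three incident causes named above: repeated failed logons from one source followed by a successful logon (unauthorized access from the internet), use of sudo by a user who is not an approved administrator (privilege misuse), and failed sudo attempts (an attempt to gain privileges not held). The syslog-style line format, the sample lines, the thresholds and the approved-administrator list are all assumptions made for the example.

```python
"""SOC-style triage of constructed auth log lines (added example, not from the strategy)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a syslog-like format; none of this is real data.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for root from 203.0.113.7 port 51000
2024-03-01T10:00:03 host1 sshd: Failed password for root from 203.0.113.7 port 51001
2024-03-01T10:00:05 host1 sshd: Failed password for admin from 203.0.113.7 port 51002
2024-03-01T10:00:07 host1 sshd: Failed password for admin from 203.0.113.7 port 51003
2024-03-01T10:00:09 host1 sshd: Failed password for oracle from 203.0.113.7 port 51004
2024-03-01T10:00:12 host1 sshd: Accepted password for oracle from 203.0.113.7 port 51005
2024-03-01T10:05:00 host1 sshd: Failed password for alice from 10.0.0.5 port 40000
2024-03-01T10:05:30 host1 sshd: Accepted password for alice from 10.0.0.5 port 40001
2024-03-01T10:06:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-01T10:07:00 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
2024-03-01T10:07:05 host1 sudo: bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

APPROVED_ADMINS = {"alice"}   # assumption: the users entitled to use sudo on this host
FAIL_THRESHOLD = 5            # assumption: failed logons from one source that trigger an alert
FAIL_WINDOW_SECONDS = 60      # assumption: sliding window over which failures are counted

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : (?P<detail>.*?)USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(line):
    """Split one syslog-style line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines):
    """Return (alert_type, subject, detail) tuples in the order the evidence appears."""
    alerts = []
    failures = defaultdict(deque)   # source address -> timestamps of recent failed logons
    brute_forced = set()            # sources that already crossed the failure threshold
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["prog"] == "sshd":
            a = AUTH_RE.match(rec["msg"])
            if not a:
                continue
            src = a["src"]
            if a["result"] == "Failed":
                q = failures[src]
                q.append(rec["ts"])
                # Drop failures that fell out of the sliding window.
                while (rec["ts"] - q[0]).total_seconds() > FAIL_WINDOW_SECONDS:
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD and src not in brute_forced:
                    brute_forced.add(src)
                    alerts.append(("BRUTE_FORCE", src, f"{len(q)} failures within {FAIL_WINDOW_SECONDS}s"))
            elif src in brute_forced:
                # A success from a source that was guessing is the strongest signal here.
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, f"account {a['user']} accepted"))
        elif rec["prog"] == "sudo":
            s = SUDO_RE.match(rec["msg"])
            if not s:
                continue
            user = s["user"]
            if "incorrect password attempts" in s["detail"]:
                alerts.append(("SUDO_FAILURE", user, s["cmd"].strip()))
            elif user not in APPROVED_ADMINS:
                alerts.append(("UNAPPROVED_PRIVILEGE_USE", user, s["cmd"].strip()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert, sep=" | ")
```

On the sample input the script raises four alerts: the fifth failure from 203.0.113.7 within the window, the subsequent accepted logon from that address, bob’s use of sudo despite not being an approved administrator, and bob’s failed sudo attempt. Alice’s single failed logon and her approved sudo use produce nothing, which is the point of thresholds and an allow-list: a SOC that alerts on every failure drowns the incidents in noise.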

Incident reporting and response

The ability to report, respond to and expeditiously mitigate the potential consequences of cyber-attacks, while minimizing their impact, is crucial for sustainable governance, national security and the socio-economic wellbeing of the Kenyan people. Timely and effective response to cyber incidents will enable the GoK to minimize losses and restore services and processes, thus reducing the risk that future incidents pose. To promote response to cybersecurity incidents within the Kenyan cyberspace, the GoK will:

  1. Establish Computer Emergency Response Teams (CERTs) at the national and sectoral levels with a mandate to receive cyber incident reports and subsequently respond to cybersecurity incidents in the Kenyan cyberspace.
  2. Establish, through the CERT, and continuously review cyber-incident response procedures suitable for different incident response scenarios.
  3. Establish a cyber-incident response program under the CERT to build capacity among cyber incident responders from all sectors and CIIs through regular preparedness exercises. This is geared towards building readiness and resilience against a wide range of cyber threat scenarios.
  4. Establish collaboration mechanisms, both locally and internationally, through threat intelligence sharing, exchange programs, training and other related activities meant to strengthen the incident response function.

Deter and prevent cybercrime

With the ever-increasing opportunities for offenders to commit crime through the use of technology, it is imperative that the Government of Kenya puts in place measures to assure trust and confidence in the use of ICT systems. The GoK therefore needs to put in place measures that discourage cyber offenses and prevent cybercrime from occurring. This can be achieved through:

  1. Strengthening security controls over access to critical information systems across all sectors and CIIs.
  2. Dissuading potential cyber offenders by accelerating enforcement of existing cybersecurity laws to increase prosecutions, as well as reviewing existing cyber laws to provide more stringent punishments for cyber offenders.
  3. Running a sustained national cybersecurity education campaign to raise public awareness of the risks and impacts of malicious cyber activity and of the need to adopt basic protection measures on digital devices.
  4. Instituting regular information system audits within CIIs to detect misuse of government information systems and dissuade potential insider offenders.

Combat cybercrimes

Increased connectivity has brought increased risk of theft, fraud and other cyber-related crimes. As Kenyans become more reliant on modern technology, they also become more exposed to cyber-attacks such as corporate security breaches, spear phishing and social media fraud. Complementary cybersecurity and law enforcement capabilities are critical to safeguarding and securing the Kenyan cyberspace. The GoK will put in place the measures necessary to effectively address threats and attacks against our cyberspace, ranging from terrorism to sabotage of critical infrastructure, through:

  1. Developing training programs to equip law enforcement and judicial officers with the knowledge to gather electronic evidence and to investigate, prosecute and convict cyber criminals.
  2. Enhancing collaboration between the GoK and relevant stakeholders in the private sector and internationally in addressing actual and potential cyber offenses, with a view to strengthening prosecution.

Cyber Defense

The GoK intends to implement a proactive approach to preventing cyber-attacks from compromising critical computer systems, devices and networks, thereby avoiding irreparable disruption and damage. The GoK will also develop and implement a cyber-defense strategy that takes active steps to anticipate adversarial cyber actions while maintaining the benefits and flexibility of an open cyberspace for government, international business and society in general. This will be achieved by:

  1. Enhancing security to protect the confidentiality, integrity and availability of systems and data in all sectors and CIIs.
  2. Building capacity to improve risk assessment capability within the country.
  3. Conducting cyber risk assessments regularly to evaluate potential cyber threats, vulnerabilities and the status of implementation of cybersecurity best practices and standards in CIIs.
  4. Promoting the use of secure communication tools and channels, and encouraging the encryption of all data in transit and at rest generated across all sectors and CIIs.
  5. Implementing a National Public Key Infrastructure (PKI) to be used by all GoK CIIs to secure data in transit.
  6. Collaborating with academia and industry to develop cybersecurity Research and Development (R&D) programs.
  7. Encouraging investment in cybersecurity across CIIs in relation to infrastructural improvements, education and cyber threat intelligence information sharing programs.