Secure online procurement from attack


Government procurement finally goes online. Automation comes with greater productivity, improved citizen satisfaction, enhanced decision making, reduced cost, and increased efficiency and effectiveness.

But it may be too early to celebrate. There are landmines ahead, including increased cyber attacks, owing to the fact that procurement is prickly, resistant to change and prone to sabotage.

Although Kenya has a pool of information technology (IT) graduates, they are not fully trained to withstand the anticipated challenges.

Universities rarely attempt to close the skill gap to make their graduates employable. Even more challenging is the fact that the government salary structure does not appeal to those who acquire the necessary skills.

We are in a paradoxical situation where we have the human resource but in effect we do not have it. In spite of high unemployment, experts in IT are still in short supply.


What makes automation of procurement challenging is the fact that this marks the first time the government is venturing into online interaction with the world.

We can take lessons from the banking industry since they first ventured into the virtual world through online transactions. Although the benefits outweigh the costs, they have been battling a flurry of cyber attacks that in most cases go unreported. There is greater benefit for criminals to target economic crimes in the virtual world.

In June, for example, Russian computer hackers planted viruses on hundreds of thousands of computers around the world that secretly seized customer banking information and stole more than $100 million (Sh8.7 billion) from businesses and consumers.

Such stories give fodder to people who benefit from the current procurement system and will now look for every excuse to derail the project.

One challenge that will emerge is the elimination of middlemen. While this sounds great and will lead to greater savings, there is a policy in place to favour youth, women and people with disability. Ordinarily, these groups buy from wholesalers then sell to government, but online transactions will eliminate this window.

There is every likelihood that several excuses, including the alienation of marginalised groups, may be used to mount resistance to change.

The implementation of the Integrated Financial Management Information Systems (IFMIS) took more than 10 years because of various flimsy excuses and sometimes outright sabotage to allow for manual systems to kick in.

Anytime the manual systems took over, there was always overspending leading to pending bills. It is such experiences that we must learn from to develop a better system that will lead to greater efficiency and productivity.

All this will be possible if all the data is linked to the Kenya Open Data Initiative. To achieve these noble objectives, the software vendor must be made to help through the planning and implementation of the procurement system, including training.

The training must cover software and cyber security, as well as sharing system vulnerabilities from previous experiences. Those who wish to be government suppliers or contractors must be made to register for a virtual identity (Internet identity), which is possible since the government has already invested in the critical infrastructure that would support this.

The weakest security point in most organisations is the lack of regular system checks. Such checks often entail an examination of the management controls within an IT infrastructure.

The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity and operating effectively to achieve the government’s objectives.

There must be a regular software review by an outsider assessing the compliance of software products and processes with standards, specifications, contractual agreements and any other criteria. Many of the public sector systems are not reviewed and, when they are reviewed, it is the users who review them.

Kenya has not developed its own data security standards and, in their absence, we should adhere to global standards such as the Payment Card Industry Data Security Standard, which is a proprietary information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

This is a requirement that needs to be jointly implemented by the Central Bank and the Communications Authority.

As Bill Gates said, “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” Let’s go for efficiency and propel our economic growth.

The writer is a senior lecturer, University of Nairobi, and a former permanent secretary, Ministry of Information and Communication.