Throughout 2017, individuals and businesses in Kenya and abroad faced relentless waves of cyberattacks. The most notable of these were perhaps the WannaCry and Petya ransomware attacks, which encrypted files and restricted access on infected computers until users paid a ‘ransom’.
According to the Communications Authority of Kenya (CA), at least 19 WannaCry infection reports were made to the National Kenya Computer Incident Response Team.
Similarly, in its 2017 second-quarter sector statistics, the CA indicates that the team analysed and validated 4,589 cyberthreats. Some included advanced tactics such as distributed denial-of-service attacks, where an online system or service is overwhelmed by intentionally redirecting online traffic to it from multiple compromised sources.
However, these statistics signify only the currently identifiable forms of cyberattacks. Some attacks may never be detected, or are only discovered long after they were initiated and have fulfilled their sinister objectives.
For example, advanced persistent threats are cyberattacks programmed to infiltrate a computer network and lie low while mapping out cyber defences and collecting sensitive confidential information.
This information can then be syphoned out for fraudulent use or the entire system can be taken over for more nefarious purposes, which are often discovered long after the infiltration.
Kenya lags behind both in the industry expertise needed to tackle such cybersecurity challenges and in legislative and regulatory responses.
The Central Bank of Kenya has led the charge, releasing a guidance note on cybersecurity. This requires banks to revise their approach to cybersecurity and make it a responsibility of a bank’s board of directors and senior management.
Banks are also required to hire specialised personnel to monitor and audit their cybersecurity protections and to report attacks to the CBK within 24 hours of their occurrence.
Nonetheless, the cybersecurity landscape has now changed significantly, after President Uhuru Kenyatta assented to the Computer Misuse and Cybercrimes Act, 2018. The Act creates a number of offences, including unauthorised access to computer systems, unauthorised interception of data, and unauthorised disclosure of passwords and access codes.
The Act also creates penalties as high as fines of Sh10 million or 10-year jail terms. Parliament also proposed the creation of a National Computer and Cybercrimes Coordination Committee to establish local cybersecurity standards and to analyse and respond to cyberthreats.
A very notable feature of this Act is that it will apply to cybercrimes committed from outside Kenya if the person committing the crime is a citizen or resident of Kenya, or if the crime is committed against a Kenyan or the government.
This provision is an appreciation of the borderless and global nature of the Internet. Even with this added clarity, Kenyan entities should re-strategise and prioritise cybersecurity protocols to reflect global best practices.
In sum, it is evident that Kenyans are progressively paying the necessary attention to cybersecurity. Although many still pay lip service to the dangers that exist, greater advocacy and enforcement of applicable laws will assist in strengthening defences in an increasingly digitised economy.
It is in everybody’s best interests to seek the necessary technical and legal advice to always be prepared.