According to the Communication Authority of Kenya’s (CA) at least 19 Wannacry infection reports were made to National Kenya Computer Incident Response Team (KE-CIRT).
The Central Bank of Kenya has led the charge, releasing a Guidance Note on Cybersecurity.
This requires banks to revise their approach to cybersecurity, prioritising it and making it a responsibility of a bank’s board of directors and senior management.
Throughout 2017, relentless waves of cyberattacks faced persons and businesses in Kenya and abroad. The most notable of these attacks were perhaps the Wannacry and Petya ransomware attacks, which encrypted files and restricted access on infected computers until users paid a ‘ransom’. According to the Communication Authority of Kenya’s (CA) at least 19 Wannacry infection reports were made to National Kenya Computer Incident Response Team (KE-CIRT).
Similarly, in sector statistics for Q2 of 2017, the CA indicates that the KE-CIRT analysed and validated 4,589 cyberthreats in that quarter alone. Some of these included advanced tactics like distributed denial of service (DDoS) attacks, where an online system or service is overwhelmed by intentionally redirecting online traffic to it from multiple compromised sources.
However, these statistics signify only the currently identifiable forms of cyberattacks. Some types of attacks may never be detected, or are only detected long after they were initiated and have fulfilled their sinister objectives.
For example, advanced persistent threats (APTs) are cyberattacks programmed to infiltrate an entity’s computer network and lay low while mapping out cyber defences and collecting sensitive confidential information.
This information can then be siphoned out for fraudulent use or the entire system can be taken over for more nefarious purposes, which are often discovered long after the infiltration occurred.
Kenya has so far lagged behind in both industry expertise to tackle such cybersecurity challenges as well as legislative and regulatory responses to tackle the menace.
The Central Bank of Kenya has led the charge, releasing a Guidance Note on Cybersecurity. This requires banks to revise their approach to cybersecurity, prioritising it and making it a responsibility of a bank’s board of directors and senior management. Banks are also required to hire specialised personnel to monitor and audit their cybersecurity protections and to report cybersecurity incidents to the CBK within 24 hours of their occurrence.
Nonetheless, the cybersecurity landscape is about to change significantly, should the President assent to the Computer and Cybercrimes Bill, 2017 as passed by the National Assembly. The Cybercrimes Bill proposes to create a number of offences including unauthorised access to computer systems, unauthorised interception of data, or unauthorised disclosure of passwords and access codes.
The Bill also proposes penalties as high as fines of Sh10 million or ten-year prison terms. In the latter stages of this Bill’s consideration, Parliament also proposed the creation of a National Computer and Cybercrimes Coordination Committee to establish local cybersecurity standards while analysing and responding to cyberthreats to Kenya’s cyberspace.
A very notable feature of this Bill, is that it will apply to cybercrimes committed from outside Kenyan territory if the person committing the crime is a citizen or resident of Kenya or such crime is committed against a Kenyan or the Government. This provision is an appreciation of the borderless and global nature of the internet, where illegal conduct may affect persons across conventional state boundaries and jurisdictions.
Even with this added clarity, Kenyan entities should re-strategize and prioritise cybersecurity protocols to reflect global best practices. This is especially critical for entities engaged in trust-based transactions or which host sensitive data - such as banks, insurance companies and telecommunications operators.
This can be done by inclusion of cybersecurity as a performance metric, or hiring of key cybersecurity personnel as the CBK requires from banks.
Third-party vendors of internal software and hardware should be intensely vetted, and liabilities apportioned adequately through contracts. Cyber-risk insurance policies would also provide an additional layer of protection from the financial losses that could result.
In sum, it is evident that Kenyans are progressively paying necessary attention to cybersecurity. Inasmuch as many still pay lip service to the dangers that exist, greater advocacy and enforcement of applicable laws will assist in strengthening defences in an increasingly digitised economy.
Mutugi Mutegi, lawyer, Nairobi
PAYE Tax Calculator
Note: The results are not exact but very close to the actual.
