How legal loopholes are hurting Kenya’s cybercrime fight

Digital commerce, which was vastly accelerated by the pandemic, remains the richest target for cyber-attacks. PHOTO | POOL

February 2015. Undisclosed location in Nairobi. Alex Mutuku allegedly gains access to Safaricom’s convergent billing system by interfering with the company’s computer system.

At the end of the incursion, the telco loses Sh3.6 million worth of airtime through irregular top-ups by different mobile numbers. Two weeks later on March 9, Mutuku strikes again, obviously emboldened by his luck. This time, he allocates himself airtime amounting to Sh20,000 from the service provider.

He is later arrested and charged with electronic fraud, in violation of Section 84 (B) (b) of the Kenya Information and Communications Act.

The case is ongoing.

Cybercrime theatre

With a tech hub worth more than Sh120 billion, Kenya is not only the region’s Silicon Savannah but also the epicentre of cybercrimes. Some of the major global cyber frauds have been initiated from Nairobi, notable among them the incident where Fairfax County in the US lost Sh56.8 million to phishers in Kenya’s capital.

From frauds targeting corporations to coercion, insider trading and routine misdemeanours, Kenya's cyberspace has become a theatre of cybercrimes, the grave and the petty alike.

In 2018, business consulting firm Serianu said that Kenya loses about US$295m (Sh33.5 billion) to cyber criminals every year, an amount that has been increasing steadily, experts say.

Suits involving cybercrimes have been growing in recent years. Yet, only a handful end up in courts. Away from the glare of the public, Kenyan businesses are battling a silent, vicious and existential crisis of cybercriminals who either make illegal money transfers or encrypt data and demand ransoms running into hundreds of millions of shillings.

“A significant number of companies and individuals are choosing to negotiate with cybercriminals in order to avoid any damage to their reputation and user trust that may be caused by a public trial,” explains High Court advocate Peter Maina, who has participated in multiple cybercrime litigations.

The lawyer argues that such negotiations deny regulators the relevant experience to fight and prevent such attacks in the future.

When the cases go to court, they drag on for years, with the majority of them almost certain to flop, owing to either bungled investigations or lack of watertight evidence.

Legal and forensics experts now point to the country’s lack of technical expertise, tools and capacity, all of which affect the quality of investigations and litigation.

Cybercrime litigation is a long and complex process and Maina says identifying perpetrators remains the biggest setback for investigators.

‘‘The evidential burden that a claimant or a prosecutor has to meet to prove their case is heavy. The evolution of cybercrime and methods used by criminals will continue to cause advocates problems in the quest to bring them to justice.’’

Unsurprisingly, some of the suspects are multiple offenders. Before a group of eight Kenyan cyber-fraudsters were intercepted and jailed in Rwanda in July last year for hacking into Equity Bank’s systems, they had committed similar crimes in Kenya and Uganda.

Among those put in jail were Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Kinyua Erickson Macharia, and Godfrey Gachiri Githinji. Others were Eric Dickson Njagi Mutegi, Reuben Kirogothi Mwangi, Damaris Njeri Kamau and Steve Maina Wambugu.

The trickiest challenge

George Njoroge, a forensics expert and founder of East Africa Data Handlers, doesn’t mince his words in his description of the state of cybercrime investigation and litigation in Kenya, saying this has sown panic among victims, mostly businesses.

‘‘It’s poor and sad. There is minimal training and investigators struggle to build solid cases. Most prosecutors and judges do not understand some of the technologies in cybercrime.’’

Besides fraud, Njoroge says identity theft, cyberbullying, data leakage and DDoS (distributed denial-of-service) attacks are some of the soft areas that criminals are striking.

He calls it the ‘‘trickiest challenge’’ the modern company is dealing with today, and adds that banks and saccos are in a more precarious position.

Maina agrees, noting that the increase in online interactions and transactions in Kenya in the last decade has pushed up the frequency of cybercrime litigations.

“There has been a sharp increase in cases filed against banks by depositors whose accounts have been wiped out,” says the managing partner at Prow & Company Advocates.

Tenfold attacks growth

While most of the attacks are targeted at large corporations, a majority with the financial muscle to service ransoms, mid-sized companies are not exempt either. The threat has grown tenfold for businesses during the pandemic as perpetrators strike through hacking, phishing and ransomware attacks.

In a market with only a handful of data scientists, however, evidence analysis by prosecutors is never a straightforward process and sometimes results in poor background checks.

In some instances, prosecutors have asked for suspects to be held for up to 40 days to conduct their investigations, which Njoroge puts down to inadequate forensics capacity.

A case in point is May 2018 when the Director of Public Prosecutions (DPP) Noordin Haji ordered the release of blogger Cyprian Nyakundi after his arrest for allegedly insulting then Nairobi Governor Mike Sonko. The DPP argued that Nyakundi’s ‘‘misdemeanour’’ did not warrant detention.

Then there’s the issue of evidence collection.

Five years after he allegedly defrauded Safaricom, Mutuku challenged the authenticity of the WhatsApp communication that was used in court as evidence, saying it was ‘‘doubtful’’ since the phone used in the communication was not produced in court as part of the evidence.

Poor evidence handling

He filed a Notice of Motion contending that the trial magistrate had erred by incorrectly and illegally admitting electronic evidence (WhatsApp chats) in contravention of Section 65 (8) and Section 106 (B) (2) of the Evidence Act.

Njoroge notes that poor handling of evidence in the chain of custody is a key challenge in cybercrime litigation. This often leads to its inadmissibility in court, he says.

‘‘The results of analysis of digital evidence by one expert, for instance, should return the same findings by another forensics investigator because forensics tools are mostly the same. The results must be consistent to sustain a good case for prosecution.”

So big is this area that one expert tells the Business Daily the bulk of cases he handles revolve around the chain of custody.

But if presenting watertight evidence to court has been shaky ground for prosecutors, conflicting provisions of the law have been quicksand.

In May last year, Justice Weldon Korir threw out a case in which blogger Nyakundi had been sued by Makueni Governor Kivutha Kibwana for defaming him. The case had been pegged on Section 66 of the Penal Code.

Conflicting law

Justice Korir ruled that the code was outdated and in violation of the Constitution, by curtailing freedom of expression, especially among journalists.

States the code: ‘‘any person who publishes any false statement, rumour or report which is likely to cause fear and alarm to the public or to disturb the public peace is guilty of a misdemeanour.’’

As technology advances and cybercriminals get smarter, the future of cybercrime litigation looks bleaker, experts warn.

Says Njoroge: ‘‘For us to beat them, we must have a competitive edge with the right tools. We also need to have the right training for our professionals to use these tools.’’

Having a cybercrime division at the High Court, with judges and prosecutors specially trained in cyber affairs, would be a big win in this fight, the expert says.

“It would make it easier to process cases with the same efficiency and speed the antiterrorism and anti-corruption courts handle matters before them.”
