Time for a Reboot: Cybersecurity and Government Policy in Kenya

On May 7, 2021, a group of cybercriminals infiltrated and locked down the computer systems charged with running the Colonial Pipeline, which is responsible for delivering 45 percent of gasoline used along the east coast of the United States. The resulting week-long shutdown caused gasoline shortages in several southeastern states, and the cybercriminals reportedly made off with a USD 5 million ransom. Although certainly not the first major cyberattack, the incident highlights the growing capabilities of cyber actors and the impact of cyberattacks worldwide. Kenya is no exception to this trend. In fact, the ‘Silicon Savannah’ is especially vulnerable to cyber threats intended to damage or disrupt critical infrastructure or facilitate espionage. To better respond to the growing cyber threat, the Kenyan government should work to provide incentives to private sector partners in critical infrastructure to adhere to cybersecurity protocols even as they continue to modernize their operations. The Kenyan government should conduct regular supply chain risk assessments that are shared with key stakeholders across all government agencies to identify products, services, and companies that may pose a cyber espionage threat. It is also time for the seven-year-old national cybersecurity strategy to be updated. The government should establish a standard time period for reworking the critical document, given the rapidly changing nature of the cybersecurity environment.

Kenyan Businesses and Consumers

Kenya boasts the third-highest number of internet users on the continent. As such, it is no surprise that cyberattacks are a relatively common occurrence in the country. During the first seven months of 2020, Kenya accounted for a massive 50 percent of the total cyberattacks in Africa, according to Kaspersky, a cybersecurity firm. Although the exact number is unknown, cyberattacks (including online theft, fraud, and identity theft) are estimated to cost the Kenyan economy billions of shillings each year. The frequency of these attacks, which tend to target Kenya’s financial sector, is increasing yearly. During the COVID-19 pandemic, cyberattacks in Kenya are especially frequent due to the shift to remote working and the increasing use of e-commerce platforms. The threat posed by cyberattacks to individual consumers and businesses in Kenya is well documented by the country’s domestic media outlets. However, the cyber threats to Kenya’s national security are much less discussed.

Critical Infrastructure Security and Espionage

As the Kenyan population becomes ever more reliant on internet and communications technology (ICT), so too does the country’s critical infrastructure. Although this trend dramatically increases efficiency, it also increases the vulnerability of critical infrastructure to “costly, disruptive cyber attacks.” Kenya’s Mombasa port, a linchpin of the economy, is an especially enticing target (as well as an increasingly vulnerable one) for cyberattacks launched by either criminal elements seeking a massive payoff or state-supported actors hoping to hobble the Kenyan economy. According to The Maritime Executive, the port of Mombasa, like other ports around the world, is not adequately considering the cybersecurity implications of the rapid integration of new information networks and interconnected technologies. Denys Reva of the Institute for Security Studies assesses that the occurrence of a major disruptive cyberattack targeting critical maritime infrastructure in Africa is “just a matter of time.”

Cyber threats are also making it more difficult for the Kenyan government to protect itself from espionage. Spyware is proliferating across the continent as governments purchase the products and services of European, Chinese, and Israeli companies that specialize in surveillance. Although most reporting concentrates on the use of spyware in Africa for domestic surveillance, privately developed spyware can also be used for inter-state espionage. As Kenyan government ministries shift to more digitized and more connected information networks, they become an easier target for cyber espionage. China is a particularly notable threat in this area, as Chinese companies helped to develop facial-recognition surveillance for Kenya and constructed over 70 percent of Africa’s 4G networks.

Current Government Response

The Kenyan government has taken steps to address the increasing cyber threat. Kenya’s national cybersecurity strategy, developed by the Ministry of Information, Communications, and Technology in 2014, has four primary objectives. First, to protect “critical information infrastructure.” Second, to promote awareness of cybersecurity by “informing and educating the Kenyan public and workforce.” Third, to establish a cybersecurity framework that fosters collaboration and reduces “duplication of effort.” Fourth, to ensure the strategy is effectively implemented and updated in response to the changing threat environment. In 2017, Kenya established the National Cyber Command Center (known as NC3) to spearhead and coordinate national cybersecurity efforts. The NC3 works with national and international stakeholders in government, civil society, and the private sector.

Policy Recommendations

The objectives of Kenya’s national cybersecurity strategy rightly prioritize public-private cooperation and the need for coordination in developing and implementing cybersecurity protocols. However, the national cybersecurity strategy falls short in a significant area: there is no standardized timeline for the regular renewal of the strategy. The current strategy states that it should be “refresh[ed] as required.” Although this is better than a static document, there is a real need for an established and time-specific process for reworking the strategy (perhaps every four to five years). This process is especially important given the constantly and rapidly changing cyber threat environment.

The Kenyan government should also provide incentives for private sector stakeholders involved in critical infrastructure like the port of Mombasa to prioritize cybersecurity as they continue to modernize. Although there is a natural incentive for companies to implement effective cybersecurity measures to protect against revenue loss, this can be outweighed by the rush to modernize (and thus increase efficiency and potential profits). As a result, it is important that the government work to ensure that companies overseeing critical infrastructure or working with the government adhere to cybersecurity protocols.

Given the constantly advancing cyber capabilities of both nation states and non-state actors, Kenya faces a major challenge in protecting its sensitive information and interests. There is a multitude of actions that the government could take to mitigate this constant threat. In particular, the government should reduce the vulnerability of its supply chain to software and hardware that are especially well suited for cyber espionage. This could be addressed by conducting frequent supply chain risk assessments to identify products, services, and companies that may pose a risk to cybersecurity. These assessments should be shared with key stakeholders throughout the government.

Joseph Hartung is a Researcher at the HORN Institute.

Photo Credit: Fact24

The contents of this article are copyright of © The HORN Institute 2022. All rights reserved. Any redistribution or reproduction of part or all of the contents in any form and for whatever reason is prohibited. You may use the content of this article for personal reasons, but acknowledge the website as the source of the material.
