The
Secretariat,
Director
Programmes & Standards, ICT Authority
Telposta
Towers, 12th Floor, Kenyatta Avenue,
P.
O Box 27150-00100 Nairobi.
critical@ict.go.ke
Kenya
ICT Action Network (KICTANet)’s input into the proposed Critical Infrastructure
Bill
Acknowledge
ICT is a tool that is
critical for operations and hence requires specialized attention: availability,
integrity and confidentiality.
Starting point:
Management questions
10.
Who manages critical infrastructures?
11.
Should the government own/manage/handle
infrastructures like the NOFBi?
12.
Which infrastructure can the
government outsource? Which infrastructure is a security threat to outsource?
Who are trusted partners for outsourcing?
15.
What is the value of investment in NOFBI
while there is no last mile connectivity? Should the NOFBI operator be able to
go the long haul and provide last mile services to all intended recipient(s) of
the service?
16.
What levels of approvals are there (change
management) for any change to happen in a critical internet resource? (Just
last month, a misguided change at KENIC affecting DNSSEC affected the entire
.ke domains for a whole day. No domain was accessible).
17.
How is the security and integrity of PKI
maintained?
18.
How are the counties managing ICT county
specific infrastructure and what capacities exist at that level?
Roll out/ Rapid
Response questions
19. How fast can we rollout, upgrade, and repaired our fibre optic infrastructure?
(There has been a deliberate systematic plot to ensure there are no ducts on
wayleaf to pull fibre optic cable within minimum time, and cost effectively).
20.
Can we vet the software that runs on
and support critical infrastructure? We have had cases of defective and
compromised
firmware, and compromised software that has payloads executed at certain times
by malicious actors. Which software and hardware do we trust? Can we audit this
software?
21.
What is the role of standards? ( ISO 27000 series Standards on Information Security and the ISO
20,000 series on Service
Management).
Regulation vs Legislation and questions regarding scope
22. Is it necessary to have an Act on critical infrastructure considering the dynamism and complexity of ICT? Would a few amendments under the KICA 2013 not suffice?
23. Would it perhaps not be useful to have separate acts or regulations for critical internet infrastructure on the one hand, and critical infrastructures like (power and transport) connected to the internet on the other hand? The two types of critical infrastructure are related but require different and specialized approaches.
24. The development of a critical infrastructure policy framework should precede the bill to contextualize the Critical Infrastructure bill. The policy framework should also have an implementation framework, a result of which could be the development of a law. Before the development of the policy it may be necessary to conduct a study and expert consultation on the matter that includes a review of global best practices.
25. The protection of critical infrastructure may be better managed under regulations rather than Bills/Acts. This is because in the fast changing world of IT, what is critical today may not be tomorrow and vice versa. Who would have known five years ago that M-PESA would move beyond just sending money, to becoming a lifestyle for millions of Kenyans aka a critical infrastructure? You don’t manage such issues through hard-wired Acts, but through Regulation.
Recommendations on Policy and law
The said policy and law should
clearly outline:
- Definition
of what constitutes critical infrastructure.
- Distinguish
between critical internet/ICT infrastructures and critical infrastructures
connected to the internet.
- Criteria for identification of CI.
- Threat analysis to various CI in Kenya.
- Risk management framework for the CI.
- Requirement of mandatory minimum protection of
critical infrastructure as well as demonstrated assurance through compliance.
- Coordination framework (including PPP arrangements, lead coordinating org and
perhaps the need for a single body?).
- Investigate frameworks for threat intelligence and information sharing
between all concerned stakeholders.
- Incident
reporting mechanisms and investigations of possible requirements for breach
disclosure to all affected stakeholders.
- Research and
development strategies.
- Capacity assessment and development.
- Funding mechanisms.
- Implementation plan.
Note: It will be important for institutions (private and public) to meet the law and associated regulatory requirements
(Consistent with with the 2010 constitution). In addition, Institutions
must integrate their plans with agencies/bodies (e.g. fire, security,
emergency, hospitals, etc.) that are critical to effective response.
Submitted on behalf of KICTANet by Grace Githaiga, Victor Kapiyo, Barrack Otieno, Mwendwa Kivuva, John Walubengo, Matunda Nyanchama, Alex Comninos and Ali Hussein