DAY 2: Tuesday 19/09/2023
Dear Listers,
Welcome to Day 2 of our engaging discourse and virtual Public Participation forum on the "Computer Misuse and CyberCrimes (Critical Information Infrastructure and CyberCrimes Management) Regulations 2023." KICTANet extends gratitude to every stakeholder and partner who made Day 1 an enriching experience. Thank you for being an integral part of this important discussion.
We shall also have a Twitter Space on Thursday to disseminate/validate the report before official submissions.
Today our focus of discussion will center around the following sections: S. 14(1), (2); S. 18(3)(d), (4).
PART III: CYBERSECURITY OPERATION CENTRES
Outsourced Capabilities
14. (1) An owner of a critical information infrastructure including government-owned critical information infrastructure who intends to outsource any operations shall, in writing, notify the Committee prior to outsourcing…
Question:
● How does the notification requirement to notify before outsourcing impact various aspects, such as Institutional independence, business autonomy, legality, decision-making, and cybersecurity and other related concerns?
(2) The external service provider shall report to the owner of the critical information infrastructure, at least quarterly, notifying on the status of implementation of their obligations under the agreement including notifying on any security incident.
Question:
Is it appropriate for this reporting requirement between the external service provider and the owner of critical information infrastructure to be mandated by regulations,...
Or should it be left as a matter of business arrangement and negotiation between the parties involved?
Risk assessment and evaluation of cybersecurity operation centres
18. 3. (d) Define a treatment plan and implement business continuity management controls including – ...
(4) The business impact analysis of an organization shall be based on—
(a) the potential impacts of business disruptions for each prioritized business function and processes including financial, operational, customer, legal and regulatory impacts;
(b) recovery time objectives, recovery point objectives and maximum acceptable outage;
(c) internal and external inter-dependencies; and
(d) the resources required for recovery
Question:
1. Is this not too prescriptive?
2. How can organizations strike a balance between complying with extensive business impact analysis requirements in cybersecurity operations and maintaining the flexibility to adapt these regulations to their specific cybersecurity needs and circumstances?
3. Is the committee not assuming the role of Big bro? (Business Autonomy Preservation, Regulatory Detail, Comprehensive Requirements)
Stay engaged, share your concerns, views, justifications and recommendations to ensure a safer and more secure digital future for all.
~Shaping the Future of CyberSecurity ~
_______________________________________________
On Mon, 18 Sept 2023, 17:04 Linda Wairure, <lindagichohi@gmail.com> wrote:
Thank you Counsel for the eye-opening feedback and very valid points. Indeed there is need for more public awareness and advocacy.
Echoing Barrack's sentiments, over-legislation might not be the best way to go. As a country, we need more emphasis on implementation of the already existing regulations and laws.
To follow up and expound on the same...
Dear Listers,
What are some of your concerns, justifications and recommendations on how governments can strike a balance between securing critical information infrastructure and ensuring the privacy and civil liberties of their citizens?
On Mon, 18 Sept 2023, 16:25 Faith Kisinga via KICTANet, <kictanet@lists.kictanet.or.ke> wrote:
_______________________________________________
Hi Linda,
Thanks for providing this opportunity. Indeed there’s need to create awareness on what this framework aims to do, to avoid leaving the public feeling overwhelmed.
These regulations are specifically aimed at the facilities, networks and systems, which if disrupted, would have a debilitating effect on national security, the economy, public health and safety. 16 critical infrastructure sectors are listed.
On 18 Sep 2023, at 15:58, Barrack Otieno via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Hi Linda,
I tend to think we are over legislating. Having moderated a session during this year's Communications Authority ICT Week, I learnt from GSMA that while the country has 98% Infrastructure Coverage, usage is a paltry 21%. The users account for 30% of the population and are mostly in urban centres. We need to pay attention so that we don't scare away the 70% based in rural areas who are mostly using feature phones. We should also have this in mind as we frame the laws so that we avoid a scenario where we respond to mosquito bites with a hammer.
Best Regards
On Mon, Sep 18, 2023 at 3:20 PM Linda Wairure via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
Can you provide examples of robust sector-specific cybersecurity regulations that have been successful? .......What are the potential drawbacks or challenges associated with trying to monitor all databases?
_______________________________________________
On Mon, 18 Sept 2023 at 04:54, Neema MASITSA <masitsaneema@gmail.com> wrote:
(l) Monitor all databases established for purposes of establishing their integrity and confidentiality for the attainment of the objectives of the Act and these Regulations.
Question:
Is this regulation realistic, and can it be effectively implemented?
My opinion is rather than to attempt to monitor all databases, we can focus on risk-based and sector-specific approaches to cybersecurity.
On Mon, Sep 18, 2023 at 10:12 AM Linda Wairure via KICTANet <kictanet@lists.kictanet.or.ke> wrote:
_______________________________________________
DAY 1: Monday 18/09/2023
Dear Listers,
Welcome to the inaugural day of our lively discussion and debate centered around the "Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrimes Management) Regulations 2023," put forth by the Cabinet Secretary for Interior and National Administration. https://nc4.go.ke/cmca-2018-draft-regulations/
We extend a warm invitation to all Stakeholders in the Digital Space to actively engage in this conversation, as your insights are not just valued but indispensable. Together, we aim to ensure that these regulations are not only well-informed but also in perfect alignment with the swiftly evolving realm of cyber security and digital technologies. Discover how they will impact your organization and be part of the conversation that will define the future of cyber security regulations. Your perspectives will help us shape and submit a more comprehensive and effective framework.
We shall also have a Twitter Space on Thursday to disseminate/validate the report before submitting it on Friday.
Feel free to share your insights, concerns, justifications and recommendations to shape these regulations effectively.
PART I - PRELIMINARY PROVISIONS
Objects of the Regulations
Section 3.
(a) Provide a framework to monitor, detect and respond to cyber security threats in the cyberspace belonging to Kenya;
(i) Promote coordination, collaboration, cooperation and shared responsibility amongst stakeholders in the cybersecurity sector including critical infrastructure protection
(g) Approve the identification and designation of critical information infrastructure
Question:
Is this sufficient to allow each government related cyber unit to operate efficiently without turf wars on who is more superior?
(l) Monitor all databases established for purposes of establishing their integrity and confidentiality for the attainment of the objectives of the Act and these Regulations.
Question:
Is this regulation realistic and can this be effectively implemented?
What are some of the data protection and privacy rights concerns that may arise from this regulation?
PART III - CYBERSECURITY OPERATIONS CENTRES
Section 13
13. (2) The cybersecurity awareness programme under paragraph (1) shall include the following topics—.....
Question:
Does this need to be this prescriptive? And what does this mean for emerging areas? How about emerging cyber threats?
13(3) The owner of critical information infrastructure shall in consultation with the Committee, review the cybersecurity awareness programme at least once every twelve months to ensure that the programme is adequate and that it remains up-to-date and relevant.
Question:
Is this a role for NC4? Review curriculum on infrastructure that it does not own. Any comments?
What are your views, justifications and recommendations regarding the following sections, and how do you interpret the regulations in question?
KICTANet mailing list -- kictanet@lists.kictanet.or.ke
To unsubscribe send an email to kictanet-leave@lists.kictanet.or.ke
Unsubscribe or change your options at: https://mm3-lists.kictanet.or.ke/mm/lists/kictanet.lists.kictanet.or.ke/
Mailing List Posts Online: https://posts.kictanet.or.ke/
Twitter: https://twitter.com/KICTANet/
Facebook: https://www.facebook.com/KICTANet/
Instagram: https://www.instagram.com/KICTANet/
LinkedIn: https://www.linkedin.com/company/kictanet/
YouTube: https://www.youtube.com/channel/UCbcLVjnPtTGBEeYLGUb2Yow/
KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation.
KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars
of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's
times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your
wares or qualifications.
KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
--
Barrack Otieno
Trustee
Kenya ICT Action Network (KICTAnet)
Skype: barrack.otieno
+254721325277