Securing ICT resources needs, first and foremost, a change of attitude.

Many a time we buy new cars or spend money to set up nice apartments, but we never really sit and consider how to protect what we invest in.

From my experience, security concerns are always the elephant in the room which everyone pretends does not exist.

Just to give a few examples:

>Many service providers, who are meant to be the first line of defense, have insecure networks which are so easy to penetrate. The firewalls might have been deployed at the core, yes, but many have their access devices, i.e. switches, on people's rooftops and in cabinets in MDFs with ports easily accessible. All one needs is to go there dressed as a legitimate employee and you have an easy walk across the data of the customers.

>Just as we take for granted our own physical security (many don't even know the name of their kid's school driver and how well trained he is), so is the case with our own ICT networks. We choose to think in terms of, "it only happens to the others and not me".

Once we start changing the attitude, everything else starts falling into place.

We are yet to become victims of serious cyber hackers like Sony Pictures and the USA government. This is the time to proactively engage in self-defense while we are not being kept busy.

My 50 cents.


On Tue, Jul 21, 2015 at 4:52 PM, Grace Mutung'u (Bomu) via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Thank you everyone for the enriching contributions. Without cybersecurity, users cannot be assured when transacting online. A special mention to the security experts who have interesting and practical views on the cybersecurity issues. We may need to seek more information from those in bodies such as ICTA, from experts who helped to set up the systems as well as from the private sector. It would be interesting to hear how banks achieve security, especially with Internet and mobile banking.

The issue of mobile money payments will be part of our discussion tomorrow as we tackle "the Internet Economy". 

The discussions on all the topics remain open so please continue on. We shall pick all the recommendations and suggestions and present them to stakeholders during the IGF. Hopefully, some of them will find their way into policy and use in our institutions. 

Once again thank you. 

Regards, 
Grace

2015-07-21 18:11 GMT+03:00 Lesley Leposo via Security <security@lists.my.co.ke>:
@fredrick
Good point.
I can see why they would use open source software, other than it being free.
But, my point of view only makes sense if the GOK, businesses and universities also fostered/sponsored some (moderately) experienced COMODO tinkerers/hackers.

On Jul 21, 2015, at 5:55 PM, fredrick Wahome via Security <security@lists.my.co.ke> wrote:

This far we can say they have tried, but one thing I don't understand with government systems is the implementation. Is it that hard, or is there some laxity? With PKI in place most departments are still using FREE systems like COMODO. But again, as a loyal citizen, I stopped complaining and am just doing the bit I can, even if it's sharing information.

On Jul 21, 2015 5:29 PM, "Mwendwa Kivuva via Security" <security@lists.my.co.ke> wrote:
Sorry, here is the website for the Certifying Authority for Kenya's PKI: http://www.govca.go.ke/#

______________________
Mwendwa Kivuva, Nairobi, Kenya

"There are some men who lift the age they inhabit, till all men walk on higher ground in that lifetime." - Maxwell Anderson


On 21 July 2015 at 16:56, Mwendwa Kivuva <Kivuva@transworldafrica.com> wrote:
Hosea Kandie and Fredrick Wahome have raised very important points on institutional frameworks. I just wanted to share the National PKI website, which has a tonne of information on what Kenya has done in that regard: http://www.ke-cirt.go.ke/index.php/services/national-pki/

Here is a copy-paste from the home page:

Kenya’s National Public Key Infrastructure (NPKI)

The National Public Key Infrastructure (NPKI) project is coordinated by the Ministry of ICT in collaboration with the Communications Authority of Kenya (CA) and the ICT Authority (ICTA).

A Public Key Infrastructure (PKI) refers to a system for the creation, storage and distribution of digital certificates which are used to verify that a particular public key (online identity) belongs to a certain entity. A PKI is a technical infrastructure that comprises a Root Certification Authority (RCA) and a Certification Authority (CA), referred to as an Electronic Certification Service Provider (E-CSP) in Kenya's legal and regulatory framework. The PKI creates a framework for protecting communications and stored information from unauthorized access and disclosure by addressing the fundamentals of cyber security: confidentiality, integrity, authentication and non-repudiation. A PKI is key to the rollout of e-transaction services.

The Kenya Information and Communications Act, 1998, mandates the Communications Authority of Kenya (CA) to issue a license to a person operating an Electronic Certification Service. In this regard, the Communications Authority of Kenya (CA) has developed a licensing framework for Electronic Certification Service Providers (E-CSPs).

Kenya's National PKI comprises a Root Certification Authority (RCA), which is managed by the Communications Authority of Kenya (CA) as a regulatory function, and the Government Certification Authority (GCA), an E-CSP which is managed by the ICTA. The NPKI is instrumental to the effectiveness of the licensing of Electronic Certification Service Providers (E-CSPs) by the Communications Authority, since a licensed E-CSP must be accredited by the RCA for its digital certificates to be globally recognized and trusted.

The ICT Authority (ICTA), which is the body responsible for the management of mainstream government ICT services, operates the GCA. Other interested stakeholders who may be issued with an E-CSP license on application include the banking sector and academia.

The benefits of a National PKI include:
i.    Locally available and cheaper digital certificates/signatures; and
ii.    Operations and services that are within Kenyan law (jurisdiction), among others.

______________________
Mwendwa Kivuva, Nairobi, Kenya

"There are some men who lift the age they inhabit, till all men walk on higher ground in that lifetime." - Maxwell Anderson


On 21 July 2015 at 11:02, fredrick Wahome via Security <security@lists.my.co.ke> wrote:
The fact that there is high internet penetration in Africa / Kenya, where an average of one user in every five has access to affordable internet, has created an enabling environment for cyber-criminals.

By the nature of cyberspace, the perpetrators of cyber-crime remain ubiquitous. This necessitated a need for legislation to control crime, and to provide confidence and security in African cyberspace, leading to the drafting of the Africa Union Convention on Cybersecurity (AUCC). But some groups like CIPIT and civil society opposed the convention on the grounds that it was prepared without their input. Their main argument is that the convention did not make enough provisions to protect privacy and freedom of speech.

Member States have to undertake necessary measures to encourage the establishment of institutions that exchange information on cyber threats and the evaluation of vulnerabilities, such as a Computer Emergency Response Team (CERT). Kenya has at least done something on this by establishing KE-CIRT at CA. There is also a masterplan and PKI in place, though there have been implementation challenges. We will note that most government departments have not yet established cybersecurity departments, and this leads to low / lack of budgetary allocation.

In summary, government bodies, policy networks, scholars, the media, technology experts and the people need to engage in a global conversation that will help demystify cyber-crime and define what it consists of and how cyber-criminals should be dealt with.

The role of the media (television, blogs, online news outlets and more) is critical in the process of educating the public and engaging in a conversation, as they will be the mediators and curators of information and discourse on the issue. Thus, a concise and sensible approach, devoid of fear-mongering and shock practices, should be followed. We all remember how recently the media has mishandled cyber crime news without a very sober, deep analysis.

Since this is an international issue, governments and policy networks across the world have to come together and discuss openly what is better for their citizens. Something like the AUCC is a positive move by African states.

Scholars and academics can provide valuable expertise on technological, psychological, ethical and other issues, while highlighting any misgivings by those involved in the process. At least Strathmore has tried on this.

The people in their local communities, families and social networks should help and train each other to increase their peers' level of Internet literacy and highlight the advantages of the web. A higher Internet literacy level can help people protect themselves even better by taking simple security measures, such as using anti-virus software and identifying potential risks or scams in their online financial transactions. More is needed from the technology community to provide awareness to end users, even if through pro bono programs.

The technology community needs a unity of purpose. Looking at programmers / developers, DBAs, network admins and infosec, there has been a lack of proper coordination. Developers are working hard to prove that their products can't be broken. Infosec, on the other hand, are working so hard to prove to the blue team / developers that they can break their products. In the end no one benefits from such a contest. Many technical conferences / seminars should be encouraged to enable sharing of information / knowledge in the local technology community.

Great day comrades.
On Tue, Jul 21, 2015 at 9:28 AM, Stephen Munguti via Security <security@lists.my.co.ke> wrote:
Hello all,

I think most of our security concerns stem from internal users, and this is the reason many banks and telcos refuse to part with this information. I could be wrong though.

On Tue, Jul 21, 2015 at 8:58 AM, Grace Mutung'u (Bomu) via skunkworks <skunkworks@lists.my.co.ke> wrote:

Dear Listers, 


Kenya has had its fair share of high profile cyber threats, hacking etc., the latest being the alleged compromise of the IFMIS system at NYS/Ministry of Devolution. The country, and Africa at large, is making efforts to assure cyber-security. These include, among others, her involvement in the Africa Union Convention on Cybercrime and a proposal for a Cybercrime law, an initiative led by the Office of the Director of Public Prosecutions. Significant financial resources have also been earmarked by government for security, and cyber security in particular. There are also partnerships between government and the private sector in deploying cybersecurity centres.

The private sector has employed practical measures to protect their businesses. However, businesses such as mobile money providers and banks have been shy to divulge their cyber security concerns to protect their interests.

Civil society on the other hand has raised concern about the line between protecting the cyber space and creating a facilitative environment for innovators as well as protecting the rights of users.


Are our efforts at deterring cyber-crime the correct way to assure cyber security? Are fears about a partnership between government and private sector and the general fears about stifling innovation and human rights in the name of cybersecurity legitimate? Are there other practical approaches that different stakeholders can take to enhance cyber security? 


Over to you. 


--
Grace L.N. Mutung'u
Nairobi Kenya
Skype: gracebomu
Twitter: @Bomu

<http://www.diplointernetgovernance.org/profile/GraceMutungu>


_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke



--

Best Regards,
Stephen Munguti.

+254720425104

_______________________________________________
Security mailing list
Security@lists.my.co.ke
http://lists.my.co.ke/cgi-bin/mailman/listinfo/security



--

Kind Regards,

Fredrick Wahome Ndung'u
Team Leader
Secunets Technologies Ltd
Website: www.secunets.com
Cell: +254725264890
Email: fred@secunets.com
Facebook: secunetstech
Twitter: @secunets
Skype: secunets.technologies
Experts in:
Domain Registration, Web Hosting, Open Source Solutions, Information Security & Training,
Digital Forensic Investigations, Web 2.0 Applications & I.C.T Consultancy.

"Secure Business Technology"






--
Grace L.N. Mutung'u
Nairobi Kenya
Skype: gracebomu
Twitter: @Bomu

<http://www.diplointernetgovernance.org/profile/GraceMutungu>


_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet


The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.