Proposed Kictanet’s input into Kenya’s Draft Cyber Security Strategy

Dear Listers

On March 14, the GOK through the ICT Authority released a 13 page draft Cyber Security Strategy (http://www.scribd.com/doc/212456939/GOK-National-Cybersecurity-Strategy).

We had considered conducting an online discussion on the draft as is usually the tradition, but this has not been possible. I therefore requested Victor Kapiyo to give us some initial thoughts that we can build on, and which will form part of our submission.

The deadline for submission is this coming Friday, March 28. We propose to send the comments by Thursday March 27, 2013.

I wish to kindly request you to add/subtract/amend by Thursday 1.00 pm (March 27, 2013).

General Comments

The strategy appears to be generic. It lacks specifics and glosses over several key issues:

· It lacks a detailed discussion of the current context - current statistics of internet usage, threats to the internet, key bodies, resolutions, policies, directives, key public concerns, challenges facing the country, current legal and policy framework for ICT etc.
· Lacks clear justification for the strategy.
· Fails to identify the key players/stakeholders/institutions in government, private sector, civil society – and their roles and responsibilities in addressing CS issues, how they will be involved and their coordination mechanisms.
· Does not provide reasons or demonstrate how and why the prioritized goals were arrived at/chosen.
· The actions under the goals are few and not SMART.
· It fails to discuss the current legal and policy framework to address CS on which it should be anchored.

Proposals/ Recommendations

The strategy should clearly articulate what the government intends to do, viz:

· Enhance protection and promotion of fundamental rights and freedoms in the Bill of Rights in particular on expression, media, participation, personal data and privacy,
· Promote the national values under article 10 of the constitution – rule of law, democracy, participation, good governance etc.
· Improve preparedness, rapid response and capabilities to respond - CERTs
· Improve cooperation with, clarify obligations, and manage roles and responsibilities of operators of critical infrastructure and key providers of on-line services, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, app stores.
· Improve transparency and accountability in the management of the net and CS
· Address public concerns over censorship / mass surveillance in a post-Snowden era
· Improve information sharing and cooperation - how should the info flow, which routes?
· Improve the reporting and publicity of cyber-security incidents to the relevant authorities
· Promote openness of the internet, GoK commitments under open government.
· Regulate - who is currently covered/who is responsible?
· Improve international cooperation and engagement with international instruments - EAC treaties, Budapest convention.
· Set standards and common minimum requirements for government bodies and market,
· Maintain the reliability and interoperability of the Internet,
· Promote research, innovation and development in CS,
· Improve governance of the internet,
· Promote access to the internet,
· Promote CS through strategic procurement,
· Improve the policy and legal framework on CS,
· Mainstream CS into national security agenda,
· Improve coordination of CS initiatives, and
· Facilitate training of law enforcement, judicial and technical personnel to address cyber threats.

Grace, Victor

Thanks for your input. The one thing that I would add is the mitigation of mass surveillance against the backdrop of international terrorism. Whilst this is an issue of personal freedom vis a vis the issue of national security we must have in place a mechanism to ensure that personal freedoms are not trampled on in the interest of individuals who clock the violations as necessary in the interest of national security.

Ali Hussein
+254 0770 906375 / 0713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
Blog: www.alyhussein.com

"I fear the day technology will surpass human interaction. The world will have a generation of idiots". ~ Albert Einstein

Sent from my iPad
On Mar 25, 2014, at 10:09 PM, Grace Githaiga <ggithaiga@hotmail.com> wrote:
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Thanks Ali. Noted.

CC: kictanet@lists.kictanet.or.ke
From: ali@hussein.me.ke
Subject: Re: [kictanet] Proposed Kictanet’s input into Kenya’s Draft Cyber Security Strategy
Date: Wed, 26 Mar 2014 03:32:15 +0300
To: ggithaiga@hotmail.com

Dear all,

I've looked through the draft and to be completely honest I do not think that this document is ready to be considered for adoption. Among others:

It is very scarce on *specific actions* that relate to implementation of strategy.
It does not *adequately identify* the key stakeholders and outline their roles, contributions towards the overall objectives/vision.
It does not set out how *resources are to be mobilized* towards achievement of specified goals/objectives.

Please take a look through cyber security strategies that have been developed by other countries (India and Hungary are good examples) at the following link: https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-se...

Even a simple benchmarking exercise from the above link would have led to a better initial draft.

Let us not make ourselves look incompetent by passing this current document. We are far from what can be considered a solid strategy paper. More work is needed on this.

I propose that the timelines related to completion of this document be extended to allow more thorough work. The team that has come up with this needs to be modified/expanded to include others who can bring in better strategic input.

my two cents,
Mblayo

On Wed, Mar 26, 2014 at 8:09 AM, Grace Githaiga <ggithaiga@hotmail.com> wrote:

Mblayo

Noted and forwarded to ICTA.

Rgds
Grace

Date: Fri, 28 Mar 2014 15:05:29 +0300
Subject: Re: [kictanet] Proposed Kictanet's input into Kenya's Draft Cyber Security Strategy
From: blongwe@gmail.com
To: ggithaiga@hotmail.com
CC: kictanet@lists.kictanet.or.ke
participants (3)
- Ali Hussein
- Brian Munyao Longwe
- Grace Githaiga