Parliament approves new cybersecurity regulations

Law enforcement agencies will provide platforms for anonymous reporting to allow any person to disclose useful information relating to cyber incidents or crimes.

The National Assembly has approved the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations of 2024, which enhance the enforcement of the laws established in 2018.

These new regulations will boost the security apparatus to ensure the Computer Misuse and Cybercrimes Act, 2018, signed into law by former President Uhuru Kenyatta, is fully implemented. 



Among the objectives of the new regulations are the establishment of a framework for monitoring, detecting, and responding to cybersecurity threats within Kenya's cyberspace and the creation of a structure for the setup and administration of cybersecurity operations centres.

Through these centres, the government will protect, preserve, and manage critical information infrastructure and also coordinate the collection and analysis of cyber threats. 

The establishment of the Cybersecurity Operations Centres will act as a roadmap to address new challenges and emerging threats to cyber domains.

According to the regulations, the cybersecurity centres will include the National Cybersecurity Operations Centre, Sector Cybersecurity Operations Centres and Critical Information Infrastructure Cybersecurity Operations Centres. 

A National Cybersecurity Operations Centre will be the national focal point for monitoring, detecting, preventing, responding to, investigating, and attributing cyber threats and computer and cybercrimes in Kenya.

These organisations will function under the oversight of the National Computer and Cybercrimes Coordination Committee, which consists of senior officials from different government bodies.

The committee will collaborate with computer incident response teams by exchanging threat intelligence to enhance responses to cyber incidents and will also receive real-time information on cyber threats and incidents from the Cybersecurity Operations Centres.

Meanwhile, owners of important computer systems must create a programme to help everyone using, running, or overseeing those systems understand cybersecurity better under the regulations. 

The programme should teach about cybersecurity, how to spot and report strange behaviour, what to do during an emergency, and how to handle insider threats.

Owners of crucial computer systems can boot out anyone who accesses sensitive information without permission, or who is allowed in but breaks the rules and refuses to follow them.

The regulation adds that the basis for reporting cyber threats should be to give useful information or complaints that could lead to investigations and legal actions, to identify cybercrime threats against citizens and organisations, and to establish a channel of communication between citizens, including victims, witnesses to cybercrime, and law enforcement agencies.

Critical information infrastructure owners are mandated to report any cybersecurity incidents to the respective Sectoral Cybersecurity Operations Centre within a strict timeframe of 24 hours from the time they become aware of the incident.

Law enforcement agencies will provide platforms for anonymous reporting to allow any person to disclose useful information relating to cyber incidents or crimes, like the interruption of a life-sustaining service, including the supply of water and health services.

Anonymous reporting will also include reporting of an adverse effect on the economy or an event that would result in massive casualties or fatalities.

The Computer Misuse and Cybercrimes Act was signed into law to curb the spread of fake news. Under the law, a person who intentionally publishes false, misleading, or fictitious data or misinforms with the intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding Sh5 million or to imprisonment for a term not exceeding two years, or to both.

It also imposes stiff penalties on computer forgery and espionage, with jail terms exceeding 20 years, fines of not more than Sh10 million, or both.
