Kenya s Presentation to CAFRAD Conference of ICT Security and Defence Experts Tangier, Morocco, June 2014

Transcription

1 Kenya s Presentation to CAFRAD Conference of ICT Security and Defence Experts Tangier, Morocco, June July 2014 RESTRICTED 1

2 ICT as a Modern Solution Security Threats, Early Detection and Prevention of Crimes. Kenya s National Cyber Security Framework By Lt. Col. Hans Nyange, KMOD... 1 July 2014 RESTRICTED 2

3 SITUATION OVERVIEW A Brief Look Back: The Emergence of Kenya in the ICT Map ICTs have assumed a highly strategic role in the development of the Kenyan economy in the current millennium Between the years 2000 and 2012, the country's wider transport and communications sector, of which ICT is a part of, grew by a Compounded Annual Growth Rate (CAGR) of 7.7 percent, outperforming all other sectors of the national economy Estimates indicate that ICT spending in Kenya has surged considerably over the past five years, growing from 8.9% of gross domestic product (GDP) in 2006 to an estimated 12.1% of GDP in July 2014 RESTRICTED 3

4 SITUATION OVERVIEW Cont d The enactment of the Kenya Communications Act in 1998, which introduced competition in the mobile communications sector and liberalized the larger telecommunications market, was the critical catalyst that triggered the country s ICT development - in 1999, prior to the issuance of the first two mobile licenses, there were only 15,000 mobile subscribers throughout the country The landing of four undersea fiber optic cables (TEAMs and SEACOM in 2009, EASSy in 2010 and Lion-2 in 2012) brought an additional capacity to the country, resulting in faster connectivity rates As of September 2013, there were 31.3 million mobile subscribers in Kenya, equating to a mobile penetration rate of 76.9 percent Approximately 19.1 million Kenyans now have access to the Internet, equating to a penetration rate of 47.1 percent 1 July 2014 RESTRICTED 4

5 SITUATION OVERVIEW cont d A Brief Look Back: Government of Kenya (GoK) Initiatives; It is important to note that the development of ICTs in Kenya has been brought about by the Government s (GoK) efforts, through the Ministry of Information and Communication Technologies (MoICT), in encouraging investments in Internet Infrastructure ICT has been recognized, in Kenya s Vision 2030, as one of the enablers in achieving transformation into a middle-income country providing high quality life to all citizens i.e. the use of ICT provides government, the private sector and other stakeholders with an efficient and timely means of delivering essential services to their stakeholders With the landing of the undersea fiber optic cables (FOC) along the coast of Kenya and the rollout of the National Optic Fiber Backbone Infrastructure (NOFBI), Internet use has exploded and is expected to grow exponentially 1 July 2014 RESTRICTED 5

6 SITUATION OVERVIEW cont d Internet social networking tools such as blogs, Facebook and Twitter, amongst others, have gained popularity throughout the country, and coupled with the ease of access to such services, has led to the proliferation of communities of interest with global membership thus presenting convenient channels through which cyber criminals can reach unsuspecting users Towards this end, cybersecurity has become a global concern and a key item in the information agenda of many countries and various international fora Kenya has recognized this and, as a result, has facilitated the development of a national cybersecurity management framework 1 July 2014 RESTRICTED 6

7 SITUATION OVERVIEW cont d The cybersecurity management framework incorporates the Kenya Information and Communications Technology Sector Policy of 2006, the Kenya Information and Communications Act of 1998 and the Kenya Information and Communications (Electronic Certification and Domain Name Administration) Regulations of 2010 (KICR 2010), the relevant provisions of international cybercrime conventions - including the proposed draft African Union Convention on Cybercrime, among other legal instruments Cybercrime management requires collaboration with various stakeholders including law enforcement, various government agencies, military, the private sector and academia, among others In this regard, GoK has established a collaboration framework through the setup of a national computer incident response team (CIRT) 1 July 2014 RESTRICTED 7

8 SITUATION OVERVIEW cont d Looking Ahead: ICT's role in the future of Kenya; For Kenya to achieve the full benefits of ICT, three focus areas have been identified as key strategic pillars as part of its National ICT Master Plan These three pillars are in-line with the Vision 2030 roadmap to transform the country into a modern, globally competitive, middle income nation offering a high quality of life for all citizens, as well as the Jubilee Government Manifesto s vision of leveraging ICTs to propel Kenya into Africa s high-tech capital and create a Silicon Savannah 1 July 2014 RESTRICTED 8

9 SITUATION OVERVIEW cont d The first pillar of the ICT Master Plan covers the domain of e-government services, by seeking to ensure that the provision of e-government information and services support national efforts to improve productivity, efficiency, effectiveness and governance The second pillar is ICT as a driver of industry, which aims at transforming key economic sectors, and Small and Medium Enterprises (SMEs), in particular, through ICT; and The third pillar is developing Kenyan ICT businesses to deliver exportable quality products and services that are comparable to the best in the world, which will in turn help to develop a thriving local ICT sector 1 July 2014 RESTRICTED 9

10 KENYA NATIONAL CYBERSECURITY FRAMEWORK Kenya s national cybersecurity framework (NCSF) aims at enhancing the security of Kenya s cyber space and creating confidence in the use and adoption of ICTs in Kenya The NCSF consists of the following: The National Cybersecurity Strategy (NCS) The National Public Key Infrastructure (NPKI) and its licensing regime, the Electronic Certifications Service Provider (E-CSP) The National Kenya Computer Incident Response Team - Coordination Centre (KE- CIRT/CC) The current NCSF was launched on 24 June 2014, at the Communications Authority of Kenya (CAK) grounds, Nairobi The objective of the launch was to formally present the reviewed NCSF to the public in order to create awareness of the Government s efforts towards the management of cyber crime 1 July 2014 RESTRICTED 10

11 THE NATIONAL CYBERSECURITY STRATEGY Kenya s MoICT has undertaken the task of spearheading the process of developing the national cybersecurity strategy (NCS) and has since invited stakeholders and all Kenyans in general to participate in the review of the draft strategy The NCS defines Kenya s cybersecurity vision, key objectives, and ongoing commitment to support national priorities by encouraging ICT growth and aggressively protecting critical information infrastructure The NCS covers the following: GoK regulatory, policy and legal framework GoK cybersecurity governance maturity analysis NCS goals Development impacts and key benefits 1 July 2014 RESTRICTED 11

12 THE NATIONAL CYBERSECURITY STRATEGY cont d The GoK Regulatory, Policy, and Legal Framework essential inputs include: Analyzing GoK s baseline cybersecurity governance model Analyzing GoK s baseline cybersecurity governance model Evaluating GoK s cybersecurity maturity Highlighting national cybersecurity master plan considerations from other nations; and, Providing recommendations for a GoK Regulatory, Policy, and Legal Framework that; Identify needed laws, regulations, and policies Define governance roles and responsibilities Prescribe measures to secure critical cyber infrastructure in the public and private sectors Involve the private sector in policy development Facilitate international cooperation Define and protects against cybercrime Balance information security and privacy considerations; and, Promote secure online transactions through trusted identities 1 July 2014 RESTRICTED 12

13 THE NATIONAL CYBERSECURITY STRATEGY cont d The NCS proposes Cybersecurity governance as follows: The National Security Advisory Council (NSAC); This is the overall committee that is chaired by the Head of Public Service and draws membership from various GoK ministries and agencies whose functions relate to national security and reports to the National Security Council (NSC), which is chaired by the President of the Republic of Kenya The National Cyber Security Committee (NCSC); The NCSC provides policy over-sight and advice on cybersecurity issues The NCSC comprises of the Principal Secretaries (PSs) and CEO s of relevant GoK ministries, agencies and parastatals, and reports to NSAC The NCSC is chaired by the PS MoICT 1 July 2014 RESTRICTED 13

14 THE NATIONAL CYBERSECURITY STRATEGY cont d The National Kenya Computer Incident Response Team - Coordination Centre (KE- CIRT/CC) Cybersecurity Committee (NKCC); The National KE-CIRT/CC Cybersecurity Committee (NKCC) main purpose is to participate in the implementation of the National KE-CIRT/CC and facilitate coordination and collaboration in the response to Cybersecurity incidents, among other cyber-crime management activities The NKCC reports to the NCSC The NKCC is chaired by CAK and draws its membership from the MoICT, ICTA, law enforcement, the Directorate of Public Prosecutions (DPP), public utility service providers, Internet Service Providers (ISPs), telecommunication operators, academia, the banking/financial sector, among others 1 July 2014 RESTRICTED 14

15 THE NATIONAL CYBERSECURITY STRATEGY cont d Strategic Goals: To promote the Government s commitment to cybersecurity, the Strategy includes four strategic goals; Enhance the nation s cybersecurity posture in a manner that facilitates the country s growth, safety, and prosperity Build national capability by raising cybersecurity awareness and developing Kenya s workforce to address cybersecurity needs Foster information sharing and collaboration among relevant stakeholders to facilitate an information sharing environment focused on achieving the Strategy s goals and objectives Provide national leadership by defining the national cybersecurity vision, goals, and objectives and coordinating cybersecurity initiatives at the national level 1 July 2014 RESTRICTED 15

16 THE NATIONAL PUBLIC KEY INFRASTRUCTURE The National Public Key Infrastructure (NPKI) project is coordinated by MoICT in collaboration with CAK and ICTA A PKI refers to a system for the creation, storage and distribution of digital certificates which are used to verify that a particular public key (online identity) belongs to a certain entity A PKI is a technical infrastructure that comprises of a Root Certification Authority (RCA) and a Certification Authority (CA), referred to as an Electronic Certification Service Provider (E-CSP) in Kenya s legal and regulatory framework The PKI creates a framework for protecting communications and stored information from unauthorized access and disclosure by addressing the fundamentals of Cybersecurity - confidentiality, integrity, authentication and non-repudiation A PKI is, therefore, key to the rollout of e-transaction services 1 July 2014 RESTRICTED 16

17 THE NATIONAL PUBLIC KEY INFRASTRUCTURE cont d The Kenya Information and Communications Act of 1998 mandates the CAK to issue a licence to a person operating an Electronic Certification Service through a licensing framework for E-CSPs Kenya s NPKI comprises of a Root Certification Authority (RCA), which is managed by CAK, as a regulatory function, and the Government Certification Authority (GCA), an E- CSP managed by ICTA The NPKI is instrumental towards the effectiveness of the licensing of E-CSPs by ICTA since a licensed E-CSP must be accredited by the RCA for its digital certificates to be globally recognized and trusted Other countries within Africa who have deployed an NPKI include Cameroon, Mauritius, Algeria, Tunisia and Rwanda 1 July 2014 RESTRICTED 17

18 KENYA COMPUTER INCIDENT RESPONSE TEAM - COORDINATION CENTRE (KE-CIRT/CC) The National KE-CIRT/CC was established in October 2012 with the technical assistance of the International Telecommunication Union (ITU) through the International Multilateral Partnership Against Cyber Threats (IMPACT) program KE-CIRT/CC is Kenya s national cybersecurity trusted point of contact and is mandated with offering advice on cybersecurity matters nationally and coordinating responses to cyber incidents in collaboration with relevant stakeholders locally, regionally and globally The functions of KE-CIRT/CC include: Offering advisories on cybersecurity matters and coordinating cyber incidents responses, in collaboration with relevant actors locally, regionally and internationally Acting as the national trusted point of contact for information security matters Gathering and disseminating technical information on computer security incidents Carrying out research and analysis on computer security Capacity building in information security and creating and maintaining awareness on cybersecurity-related activities Facilitating the development of NPKI, among others 1 July 2014 RESTRICTED 18

19 KENYA COMPUTER INCIDENT RESPONSE TEAM - COORDINATION CENTRE (KE-CIRT/CC) cont d KE-CIRT/CC collaborates with various stakeholders as follows: National Level; Collaboration with various stakeholders in cybercrime management through NKCC i.e. law enforcement agencies, ICTA, ISPs, telecommunication operators, academia, the banking/financial sector, among others Acting as the point of contact for local sector computer Incident response teams (CIRTs) including law enforcement sector CIRT, e-government sector CIRT, ISPs/Telkom Operators sector CIRT, academia sector CIRT, banking/financial sector CIRT, among others Regional Level; Collaboration with the other East African national CIRTs under the East Africa Communications Organization (EACO) Cybersecurity Working Group which is chaired by Kenya 1 July 2014 RESTRICTED 19

20 KENYA COMPUTER INCIDENT RESPONSE TEAM - COORDINATION CENTRE (KE-CIRT/CC) cont d At the Global Level; Collaboration with ITU) through the IMPACT program Collaboration with national CIRTs in jurisdictions outside of East Africa such as the US-CERT and the Japanese CERT (JP-CERT), among others. Collaboration with the Forum for Incident Response and Security Teams (FIRST), an international confederation of trusted CIRTs who cooperatively handle computer security incidents and promote incident prevention programs Cyber crime incidents can be reported to KE-CIRT/CC through: Web portal: cirt@ke-cirt.go.ke Tel: /446 or /446; Fax: A letter addressed to:`director-general, Communications Authority of Kenya, P.O. Box 14448, Nairobi 00800, KENYA 1 July 2014 RESTRICTED 20

21 GROUP PRESENTATION/CASE STUDY ICT and Modern Criminality in Africa Cause or Cure: ICTs have contributed immensely to both causes and cures of modern criminality in Africa modern as opposed to traditional criminality that did not involve use of technology; Al Shabaab / Al Qaida Case Study: Spread ideology through internet websites e.g. Twitter Conduct recruitment and financial transactions Conduct trainings and convey instructions as part of command and control (C2) Implement plans and execute attacks Efficient Technologies: Soft Technologies; Information based technologies e.g. GIS mapping, PKIs for online transactions, GPS tracking, Data sharing and analysis, Finger print identification software Hard Technologies; Material based technologies e.g. CCTV monitors, Computers, Biometrics scanners, GPS bracelets and Data Centers 1 July 2014 RESTRICTED 21

22 CLARIFICATIONS 1 July 2014 RESTRICTED 22