Presentation

ITU Workshop on “ICT Security Standardization
for Developing Countries”
(Geneva, Switzerland, 15-16 September 2014)
Overview of Kenya’s Cybersecurity Framework
Michael K. Katundu
Director, Information Technology
Communications Authority of Kenya (CA)
katundu@ca.go.ke
Geneva, Switzerland, 15-16 September 2014
The Nature of the Internet
Anonymity on the Internet drives the
tendency towards abuse.
“On the Internet, nobody knows who really is on the
other end”
The Nature of the Internet …
The Nature of the Internet …
Uses of the Internet
Uses of the Internet …
Uses of the Internet …
What is Cybersecurity?
Cybersecurity is also referred to as
Information Technology (IT) Security.
The protection of computers, networks,
programs and data from unintended or
unauthorized access, change or
destruction.
Why is Cybersecurity a global
concern?
Governments, military, corporations, financial
institutions, hospitals and other businesses
collect, process and store a great deal of
confidential information on computers and
transmit that data across networks to other
computers.
With the growing volume and sophistication of
cyber attacks, ongoing attention is required to
protect sensitive business and personal
information, as well as safeguard national
security.
Examples of Cyber attacks
Hate messages: Propagated through the
Internet, Computers, Mobile phones, tablets
Common in Kenya especially during the
electioneering period
Examples of Cyber attacks …
Distributed Denial of Service (DDOS)
Examples of Cyber attacks …
Phishing scams: Kenyan banks have been
targeted.
Examples of Cyber attacks ...
Website Defacement:
103 GoK Websites defaced in 2013
3 Government Websites defaced in 2014
Government Twitter accounts hacked in 2014
Examples of Cyber attacks …
Espionage: Stealing a country’s/company
secrets.
Examples of Cyber attacks …
SPAM email: This is a global problem.
Why Cybersecurity Agenda in Kenya?
WSIS: Governments have a role to Promote
Confidence and Trust in the use of ICTs.
The landing of four undersea fiber optic cables
(TEAMs and SEACOM in 2009, EASSy in 2010
and Lion-2 in 2012) brought an additional
capacity to the country, resulting in faster
Internet connectivity rates and growth in
Internet usage.
The country is increasingly becoming
dependent on computer networks and
information infrastructure, and that
dependency is growing.
Why Cybersecurity Agenda in Kenya? …
In Kenya there are:
31.3 M mobile subscribers in (77% penetration).
26M mobile money subscribers (65% penetration).
21M Internet users (53.3% penetration).
Internet Social Networking tools such as blogs,
Facebook and Twitter, amongst others, have gained
popularity throughout the country.
Kenya Cybersecurity Report 2014 by TESPOK and
SERIANU: In 2013 the rate of increase of Cybersecurity
attacks is 108% (2.6M to 5.4M attacks).
The Boderless nature of the Internet.
Kenya’s Policy and Legal framework
in Cybersecurity
VISION 2030
ICT Sector Policy
Kenya
Information &
Communications
Act of 1998
National
Cybersecurity
Strategy (NCS)
The Kenya Computer Incident
Response Team – Coordination Centre
(National KE-CIRT/CC)
A technical means of management of Cyber
attacks.
Implemented by the Communications
Authority of Kenya in Oct. 2012.
ITU/IMPACT, under the GCA, provided
technical support.
Has speeded up resolution of cyber attacks.
Consulting with the ITU to upgrade the
operations of the National KE-CIRT/CC.
Functions of the National KE-CIRT/CC
Establish
Collaboration
(National,
Regional &
International)
on
Cybersecurity
Research &
Development
(R&D) on
Cybersecurity
Implement
National
Cybersecurity
Policies, Laws &
Regulations
Cybersecurity
Awareness &
Capacity Building
at the National
Level
National KECIRT/CC
Technical
Co-ordination &
Response to
Cybersecurity
Incidents
Development &
Implementation
of a National
Public Key
Infrastructure
(NPKI)
Early Warning &
Technical
Advisories
National KE-CIRT/CC Collaboration
National,
Regional &
International
CIRTs &
Organizations
(FIRST)
The Law
Enforcement
Agencies
Directorate of
Public
Prosecutions
(DPP)
National KECIRT/CC
Academia
Mobile Telecom
Operators & ISPs
Financial
Institutions
How to report Cyber attacks in
Kenya
CA
Website:
http://www.ca.go.ke
(Information Security);
National KE-CIRT/CC website:
http://www.ke-cirt.go.ke;
Email: incidents@ke-cirt.go.ke; or
Telephone, a letter or by visiting CA.
The National
Public Key Infrastructure (NPKI)
Coordinated by the Communications
Authority of Kenya (CA) in
collaboration with the Kenya’s Ministry
of ICT.
National KE-CIRT/CC project.
To ensure Confidentiality, Integrity
and non-repudiation and operate
under the Kenyan law.
The National
Public Key Infrastructure (NPKI) …
Root Certification Authority (RCA)
Technical Standards
Development
Awareness Creation
& Capacity Building
Licensing & Accreditation of
E-CSPs
International
Co-operation
Government-owned E-CSP
Private-owned E-CSPs
To issue Digital Certificates
To issue Digital Certificates
Key: E-CSP: Electronic Certification Service Provider licensed by the Communications
Authority of Kenya (CA) to issue Digital Certificates (Internet IDs).
Conclusions and Recommendations
Put in place relevant
Policies, Laws and
Regulatory
frameworks.
Implement a National
CIRT to be the
country’s Trusted Point
of Contact.
Encourage
implementation of
sector CIRTs to
support the National
CIRT.
Geneva, Switzerland, 15-16 September 2014
Create awareness
and capacity building
in Cybersecurity.
Put in place National,
Regional and
international
collaborations/partne
rships for effective
management of cyber
attacks.
Implement National
Public Key
Infrastructure
(NPKI).
25
Thank You
Email: katundu@ca.go.ke