Why State wants MPs to pass draft cyber crime regulations

The government will be able to monitor, detect, prevent, respond and investigate cyber threats, computers and cybercrimes in the country should parliament pass proposed new regulations from the Ministry of interior.

The Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrimes Management) regulations 2024, seek to form a National Cybersecurity Operations center will be able to cooperate with computer incident response team through sharing intelligence to inform response to cyber incidents as well as receive real time information on cyber threats and incidents from cyber security operation centers.

The costs of operating each sector, the regulations says will be borne by the regulator of the respective sector.

The regulations expected to be discussed when parliament resumes sittings next week also seek to help the government to be able to detect possible threats, share information as well as conduct joint exercises and training of cybersecurity operations centers.

Timely reporting

The Cybersecurity center will also be required to report to the National Computer and Cybercrime Coordination committee on all cyber incidents reported by the centers as well as facilitate cooperation of the committee with sectors cybersecurity operations.

The Cybersecurity Operations will also be able to utilize threat intelligence from internal and external sources to enhance its situational awareness and response capabilities.

Adds the regulations: “A national cybersecurity operations center shall facilitate the implementation of standards operating procedures formulated by the committee to guide the operations of the cyber security centers.”

The new regulations comes weeks after Interior Cabinet Secretary Kithure Kindiki gazzetted controversial preacher Paul Makenzie’s Good News International Ministries as an organised criminal group.

The CS in gazette a notice said the declaration is in accordance with Section 22(1) of the Prevention of Organised Crimes.

He explained that the move is part of the government’s efforts to deal with organised criminals that have taken up the Kenyan space.

Interior Principal Secretary Raymond Omollo who had appeared before the departmental committee on Administration and Internal Security to appraise on the regulations  said there is a need for the said regulations to be -passed to protect Kenyans from further cyber-attacks

He said: “These regulations emanated from various stakeholder engagements on cyber security and we need to have them operationalized as soon as possible.”

Surveillance and analysis

The regulations also seeks to create a Critical Information Infrastructure Cybersecurity Operations Center that shall be able to provide real time information on cyber threats and incidents to the National Cybersecurity Operations Center and Sector Operations Centers  as well as collaborate with relevant agencies on cyber threats surveillance and analysis.

Adds the regulations: “the critical information infrastructure cybersecurity operations center will also have the requisite capability to detect, monitor, prohibit, prevent, respond and investigate cyber threats, computer and cybercrimes in the concerned organization.”

The Critical Information Infrastructure Cybersecurity Operations Center will also be responsible for incidents detection, analysis and response in the organisation.

The owner of a critical information infrastructure, the regulations says will be expected on an annual basis to conduct a cyber-risk assessment and business impact analysis for all relevant activities including products, services, business functions and processes.

Every organisation will be required to undertake a risk assessment within 12 months from the date of the commencement of the said regulations.

The Cyber risk assessment will also have powers to assess and prioritize potential risks and evaluate potential impact and probability of their occurrence as well as analyse and evaluate any dangers that may result from operating systems with any deficiencies discovered during the risk assessment exercise.

Reads the regulations: “The cyber risk assessment of an organization shall identify potential internal and external threats including single points of failures that may cause disruption of critical activities.”