In 2023, the eCitizen platform—Kenya’s gateway to vital government services—was crippled by a cyberattack, disrupting millions of lives and highlighting critical weaknesses in the nation’s digital defenses. This incident was a wake-up call: as Kenya’s digital footprint continues to expand, the risks grow more significant.

With mobile penetration now exceeding 128.3 per cent, 66.1 million active mobile connections, and e-government platforms driving public service delivery, the nation stands at a critical crossroads.

To tackle these growing challenges, the Ministry of Interior and National Administration has unveiled the draft National Cybersecurity Strategy 2025–2029, inviting public input to refine and strengthen the framework. This call for commentary is more than just a procedural exercise—it is an opportunity for all stakeholders to help secure Kenya’s digital future.

The cyberattack on eCitizen in 2023 was not an isolated incident. Over 650 million cyber threats were reported by the Communications Authority of Kenya between July and September 2024 alone, targeting financial institutions, telecommunications, and public utilities.

Disruption caused by these attacks reveals critical weaknesses in Kenya’s digital infrastructure. If left unaddressed, these vulnerabilities could lead to widespread service interruptions, financial losses, and an erosion of public trust in digital platforms.

The draft National Cybersecurity Strategy 2025–2029 provides a comprehensive blueprint to protect Kenya’s digital ecosystem. It emphasises the need for stronger governance structures, enhanced threat intelligence capabilities, and coordinated national responses to cyber incidents. Central to the strategy is the goal of training 10,000 cybersecurity professionals by this year, ensuring the country has a robust talent pipeline to address increasingly complex threats.

By fostering public-private partnerships, the strategy also recognises that cybersecurity is a shared responsibility among government, businesses, and civil society. Strengthening legal frameworks, safeguarding critical infrastructure, and improving public awareness are key pillars that form the foundation of the strategy.

While the draft strategy sets a solid foundation, it is clear that more must be done. One critical enhancement is leveraging AI for cybersecurity.

Attackers are already using artificial intelligence to create more sophisticated phishing scams, deepface impersonations, and self-learning malware. Kenya must respond by integrating AI into its defenses. AI-driven tools can help detect and neutralize threats in real time, automate response mechanisms, and prevent incidents from escalating. Including specific measures to govern and harness AI will ensure that Kenya stays ahead of emerging challenges.

Strengthening data protection laws and digital trust frameworks is another pressing need. As more businesses and government services migrate online, securing personal data becomes paramount. Kenya’s Data Protection Act (2019) is a step in the right direction, but enforcement has been inconsistent.

Stricter compliance measures, heavier penalties for data breaches, and mandatory encryption protocols for sensitive information are essential to protect citizens from identity theft and financial fraud. Small and Medium Enterprises (SMEs) are particularly vulnerable. These businesses often lack the resources or expertise to defend against sophisticated cyberattacks.

To address this gap, the government should consider cybersecurity funding programmes, tax incentives, and affordable Cybersecurity-as-a-Service (CaaS) models. Without targeted support, SMEs risk devastating losses that could ripple through the economy.

To ensure long-term resilience, Kenya must also implement national cybersecurity drills. By simulating large-scale cyberattacks on critical systems—such as banks, hospitals, and government databases—organisations can identify vulnerabilities, refine response protocols, and improve recovery times. These controlled exercises build confidence in Kenya’s ability to withstand real-world incidents.

Lastly, embedding cybersecurity education into the national curriculum is essential. By equipping students from primary school through higher education with digital safety skills, Kenya can cultivate a tech-savvy generation ready to meet future challenges. Collaborative initiatives with universities, technology companies, and government agencies can offer free or subsidized training programs, closing the skills gap and creating a workforce well-prepared for evolving threats.

The ministry’s invitation for public feedback is a rare chance for all Kenyans to directly influence the nation’s cybersecurity policies. By contributing their insights and expertise, businesses, tech professionals, and ordinary citizens can help shape a strategy that is both practical and forward-looking. This collective input ensures that the final framework reflects Kenya’s diverse needs and addresses real-world challenges.

Public participation is crucial not just for refining the strategy but for fostering a culture of digital security. A more informed public can better identify cyber threats, adopt safer online practices, and hold institutions accountable for protecting sensitive information.

Ultimately, cybersecurity is not just a government responsibility—it is a shared national duty that impacts every sector, from healthcare and education to banking and e-commerce. The next five years will determine whether Kenya emerges as a cybersecurity leader in Africa or remains vulnerable to escalating digital risks.

The Writer is a Machine Learning Researcher and Technology Policy Analyst