Photo credit - Blue Coat Photos
In January 2017, Kenya’s information and communication technology regulator, the Communications Authority of Kenya, announced that it was spending over 2 billion shillings (around 14 million USD) on new initiatives to monitor Kenyans’ communications and regulate their communications devices. The press lit up with claims of spying, and members of Kenya’s ICT community vowed to reject the initiatives as violating Kenyans’ constitutional rights, including the right to privacy (Article 31). Nevertheless, the Communications Authority claimed that these projects would help prevent a repeat of the post-election violence following the 2007 presidential elections.
As political tension continues to mount in the run-up to next month’s presidential elections, the Kenyan government has also rushed to operationalise a cybersecurity strategy that was first articulated in 2014. But what does the development of Kenya’s cybersecurity practices mean in practice for Kenyan citizens?
Privacy International was able to examine several cybersecurity initiatives, from the National Kenya Computer Incident Response Team Coordination Center (KE-CIRT/CC) to the Network Early Warning System (NEWS), to a more recent, concerning initiative – the National Intrusion Prevention and Detection System (NIPDS). This investigation is primarily based on documents provided in confidence to Privacy International. We also wrote to the Communications Authority, which did not respond to repeated requests for comment.
Many governments have chosen to frame cyber security as a national security issue. This ‘securitisation’ approach generally signals a government’s intention to make cyber security the domain of intelligence agencies. The Kenyan government’s existing cybersecurity initiatives share a clear emphasis on the national security framework, visible notably in the prominent role of the National Intelligence Service (NIS), Kenya’s primary intelligence agency and the agency with the most sophisticated signals intelligence capacity. This is particularly concerning given the NIS’s routine abuse of its powers of surveillance, as detailed in a previous Privacy International investigation.
As the candidates pledge transparency throughout the election season, clarity, too, is needed about what exactly the government’s cybersecurity initiatives mean for the voting public. This investigation is a first attempt to provide this transparency. It questions the default framing of cybersecurity as equivalent to national security.
Cyber security as national security
Cybercrime attacks have been estimated to have cost Kenyan businesses 175 million USD in 2016. Popular mobile money platforms have been particularly targeted by hackers, though government agencies have not been immune: reports from April 2016 indicate that hacker collective Anonymous breached the Kenyan Ministry of Foreign Affairs' servers and published one terabyte of files online.
Against this backdrop, the Kenyan government is tightening up its cybersecurity policy framework. Privacy International is concerned about the consequences of framing cyber security predominantly as a national security issue and its impact on public understanding of cyber security, opportunities for public debate, transparency, accountability, oversight and human rights. When cyber security becomes primarily the domain of intelligence and law enforcement agencies, public scrutiny of projects and initiatives becomes much more difficult, if it is possible at all.
The National Intelligence Service (NIS) has strategic and operational influence on Kenya’s cybersecurity program. This is particularly concerning given how the NIS operates outside of legal frameworks to surveil individuals, uses pressure to obtain information from private telecommunications operators, and is opaque even to other branches of the security services, as shown in Privacy International’s March 2017 investigation.
Cybersecurity policy in Kenya is set by the National Cybersecurity Steering Committee (NCSC) comprising the Ministry of Information, Communications and Technology (Ministry of ICT), the ICT Authority, the Ministry of Interior Coordination & National Government, the NIS, the National Police Service, the Central Bank of Kenya (CBK), the Communications Authority, the Ministry of Defence and the industry body, the Telecommunications Service Providers of Kenya (TESPOK). Private sector representatives from service providers (Safaricom, Telkom Kenya, Access, and Airtel among others) have also attended meetings. The CA appears to be the organising locus for the NCSC as it usually chairs the meetings, at least in the period 2012 to 2015. The NCSC first met in December 2013.
The NCSC itself is subordinate to the National Security Advisory Committee (NSAC), which answers in turn to the National Security Council. Staffed by the President, Vice-President, Attorney General, various Cabinet secretaries and the heads of the NIS, Police, and the Kenya Defence Forces, the National Security Council is mandated to perform supervisory control over the functions of the top security organs in the country. The NIS is thus in charge of the 'threat intelligence' branch of NCSC’s work, as the diagram reproduced below demonstrates.
The NCSC is responsible for managing the Kenya Computer Incident Response Team (KE-CIRT) through a National KE-CIRT Cyber-Security Committee (NKCC). The KE-CIRT is coordinating implementation of the national Cybersecurity Strategy, including the deployment of a national Public Key Infrastructure (PKI). Based at the Communications Authority, the KE-CIRT runs a helpdesk to triage the handling process for reported cybersecurity incidents and breaches.