Submissions

KICTANet submissions have been sent to our engagement partners, policymakers, and policy implementers.

Name Description Downloads Download File Size
Name Description Downloads Download File Size
The Kenya ICT Action welcomes the development of legislation for County Printers through The Office of the County Printer Bill, 2021. Of great importance will be the role the offices will play in ensuring citizen participation in governance through the availability of official government documents. In this proposal, KICTANet recommends the inclusion of digital versions of publications by the County Printers. The adoption of digital versions of documents will ensure increased accessibility of the documents to members of the public who may have limited access to physical copies of important documents published by the County Printers. It is our sincere hope that the above recommendation will be included in the law to increase public awareness on public documents through the provision of digital access. 11 downloads Download 96.1 KB
On Wednesday 7 July, 2021, six civil society organisations sent an open letter and memorandum to Garissa Township MP Hon. Aden Duale expressing deep concern over the proposed amendments to the Computer Misuse and Cybercrimes Act (CMCA), 2018 and calling for the immediate withdrawal of the Computer Misuse and Cybercrimes (Amendment) Bill, 2021 in its entirety. If enacted, an outright ban on pornography will be enforceable in Kenya, and the government will possess the power to interfere with access to communications platforms and digital technologies. The Computer Misuse and Cybercrimes (Amendment) Bill, 2021 will also expand illegitimate cyber-harassment and cyber-terrorism provisions in the CMCA, 2018. 47 downloads Download 577.7 KB
On Wednesday 7 July, 2021, six civil society organisations sent an open letter and memorandum to Garissa Township MP Hon. Aden Duale expressing deep concern over the proposed amendments to the Computer Misuse and Cybercrimes Act (CMCA), 2018 and calling for the immediate withdrawal of the Computer Misuse and Cybercrimes (Amendment) Bill, 2021 in its entirety. If enacted, an outright ban on pornography will be enforceable in Kenya, and the government will possess the power to interfere with access to communications platforms and digital technologies. The Computer Misuse and Cybercrimes (Amendment) Bill, 2021 will also expand illegitimate cyber-harassment and cyber-terrorism provisions in the CMCA, 2018. 38 downloads Download 169.7 KB
KICTANet community held a 4 day moderated discussion on it’s mailing list on the Licensing and Shared Spectrum Framework for Community Networks. The responses are archived online on this link https://lists.kictanet.or.ke/pipermail/kictanet/2021-May/subject.html#start under the subject [kictanet] Licensing and Shared Spectrum Framework for Community Networks for Kenya online discussion and [kictanet] Shared Spectrum Framework for Community Networks for Kenya online discussion 10 downloads Download 115.6 KB

The Kenya ICT Action Network (KICTAnet) presents this memorandum in response to the call by the Ministry of ICT, Innovation and Youth Affairs through a Taskforce on the development of the Data Protection Regulations for public participation on the Data Protection (General) Regulations, 2021, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, and the Data Protection (Compliance and Enforcement) Regulations, 2021.

25 downloads Download 229.8 KB
The Information Communication Technology (ICT) Practitioners Bill, 2020. KICTANet through this petition seeks to respond to the advertisement by the Clerk of the National Assembly, pursuant to Article 118(1) (b) of the Constitution and Standing Order 123 (7) inviting interested members of the public to submit any representations on the said Information Communication Technology Practitioners Bill, 2020. The Bill seeks to establish a legal framework for the training, registration, licensing, practice and standards of Information Communication Technology (ICT) professionals in Kenya. After intense consultations through the mailing lists kictanet.or.ke, and through social media, KICTANet strongly opposes the Bill for the following reasons: 1. Objective: The Bill does not seek to solve any identified problem. It in fact creates more problems in our society as outlined below with the most critical factor being the risk of loss of employment for the youth and stifling of innovation that will result if the proposed form of regulation of the ICT industry is enforced. It is our position that the level of global innovation that has been seen as a result of the ICT industry can be attributed to the freedom to innovate without boundaries, and that the proposed legislation will be a severe blocker for innovation not just in Kenya but the entire region where Kenya has been at the forefront of delivering innovation. 2. No Policy Backing: Good governance standards require that Bills to enact legislation are informed by an appropriate policy framework. Currently, there is no evidence to show the rationale that informed this Bill. This is the third time the Bill is being introduced and yet once again the proposers of the Bill have failed to show why we need the Bill or the ills it will cure. The challenges meant to be addressed by the bill are adequately covered by available legal avenues through both civil and criminal proceedings in the case of malpractice by a practitioner. Furthermore the ICT industry is so wide that it would be futile to attempt to cluster players in the industry, even users of social media and other tech platforms that are utilised in daily life for processing documents, files and enterprise resource planning (ERP) would need to be registered as practitioners. 3. Public Participation: Players in the ICT sector have had a positive history of consultations with the government since 2005 during development of the Kenya ICT Policy. This ICT Practitioners Bill goes against this spirit as it appears to have been drafted and sponsored by a single person without the robust and required level of public participation that characterises the sector, and demanded by the Constitution. This Bill was developed without input from those affected by it, namely technologists, associations of persons working in ICT related work, civil society, private bodies in the ICT industry, academics working on ICT related issues and the public at large. The Bill therefore is not a legitimate representation of the views of the stakeholders working in the ICT sector. Further it contravenes Article 10 of Kenya’s 2010 Constitution which makes it mandatory for public participation in governance, including policy and law making. 4. Incongruence with other laws and policies: The Bill does not interface with Government policies on social and economic development, movement of labour as well as ICT development. For example, it goes against the National ICT Policy 2020 whose main objectives include: Grow the contribution of ICT to the economy to 10% by 2030, by using ICT as a foundation to the creation of a more robust economy, providing secure income and livelihoods to the citizenry; leverage regional and international cooperation and engagements to ensure that Kenya is able to harness global opportunities; position the country to take advantage of emerging trends such as the shared and gig economy by enhancing our education institutions and the skills of our people, and fostering an innovation and start-up ecosystem that is able to lead on a global scale; and gain global recognition for innovation, efficiency, and quality in public service delivery. Services will be delivered in a manner that ensures we have a prosperous, free, open, and stable society. 5. Impracticality: The contents of the Bill are impractical to implement. This is a demonstration that the Bill drafters lacked a proper understanding of the needs of the sector or a holistic approach to identifying key issues affecting stakeholders, and their views on the solutions to those issues. For example, Section 10 of the Bill on the functions of the proposed institute will be required to approve courses for purposes of registration of ICT Practitioners. Given that ICT courses are always changing and almost every course now has an ICT aspect to it, it will be an almost impossible task to determine what courses one will be required to undertake to be termed as an ICT Practitioner. Further, the section also states that the institute shall administer an examination to determine whether one qualifies to be an ICT Practitioner given that the broad nature of ICT implementing this may prove an impossible task. The Bill has failed to recognise the malleable and evolving nature of ICT with the evolution of new programming languages and innovation on an almost daily basis. 6. Incoherence: The Bill contains many inconsistencies that would make it extremely difficult to implement. At a foundational level, the Bill fails to define unequivocally who an “ICT Practitioner” is. The definition given by the Bill is so broad it captures the entire population. Given that Kenyan Mobile phone penetration is at 100% going by the definition of ICT and ICT Practitioner, majority of the Kenyan population will be classified as ICT Practitioners. 7. Stifling Innovation: The Bill if enacted would stifle innovation in the country. Innovation is the hallmark and driver of ICTs and more so economic growth. The Bill requires innovators who normally come up with solutions such as coders, developers, network engineers, programmers, application developers, mobile phone repairers, and many others to register with an authority before they can innovate and consequently earn from their labour. Innovators need stronger protection for their innovations, access to credit, less regulation, and incentives from the government. Consequently, a more robust intellectual property law regime and policies that promote access to finance for young innovators would be more suitable under the circumstances. 8. Priorities in the ICT sector: As stated above, the ICT sector has a history of consultative policy and legislation making. Stakeholders have identified among others, Digital Taxes Policy Framework, and Data Protection Regulations to support the Data Protection Act as urgent priorities. We urge Parliament to use this legislative opportunity to assist the stakeholders in achieving these urgent priorities as they are paramount to the development of Kenya through ICTs. One critical area that needs urgent attention is the protection of ICT critical infrastructure that will ensure that the current losses of maintenance and replacing expensive infrastructure are reduced through the formulation of a legal framework for assets. 9. Youth and Development: Stakeholders in the ICT sector are as committed as the government in ensuring the use of ICTs to give youth more opportunities to develop themselves and achieve their destiny. Unfortunately, this ICT practitioners Bill does the opposite by creating hurdles in the form of academic requirements, incorporation requirements, and mandatory and annual registration before they can earn a living from ICT-related work. 10. Overrating University/Formal Education: The Bill is completely incognisant of the revolution brought about by ICTs that enables self-learning and other methods of acquiring knowledge. It makes it mandatory for one to acquire a university degree or diploma, suggesting that those are the only paths to education and training. Further, the Bill fails to recognize that there is a large number of people in the ICT sector who are self-taught and have managed to innovate without having gone to a learning institution. This Bill risks discouraging a culture of innovation and may lead to brain drain as people may leave Kenya to go seek opportunities elsewhere, where their talent is appreciated. Some of the best companies ever created such as Microsoft, Apple and Facebook came from people who did not have a university qualification. 11. Global Practices and Policies: ICTs and the Internet are by their very nature global. The ICT practitioners Bill is not anchored on any international best practice or policy. Its effect would be to isolate Kenyan skilled ICT human resources and probably lead to labour migration from the country to other jurisdictions where there is an enabling environment to practice. Further, the bill has no provision in it for bringing in external trainers and consultants and hence damages the industry by working against international knowledge sharing. Also, the Bill creates serious and deep problems with intercompany staff transfers or people in multi-nationals coming in to work on intra-company projects that require external resources. The overall result may be a reduced tax base as people will end up leaving Kenya to seek opportunities in countries that provide conducive environments for them to innovate and create thriving businesses. 12. Multistakeholder Environment: The ICT Sector is not a homogeneous sector such as medicine or engineers. It is a multi-professional sector that comprises professionals from different industries. ICT practitioners include teachers, academia, business, civil society, engineering, and other sectors registered by other institutions. Therefore, it would not be in the best interests of the country to attempt to bring under regulations all these professionals. A better solution would be to develop a conducive environment for these stakeholders to maximise their potential and contribute to nation-building. This Bill does not do that. 13. Standards prescription by a non-ICT Standard body: ICT experts and users in Kenya and globally use, implement or create products and services that are built on global technical standards. These technical standards are built on guiding principles, such as end-to-end interoperability, that ensure continued evolution and permissionless innovation. A non-ICT-standards-making body, cannot propose policy or law that defines who is a practitioner of a resource, that knows no boundaries, and is designed to empower everyone to be creative and innovative. It is evident that whoever drafted the ICT Practitioners Bill did not have the interest of the public at heart. Our humble prayer is that the Bill is withdrawn in its entirety as it shall create unnecessary problems in the space of innovation and economic development through ICTs. 87 downloads Download 235.5 KB
Date: 5th December 2020. CWG-Internet: Online Open Consultation (December 2020) The ITU Council Working Group on International Internet-related Public Policy Issues (CWG-Internet) is holding an open consultation (online and physical) on the following topic: Expanding Internet Connectivity ​CWG-Internet invites all stakeholders to submit contributions on international​​ internet-related public policy issues relating to expanding internet connectivity, focusing on the following questions:    

1. What are the challenges and opportunities for expanding Internet connectivity, particularly to remote and under-served areas? 

  • Community networks require infrastructure deployment and service provision licenses to operate in the telecommunications sector. In the majority of African countries, license categories exist only for national operators and are costly.
  • Operators’ licensing, mobile broadband spectrum assignments are also done nationally in exchange for high fees. This exclusive and broad regulatory framework results in inefficient use of spectrum, where either assigned spectrum is not used in rural and remote areas, or regulators do not find enough companies interested in paying those fees and have an unassigned mobile broadband spectrum.  
  • The majority of community networks in Africa exist in low-income areas making it challenging to get access to financing and the human capacity required to deploy, operate, and maintain these networks. The initial start-up financing for most of the CNs has been through private grant funding programs.
   

2. What are the roles of governments and non-government actors in overcoming these challenges?

Role of Government
  • Tax incentives.
  • Mandating infrastructure sharing (enabling communities to access government infrastructure or infrastructure of established operators).
  • Expansion of license-exempt frequencies.
  • Adoption of dynamic spectrum licensing and spectrum sharing.
  • Streamlining licensing procedures to make them accessible to communities.
  • Governments to mandate funding for universal network access, and allocate a portion of that funding for the growth of community networks. 
  Role of non-government actors
  • Capacity-building at the community level to ensure communities have the knowledge to implement community networks. 
  • A structured dialogue between all stakeholders to find ways community networks can be supported and be more widespread in underserved areas. For example, KICTANet has worked with Community Networks for several years, and in 2020, it produced the first Policy brief on Community Networks in the region to act as a dialog document to policymakers. Community networks have been shown to be very effective in achieving affordable access to the internet. 
   

3. How can small/community/non-profit operators help in promoting the increase of Internet connectivity?

  • Social purpose networks such as community networks offer a holistic approach to digital inclusion enabling contextualizing meaningful connectivity with local realities.
  • Communities have a wealth of knowledge that remains untapped, these communities are able to mobilize resources and information enabling them to deploy and operate connectivity infrastructure at lower costs. 
  • Beyond access community networks create a platform that promotes building local capacities, creation, and distribution of locally relevant content.
  • Community networks contribute to local economies, workforce development, and fostering social connections. 
9 downloads Download 69.6 KB
As of 23 April 2020, Kenya had 320 confirmed cases of Covid-19 virus, the highest within the East African Community with around 848 cases.[1] The government has taken steps to contain the spread of the pandemic including among others, implementing a nation-wide curfew, mandatory quarantine, contacts tracing and recommending hand washing and sanitizing, mask wearing and social distancing measures. Following the announcement of the pandemic, the Judiciary and the National Council on the Administration of Justice (NCAJ) took measures to scale down the operations of courts across the country, and made recommendations to safeguard the health of court users and court officials. However, these drastic measures have resulted in calls to balance the need to ensure access to justice, service delivery and the health and safety measures. Consequently, the NCAJ has seen it fit to find ways to upscale court operations and quickly pivot them by fast-tracking the use of technology to ensure continued access to justice.[2] In the past month, the NCAJ and various courts across the country have demonstrated their versatility, resilience, innovation and ability to leverage on video conferencing applications to hold meetings and deliver judgements and rulings respectively. These efforts to adapt are indeed commendable and KICTAnet applauds the effort. KICTAnet further welcomes the recent announcement by the Chief Justice that Microsoft has donated its Microsoft Teams video conferencing application for use by the Judiciary in the coming weeks. The rapid adoption of video conferencing technologies are not without its fair share of challenges. Courts still need to address the legal issues surrounding technology usage, capacity of court users to understand and use of the technologies, the application features and the new procedures required. Further, the financial resources to ensure the availability of functional equipment, reliable internet connectivity and technical support will be key. A critical  challenge in our view, is the lack of clear guidelines on etiquette and procedures when conducting court sessions through video conferencing. It is worth noting that while virtual court sessions are similar to open court proceedings, it is not enough to translate open court procedures to virtual sessions. [1] EAC CommonHealth Data Map https://covidcheck.eac.int/ [2] Statement on justice sector operations in the wake of the COVID-19 pandemic http://ncaj.go.ke/statement-on-justice-sector-operations-in-the-wake-of-the-covid-19-pandemic/ 121 downloads Download 262.3 KB

On the 3rd March 2020, the Communications Authority of Kenya (CA) invited all stakeholders to submit their comments with respect to the Draft Dynamic Spectrum Access Framework for Authorisation of the Use of TV White Spaces. The following organizations are herewith submitting their comments with the common objective to help create a quality and affordable telecommunications service to all Kenyans, especially those in rural and underserved areas :

  • Kenya ICT Action Network (KICTANet)
  • Tunapanda
  • Association for Progressive Communications, apc.org
  • Internet Society. www.internetsociety.org
  • Rhizomatica

General Comments

We welcome the fact that CA is moving forward with TVWS regulation and further that dynamic spectrum management may be considered for other bands in the future. Dynamic spectrum management has the potential to directly address the challenge of underutilised spectrum in rural areas.

We would like to urge CA to move forward with all reasonable haste in implementing TVWS regulation. The current pandemic has brought home to the world how important affordable access to communication when people’s movements are restricted. TVWS technology can enable network operators to offer innovative and affordable connectivity in underserved regions.

25 downloads Download 107 KB
ICTs are already playing a critical role in the management of the COVID-19 situation through information dissemination and availing tools that support business continuity, education and commerce just to mention a few.  KICTAnet notes that it is important to support the continuity of activities such as learning, business and civic activities, and citizens' access to information.  Pursuant to the notice requesting for public input into the COVID-19 Situation, and after intense consultation with our stakeholders, and as an ICT community, we acknowledge that there are many suggestions necessary. However, our interest is in how ICTs can be utilized in the 3 thematic areas highlighted by the Senate COVID19 Adhoc Committee. 315 downloads Download 85.7 KB
Data Protection (Civil Registration) Regulations, 2020

Executive Report

ARTICLE 19 Eastern Africa (or ARTICLE 19 EA ) and the Kenya ICT Action Network (or KICTANet ) present this memorandum in response to the call for public participation on the said Data Protection (Civil Registration) Regulations, 2020 currently being considered by the Principal Secretary, State Department of Information Communication and Technologies (or ICT ) and Innovation.

Recommendations

The following is a summary of our key recommendations:
1. The civil registration and identity management framework should be enacted through a stand-alone Act of Parliament. This should be subjected to (bicameral) legislative oversight and effective public participation. Notably, regulations should in practice provide general guidelines of practice, and cannot be used to regulate and create substantive systems which have implications on the effective and proper functioning of government, and which directly affect individuals’ identity.
a. Recommendation: Enact an ‘appropriate and comprehensive’ civil registration and identity management through an Act of Parliament introducing a Bill to amend the Registration of Persons Act (CAP 107).

2. The Data Protection Act (2019) cannot be used to give statutory effect to this civil registration system (or CRS ) as that is not the objective of the Act. CRSs provide the ‘foundation for national identity management systems’1 and are inherently linked to the generation, collection and utilisation of vital statistics which inform a nation’s development agenda, amongst other core functions. In Kenya, national identity management systems are provided for under the Registration of Persons Act (CAP 107) and the Citizenship and Immigration Act, 2011, the Refugees Act all of which legislate on CRS related issues, including national identity and the National Integrated Identity Management System (or NIIMS ) in Kenya.
a. Recommendation: Introduce a bill with these substantive amendments to the Registration of Persons Act which deals with civil registration, to address the inadequacies of the Act relating to civil registration. These regulations should not be anchored under the Data Protection Act, 2019.

3. The Regulations do not comply with the Data Protection Act (2019). In particular:
a. Section 18 of the Data Protection Act (2019), requires the prior registration and certification of all data controllers collecting and processing copious amounts of sensitive personal data by the Data Commissioner. The provisions dealing with automated decision-making provide limited duties for data controllers and limit the rights of data subjects, in violation of the Data Protection
Act (2019).
b. Regulations 10 and 13 impose fees which are not stated and therefore could be a challenge for low income data subjects.
c. The Regulations permit the retention of personal data by data controllers in perpetuity, despite the requirement for data to be retained in accordance with the ‘reasonably necessary' requirement, and in any event, should provide the period of retention.
d. The Regulations do not explicitly cater for, or have a mechanism to ensure that data breaches are notified to both the Data Commissioner, and data subjects, in line with section 43, Data Protection Act (2019) and international standards.
e. The Regulations fail to provide for a mechanism capable of ensuring that the transfer of personal data through a public network is transmitted using strong encryption methods given the known weaknesses of commonly used encryption systems.
f. The Regulations permit the transfer of personal data outside Kenya and directly contravenes sections 48 and 49 of the Data Protection Act (2019) as well as international standards.
g. The Regulations fail to flesh out the ‘adequacy’ requirement.
Recommendation: The government should fast-track the operationalisation of the Office of the Data Protection Commissioner (or ODPC ) to ensure that there is proper oversight over the collection and processing of sensitive personal data in accordance with the Data Protection Act (2019). The provisions of the proposed regulations should comply with the Data Protection Act, 2019.

4. The Regulations should provide explicit ( technical, personnel and procedural ) safeguards to ensure that personal information is accorded the highest safety and security, management and governance protection.

5. In conjunction with civil society and other stakeholders, the Ministry should develop ‘appropriate and comprehensive regulatory frameworks’ which adhere to the High Court’s orders in Consolidated Petitions No. 56, 58 and 59 (2019) and which pay proper homage to the letter and the spirit of the Data Protection Act (2019) and international standards which Kenya is bound by.

23 downloads Download 250.6 KB
Registration of Persons (National Integrated Identity Management System) Regulations, 2020

Executive Summary

ARTICLE 19 Eastern Africa (or ARTICLE 19 EA ) and the Kenya ICT Action Network (or KICTANet ) present this memorandum in response to the call for public participation on the said Registration of Persons (National Integrated Identity Management System) Regulations, 2020 currently being considered by the Cabinet Secretary, Ministry of Interior, and Coordination of National Government.

Key Recommendations

The following is a summary of our key recommendations:

1. The civil registration and identity management framework should be enacted through a stand-alone Act of Parliament. This should be subjected to (bicameral) legislative oversight and effective public participation. Notably, regulations, which generally provide guidelines of practice, cannot be used to regulate and create substantive systems which have implications on the effective and proper functioning of government, and which directly affect individuals’ identity.
a. Recommendation: Enact an ‘appropriate and comprehensive’ civil registration and identity management through an Act of Parliament introducing a Bill to amend the Registration of Persons Act (CAP 107).

2. The Regulations exceed the ambit of the Registration of Persons Act (CAP 107) and should not provide for the registration of infants and minors.

3. The Registration of Persons Act (CAP 107) should be amended to provide for a specific government entity responsible for the NIIMS, other than the Principal Secretary (whose docket is not named in either Act or the Regulations). All the functions relating to the registration of persons should be with the Principal Registrar and staff under section 4 (and Schedule) of the Registration of Persons Act (CAP 107).

4. The regulations should provide explicit ( technical, personnel and procedural ) safeguards to ensure that registration information is accorded the highest safety and security, management and governance protection. This will ensure that trust is maintained in the digital ecosystem, by providing sufficient protection against abuse by authorised persons (public organs and private entities), independent
contractors, amongst others.

5. The regulations should provide explicit ( technical, personnel and procedural ) safeguards for the collection, processing, use, and transfer of NIIMS data relating to the registration of persons in line with the requirements under the Data Protection Act, 2019.

6. In conjunction with civil society and other stakeholders, the Ministry should develop ‘appropriate and comprehensive regulatory frameworks’ which adhere to the High Court’s orders in Consolidated Petitions No. 56, 58 and 59 (2019) and which pay appropriate homage to the Data Protection Act (2019). This will ensure that the Regulations adhere to and respect fundamental rights of freedom of expression (or FOE ), the right to information (or RTI ), the right to privacy in the Constitution of Kenya, 2010 and international law.

 

 

17 downloads Download 207.9 KB

KICTANet’s submission to the intersessional meeting, 2-4 December 2019, New York UN Headquarters: 405 East 42nd Street, New York, NY, 10017 EU Delegation: 666 3rd Ave, New York, NY 10017

12 downloads Download 191 KB

Submissions done one 11th November 2019 at the National Assembly

7 downloads Download 275 KB

Submission done one 11th November 2019 at the National Assembly Chambers

14 downloads Download 213.9 KB
We wish to submit the following recommendations for amendment of the Data Protection Bill. While overall we are highly supportive and enthusiastic as to the positive impact of the Bill, there are several provisions that if left as is could negatively impact innovation in the technology and finance sectors, and hinder both competition and consumer rights. Generally, it is a good bill that is well improved compared to previous versions. For example, the object of the proposed law is positive as opposed to previous versions that included exemptions in the objects. There are also fewer limitations on the right to privacy. There could be further sharpness on engagement of data subjects with data controllers and processors. There are several clauses that propose response to the the data subject “within a reasonable period”. While the rationale behind this is to ensure that data processors can continue with their core business even where there are numerous requests, there should be a better balance between business interests and data subject right to information. 28 downloads Download 444.8 KB
The Finance Bill 2019 currently being considered by the Finance Committee of the National Assembly needs significant revisions to ensure that its protections are in harmony with those of fundamental rights of freedom of expression (or FOE) and the right to information (or RTI) as recognized by the Constitution of Kenya and international law. The current draft fails to recognise that the Kenyan jurisdiction has a nascent digital economy whose dynamism will be stifled via the imposition of onerous taxation burdens which are not adequate to protect freedom of expression and no provisions on ensuring that the law is consistent with the Access to Information Act and the Constitution. Instructively, Uganda’s failed imposition of Over the To (or OTT) taxation not only led to declining internet penetration rates, but also denied existing, vulnerable and marginalised communities their rights to access information and freely express themselves. Recommendations: 1. The Finance Committee of the National Assembly should re-define its definition of a ‘digital marketplace’ which is vague and may impact FOE and RTI disproportionately. 2. The Finance Committee of the National Assembly should postpone the imposition of taxation on Kenya’s nascent digital economy1 until a thorough cost-benefit assessment has been conducted and takes account of the difficulty latent in determining economic presence in dynamic digital transactions. 17 downloads Download 67 KB
Memorandum on Elections Laws Amendment Bill to the Senate Standing Committee on Justice Legal Affairs and Human Rights 2019
11 downloads Download 137.6 KB
13 downloads Download 676.6 KB
Memorandum on Proposals for the Amendment of the Computer and Cybercrimes Bill 2017,
12 downloads Download 472.1 KB
15 downloads Download 220.2 KB
19 downloads Download 430.3 KB
10 downloads Download 122.1 KB
The Secretariat, Director Programmes & Standards, ICT Authority Telposta Towers, 12th Floor, Kenyatta Avenue, P.O Box 27150-00100 Nairobi. To: critical@ict.go.ke,pnyambura@ict.go.ke.   21 April 2015   Kenya ICT Action Network (KICTANet)’s input into the proposed Critical Infrastructure Bill   Acknowledge   ICT is a tool that is critical for operations and hence requires specialized attention: availability, integrity, and confidentiality.   Starting point:  
  1. Have criteria for defining what critical ICT infrastructure is.
  2. Distinguish between critical ICT infrastructure (Registry, content delivery networks) and traditional critical infrastructure.
  3. Question if there is need to put transport and energy infrastructure on the Internet and if so, how is it protected? Anything put on the internet is vulnerable.
  4. Acknowledge that business models of ICT companies are different from the traditional models of non-ICT critical infrastructures such as energy utilities and industrial control systems. They require more maintenance and upgrades that translate into much more investments.
  5. How do we ensure we have scalable and resilient critical infrastructure? In the past we have seen government institutions invest in white elephants, sending them back to the procurement room before the system goes live.
  6. Consider the need for expertise to deal with and protect the infrastructure (developers focusing on software security and information security professionals specializing in critical infrastructure).
  7. Consider cybersecurity but avoid raising fear, uncertainty and doubt.
  8. Avoid any type of strategy that hacks back. Hacking back will not fix broken infrastructure, and the attribution problem makes it very hard and sometimes impossible to find the real source of attacks. Focus on defense and resilience.
  9. Need to have websites running latest versions of software including security updates otherwise we will continue to experience this: https://www.google.com/#q=%22hacked+by%22+site:go.ke. There should be a big focus on identifying XP use and migrating away from XP usage in government and critical infrastructures.
  Management questions  
  1. Who manages critical infrastructures?
  2.  Should the government own/manage/handle infrastructures like the NOFBi?
  3. Which infrastructure can the government outsource? Which infrastructure is a security threat to outsource? Who are trusted partners for outsourcing?
  4. What is the value of investment in NOFBI while there is no last-mile connectivity? Should the NOFBI operator be able to go the long haul and provide last-mile services to all intended recipient(s) of the service?
  5. What levels of approvals are there (change management) for any change to happen in a critical internet resource? (Just last month, a misguided change at KENIC affecting DNSSEC affected the entire .ke domains for a whole day. No domain was accessible).
  6. How is the security and integrity of PKI maintained?
  7. How are the counties managing ICT county-specific infrastructure and what capacities exist at that level?
    Roll out/ Rapid Response questions  
  1. How fast can we roll out, upgrade, and repaired our fiber optic infrastructure? (There has been a deliberate systematic plot to ensure there are no ducts on wayleaves to pull fiber optic cable within minimum time, and cost-effectively).
  2. Can we vet the software that runs on and support critical infrastructure? We have had cases of defective and compromised firmware and compromised software that has payloads executed at certain times by malicious actors. Which software and hardware do we trust? Can we audit this software?
  3. What is the role of standards? ( ISO 27000 series Standards on Information Security and the ISO 20,000 series on Service Management).
   Regulation vs Legislation and questions regarding scope  
  1. Is it necessary to have an Act on critical infrastructure considering the dynamism and complexity of ICT? Would a few amendments under the KICA 2013 not suffice?
  2. Would it perhaps not be useful to have separate acts or regulations for critical internet infrastructure on the one hand, and critical infrastructures like (power and transport) connected to the internet on the other hand? The two types of critical infrastructure are related but require different and specialized approaches.
  3. The development of a critical infrastructure policy framework should precede the bill to contextualize the Critical Infrastructure bill. The policy framework should also have an implementation framework, a result of which could be the development of law. Before the development of the policy it may be necessary to conduct a study and expert consultation on the matter that includes a review of global best practices.
  4. The protection of critical infrastructure may be better managed under regulations rather than Bills/Acts. This is because in the fast-changing world of IT, what is critical today may not be tomorrow and vice versa. Who would have known five years ago that M-PESA would move beyond just sending money, to becoming a lifestyle for millions of Kenyans aka a critical infrastructure? You don’t manage such issues through hard-wired Acts, but through Regulation.
  Recommendations on Policy and law   The said policy and law should clearly outline:  
  • Definition of what constitutes critical infrastructure.
  • Distinguish between critical internet/ICT infrastructures and critical infrastructures connected to the internet.
  • Criteria for identification of CI.
  • Threat analysis to various CI in Kenya.
  • A risk management framework for the CI.
  • The requirement of mandatory minimum protection of critical infrastructure as well as demonstrated assurance through compliance. 
  • Coordination framework (including PPP arrangements, lead coordinating org, and perhaps the need for a single body?).
  • Investigate frameworks for threat intelligence and information sharing between all concerned stakeholders.
  • Incident reporting mechanisms and investigations of possible requirements for breach disclosure to all affected stakeholders.
  • Research and development strategies.
  • Capacity assessment and development. 
  • Funding mechanisms.
  • Implementation plan.
   Note: It will be important for institutions (private and public) to meet the law and associated regulatory requirements (Consistent with the 2010 constitution). In addition, Institutions must integrate their plans with agencies/bodies (e.g. fire, security, emergency, hospitals, etc.) that are critical to an effective response.     Submitted on behalf of KICTANet by Grace Githaiga, Victor Kapiyo, Barrack Otieno, Mwendwa Kivuva, John Walubengo, Matunda Nyanchama, Alex Comninos and Ali Hussein.
10 downloads Download 122.7 KB

 152 total views,  2 views today

Translate »
Share This