ict summit 2- information security & pki report, november 2013

INFORMATION SECURITY AND PUBLIC KEY INFRASTRUCTURE (PKI)

1

ICT SUMMIT SERIES NO. 2

Information Security & Public Key Infrastructure (PKI)NAIROBI, 25-28 November

2013


2

The ICT AuthorityTelposta Towers, 12th Floor, Kenyatta Ave

P.O. Box 27150 - 00100 Nairobi, Kenyat: + 254-020-208 9061

e: [email protected] www.icta.go.ke


3

Information Security & Public Key Infrastructure (PKI)25 - 28 November 2013

Safari Park Hotel, Nairobi, Kenya


4

CONTENT

ACRONYMS ...........................................................................................................................................................................................................................5

EXECUTIVE SUMMARY ..........................................................................................................................................................................................................6

KEY CONFERENCE OUTCOMES ............................................................................................................................................................................................7

SUMMIT BACKGROUND .......................................................................................................................................................................................................8

SUMMARY OF CONFERENCE PROCEEDINGS ....................................................................................................................................................................10

DAY 1: PRE-CONFERENCE CAPACITY BUILDING WORKSHOPS .......................................................................................................................................11

COMESA WORKING GROUP DELIBERATIONS.....................................................................................................................................................................12

Day 2: Official Opening Session .........................................................................................................................................................................................13

DAY 3: NATIONAL STRATEGIES AND APPROACHES TO INFORMATION SECURITY ...........................................................................................................16

DAY 3: Draft AU Convention on Security in Cyberspace .......................................................................................................................................................19

CLOSING CEREMONY ..........................................................................................................................................................................................................21

ANNEXURES ........................................................................................................................................................................................................................22

APPENDIX 1: Biographies of CONFERENCE SPEAKERS ....................................................................................................................................................23

APPENDIX 2: Summit Program ...........................................................................................................................................................................................41


5

ACRONYMS

AISI African Information Society InitiativeARICEA Association of Regulators for Information and Communications in Eastern and Southern AfricaATU Africa Telecommunications UnionAUCC Africa Union Convention a Cyber SecurityAUCC Africa Union Convention on ConfidenceCCK Communication Commission of KenyaCDPC European Committee on Crime Problems CERT Computer Emergency Response TeamCIIP Critical Information Infrastructure ProtectionCIO Chief Information OfficerCIRT Computer Incident Response TeamCOMESA Common Market for Eastern and Southern AfricaCSDP Common Security and Defence PolicyCSO Civil Society Organisations DDOS Distributed Denial of Service AttacksDSC Distributed Secure Cloud EAC East Africa CommunityEACO East African Communications OrganisationEAPCCO Eastern Africa Police Chiefs Cooperation OrganisationEATPO East African Telecommunication & Postal OrganisationEC European CommissionECTEG European Cybercrime Training and Education Group eGA e-Governance AcademyFIRST Forum for Incident Response and Security Teams FOI Freedom of InformationGCA ITU Global Cyber Security Agenda GDC Government Data Centre

ICT Information & Communication TechnologyICTA Information Communication Technology Authority IGAD Intergovernmental Authority on DevelopmentIP Intellectual PropertyISACA Information Systems Audit and Control AssociationITU International Telecommunication UnionKE-CIRT/CC Kenya Computer Incident Response Team-Coordination Centre KIC Act Kenya Information and Communications Act KICTANet Kenya ICT Action NetworkKSAT MICT Ministry of Information, Communication and TechnologyNATO The North Atlantic Treaty OrganizationNATO CCD COE NATO Cooperative Cyber Defence Centre of Excellence NCSC National Cyber security Steering CommitteeNCSMP National Cyber Security Strategy Master PlanOIC-CERT Organisation of Islamic Countries-CERTPKI Public Key InfrastructureR&D Research and Development RA Registration AuthorityRCAs Root Certificate AuthorityRECs Regional economic communities SADC Southern African Development CommunityUNCITRAL United Nations Commission on International Trade LawUNECA United Nations Economic Commission for Africa UNICRI United Nations Interregional Crime and Justice Research Insti-tute


6

EXECUTIVE SUMMARY

Nearly 168 million Africans use the internet. Although much of the inter-net use is for communications, increasingly businesses and governments are using the internet to collect, store and analyze data on citizens. From financial transactions to registrations for service delivery, people in Af-rica are signing up and using electronic solutions at an increasing pace. The entry of mobile devices and cloud solutions coupled with third party applications and social media has made the challenge of information se-curity both complex and dynamic. Physical boundaries and physical se-curity have been rendered irrelevant by the evolution of technology.

Regional trading blocs EAC, COMESA, SADAC and AU are increasingly recognising the need to look at integration across all facets of economic development. Critical trade enablers such as ICT infrastructure, legal and policy frameworks and integrated strategy roadmaps for shared services make for a big agenda in most bilateral and multilateral dialogues today.

There is therefore need for common approaches to information security among countries, governments and government agencies, industry and academia.

COMESA is leading from the front by being proactive in exploring joint policy and legal frameworks for integrated ICT Infrastructure including Public Key Infrastructure on behalf of its members. The 7th Joint COME-SA Meeting of Transport and Communications, Information Technology and Energy was held in Kampala, Uganda in September 2013 devoted time to analyze the security aspect of ICT use and to review the steps the member states have taken to combat the menace.

It is also against this background that Kenya, agreed to host a follow up

Regional COMESA meeting on Cyber Security in the month of November 2013 in Nairobi, Kenya. The summit brought 300 delegates from 17 coun-tries and was preceded by a series of capacity and awareness events tar-geting University/Academia fraternity, Media, Financial Services Sector and the Developer Community. These included:

1. Public Lecture - 20th November at the University of Nairobi targeted at the Academia and specifically the student community. More than 150 students and lecturers from different universities attended. 2. Editors Round table - This event was held on 21st November targeting journalists. The objective was to build their capacity for effective report-ing on information and cyber security developments, challenges, oppor-tunities and emerging approaches to mitigating them. 3. Cyber crime workshop for financial services sector - The workshop was organised by PwC and officially opened by Joseph Tiampati, the Prin-ciple Secretary in Ministry of Information, Communication and technol-ogy accompanied by Dr Katherine Getao and Eunice Kariuki from the re-cently created The ICT Authority. It was facilitated by senior information security and forensic consultants from PwC USA and Kenya and attended by CIOs from nearly all banks and other financial institutions in Kenya. The workshop sought to build their capacity for assessing and preparing appropriate mitigation strategies dealing with fraud emanating from cy-ber crime effectively.

4. Developers Round Table brought together software application devel-opers with cyber security experts to discuss approaches in secure online transactions. Kenya now offers secure data transactions with the imple-


7

mentation of Public-Key Infrastructure (PKI). PKI is a solution that en-ables one to create, manage, distribute, use, store, and revoke digital certificates. On the eve of the Conference, the COMESA Cyber Security Working Group held an Agenda review that agreed on:

1. The need to map judicial involvement at the national and regional levels so that theres a harmonized approach in judicial oversight and law enforcement.

2. Countries should mobilise finances for PKI trainings and also es-tablish the criteria for trainee selection. Egypt has placed forward a proposfor hosting the Computer Incident Response Team Training (CIRT) Centre.

3. There should be a regional CERT Centre that will train the initial cadre of national lead persons who can come back to the country and lead in country onsite trainings. It will also be crucial for a partnership with the E-Academy in Estonia to host a study tour which will expose trainees on model CERT facilities, curriculum, lectures and standards.

4. The agreements have to be enforceable at the region with an over-sight body that will hold countries accountable just like in Europe, theres the EU Cyber Crime Convention.

KEY CONFERENCE OUTCOMESAt the end of the Conference, delegates proposed the following out-comes:

1. INCREASE PUBLIC AWARENESS CAMPAIGNS: Theres need to create a public awareness strategy to guide stakeholder mobilisation and public awareness on cybercrime and cyber security.

2. INCREASE PARTNERSHIPS TO LEVERAGE TECHNICAL EXPERTISE: Countries should liaise with education stakeholders to include cyber se-curity in curriculum. Universities should be encouraged to create centres of excellence in conjunction with private sector. Countries should have regular networking opportunities so that they can benchmark rather than working in isolation and duplicating efforts. A model handbook and curric-ulum should be developed to ensure seamless adoption of best practices. 3. ESTABLISH REGIONAL CYBER SECURITY LEGAL AND REGULATORY FRAMEWORKS: COMESA should lead regional collaboration to address differences in investigations, prosecution and jurisprudence.

4. REVIEW AUCCS CONVENTION AND THE COMESA CYBER SECURITY STRATEGY: Theres need for more public awareness of the key features of the AU Convention on Cyber Security and discuss issues such as burden of vulnerability and guarantees tests; extensive surveilling powers with little oversight; right of privacy; requirement for full disclosure of ID information including PIN; criminalisation of peaceful online expression of permissible views and ideas.

5. INCREASE FUNDING: Governments need to increase funding of infra-structure to detect and deter cyber security as well as supporting policy and legislative initiatives


8

Way Forward

1. Put in place a regional legal framework to guide law enforcement, in-vestigations and court proceedings.

2. Address differences in investigations, prosecution and jurisprudence and develop a regional legal framework dealing with cybercrime

3. Provide proposals ahead of time for review of the Africa Union Conven-tion Cyber Security (AUCC).

4. Establish partnerships between the relevant government agencies on the one hand, and within the private sector on the other hand. 5. Develop means of sharing intelligence and information swiftly and ef-fectively between security agencies in order to deter threats and attacks.

6. Create a training framework to guide all regional training activities.

The Kenya delegation used the Pre-event period to host an ICT County Secretaries Working Group Forum that identified the need for:

1. Governors should lead the adoption of ICT in their respective counties and work closely with The ICT Authority in rolling out ICT projects.

2. County governments should work closely with The ICT Authority to put in place the necessary infrastructure to combat cyber crime within the counties.

3. County governments should put in place measures for digitisation of services. The national government has put April 2014 as the commence-ment date of online payment for all government services

SUMMIT BACKGROUND Within the last decade, the development of ICT has had a phenomenal impact in virtually every aspect of the human life. Countries and regional economic blocks have established mechanisms to harness the potential of ICT for their social and economic development.

However, the use of ICT, has inherent security threats. Unlike in the phys-ical world, it is very easy and tempting for criminals to use ICT to commit crimes that are difficult to detect.Cybercrimes such as financial fraud or deliberate damage of critical information infrastructures can have a devastating effect. In the recent past, cases of terrorist attacks using cy-berspace have become a worrying trend.

There is therefore need for common approaches to information security among government agencies, industry and academia.

COMESA is exploring joint policy and legal frameworks for integrated ICT Infrastructure including Public Key Infrastructure (PKI) on behalf of member states. The 7th Joint COMESA Meeting of Transport and Communications, Information Technology and Energy held in Kampala, Uganda in September 2013 analysed the security aspect of ICT use and reviewed the steps taken by member states to combat the menace. It is against this background that Kenya agreed to host a follow up Regional Summit on Cyber Security in November 2013.


9

Summit Objectives

The COMESA Cyber Security and Public Key Infrastructure meeting in Nairobi offered delegates an expanded platform to review key aspects that were deliberated in the Kampala meeting and propose the way for-ward on:

1. Harmonisation of National ICT Policies in line with COMESA Model ICT Policy.

2. Cyber Security Policy Guidelines and Model Law and e-transactions in line with COMESA Cyber Security Policy and Guidelines.

3. Harmonisation of PKI initiatives, standardisation of Information Society Measurements in line with Regional Indicators.

4. Implementation of COMESA Postal and Broadcasting Policies.

5. Capacity building and awareness creation on cyber security.

The Conference Organisers

1. The ICT Authority (ICTA).

2. Communications Commission of Kenya (CCK).

3. Common Market for Eastern and Southern Africa (COMESA).

Conference Sponsors

CISCO. Microsoft. PwC. Enterasys. Orange.


10

SUMMARY OF CONFERENCE PROCEEDINGS


11

DAY 1: PRE-CONFERENCE CAPACITY BUILDING WORKSHOPS

County ICT Secretaries Working Group Deliberations Panel Discussants:

1. Dr. Katherine Getao Roadmap on county input into the National ICT Masterplan

2. John Sergon - County Connectivity Project, an e-government Initiative by ICTA

3. Zilpher Owiti - Proposed ICT Structures for Counties.

With respect to National ICT Masterplan, counties are to prepare a com-mon position for the Task Force to address the major needs of the coun-ties. To develop the common position document, the following will focus the crafting:

1. Ensure it is inspirational: The Masterplan should get everyone moving in the same direction both formally and informally and enhance county ICT participation. It should also be simple.

2. Provide set targets: Give a clear indication of where counties are head-ed and be effective even for the informal sectors. This provides an in-formal objective measure of progress and includes targets such as ICT penetration level, number of ICT businesses registered, and number of public services being offered online.

3. Structure and organise: Provide roadmap for counties to have fruitful outcomes. Should include and clarify enablers, develop applications and services for infrastructure, exploit commercial elements of the applica-

tions and services, and exploit ICT to drive the county growth.

4. Incentivise: Plan should have policies to incentivise ICT at the county and country level - for communications companies, education and capac-ity building incentives, industry and trade incentives, and content devel-opment incentives.

The proposal for ICT Structures for Counties is to ensure that the coun-ty ICT office has the right staff establishment; scheme of service and a standard operations manual. The following should be taken into consid-eration:

Description of roles, duties and responsibilities as well as the reporting lines and the subject matters to report.

Result oriented approach - a phased implementation plan for the or-ganisational structure is advisable. Collaboration - factor how the office will work with the public relation, information and communication functions of the county.

Needs assesment - each county to take into account their growth potential, capacity, revenue generation ability and the citizens needs. Structure management in geographic zones for ease of work rather than use every village as currently constituted.

Harmonisation - avoid the pre-existing government models, which have not worked well because they fail to be strategic in their approach.Set roles rather than substantive positions at the sub-county levels and be-low.


12

Other Recommendations

1. Draft a comprehensive proposal for county connectivity.

2. Draft a Memorandum to enhance coordination between the counties and central government.

COMESA WORKING GROUP DELIBERATIONSThe working group was established in 2008 during the ITU meeting in Lusaka-Zambia consisting of Egypt, Sudan, Kenya, Uganda, Malawi, Zim-babwe and Mauritius. The working group is the regional think tank on Cyber Security and offers technical as well as financial leadership on the implementation of the COMESA road map on cyber security, capacity building of skills and competencies, infrastructure investment and leg-islative enhancement.

The meeting shared key findings from the Regional Study on Regulatory Frameworks on Cyber Security. The study established that:

1. Theres lack of awareness of cyber security and apparent discordant between law makers and law enforcers. Theres absence of legal exper-tise of PKI

2. Most countries are not aware of the opportunity dividend for putting in place cyber security frameworks. It will be critical for many countries to understand the benefits of establishing a business and political case for cyber security and probably look for ways of projecting cyber security as

an investment indicator.

3. Theres need for a framework on national leadership on Cyber Security agree on weather it will be handled by the Security agencies, the Judici-ary, private sector or the national regulatory agencies?

The working group suggested the following action steps to address the study findings:

There is need to Map judicial involvement at the national and regional levels so that theres a harmonised approach in judicial oversight and law enforcement.

Countries should mobilise finances for PKI trainings and also establish the criteria for trainee selection. Egypt has placed forward a proposal for hosting the Computer Incident Response Team Training (CIRT) Centre.

There should be a regional CERT Centre that will train the initial cadre of national lead persons who can come back to the country and lead in country onsite trainings. It will also be crucial for a partnership with the E-Academy in Estonia to host a study tour which will expose trainees on model CERT facilities, curriculum, lectures and standards.

The agreements have to be enforceable at the region with an oversight body that will hold countries accountable just like in Europe, theres the EU Cyber Crime Convention.


13

Day 2: Official Opening Session

Speakers:

1. Victor Kyalo- Chief Executive Officer (Ag) of The ICT Authority.

2. Mr. Francis Wangusi - Director General of the Communications Com mission of Kenya.

3. Dr. Fred Matiangi - Cabinet Secretary, Ministry of ICT (Kenya).

4. Mr. Sindiso Ngwenya - Secretary General-COMESA.

5. Kah-Kin Ho - Head of Business Development- CISCO.

Mr. Francis Wangusi, the Director General of the Communications Com-mission of Kenya highlighted the following points:

CCK is leading the National Cyber-Security Steering Committee that comprise various actors in order to improve on the fight against this vice and is collaborating with EAC member states (through the East Africa (EA) level through the national CIRTs and the East African Communica-tions Organisation (EACO); and at the international level through the ITU/IMPACT.

Plans are at advanced stage for KE-CIRT/CC to join the Forum for Inci-dent Response and Security Teams (FIRST), in order to further improve our collaboration with international stakeholders.

The national KE-CIRT/CC also carries out research and analysis on computer security and is facilitating the deployment of a National Public

Key Infrastructure (PKI), a system for the creation, storage and distribu-tion of digital certificates. Upon its completion, PKI is expected to provide locally available and cheaper digital certificates and signatures to facili-tate safer online operations and services that are within our national laws (jurisdiction).

The national KE-CIRT/CC has organised a number of capacity build-ing and awareness creation forums,received and responded to various cybercrime incidents. Incidents so far responded to range from website defacement; online abuse, online fraud including theft via mobile money transfer services, online impersonation on email and social media ac-counts and denial of service attacks.

Dr. Fred Matiangi- The Cabinet Secretary underscored Kenyas leader-ship in addressing cyber threats through establishing the following ini-tiatives: 1. The National ICT Sector Policy of 2006 that addresses electronic secu-rity as the Kenya Information and Communications Act aims at securing online transactions. 2. The Electronic Certification and Domain Name Administration, in-tended to reduce on-line crimes such as hacking, identity theft and for-gery of sensitive information.

3. The National Cyber-Security Steering Committee (NCSC) whose role is to facilitate coordination and collaboration in the response to cyber security incidents in liaison with sector CIRTs and other local, regional and international cyber security management actors, among other cyber


14

security management activities.

4. A National Cyber Security Strategy Master Plan (NCSMP) was launched, in February 2013 to provide the government with a plan to defend and se-cure its digital infrastructure, and recommend Cyber security standards for the countrys ICT infrastructure.

Mr. Sindiso Ngweya the Secretary General of COMESA underscored the following points:

The different areas of malicious cyber activity that contribute to the over-all costs associated with cyber-crime and cyber espionage include:

The loss of intellectual property and business confidential information

The loss of sensitive business information, including possible stock market manipulation.

Opportunity costs, including service and employment disruptions, and reduced trust for online activities.

The additional cost of securing networks, insurance, and recovery from cyber attacks.

Reputational damage to the hacked company.

Opportunity costs, including service and employment disruptions, and reduced trust for online activities.

The additional cost of securing networks, insurance, and recovery from cyber attacks.

Reputational damage to the hacked company.

COMESA and Association of Regulators for Information and Commu-nications in Eastern and Southern Africa (ARICEA) and ITU have been conducting a study on Public Key Infrastructure Protection. The aim of the study is to come up with frameworks for cyber-security and critical information infrastructure protection (CIIP); share best practices adopted internationally on similar CIIP efforts, review the role of various actors in promoting a culture of cyber-security and IT security assessment of measures taken in COMESA Member States.

Regional bodies i.e. COMESA, EAC and SADC should develop modalities to establish a regional CIRT and Public key Information (PKI) centers for the exchange of information, experience, evidence, registration, certifi-cations as well as enhance awareness and foster the systems.

COMESA and ARICEA will implement a programme on cyber security which will involve the judiciary system as one of the main stakeholders to enforce legislations. COMESA will also mobilise funding to ensure that the judiciary system is on board and well equipped with knowledge and experience to deal with cybercrime. Strategies concerning implemen-tation of cyber-crime programme will be developed with involvement of the public sectors, private.

Kah-Kin Ho of CISCO discussed a strategic view of cybersecurity with empha- sis on National Cyber Power. This is the capacity of a country


15

to deter threats or distract the threats if unable to deter them. Kah-Kin observed that the 21st century unlike the 20th century was characterised by private ownership of critical infrastructure. Security incidents on these infrastructures have a cascading impact private cost (to the corporation) and social cost (to the public).

An important element of cyberpower is resilience the ability to absorb and recover from an attack while always striving to recover faster. Moreo-ver, that most countries and institutions are poor in detection.

With respect to legal frameworks, Kah-Kin noted the global view of cy-ber warfare has evolved to equate cyber operations with armed attacks.

This change came about after the large-scale cyber attacks in Estonia in 2007 and Georgia in 2008. The result was the development of The Tallinn Manual on the International Law Applicable to Cyber Warfare.

Key Session Outputs

The session highlighted the need for:

i. Enhanced collaboration among member states; multi-stakeholder in-volvement in the management of cybercrime and cybersecurity.

ii. Increased public awareness campaigns on cybercrime and cyber secu-rity. Theres need to create a public awareness strategy to guide stake-holder mobilisation and public awareness. iii. Increased partnerships between private sector, academia and re

search institutions to increase capacity building and technical expertise on cyber crime detection, legislation and attacks mitigation. A model handbook and curriculum should be developed to ensure seamless adoption of best practices. Countries should liaise with education stake-holders to include cyber security in curriculum. Universities should be encouraged to create centres of excellence in conjunction with private sector. Countries should have regular networking opportunities so that they can benchmark rather than working in isolation and duplicating ef-forts.

iv. Formulation and adoption of regional cyber security legal and regula-tory frameworks to combat cyber threats. COMESA should lead regional collaboration with other regional/ global treaties and conventions e. g (Budapest, AUCC, UNCI- TRAL) to address differences in investigations, prosecution and jurisprudence. COMESA should lead the way in hosting more country deliberations on the AU convention.

v. Customisation of the Africa Union Convetion on Security in Cyber Space (AUCSC) and the COMESA Cyber Security Strategy. Theres need for more public awareness of the key features of the AU Convention on Cyber Se-curity and discuss issues such as burden of vulnerability and guarantees tests; extensive surveilling powers with little oversight; right of privacy; requirement for full disclosure of ID information including PIN; crimi-nalisation of peaceful online expression of permissible views and ideas.

vi. Increased funding by Governments to tackle cyber crime through funding of infrastructure to detect and deter cyber security as well as supporting policy and legislative initiatives.


16

DAY 3: NATIONAL STRATEGIES AND APPROACHES TO INFORMATION SECURITY

1. Michael Katundu - Director of IT-CCK, Session Moderator

2. Guibert Harrison - Organisation and Informatics Professor, Estonia Cy-ber Security Academy

3. Dr.Isaac Rutenberg - Patent Lawyer and Intellectual Property Special-ist, Strathmore University

4. Wim Horseling - Area Sales Diretor, Enterasys

5. Kingwa Kamencu- ICT Expert

Mr.Guibert Harrison presentation on Cyber Risk Management highlighted the fact that the greatest risk to any cyber security is the human factor because of social engineering. Social engineering is the act of influencing a person to perform some- thing or act in a certain way.

The training for judicial officer and law enforcement agents in the EU is undertaken at the Cybercrime IPA Project.

Kingwa Kamencus presentation covered the practical issues of mobile security enforcement specifically applies to both soft and hard tools.The soft tools included service provider controls (parental, PIN), raising

awareness and the hard tools were the actual laws and courts interpre-tations, cross border practices, treaties, and administrative actions.

Kingwa identified the following as challenges in the enforcement of mo-bile security:

1. Jurisdiction: Does a judicial tribunal have the authority to act? What happens when intent is formed in one jurisdiction and the action is com-pleted in another jurisdiction?

2. Confidentiality issues: How do you enforce traditional rights of privacy in the context of new technologies such as twitter?

3. Adduceable Testimony: Information gathering and sharing which de-viates from common practice for investigation and prosecution. For in-stance, the issue of experts of facts v. experts of opinion in anti-banking fraud. The actual tabling of that information is by the fraud expert yet the practice is that it is presented the police. This creates another issue of hearsay. Equally, how the information is presented to the court, and by who is contentious.

4. Public policy and information sensitivity: Banks are wary of reporting


17

cyber crimes as this might trigger a run of withdrawals. Thus, discretion-is given a premium over public right to know.

Wim Horseling made a presentation on computer networks and works with private sector, public sector and service providers including NATO. Enterasys has an innovative portfolio- switches, routers, intel security networks, and end to end network connectivity.

Dr.Isaac Rutenberg discussed Intellectual Property Rights in Cyberspace. The IP related issues in cyberspace include: privacy rights, copyrights, Digital Rights Management (DRM); use of security devices such as hol-ograms and the ISPs notice to take downs. There are no specific social media laws national or regional in most African countries.

Even in the USA, case law in America varies from state to state, and the same applies in Europe, yet, social media is global. Most jurisdictions rely on analogous laws that might be applied including: -

Constitution (Bill of Rights) Tort law (defamation, privacy, etc.) Contract law (ownership, etc.) Company law (disclosure rules, etc.) Media and Communications laws

Employment law (hiring, firing, discrimination, etc.) Consumer Protection Act

Key Session Outcomes

Delegates highlighted the following Key Capacity building areas:

There is need to increase public awareness of the loss and magnitude that cyber attacks can cause.

There is need to increase competency in cyber security through spe-cialised training, forensic labs and centres of excellences.

There is need to enhance Research and Development by tapping into universities.

There is need to involve private sector and strengthening capacity of local SMEs to withstand cyber attacks.


18

FACT BOX 1. Major Cyber attacks

Estonia 2007: The relocation of a Russian sculpture angered the Russia minority in Estonia and the Russian minorities leading to a series of organised cyber attacks. They were able to hijack millions of comput-ers globally and used them to jam Estonia ISPs, government and pub-lic institutions systems. The effect was disruption of communication, e-banking and misinformation. The defences applied to counter the at-tack included traffic filtering and networks capacity rising. This incident demonstrate clearly that a country should not wait for a physical mili-tary inversion-a cyber attack could be equally devastating.

Stuxnet 2010: operations at an Iranian nuclear power plant were immo-bilised by a software-stuxnet, targeting Siemens AG controllers at the nuclear plant. The software originating from the USA and Israel stalled

centrifuges and the stopping uranium enrichment. It is not known what action was taken to counter the attack. Considering how typically such a plant is secured and they succeeded, it means there are no defence is impenetrable.

Georgia 2012: 390 persons who dealt with sensitive information were the target of a major security planning and network attack. The attack-ers took out 95% of Georgian computers, stole information, changed the information, turned on the cameras to watch and record; and turned on the mikes to listen in. In effect, the infected computers were under at-tackers control. The origin of the attack was the Russian security agen-cy and it was found out that the monitoring had ongoing for two years. Georgians reaction was unique- they planted a fake Georgian-Ameri-can Agreement virus that fed to the Russian System.


19

DAY 3: Draft AU Convention on Security in Cyberspace

Speakers:

1. Michael Katundu - Director of IT, CCK.

2. Dr.Isaac Rutenberg - Patent Lawyer and Intellectual Property Spe-cialist, Strathmore University.

3. Rene Raeber - ICT Consultant, Lecturer - Strathmore University. 4. Grace Githaiga - Kenya ICT Action Network.

Dr. Rutenberg and Raeber led the discussion on the AU Convention on Security in Cyberspace. The convention sets out to:

Protect institutions against the threats and attacks capable of endan-gering their survival and efficacy.

Protect the rights of persons during data gathering and processing against the threats and attacks capable of compromising such rights.

Reduce related institutional intrusions or gaps in the event of disaster.

Facilitate the return to normal functioning at reasonable cost and within a reasonable timeframe;

Establish the legal and institutional mechanisms likely to guarantee normal exercise of human rights in cyber space.

Key Session Outcomes

The AUCCS Draft falls short in certain areas of law in which basic human rights were in danger of being reversed; also the Convention has the potential to place an undue burden on the private sector which would impact the growth of the industry.

There is need for urgent consultations before the Draft is ratified

The AUCCS was drafted for African countries and thus it is important to understand the African context with regard to certain principles.

FACT BOX: EMERGING ISSUES ON THE THE AUCCS:

[Articles 228, 236]: Permitting unsolicited access to data without con-sent leaves it open interpretation that public interests are synonymous with state security.

[Article 3]: This provision is too broad and infringes on freedom of the Press. Does it mean that a media cannot report a tribal conflict?

[Article 345]: Interception of data: does this provision specify informa-tion be intercepted? A Judge can access traffic and content data - for reasons of information that he receives. This provision must specify the information, not leave it broadly.

[Articles 40, 48]: Imposes unnecessary legal burden on individuals by total imposition of aggravation on acts online. This provision should be limited to specific criminal acts, not general usage otherwise it will be a legislative overkill.


20

[Articles 344]: Creates undue burden on corporationsthis provision fails to distinguish criminal, civil or administrative acts. Most conven-tions - limit to when the ISP fails to guarantee security; it must define the acts as criminal, administrative or civil.

[Articles 355, 353]: Grants a Judge broad powers to curtail civil liber-ties and discretionary power to disregard procedures (freedom of ex-pression). Dangerous in African context and will be subject for abuse. Again, 60% percent of judges are untrained in ICT or cyber law. Legisla-tion should be an addition to other safeguards in existence - technical, etc.

African countries lack technological security adequate enough to pre-vent and effectively control technological and informational risks. As such African States are in dire need of innovative criminal policy strat-egies that embody States, societal and technical responses to create a credible legal climate for cyber security.

While underscoring the fact that the Convention establishes a frame-work for cyber security in Africa through organisation of electronic transactions; protection of personal data, promotion of cyber security, e-governance and combating cybercrime the Kenya ICT Action Network (KICTANet) presented that there should be a two pronged approach-spe-cific amendments and a stakeholder engagement.

SPECIFIC AMENDMENTS includes:

1. The Convention should specify provisions on privacy protection.

2. Interception of data by judges should be specified in the national cyber

laws.

3. Each country must specify the nature of the liability.

4. Further limitations should be put to specify when a corporation can be held liable criminally.

5. Seizure of data or data equipment should be done only for specified purposes such as request from a state party, etc.

6. Theres need to enact provision on issues of jurisdiction especially on cross border requests e.g. extradition request, information sharing .

STAKEHOLDER ENGAGEMENT includes: 1. The AU should host various public discussions on multiple platforms around the continent and globe to gather ammendments.

2. Dr. Fred Matiangi, Cabinet Secretary, Ministry of Information, Com-munication and Technology asked CCK to bring stakeholders together to craft Kenya position on the convention.

3. There should be an inclusive redrafting accommodating a wider stakeholders group will facilitate a richer text.

4. The AUCCS has been discussed for two years but the drafting was done in government circles. A broad consortium of excluded stake-holders asked the AU to slow down and stop the adoption of the AUCC. Burundi noted that the AUCCS was negotiated for two years before, but the country was never involved.


21

CLOSING CEREMONY

Speakers:

1. Victor Kyalo - CEO (Ag) The ICT Authority.2. Francis Wangusi - Director General CCK.3. Joseph Tiampati - Principal Secretary MoICT .

Victor Kyalo applauded delegates for the fruitful contributions in the con-ference. Francis Wangusi, the Director General of the CCK reviewed the objectives that were outlined at the launch of the conference, and noted they had been realised.

There was consensus on:

The need to establish a regional enforcement framework. Guide regional training activities. Public awareness strategies. Creation of conducive environment for Cyber Security.

For the County ICT secretaries, it was agreed that:

CCK to collaborate with counties in building Cyber Security resilient ICT platforms.

Capacity awareness in Cyber Security will be enhanced through a se-riesn of capacity building workshops, exchange programs and program support.

Mr. Tiampati Joseph, The Principal Secretary in the Ministry of ICT was impressed by the degree of attention and interest throughout the Sum-mit.

He restated that cyber threats and cybercrimes have become increasing sophisticated along with the evolution of ICT. Kenya records loss of KES 2billion (ATM scams and defacing of network).

The Principal Secretary thanked all the delegates and participants for their contribution and attention. He reminded the plenary that the onus was on all delegates to:

Put in place a regional legal framework to guide law enforcement, in-vestigations and court proceedings. Provide proposals ahead of time for AUCC.

Develop means of sharing intelligence and information swiftly and ef-fectively between these two spheres in order to deter threats and attacks

Challenge COMESA to lead regional collaboration with other regional and global treaties and conventions such as Budapest, AUCC and UN-CITRAL so as to address differences in investigations, prosecution and jurisprudence.

Put in place a training framework to guide all regional training activities to enable all citizens be aware of all forms of cyber crimes.


22

ANNEXURES


23

ANNEXURES :1 Biographies of Conference Speakers

Dr Fred Okengo Matiangi is the cabinet secretary, ministry of Information, Communications and Technol-ogy (ICT) in the government of Kenya.

Before his appointment, Dr. Matiangi was the Centre for International Development, Rockefeller College of Public Affairs and Policy, the State University of New York SUNY/CID Liaison in East Africa. He formerly served as Chief of Party for Kenyas Parliamentary Strengthening Program.

Dr. Matiangi held research and program implementation positions in various civil society organizations in Kenya and conducted research and training for the Commonwealth Parliamentary Association, the par-liaments of Ethiopia, Uganda, and the East African Legislative Assembly. He has also been a columnist for the Daily Nation, Kenyas leading newspaper, and has consulted extensively with USAID, the Canadian Development Agency (CIDA), the World Bank, and Transparency International.

He taught at Egerton University and the University of Nairobi.

Dr. Matiangis education includes a Ph.D. in communication and comparative literature from the University of Nairobi, an M.A. in English from the University of Nairobi, and a B.A. in education from Kenyatta Univer-sity. He speaks Swahili, English, and has a working knowledge of French.

Dr. Fred Matiangi


24

Mr. Joseph Tiampati ole Musuni.

Mr. Joseph Tiampati ole Musuni is the Principal Secretary, Ministry of Information, Communications and Tech-nology in the Government of Kenya.

Before his appointment, Mr. Tiampati worked as General Manager in charge of Social Security with the National Social Security Fund (NSSF).

Before this he had served under various capacities with Kenya Commercial Bank (KCB) until 2010 when he left to join NSSF. Prior to leaving KCB he was a Head of Department in Credit and also served briefly as Chairman of the Kenya Bankers Association (KBA) Credit sub-committee as well as member of the KBA/CBK task force which introduced credit information sharing in Kenya.

Mr. Tiampati is an alumnus of Alliance Boys High school. His education includes an executive MBA from ESAMI/ MSM and a Bachelor of Science (Hons) degree in Mathematics from the University of Nairobi.


25

Mr Sindiso Ndema Ngwenya is the third Secretary-General of the Common Market for Eastern and South-ern Africa (COMESA) since it was transformed from the PTA in 1994. He brings with him over 27 years of service in industry, regional and multilateral levels covering the public sector, private sector and qua-si-government institutions.

Before his appointment, Mr. Ngwenya was the Assistant Secretary General of COMESA in charge of Pro-grammes a position he held for ten years. In this position, he was responsible for overseeing the develop-ment and implementation of COMESA programmes. In addition, he oversaw and supervised the operations of COMESA established institutions such as the Leather and Leather Product Institute (LLPI), the Clearing House and the Regional Investment Agency.

In industry, Mr Ngwenya was involved in the design and implementation of programmes and projects in the road, airline and railway sectors. At the regional level, he was instrumental in the formulation of the PTA (now COMESA) regional integration programmes culminating in the launch of the COMESA Free Trade Area on 31st October 2000. He also worked on the establishment of COMESA specialised institutions, such as, the Eastern and Southern Africa Trade and Development Bank (PTA Bank), the COMESA Clearing House and the PTA Re-Insurance Company (ZEP-RE). More recently, he played a key role in the design of the COMESA Customs Union and Common Investment Area. He was also part of the team that crafted the COMESA Treaty and oversaw the transformation of the PTA into COMESA in 1994.

Mr Sindiso Ndema Ngwenya


26

Mr. Victor Kyalo

Victor Kyalo is the acting CEO of The ICT Authority. A long term faculty member of the University of Nairobi where he was instrumental in the development of communication network courses as well as in the set-ting up of communication labs in the faculty, Victor was involved in a number of communication networks including working in the pioneering processes of Internet in Kenya (ARCC & Kenyaweb), has participated in several government of Kenya ICT projects as an ICT infrastructure consultant in telecommunication and education sectors.

His current focus is on the deployment of communication technologies and services targeted at providing effective delivery mechanisms and processes in learning and teaching. Apart from systems design and implementation, my key interests are in the selection, measurements, and management of technology solutions, aiming at enabling an enterprise to optimize the return on its investment.


27

Mr Francis W. Wangusi the Director-General of the Communications Commissions of Kenya (CCK). He was appointed to the position on 21st August 2012.

With over 20 yeras of experience in the ICT sector, Mr Wangusi has previously served in various capacities at CCK. Before his appointment, he served in the same position in an acting capacity for a period of a year. He is the immediate former Director in charge of Broadcasting, and had earlier served as the Director in Charge of Licencing, Compliance and standards (LCS). He joined CCK in the year 2000 at the level of Assis-tant Director, and rose through the ranks to the current position.

Prior to joining CCK, Mr Wangusi worked in various capacities at the defunct Kenya Posts and Telecommu-nications Cooperation (KP&TC). He has also worked as a Senior Lecturer at the former Kenya College for Communications Technology (KCCT - now Multimedia University College).

Mr Wangusi has played a pivotal role in a number of key projects, most notably as the Head of the imple-menting team for the development of Regulations and related instruments. As the Director in charge of Broadcasting, he coordinated the Digital Secretariat responsible for the implementation of decisions by the National Committee on the from analogue to digital broacasting in Kenya. He is also a member of the Commission charged with the preparation of the Kenya/Italy bilateral agreement on the utilization of the National San Marco Space Centre and operationalization of the National Space Secretariat.

Mr Wangusi holds a Master of Space Science (Satellite Communications) from the International Space Uni-versity, France, and a Bachelor of Technology (Telcoms Engineering) from University of Rome, Italy. He also holds a Chartered Engineering Certificate from the Engineering Council, United Kingdom.

Mr Francis W. Wangusi


28

Mr. Kah-Kin Ho

Kah-Kin Ho has been with Cisco for more than 17 years and in his current position as the Head of Cyber Security Business Development he has been involved in providing thought leadership, both externally and internally, on how to respond to cyber risk and threat. In addition Kah-Kin has been working in the Europe-an Commission NIS (Network Information Security) Platform in helping to identify incentives that could be implemented to help stimulate security investment by EU companies. Kah-Kin also serves in the Advisory Group of EUROPOL European Cyber Crime Center (EC3).

Prior to this, he was a Solution Architect in the Global Government Solutions Group responsible for man-aging US Foreign Military Sales (FMS) to Taiwan, serving as Security Advisor to the Indian Military on their Tactical Communication Systems program, and managing large and strategic programs in South Korea. In addition Kah-Kin had spent 4 years working with Defense System Integrators such as EADS and Thales to jointly develop solutions for the Tactical Battlefield. Kah-Kin has also filed 2 US Patents on IP Networking protocols.

Kah-Kin graduated from the State University of New York at Buffalo with Bachelor and Master of Science degrees in Electrical .

Engineering. He also has a Master degree in Security Policy and Crisis Management, a program jointly or-ganized by the Swiss Armed Forces College and Swiss Federal Institute of Technology (ETH). His research area during the course of his study was on Terrorism related issues. He has since been engaged to teach Cyber Security Strategy and Policy to Swiss General Staff Officers in the same program. His favorite pas-times are skiing, swimming, and reading.


29

Kariuki is the Marketing Director at ICT Authority but also doubles up as a Deputy CEO. She participates in strategy formulation, directs marketing of Kenya as an ICT investment destination and drives promo-tion of ICT as a tool for improving livelihoods.

She has also contributed towards development of the Konza Technology City master plan and supports World Bank funded projects and lead the European Commission, Bill and Melinda Gates foundation and Rockefeller foundation research funded projects for ICT Authority.

She holds an MBA in Strategic Management from Maastricht School of Management affiliated to ESAMI, a BSc (Hons) degree in Business Studies from UK, a Higher National Diploma in Business Information Technology (BITech), and Chartered Institute of Marketing (CIM) Diploma.

Eunice Mueni Kariuki


30

Mr. Xavier Villegas

Xavier Villegas is the Chief Business Market Officer, Orange Telkom. He joined the company in 2011 from the Orange Group, where he served as the Director for Orange Corporate Sales in the French West Indies.

He has more than 20 years experience in the telecom business market and has also worked for several years in Spain and in the USA as a Solutions Consultant. Xavier holds a Masters degree in Robotics and an Engineering degree from lEcole Nationale Superieure dIngenieurs, Besancon (France)


31

Dr. Isaac Rutenberg is a Visiting Professor at the Strathmore Law School. He obtained a JD from Santa Clara University School of Law in May 2011 and is registered to practice law in California, and also before the United States Patent and Trademark Office.

Dr. Rutenberg has authored articles for a variety of publications and spoken at numerous conferences in Kenya, primarily focusing on practical aspects of intellectual property (IP). He continuously advocates for Kenyan organizations and individuals to expand their use of worldwide IP systems.

In addition to his affiliation with Strathmore Law School, Dr. Rutenberg is currently a practicing patent attorney with Science & Technology Law Group (www.sci-tech.com). His practice includes patent pros-ecution, due diligence, and preparation of legal opinions (patentability, validity, and freedom to operate) for subject matter that included chemistry, materials science, polymers, pharmaceuticals, biotechnology, drug delivery, medical devices, and electronic devices. His practice includes all aspects of patent prosecu-tion, including US and foreign prosecution. Dr. Isaac Rutenberg


32

Mr. Alex kioni

Mr Kioni is the Security Systems and Tivoli Technical Sales Consultant at IBM East Africa, with over 13 years experience in the Information Technology and Cyber Security industry. Before joining IBM he was a Senior Security Engineer & Consultant at the U.S. House of Representatives in Washington DC. Mr Kioni holds a BSc. in Networks and Communications Management from De Vry University, Dallas Texas, and currently pursuing a dual MSc. in CeberSecurity and M.B.A from University of Maryland University College, Adelphi Maryland. a recognised National Center of Academic Excellence in Information Assurance & Cyber Security Education by the U.S Department of Homeland Security and the U.S. National Security Agency.

He also holdsseveral industry designations, including, Certified Information Security Manager (CISM), Cer-tified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Microsoft Certi-fied IT Professional, Enterprise Administration (MCITP: EA), MCSE: Security, and Comp TLA Security.


33

Isiaho is a Manager in Deloittes Enterprise Risk Services practice where he focuses on information risk and assurance solutions. His primary focus includes Controls Assurance, IT and Security Governance Re-views, Information System Audits and Information Security Assessments. He has served clients in Kenya, Uganda, Tanzania, DRC and Mozambique.

Isiahos experience spans systems vulnerability scans; gap analysis; system post-implementation reviews, secure coding reviews, vulnerability assessments & attack simulations and system configuration review. As part of his responsibilities, he has served various telecommunication & media, financial, manufacturing, and hospitality industry companies across Africa in reviewing leading application systems and ERPs e.g. Telco billing systems, SAP R/3, Oracle Financials, major core banking applications, among others

Raymond Simbi Isiaho


34

Lillian Makanga

Lillian Makanga holds an LLB (Hons) degree from the Catholic University of Eastern Africa (CUEA) a post graduate diploma in law from the Kenya School of Law and currently and is an Advocate of the High Court of Kenya.

She works at the Centre for Intellectual Property and Information Technology Law(CIPIT) where she is in-volved in the CIPIT-IP Clinic providing legal advice and cost effective solutions to innovators on all aspects of their Intellectual Property Rights. She also engages with startups on branding strategies. Further, she analyses developments in Kenyan and International IP Case law as well as the implications on the Intel-lectual Property Landscape.

In addition, at @iBiz Africa a Business Incubation Centre in Strathmore University,she is involved in men-toring individuals and start-up organizations on maximizing on their business ideas.Her goal is to foster an innovative culture among individuals and within organizations


35

Muchemi Wambugu is a Director in the Information Technology Advisory practice of Price waterhouse Coopers Kenya Ltd in Nairobi, Kenya. Muchemi joined the firm in 2011 having worked at Deloitte Consult-ing Ltd in Kenya, and IBM Global Services in California, USA. Muchemi is a certified Project Management Professional (PMP), member of the Project Management Institute (PMI) and is a Microsoft Certified Techni-cal Trainer. He holds an Honors degree in Commerce, majoring in Management Information Systems from the University of Manitoba, Canada, and a Masters degree in Project Management from the University of California- Berkeley, USA.

Muchemi is an ICT Management professional, with more than 16 years of experience in advising organi-zations both private and public on business- centric ICT solutions. He has extensive experience in global technology implementations, ICT Transformation, Strategy, Operations, governance and Program Man-agement. He has advised government and private organizations on how to unlock business value from investments in ICT.

He has proven managerial skills in leading and directing highly successful technology teams in the bio-pharmaceutical, technology, educational, financial industries as well as the Public Sector.

Muchemi Wambugu


36

Kebaso George Mokogi

Kebaso George MokogiHe is the chief carrier services officer. Prior to his appointment, Kebaso was Oranges head of public sector. He has seventeen years experience working in the software development and telecommunications fields in Kenya, Uganda and the US. Kebaso holds a masters degree in human resources management from the Dallas Baptist University, Texas, and a bachelors degree in business administration from the University of North Texas.


37

Tyrus Muya KamauIs a Information Security professional with over 6 years industry experience in the region with domain expertise in the following areas:

Penetration testing & vulnerability assessment Signaling Intelligence & Radio Frequency research Active threat modeling. R&D in cyber warfare ISO 27001 compliance enforcement

His work experience spans across different clientel including the Kenyan Government where he was part of the team that developed and delivered the National Cyber Security Master plan, Ministry of Defence (De-partment of Military Intelligence), various corporations and learning institutions (Strathmore University).

Tyrus has partnered with Strathmores iLab to develop a dedicated IT Security Institution which will train and create much needed capacity in the country in the area of Cyber Security. In addition, the partnership is carrying out dedicated Cyber Security R&D in collaboration with various banks, MFIs and regulators.

He is a regular speaker at various security conferences in the EA region crusading for active participation from various stakeholders in establishing an IT Risk aware generation of IT professionals.

He also lectures Web & Wireless Security units at Strathmore University in the Msc Telecommunications for Innovation and Development. In his spare time Tyrus is an avid reader, gamer, budding photographer and has taste for fine dining.

Tyrus Muya Kamau


38

Eno-Akpa Rene Nkongho, a winner of the 2012 Central European MA (Public Policy) Fellowship Award, is specialized in International Public Policy. Also, Rene is an MA - International Relations and Diplomatic Studies graduate (2010) of Makerere University and an Upper Second BA -Social Science graduate (2005) of Uganda Martyrs University, Nkozi.

Currently, Rene is the 2013 Google Policy Research Fellow hosted at CIPIT, Strathmore University Law School, where he has just concluded a research paper entitled: The Case for an African Solution to Cyber-crime: A critical Review of the Draft AU Convention on the Confidence and Security in Cyberspace.

Rene is an emerging scholar with a keen interest on how international organisations impact on statebuild-ing and social, political and economic development in Africa. Building on that interest, he previously served as Co-Lecturer on the Modules: Government and Politics in Africa; and, International Organisation at Cav-endish University, Kampala in 2010/2011. He served as Programme Consultant for Governance, Democracy and Human Rights Programme from 2010 to 2012 with Twezimbe Centre, Uganda, a local Catholic NGO. In 2006, Rene served as Research Assistant for Global Network for Good Governance, Limbe, Cameroon. Some of Renes scholarly works include: A Critique of MACKINNON REBECCA, Internet Freedom Starts at Home: The United States needs to practice what it preaches online, Foreign Policy Magazine (2012); The Fragility of the Liberal Peace Export: An Advocacy for the Extension of Formal Education Access in the Liberal Peace Project in South Sudan (2013) ; and, The Impact of Multilateral (Liberal) Trade on Growth and Poverty Reduction in Uganda (Forthcoming in UMU Journal of Development Studies, December 2013).

Eno-Akpa Rene Nkongho


39

APPENDIX 2: Summit Program


40

Brought to you by

Rebulic Of Kenya

Ministry Of Information,Communication and Technology

Conveners

Host


41

Sponsors

Bronze

Platinum

ict summit 2- information security & pki report, november 2013

Documents

kenyainformation security

conference outcomes

conference proceedings

safari park hotel

kenyatta avep

draft au convention

national strategies

official opening session