A series of cyber attacks devastated Kenya’s digital infrastructure in July. Now, with major new digital initiatives underway, the country must find a way to restore the public’s confidence in cybersecurity.
Kenya is one of Africa’s leading digital economies. The country has undergone a digital revolution since the early aughts; steady investment in connectivity infrastructure, coupled with an enterprising populace, has seen the country’s information, communications, and technology (ICT) sector grow by an average 10.8 percent every year since 2016.1 The National ICT Policy as reviewed in 2019 outlines ambitions of leveraging ICT “as a foundation to the creation of a more robust economy” by growing the sector’s contribution to the digital and traditional economy to 10 percent of gross domestic product by 2030.2 Leaning into a continental leadership role, Kenya developed a Digital Economy Blueprint in 2019, drawing from the country’s digitalization journey to propose a framework that other African countries could adopt to invest in their own digital economies.3
Much of Kenya’s digital success is underpinned by the role of mobile technologies, as reflected prominently in policy documents. The national ICT policy prioritizes a “mobile first” strategy because most citizens access the internet via mobile phones. The National Broadband Strategy for 2018–2023 announced a proposed target of 100 percent connectivity by 2023 and Kenya’s intention to meet the 2025 UN Broadband Commission’s “one for two” affordability target—that is, one gigabyte of mobile broadband data available for 2 percent or less of gross national income per capita.4 As of March 2023, the number of mobile (SIM) subscriptions in the country was 66.1 million according to the Communications Authority of Kenya.5
A core component of Kenya’s mobile technology success has been mobile money services, notably through the M-PESA service offered by the country’s leading telco, Safaricom. With M-PESA—which marked its fifteenth anniversary in March 2022—banked and unbanked customers can send and receive money, access short-term loans and overdraft facilities, store money (savings), and pay for goods and services.6
Launched in 2007, the mobile money service has transformed Kenya’s financial ecosystem. It is now operational in six additional countries in Africa: the Democratic Republic of the Congo, Egypt, Ghana, Lesotho, Mozambique, and Tanzania. M-PESA is now integral to Kenya’s financial ecosystem, processing up to $633 million per day.7 It boasts a network of more than 918,500 active agents across the seven African markets in which it now operates, serving over 50 million monthly active customers across the continent.8
M-PESA is also embedded in the operation of other digital finance innovations through its partnerships with banks and other financial institutions to extend virtual banking services and to facilitate digital credit facilities, cross-border payments, international remittances, and e-government services.9 As fintech grows at a heady pace across the continent, Safaricom and the M-PESA platform join other telcos in positioning themselves as veritable players in this domain (“telco-to-techco”), alongside small- and medium-enterprise fintech startups.10 On its own, M-PESA has set its sights on additional services in savings, credit, and insurance, all accessible through its Super App virtual storefront.11
The rush to offer the most convenient digital finance solution to different market segments (individual consumers, small and medium-size enterprises) is setting the stage for vibrant competition among market players. A defining feature of many fintech innovations and pivots is the increasing use of digital and internet-based platforms to offer services. Cybersecurity is thus a key consideration for M-PESA in this forward march toward further entrenching the provision and inclusion of digital financial services.
DIGITAL AMBITIONS, CYBERSECURITY, AND DATA PROTECTION REALITIES
The Kenyan government under the incumbent president, William Ruto, has dubbed its ICT agenda the Digital Superhighway.12 Through additional investments in fiber connectivity, satellite, and other emerging connectivity solutions, the government aims to expand high-speed internet access nationwide to transform the country, create jobs, and enable growth.13 Through the Ministry of Information, Communications and Digital Economy (MIC&DE), the government aims to roll out 25,000 public WiFi hotspots and over 1,000 village digital hubs by 2027.14 It is also working with the private sector toward producing affordable smartphones (envisioned to be Africa’s cheapest) and has accelerated the digitization of government services.15 The government has stated its intention to roll out unique personal identifiers to serve as lifetime registration numbers from birth to death16 and a new digital identification system to provide Kenyans with “a secure and reliable way to verify their identity for a variety of purposes” at some point in the future.17
Amid the public and private sector successes and ambitions in digitalization, cybersecurity has been noted variously as a concern or challenge. The National ICT Policy lists cyber crime and cybersecurity vulnerabilities as one of the “significant challenges to be overcome” in achieving the policy’s short-term goals.18 The Digital Economy Blueprint recognizes cybersecurity as a crucial enabler of digitalization, noting that protecting the integrity of electronic and digital systems is a “paramount concern in a digitally enabled economy.”19 The document further acknowledges data security and privacy as fundamental to consumer trust in digital services and even outlines questions specific to cybersecurity and data protection in its “country checklist for development of digital economy” (see figure 1). On the legislative front, Kenya’s Computer Misuse and Cybercrimes Act (CMCA) of 2018 outlines offenses related to computer systems within the jurisdiction and modalities for international cooperation on “computer and cybercrime matters.”20 Additionally, the Data Protection Act of 2019 establishes the Office of the Data Protection Commissioner, makes provision for personal data processing regulation, and provides for the rights of data subjects and the obligations of data controllers and processors.21 The National Cybersecurity Strategy (2022–2027) was issued as a roadmap—aligned with the CMCA—to “address new challenges and emerging threats in the cyber domain.”22
Kenya, then, has a suite of progressive ICT- and cybersecurity-related policies and frameworks. But their positive value will depend on effective implementation. Here, as recent events outlined below showcase, turning digital ambitions into real-life achievements is a daunting challenge.
JULY 2023: KENYA FACES A MASSIVE CYBER ATTACK
A series of cyber incidents that occurred in Kenya in July 2023 tested the cybersecurity and resilience of the rapidly digitalizing country. These events affected government service provision and shook Kenya’s digital financial ecosystem.23 By no means the first, they certainly were the most significant cyber attacks the country has yet faced. The government has previously dealt with defaced websites24 and alleged breaches by foreign actors.25 Financial systems, banks, and M-PESA alike have been subject to cyber-related threats and vulnerabilities.26 Safaricom and the Communications Authority of Kenya are facing a class action lawsuit over SIM-swap frauds.27
The recent cyber incidents, which were primarily distributed denial-of-service (DDoS) attacks, temporarily rendered digital public services in the country unavailable and disrupted internet and mobile payment platforms. They took place just as the government had ramped up digital public service provision. On June 30, Ruto unveiled a revamped version of the country’s eCitizen platform, which had been launched in 2014 to provide “cross-agency, citizen-centric information and services.”28 It now offers over 5,000 digitized government services, with thousands more expected to be accessible on the platform by the end of 2023. Users can access eCitizen via desktop, through a phone-based application dubbed Gava Mkononi (“government in your hand”), or through an unstructured supplementary service data (USSD) code. eCitizen has also been announced as the official government digital payment platform, meaning that all payments for government services must be made through a universal mobile money cash collection number, also known as a Paybill number.29
Beginning the week of July 19, 2023, reports started streaming in that some eCitizen services were inaccessible. The University of Nairobi—the largest public university in the country—issued a notification of a possible data breach affecting its student management information system. The system was taken offline and the matter escalated to the National Computer and Cybercrimes Coordination Committee (NC4)—the national cybersecurity coordination body—and to the Office of the Data Protection Commissioner. The incident flew under the news coverage radar, as did other reported downtimes, such as reported ransomware attacks on another government entity, the Kenya Bureau of Standards.30
By July 27, the attacks had affected the main national electricity transmission and distribution entity, Kenya Power, as well as Kenya Railways’ passenger services. On the same day, mobile money services through M-PESA became inaccessible. Kenya Power notified clients of a system hitch “due to a network breakdown” from its service provider, affecting the purchase of prepaid power tokens through M-PESA.31 Kenya Railways announced that its ticket purchasing system faced a similar glitch.32 The widely used M-PESA and Safaricom mobile apps could not facilitate mobile money transfers, and bank-to-M-PESA transfers were also affected, with some banks removing the option from their online portals altogether.
A group called Anonymous Sudan claimed responsibility for the cyber attacks.33 The name of the group caused a stir among Kenyan information security groups and on social media; the idea that an organization of Sudanese cyber warriors had sworn to attack any entities that attempted to interfere with Sudan’s internal affairs led many to believe that Kenya’s engagements in the ongoing conflict were the cause of the attacks.34 In June 2023, prior to the cyber attacks, Ruto had been set to lead a mediation process through a regional body—the Intergovernmental Authority on Development in Eastern Africa—but the process had been rejected by Sudan’s army chief.35 The Kenyan government had “dismiss[ed]” this rejection, leading to a series of video exchanges between Kenyan and Sudanese officials.36 In one widely circulated video, a Sudanese general had warned Kenya against sending peacekeepers;37 this had drawn strong reactions from Kenyans, with a local Kenyan politician posting a video tirade on social media that skirted the diplomatic process. Another Sudanese governmental adviser had responded in turn, also on social media, with a video calling out the Kenyan politician for being out of order.
As Kenyans on social media tried to make sense of the disruptions, the cabinet secretary of the MIC&DE confirmed through a radio interview and a statement circulated via social media that cyber attack attempts had targeted both the government and private actors, but was quick to affirm that no data breaches had occurred.38 The Ministry of Foreign and Diaspora Affairs—through the principal secretary’s Twitter account—issued a communiqué stating that it was facing a challenge affecting the processing of e-visas on eCitizen and would approve visas on arrival at the country’s entry points to mitigate the issue.39 A day later, Safaricom alerted customers that they could instead access M-PESA and other services on their phones via USSD and SIM tool kit (a feature that allows SIM cards in phones to conduct value added services, such as mobile money payments in this case), but did not address the significant downtime experienced.
On July 30, the MIC&DE circulated yet another statement via social media broadly acknowledging “a new era of cyber threats” following the country’s digital transformation and announced a multistakeholder cybersecurity roundtable “with membership from Government and private sector, to discuss cyber threats management in this evolving landscape.”40 The statement, issued jointly with several tech companies (predominantly U.S. multinationals) also outlined areas for public–private sector cybersecurity cooperation. The omission of civil society, academia, and local tech players has raised concerns as to the true nature of multistakeholder engagement in the ensuing process. Additionally, it remains unclear whether the roundtable is a one-off event or a new mechanism for continuous engagement on cybersecurity in Kenya. However, it offers a useful outline for this paper to offer some practical recommendations for improving cybersecurity posture and cyber resilience in light of these events and Kenya’s digital ambitions.
IMPROVING KENYA’S CYBER RESILIENCE: THE WAY FORWARD
ENHANCING INFORMATION-SHARING, PUBLIC AWARENESS, AND EDUCATION
Cyber information-sharing between different stakeholders for situational awareness and for organizations to defend themselves is a good cybersecurity practice and one that always can be improved.41 Public-private collaborations for cybersecurity public awareness like those put forth in the press statement by the MIC&DE announcing the multistakeholder roundtable can be fine-tuned along sector-specific dimensions, such as cybersecurity and financial systems. As an immediate step, the government ought to adopt good multistakeholder practices such as courting local private sector players—especially small and medium-sized enterprises operating in and affected by developments in cyberspace—alongside the local sector leaders and tech multinationals operating in the country. Kenya also has a vibrant information security community that should be incorporated in cyber drills through professional associations. Setting up “white hat” programs, in which ethical hackers test a system’s security with the target’s consent, would also benefit the country’s cybersecurity and cyber resilience.42 Drills and information dissemination on common cyber threats and vulnerabilities that consumers may encounter in navigating the digital financial space could be conducted jointly by the associative bodies of fintechs, microfinance institutions, and the banking sector in collaboration with relevant regulatory bodies. Local information security communities and other tech associations should also be leveraged to advance iterative cybersecurity public education and awareness.
Additionally, affected organizations and governments bear some responsibility to inform the public they serve in the event of cyber incidents that lead to service disruption. Information-sharing, in this regard, should include an acknowledgment of disruption; its causes, if they are deemed feasible to share; measures the public can take to mitigate harm and practice cyber hygiene; and, when resolved, an update on restoration of services. The National Computer Incident Response Team (KE-CIRT/CC), which lists cyber security awareness as one of its duties,43 could be better leveraged to bolster information-sharing with the public by offering authoritative situational updates in the event of ongoing attacks (as in the case of the July incident) in addition to the periodic reports on emerging threat trends that it already issues based on incident reports. Proactive communication to the public led by government bodies such as KE-CIRT/CC will help establish them as authoritative and trustworthy sources of information, which is an important step to stemming speculation and misinformation, especially in times of crisis.
Before any official communication was issued on the July cyber incidents, social media platforms were the primary avenue through which citizens gained any insight on the cyber attacks, with many submitting queries to official government social media channels such as eCitizen. The speculation attributing the incidents to Kenya’s involvement in the Sudan conflict—further fueled by Anonymous Sudan’s claims—was a possible source of misinformation and disinformation on the nature and scope of the attacks on critical public infrastructure.44 Curiously, KE-CIRT/CC did not issue any advisories or cyber threat warnings during the cyber attacks despite having an active social media presence. Though the MIC&DE and its cabinet secretary did acknowledge the attacks, specialized entities also have a role to play in such instances. KE-CIRT/CC could have offered technical insights, progress updates, and cyber awareness tips for a concerned public to complement the messaging from the executive and regulatory authorities.
Nigeria is compelling as a comparison in this regard. On August 2, 2023, Anonymous Sudan claimed to set its sights on the nation’s digital infrastructure.45 This was supposedly in response to Nigeria’s involvement in the proposed military response to the coup in Niger. Nigeria’s National Information Technology Development Agency—the federal agency responsible for developing and regulating information technology in the country—was quick to issue a statement acknowledging DDoS attempts on its digital infrastructure, as well as that of other government bodies, financial service providers, and telecommunications service providers.46 The Nigeria Computer Emergency Response Team (ngCERT) issued a threat alert outlining the scope of the attack, recommendations on how to prevent such attacks, and social media blasts on avenues through which cyber attacks could be reported.47 ngCERT followed up with a progress update a few days later.48 This stands out as a model for information-sharing in the face of a cyber threat.
Safaricom and M-PESA, meanwhile, are yet to issue any statement accounting for the disruptions encountered. Nor did they notify customers upon full resumption of services. During this period, however, they did communicate an increase in M-PESA transaction costs caused by the enactment of Kenya’s Finance Act, 2023.49 Not only might this selective communication have dented the company’s image, but it also provides grounds for speculation and distrust in the company and the critical service it operates, as there has been no transparency to the public who were adversely affected. It also risks setting a precedent for other service providers to ignore disclosing cyber incidents to their customers, which could undermine trust in digital service provision and in cyberspace writ large. The platform has since suffered other downtimes without any official communication acknowledging them, yet social media is awash with complaints. It is also noteworthy that neither the financial nor the telecommunications sector regulators, nor the information or finance ministries, have so far addressed the M-PESA outages.
Given how integral the digital environment is to Kenyan citizens’ daily lives and work, information-sharing with the public should also be proactive; by many accounts, markers of an ongoing cyber attack had been flagged by information security practitioners. Robust information exchange platforms and official communication of cyber incidents still being monitored could have boosted the public’s confidence and helped citizens know what measures to take. Instead, the information exchange regarding July’s events has fostered speculation as to who was conducting the attacks and impressions of government incompetence.
It should be clear that how the Kenyan government interfaces with the public on cyber incidents needs to be improved. Furthermore, digital financial sector–specific entities such as the Kenya Bankers Association (KBA) must contemplate how to address customers proactively even in the face of ongoing cyber attacks.50 That their members’ bank-to-M-PESA services were affected across multiple banks without any clear communication, even merely acknowledging service disruptions, risks fostering the impression that the services and service providers are unreliable and untrustworthy. KBA ought to update its consumer information offerings to include matters pertaining to cybersecurity.
IMPLEMENTING, REVISING, MONITORING, AND EVALUATING CYBERSECURITY-RELATED POLICIES, FRAMEWORKS, AND REGULATIONS
The July 30 statement by the MIC&DE pointed out that the objective of this cooperation was “to enable effective cybersecurity measures that protect both the public and private sectors, while also ensuring compliance with legal frameworks. This will include the development and implementation of a comprehensive cybersecurity framework that covers both public and private sector entities. . . [and is] regularly updated to adapt to emerging threats.”51 Kenya’s National Cybersecurity Strategy (2022–2027) already offers a viable framework for bolstering a secure and resilient cyberspace to maximize on the benefits of a digital economy. It further outlines an implementation framework and timeline.52
A multistakeholder review of what has been accomplished would be advisable to evaluate the progress that has been made on cybersecurity governance; cybersecurity policies, laws, regulations, and standards; critical information infrastructure protection; capability and capacity-building; cyber risks and cyber crimes management; and cooperation and collaboration.
Additionally, Kenya has comprehensive cyber crime legislation in the Computer Misuse and Cybercrimes Act (CMCA), 2018. A task force of the National Computer and Cybercrimes Coordination Committee (NC4) is reportedly in the final stages of formulating draft regulations to operationalize the CMCA “to address gaps in the changing cyberspace.”53 Coming on the heels of widespread cyber attacks, the regulations’ public participation process will present an opportunity for the government, through the NC4, to facilitate vibrant multistakeholder engagement on how the country’s cybersecurity policies, frameworks, and regulations can be better realized.
The country’s 2022–2027 National Cybersecurity Strategy emphasizes the government’s commitment to working with stakeholders at national and international levels as is necessitated by the cross-cutting and transactional nature of cyber threats. As it develops cooperation and collaboration frameworks and seeks to establish a trusted information-sharing mechanism for knowledge exchange and incident reports, Kenya has the potential to champion continental coordination on cybersecurity and data protection as enshrined in the African Union Convention on Cybersecurity and Personal Data Protection, which recently entered into force.54 Kenya has yet to ratify the convention despite repeated commitments to do so. Working with continental partners through the modalities of the convention could also help Kenya and the other African Union member states develop and jointly promote African positions in international cybersecurity forums. Given capacity constraints in most African governments, developing sound cooperation and collaboration mechanisms could advance what Ruto has been championing: for African countries to better leverage the African Union in representing its member states, particularly in engagements with external partners.55 The cyber domain is one area ripe for such an intervention, as Africa lags in cyber diplomacy engagements.56
AUDITING CYBERSECURITY SKILLS AND RESOURCE NEEDS IN THE PUBLIC SECTOR
Cybersecurity is undoubtedly gaining momentum as a priority in digital development, with critical sectors such as finance facing systemic risks. In countries such as Kenya, the digitalization of the financial sector, coupled with the innovations that mobile telephony has brought forth to drive digital financial inclusion, has been celebrated widely. However, the attendant cyber threats and vulnerabilities have also proliferated, given the telecommunications and banking sectors’ parallel digitalization trajectories. The term “cyber capacity-building” tends to punctuate many calls for resourcing developing countries’ digital transformation. And as Carnegie’s FinCyber Strategy Project,57 which put forth actionable policy proposals to protect financial systems against cyber threats, noted in its report, cybersecurity capacity-building has become a growing priority—yet the term capacity building is “amorphous . . . and requires clarification before we can progress from concept to action.”58
In the July 30 statement, the MIC&DE stated that “the private sector will assist Government in closing the cybersecurity skills gap by providing training and expertise to government agencies . . . [including] provision of critical expertise to aide [sic] in the cyber incidents response and recovery processes.” In its quest to seek private sector assistance to address its cybersecurity capacity, the Kenyan government has the National Cybersecurity Strategy’s implementation framework as a viable starting point.59 It clearly outlines objectives and interventions for strengthening cybersecurity capability and capacity that include promoting in-country cybersecurity research and development, establishing a cybersecurity “Centre of Excellence,” and developing more local cybersecurity specialized experts. To achieve these goals, the government—through a body like the ICT Authority, which is tasked with rationalizing and streamlining how government ICT functions are managed60—must undertake an audit of cybersecurity skills within government agencies that could start with those responsible for public-facing digital services such as eCitizen. Such a skills assessment could build upon a recent mapping of Kenya’s cybersecurity capacity-building needs conducted by the Kenya ICT Action Network following an in-country, multistakeholder consultative process.61
The National Cybersecurity Strategy also proposes that the government establish a cybersecurity professional certification/accreditation and career progression framework. While probably viable for the public sector, this tactic may face opposition from the private sector, civil society, the technical community, and academia. Previous attempts at regulating ICT practitioners in the country have faced pushback,62 as they risk creating bureaucratic processes that stifle innovation and raise barriers for professional development in an otherwise dynamic industry where even self-taught, non–academically trained practitioners can attain and have attained the requisite professional capacity.63 The government, through such a roundtable, ought to engage industry associations and other relevant stakeholder groups to arrive at more appropriate and agile ways of achieving the cybersecurity capacity objective.
Relying on the private sector to provide critical expertise may assist the government in plugging cybersecurity skills gaps; however, overly relying on the private sector, be it for free services or for seconded personnel, can create dependencies that undermine sustainable cyber capability. The government should establish mechanisms of resourcing for its cybersecurity skills needs, with private and development sector support supplementing this increasingly core need for the digital government Kenya prides itself on having. Arguably, ultimate success in cyber capacity-building—whether facilitated in collaboration with the private and development sectors or by the government on its own—is not only in a flurry of training initiatives or benchmarking exercises, but also in entrenching adequate and sustainable resourcing (personnel and monetary) of institutions such as the KE-CIRT/CC to deliver on their missions. In addition, critical evaluation of training programs—such as on whether they embed interdisciplinary approaches to cybersecurity—is a measure worth considering in cyber capacity-building for the nation’s cyber defense posture.64
CONCLUSION
Kenya’s digital superhighway plans are laudable, but they are not without challenges and near-term risks. The July cyber attacks aside, the digitalization plans the government is pursuing come at a time when ordinary Kenyans are increasingly exposed to online threats, with confidentiality and privacy breaches topping the lists of complaints registered by the Communications Authority of Kenya.65 Cybersecurity and resilience must thus factor into the ambitious rollout of digitalization initiatives in the public sector. The government would do well to leverage the proposed roundtable and other multistakeholder avenues to take stock of cybersecurity measures in place for its own systems, as well as those affecting critical sectors like finance, energy, and transportation; also, and just as importantly, strategies must account for how cyber threats affect individuals and smaller businesses.66 The vast array of policies, regulations, strategies, and frameworks offers a viable starting point; measuring progress on implementing all these tools is an appropriate way to effectively identify insights on improvements and iterations to be made.
Trust in and reliability of the country’s digital financial infrastructure is also at stake. M-PESA’s critical role in facilitating payments in the country is just as significant during downtimes. That the company has not been communicative during outages, despite causing inconvenience, has drawn public ire. It also does not bode well for the government’s push for all payments for government services to be directed through one mobile money payment platform—a directive that is now being challenged in court as being unilateral, arbitrary, and not grounded in any framework subject to public participation.67 Because of the popularity of mobile money, not only are banking systems affected when M-PESA services are down, but the country’s whole financial system is also jeopardized. This poses a systemic risk, as M-PESA’s success and ubiquity also risks a single point of failure for the country’s financial system; the service commands 96.5 percent of the mobile money market share in Kenya.68 However, the Kenya Bankers Association has its own interbank, real-time settlement system, which it could better promote as an alternative to the bank/mobile money wallet system.69 Responsiveness to feedback (in both the public and private sector), acknowledging receipt of complaints, and periodic reports on cyber threat trends and mitigation measures will be helpful steps toward fostering trust in the ability of public and private sector digital service providers to act on cyber incidents reported, thus creating a virtuous circle of cyber incident reporting, public awareness, and education.
The July cyber attacks can be viewed as a litmus test for Kenya. The country’s cybersecurity-related policies, legislations, proposed regulations, frameworks, and strategies read well in theory, but must pass muster in practice in an ever-shifting cyber threat landscape, and with increased digitalization of critical public and private sector services. To ensure the country’s cyber resilience, the government’s drive for digitalization must embrace a continuous multistakeholder engagement stance, while correcting for shortcomings and emerging systemic risks as exposed by the cyber attacks the country has been subjected to—and will likely continue to face in the future.
BY: Nanjira Sambuli :: Nanjira Sambuli is a fellow in the Technology and International Affairs Program.