[kictanet] Kenya’s PKI Destined for Failure?

Brian Munyao Longwe blongwe at gmail.com
Wed Mar 20 18:06:30 EAT 2013 

Disclaimer: All the opinions expressed herein are my own.

 #140friday <http://140friday.com> » Business <http://140friday.com/?cat=3>»
Politics <http://140friday.com/?cat=6> »
Technology<http://140friday.com/?cat=8>» Kenya’s PKI Destined for
Failure?
March 20, 2013
Kenya’s PKI Destined for Failure?

Today I had the opportunity to attend a seminar organized by the Ministry
of Information & Communications and Samsung SDS as part of the
implementation of Kenya’s National Public Key Infrastructure (NPKI). The
project is undertaken within the framework of the Kenya Transparency &
Communications Infrastructure Project (KTCIP), a World Bank funded
initiative that will help Kenya achieve a number of the goals under the ICT
pillar of Vision 2030.

The presentations from the team from Korea consisted of representatives of
Samsung SDS (who won the International tender for Kenya’s NPKI
implementation) as well as representatives from some of the key actors in
Korea’s own NPKI. The Korean presentations were interesting, informative
and very well prepared. Over the period of a few hours they were able to
take the relatively complex subject of National Public Kenya Infrastructure
and unpack it in a way that was both easy to understand as well as clear
and straightforward. They left no shadow of doubt as to whether Samsung SDS
can successfully implement this project. They also shared the
organizational structure for the project, which is as follows:

[image: CAM00454]<http://140friday.com/wp-content/uploads/2013/03/CAM00454.jpg>

During the course of their presentations the team from Korea shared the
high level plan for the implementation of Kenya’s SDS. They made it clear
that they had spent a good deal of time working closely with Government
officials responsible from the Kenyan side.

In describing the structure and hierarchy that has proven successful in
Korea for the implementation and operation of their NPKI, the team shared
the following diagram.

[image: CAM00455]<http://140friday.com/wp-content/uploads/2013/03/CAM00455.jpg>

At the very top, there is the Ministry responsible for the NPKI, they
provide the legal and regulatory framework, national authentication plan
and other high level functions. Below them is the “Root Certification
Authority” an organization known as the Korea Internet Security Agency
(KISA), which provides operation of the National Authentication system,
licensing/accreditation of certificate authorities (CA) to provide service
to the public as well as development of technical standards. Below them are
the accredited CAs of which Korea has 5 who provide certificate issuance
and management services to the public.

In a presentation which came later, the Korean team shared the proposed
structure for the Kenyan implementation which had been arrived at after
consultations with Government. The diagram is as follows.

[image: CAM00457]<http://140friday.com/wp-content/uploads/2013/03/CAM00457.jpg>

In this structure, Government who will be responsible for legal and
regulatory framework, national authentication plan, other high level
functions as well as licensing and auditing are to be represented by the
Communications Commission of Kenya (CCK). Below them and responsible for
operation of the Root Certification Authority is CCK. Below that are a
proposed “Government CA” which will issue certificates for Government
agencies and employees and a proposed “Private Sector CA” which will issue
certificates to the rest of the country.

I have a big problem with this structure. First and foremost because CCK is
being proposed as BOTH the licensing authority as well as the licensed
operator of the Root Certification Authority. The potential for conflict of
interest is immediately evident, not to mention the fact that the
end-to-end integrity of a structure that ensures top-down accountability is
rendered completely void. Even worse was the mumbled suggestions by some of
the government participants at the seminar that CCK might also act as the
Government CA. In addition that is the fact that a project as crucial as
this has not gone through a proper stakeholder consultative process and is
seemingly being shoved down our throats. In his closing remarks a director
a the E-Government directorate asked the ICT Board to engage stakeholders
further and receive input before moving too far.

I raised this point as a question during the Q & A session at the end of
the seminar and would like to emphasise that it would be *very wrong* for
CCK to be the Root Certification Authority for a number of reasons:

   1. *Conflict of Interest:* As per the proposed structure the
   representative of Government, CCK needs to serve as the top level entity
   that handles the legal and regulatory framework and the national
   authentication plan. Adding a subsidiary role would not only compromise
   their integrity but would also expose them to all manner of challenges with
   regards to operation of an infrastructure that is supposed to be based on
   trust.
   2. *Procurement Issues:* In sharing to a certain level of detail the
   complexity of the Root Authority setup, it became evident that there would
   be a continuous need for procurement of various goods and services. As a
   government agency, CCK is subject to public procurement regulations, this
   means that even very basic, small and simple items could take months if not
   years to procure. The problems with our public procurement are well known.
   Subjecting the Root Authority to this kind of environment is in itself a
   major risk for successful implementation and operation.
   3. *Human Resource Issues:* Several times in their presentations the
   Koreans complained that they had observed a critical lack of human
   resources. They emphasized that they were not referring to
*skilled*human resources but simply to
   *enough people* for the project requirements. Shock of shocks! With the
   incredible numbers of well educated Kenyans who are unemployed or
   underemployed? They could obviously have only been referring to what they
   had seen as far as the people available for the project from the Ministry
   and CCK. It is no secret that CCK has extremely limited human resources in
   their ICT division and those few are oveworked, stretched beyond measure
   and juggling multipe roles. Isn’t adding additional responsibilities into
   this mix a formula for disaster?
   4. *Inertia*: CCK has proven to be very poor at the timely execution of
   functions that fall outside their core mandate of licensing, regulation and
   resource management. A perfect example is the implementation of the
   Universal Service Fund, which CCK insisted on handling as an inhouse
   function instead of facilitating the setup of a dedicated entity to handle
   the task. It has been over 6 years since regulation and legislation
   regarding the USF came into place and there is still nothing to speak of. I
   will reserve this as a subject for another day (it is a long and detailed
   one!)

*Recommendations*

The Government should immediately consider adopting a *Public Private
Partnership* approach for the implementation of Kenya’s NPKI. This is
especially timely because we now have a fully ratified Public Private
Partnership Policy that provides a variety of models for project
implementation. This will not only ensure involvement from crucial
stakeholders but also free the Root Authority from the problems highlighted
above (and probably many others) while at the same time ensuring that
enough private sector energy and enthusiasm is infused into the project so
that it moves with speed and determination. Success stories such as KENIC
and TEAMS show that it is not only possible but that it can be done with
ease.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20130320/fe0bae13/attachment.htm>

More information about the KICTANet mailing list