[kictanet] [Security Forum] [Skunkworks] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust
Mwendwa Kivuva
Kivuva at transworldafrica.com
Tue Jul 21 16:56:54 EAT 2015
Hosea Kandie and Fredick Wahome have raised very important points of
institutional frameworks. I just wanted to share the National PKI website
which has a tonne of information on what Kenya has done in that regard.
http://www.ke-cirt.go.ke/index.php/services/national-pki/
Here is a copy paste from the home page:

Kenya’s National Public Key Infrastructure (NPKI)

The National Public Key Infrastructure (NPKI) project is coordinated by the
Ministry of ICT in collaboration with the Communications Authority of Kenya
(CA) and the ICT Authority (ICTA).

A Public Key Infrastructure (PKI) refers to a system for the creation,
storage and distribution of digital certificates which are used to verify
that a particular public key (online identity) belongs to a certain entity.
A PKI is a technical infrastructure that comprises a Root Certification
Authority (RCA) and a Certification Authority (CA), referred to as an
Electronic Certification Service Provider (E-CSP) in Kenya’s legal and
regulatory framework. The PKI creates a framework for protecting
communications and stored information from unauthorized access and
disclosure by addressing the fundamentals of cyber security –
confidentiality, integrity, authentication and non-repudiation. A PKI is
key to the rollout of e-transaction services.

The Kenya Information and Communications Act, 1998, mandates the
Communications Authority of Kenya (CA) to issue a license to a person
operating an Electronic Certification Service. In this regard, the
Communications Authority of Kenya (CA) has developed a licensing framework
for Electronic Certification Service Providers (E-CSPs).

Kenya’s National PKI comprises a Root Certification Authority (RCA),
which is managed by the Communications Authority of Kenya (CA) as a
regulatory function, and the Government Certification Authority (GCA), an
E-CSP which is managed by the ICTA. The NPKI is instrumental towards the
effectiveness of the licensing of Electronic Certification Service
Providers (E-CSPs) by the Communications Authority since a licensed E-CSP
must be accredited by the RCA for its digital certificates to be globally
recognized and trusted.

The ICT Authority (ICTA), which is the body responsible for the management
of the mainstream government ICT services, operates the GCA. Other
interested stakeholders who may be issued with an E-CSP license on
application include the banking sector and academia.

The benefits of a National PKI include:
i. Locally available and cheaper digital certificates/signatures; and
ii. Operations and services that are within Kenyan law (jurisdiction),
among others.

______________________
Mwendwa Kivuva, Nairobi, Kenya
"There are some men who lift the age they inhabit, till all men walk on
higher ground in that lifetime." - Maxwell Anderson
On 21 July 2015 at 11:02, fredrick Wahome via Security <
security at lists.my.co.ke> wrote:
> The fact that there is high internet penetration in Africa / Kenya where
> an average of one user for every five has access to affordable internet has
> created an enabling environment for cyber-criminals.
>
> By the nature of cyberspace where the perpetrators of cyber-crime remain
> ubiquitous. This necessitated a need for legislation to control crime, and
> to provide confidence and security in African cyberspace, leading to the
> drafting of the Africa Union Convention on Cybersecurity (AUCC). But some
> groups like CIPIT and civil society opposed the convention on the ground
> that it was prepared without their inputs. Their main argument is that the
> convention did not make enough provisions to protect privacy and freedom of
> speech.
>
> Member States have to undertake necessary measures to encourage the
> establishment of institutions that exchange information on cyber
> threats and the evaluation of vulnerabilities such as Computer
> Emergency Response Team (CERT). Kenya has at least done something on this
> by establishing KE-CIRT at CA. There is also a masterplan and PKI in place
> though there have been implementation challenges. We will note that most
> government departments have not yet established cybersecurity departments
> and this leads to low / lack of budgetary allocation.
>
> In summary Government bodies, policy networks, scholars, the media,
> technology experts and the people need to engage in a global conversation
> that will help demystify Cyber-crime and define what it constitutes and
> how Cyber-criminals should be dealt with.
>
> The role of the media (television, blogs, online news outlets and more) is
> critical in the process of educating the public and engaging in a
> conversation, as they will be the mediators and curators of information and
> discourse on the issue. Thus, a concise and sensible approach, devoid of
> fear-mongering and shock practices, should be followed. We all remember
> recently how media has mishandled cyber crime news without a very somber
> deep analysis.
>
> Since this is an international issue, governments and policy networks
> across the world have to come together and discuss openly on what is better
> for their citizens. Something like AUCC is a positive move by African states.
>
> Scholars and academics can provide valuable expertise on technological,
> psychological, ethical and other issues, while highlighting any misgivings
> by those involved in the process. At least Strathmore has tried on this.
>
> The people in their local communities, families and social networks should
> help and train each other to increase their peers’ level of Internet
> literacy and highlight the advantages of the web. A higher Internet
> literacy level can help people protect themselves even better by taking
> simple security measures, such as using anti-virus software and identifying
> potential risks or scams in their online financial transactions. More is
> needed from the technology community to provide awareness to end users even
> if through a pro bono program.
>
> The technology community needs a unity of purpose. Looking at programmers
> / developers, DBA, network admins, infosec there has been a lack of proper
> coordination. Developers are working hard to prove that their products can't
> be broken. Infosec on the other hand are working so hard to prove to blue
> team / developers that they can break their products. At the end no one
> benefits from such a contest. Many technical conferences / seminars should
> be encouraged to enable sharing of information / knowledge in the local
> technology community.
>
> Great day comrades.
>
> On Tue, Jul 21, 2015 at 9:28 AM, Stephen Munguti via Security <
> security at lists.my.co.ke> wrote:
>
>> Hello all,
>>
>> I think most of our security concerns stem from internal users and this
>> is the reason many banks and telcos refuse to part with this information,
>> I could be wrong though.
>>
>> On Tue, Jul 21, 2015 at 8:58 AM, Grace Mutung'u (Bomu) via skunkworks <
>> skunkworks at lists.my.co.ke> wrote:
>>
>>> Dear Listers,
>>>
>>>
>>> Kenya has had its fair share of high profile cyber threats, hacking etc,
>>> the latest being the alleged compromise of the IFMIS system at NYS/Ministry
>>> of Devolution. The country and Africa at large are making efforts to assure
>>> cyber-security. These include among others her involvement in the Africa
>>> Union Convention on Cybercrime and a proposal for a Cybercrime law, an
>>> initiative led by the Office of the Director of Public Prosecutions.
>>> Significant financial resources have also been earmarked by government for
>>> security and cyber security in particular. There are also partnerships
>>> between government and private sector in deploying cybersecurity centres.
>>>
>>> The private sector has employed practical measures to protect their
>>> businesses. However, businesses such as mobile money providers and banks
>>> have been shy to divulge their cyber security concerns to protect their
>>> interests.
>>>
>>> Civil society on the other hand has raised concern about the line
>>> between protecting the cyber space and creating a facilitative environment
>>> for innovators as well as protecting the rights of users.
>>>
>>>
>>>
>>> Are our efforts at deterring cyber-crime the correct way to assure cyber
>>> security? Are fears about a partnership between government and private
>>> sector and the general fears about stifling innovation and human rights in
>>> the name of cybersecurity legitimate? Are there other practical approaches
>>> that different stakeholders can take to enhance cyber security?
>>>
>>>
>>> Over to you.
>>>
>>> --
>>> Grace L.N. Mutung'u
>>> Nairobi Kenya
>>> Skype: gracebomu
>>> Twitter: @Bomu
>>>
>>> <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>>
>> --
>>
>> Best Regards,
>> Stephen Munguti.
>>
>> +254720425104
>>
>> _______________________________________________
>> Security mailing list
>> Security at lists.my.co.ke
>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/security
>>
>
> --
> Kind Regards;
>
> Fredrick Wahome Ndung'u
> Team Leader
> Secunets Technologies Ltd
> Website: www.secunets.com <http://www.secunets.com>
> Cell: +254725264890
> Email: fred at secunets.com
> Facebook: secunetstech
> Twitter: @secunets
> Skype: secunets.technologies
> Experts in: Domain Registration, Web Hosting, Open Source Solutions,
> Information Security & Training, Digital Forensic Investigations,
> Web 2.0 Applications & I.C.T Consultancy.
>
> "Secure Business Technology"