[kictanet] [Security Forum] [Skunkworks] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust

Mwendwa Kivuva Kivuva at transworldafrica.com
Tue Jul 21 17:24:43 EAT 2015


Sorry, here is the website for the Certifying Authority for Kenya's PKI
http://www.govca.go.ke/#

______________________
Mwendwa Kivuva, Nairobi, Kenya

"There are some men who lift the age they inhabit, till all men walk on
higher ground in that lifetime." - Maxwell Anderson


On 21 July 2015 at 16:56, Mwendwa Kivuva <Kivuva at transworldafrica.com>
wrote:

> Hosea Kandie and Fredick Wahome have raised very important points of
> institutional frameworks. I just wanted to share the National PKI website
> which has a tonne of information on what Kenya has done in that regard.
> http://www.ke-cirt.go.ke/index.php/services/national-pki/
>
> Here is a copy paste from the home page:
>
> Kenya’s National Public Key Infrastructure (NPKI)
>
> The National Public Key Infrastructure (NPKI) project is coordinated by
> the Ministry of ICT in collaboration with the Communications Authority of
> Kenya (CA) and the ICT Authority (ICTA).
>
> A Public Key Infrastructure (PKI) refers to a system for the creation,
> storage and distribution of digital certificates which are used to verify
> that a particular public key (online identity) belongs to a certain entity.
> A PKI is a technical infrastructure that comprises of a Root Certification
> Authority (RCA) and a Certification Authority (CA), referred to as an
> Electronic Certification Service Provider (E-CSP) in Kenya’s legal and
> regulatory framework. The PKI creates a framework for protecting
> communications and stored information from unauthorized access and
> disclosure by addressing the fundamentals of cyber security –
> confidentiality, integrity, authentication and non-repudiation. A PKI is
> key to the rollout of e-transaction services.
>
> The Kenya Information and Communications Act, 1998, mandates the
> Communications Authority of Kenya (CA) to issue a license to a person
> operating an Electronic Certification Service. In this regard, the
> Communications Authority of Kenya (CA) has developed a licensing framework
> for Electronic Certification Service Providers (E-CSPs).
>
> Kenya’s National PKI comprises of a Root Certification Authority (RCA),
> which is managed by the Communication Authority of Kenya (CA) as a
> regulatory function, and the Government Certification Authority (GCA), an
> E-CSP which is managed by the ICTA. The NPKI is instrumental towards the
> effectiveness of the licensing of Electronic Certification Service
> Providers (E-CSPs) by the Communications Authority since a licensed E-CSP
> must be accredited by the RCA for its digital certificates to be globally
> recognized and trusted.
>
> The ICT Authority (ICTA), which is the body responsible for the management
> of the mainstream government ICT services, operates the GCA. Other
> interested stakeholders who may be issued with an E-CSP license on
> application include the banking Sector and the Academia.
>
> The benefits of a National PKI include:
> i.    Locally available and cheaper digital certificates/signatures; and
> ii.    Operations and services that are within Kenyan law (jurisdiction),
> among others.
>
>
> On 21 July 2015 at 11:02, fredrick Wahome via Security <
> security at lists.my.co.ke> wrote:
>
>> The fact that there is high internet penetration in Africa / Kenya where
>> an average of one user for every five has access to affordable internet has
>> created an enabling environment for cyber-criminals.
>>
>> By the nature of cyberspace, the perpetrators of cyber-crime remain
>> ubiquitous. This necessitated a need for legislation to control crime, and
>> to provide confidence and security in African cyberspace, leading to the
>> drafting of the Africa Union Convention on Cybersecurity (AUCC). But some
>> groups like CIPIT and civil society opposed the convention on the ground
>> that it was prepared without their inputs. Their main argument is that the
>> convention did not make enough provisions to protect privacy and freedom of
>> speech.
>>
>> Member States have to undertake necessary measures to encourage the
>> establishment of institutions that exchange information on cyber
>> threats and the evaluation of vulnerabilities such as Computer
>> Emergency Response Team (CERT). Kenya has at least done something on this
>> by establishing KE-CIRT at CA. There is also a masterplan and PKI in place
>> though there have been implementation challenges. We will note that most
>> government departments have not yet established cybersecurity departments
>> and this leads to low / lack of budgetary allocation.
>>
>> In summary, Government bodies, policy networks, scholars, the media,
>> technology experts and the people need to engage in a global conversation
>> that will help demystify Cyber-crime and define what it constitutes and
>> how Cyber-criminals should be dealt with.
>>
>> The role of the media (television, blogs, online news outlets and more)
>> is critical in the process of educating the public and engaging in a
>> conversation, as they will be the mediators and curators of information and
>> discourse on the issue. Thus, a concise and sensible approach, devoid of
>> fear-mongering and shock practices, should be followed. We all remember
>> recently how media has mishandled cyber crime news without a very somber
>> deep analysis.
>>
>> Since this is an international issue, governments and policy networks
>> across the world have to come together and discuss openly on what is better
>> for their citizens. Something like AUCC is a positive move by African states.
>>
>> Scholars and academics can provide valuable expertise on technological,
>> psychological, ethical and other issues, while highlighting any misgivings
>> by those involved in the process. At least Strathmore has tried on this.
>>
>> The people in their local communities, families and social networks
>> should help and train each other to increase their peers’ level of Internet
>> literacy and highlight the advantages of the web. A higher Internet
>> literacy level can help people protect themselves even better by taking
>> simple security measures, such as using anti-virus software and identifying
>> potential risks or scams in their online financial transactions. More is
>> needed from the technology community to provide awareness to end users even
>> if through a pro bono program.
>>
>> The technology community needs a unity of purpose. Looking at programmers
>> / developers, DBA, network admins, infosec there has been a lack of proper
>> coordination. Developers are working hard to prove that their products can't
>> be broken. Infosec on the other hand are working so hard to prove to blue
>> team / developers that they can break their products. At the end no one
>> benefits from such a contest. Many technical conferences / seminars should
>> be encouraged to enable sharing of information / knowledge in the local
>> technology community.
>>
>> Great day comrades.
>>
>> On Tue, Jul 21, 2015 at 9:28 AM, Stephen Munguti via Security <
>> security at lists.my.co.ke> wrote:
>>
>>> Hello all,
>>>
>>> I think most of our security concerns stem from internal users and this
>>> is the reason many banks and telcos refuse to part with this information,
>>> I could be wrong though.
>>>
>>> On Tue, Jul 21, 2015 at 8:58 AM, Grace Mutung'u (Bomu) via skunkworks <
>>> skunkworks at lists.my.co.ke> wrote:
>>>
>>>> Dear Listers,
>>>>
>>>>
>>>> Kenya has had its fair share of high profile cyber threats, hacking
>>>> etc, the latest being the alleged compromise of the IFMIS system at
>>>> NYS/Ministry of Devolution. The country and Africa at large are making
>>>> efforts to assure cyber-security. These include among others her
>>>> involvement in the Africa Union Convention on Cybercrime and a proposal for
>>>> a Cybercrime law, an initiative led by the Office of the Director of Public
>>>> Prosecutions. Significant financial resources have also been earmarked by
>>>> government for security and cyber security in particular. There are also
>>>> partnerships between government and private sector in deploying
>>>> cybersecurity centres.
>>>>
>>>> The private sector has employed practical measures to protect their
>>>> businesses. However, businesses such as mobile money providers and banks
>>>> have been shy to divulge their cyber security concerns to protect their
>>>> interests.
>>>>
>>>> Civil society on the other hand has raised concern about the line
>>>> between protecting the cyber space and creating a facilitative environment
>>>> for innovators as well as protecting the rights of users.
>>>>
>>>>
>>>>
>>>> Are our efforts at deterring cyber-crime the correct way to assure
>>>> cyber security? Are fears about a partnership between government and
>>>> private sector and the general fears about stifling innovation and human
>>>> rights in the name of cybersecurity legitimate? Are there other practical
>>>> approaches that different stakeholders can take to enhance cyber security?
>>>>
>>>>
>>>> Over to you.
>>>>
>>>> --
>>>> Grace L.N. Mutung'u
>>>> Nairobi Kenya
>>>> Skype: gracebomu
>>>> Twitter: @Bomu
>>>>
>>>> <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>>>>
>>>>
>>>> _______________________________________________
>>>> skunkworks mailing list
>>>> skunkworks at lists.my.co.ke
>>>> ------------
>>>> List info, subscribe/unsubscribe
>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>>> ------------
>>>>
>>>> Skunkworks Rules
>>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>>> ------------
>>>> Other services @ http://my.co.ke
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> Best Regards,
>>> Stephen Munguti.
>>>
>>> +254720425104
>>>
>>> _______________________________________________
>>> Security mailing list
>>> Security at lists.my.co.ke
>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/security
>>>
>>
>>
>>
>> --
>> Kind Regards;
>>
>> Fredrick Wahome Ndung'u
>> Team Leader
>> Secunets Technologies Ltd
>> Website: www.secunets.com <http://www.secunets.com>
>> Cell: +254725264890
>> Email: fred at secunets.com
>> Facebook: secunetstech
>> Twitter: @secunets
>> Skype: secunets.technologies
>> Experts in: Domain Registration, Web Hosting, Open Source Solutions,
>> Information Security & Training, Digital Forensic Investigations,
>> Web 2.0 Applications & I.C.T Consultancy.
>>
>> "Secure Business Technology"
>>