<p>Well done GG.</p>
<p>Regards</p>
<div class="gmail_quote">On Apr 21, 2015 6:24 PM, "Grace Githaiga via kictanet" <<a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr"><p style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">The
Secretariat,<u></u><u></u></span></p>
<p style="margin:0in 0in 0.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">Director
Programmes & Standards, ICT Authority<u></u><u></u></span></p>
<p style="margin:0in 0in 0.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">Telposta
Towers, 12th Floor, Kenyatta Avenue,<u></u><u></u></span></p>
<p style="margin:0in 0in 0.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">P.
O Box 27150-00100 Nairobi</span><span style="font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";color:gray">.<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-family:"Calibri","sans-serif""><a href="mailto:critical@ict.go.ke" target="_blank">critical@ict.go.ke</a><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><b><u><span style="font-size:12.0pt">Kenya
ICT Action Network (KICTANet)’s input into the proposed Critical Infrastructure
Bill<u></u><u></u></span></u></b></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><b><u><span style="font-size:12.0pt">Acknowledge<u></u><u></u></span></u></b></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span> </span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt;background:white">ICT is a tool that is
critical for operations and hence requires specialized attention: availability,
integrity and confidentiality.</span><span style="font-size:12.0pt"><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><b><u><span style="font-size:12.0pt">Starting point:<u></u><u></u></span></u></b></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><b> </b></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Have criteria for defining what critical ICT infrastructure
is.<u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Distinguish between critical ICT infrastructure (Registry,
content delivery networks) and traditional critical infrastructure.<u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Question if there is need to put transport and energy infrastructure
on Internet and if so, how is it protected? Anything put on the internet is
vulnerable.<u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Acknowledge that business models of ICT companies are
different from the traditional models of non-ICT critical infrastructures
such as energy utilities and industrial control systems. They require more
maintenance and upgrades that translate into much more investments.<u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">How do we ensure we have scalable
and resilient critical infrastructure? In the past we have seen government
institutions<br>
invest in white elephants, sending them back to the procurement room before
the system goes live. </span><span style="font-size:12.0pt"><u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Consider the need for expertise to deal with and protect the
infrastructure (developers focusing on software security and information
security professionals specializing in critical infrastructure).<u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Consider cybersecurity but avoid raising fear, uncertainty
and doubt. <u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Avoid any type of strategy that hacks back. Hacking back will
not fix broken infrastructure, and the attribution problem makes it very
hard and sometimes impossible to find the real source of attacks. Focus on
defense and resilience. <u></u><u></u></span></li>
<li class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt">Need to have websites running latest versions of software
including security updates otherwise we will continue to experience this: <a href="https://www.google.com/#q=%22hacked+by%22+site:go.ke" target="_blank"><span style="color:windowtext">https://www.google.com/#q=%22hacked+by%22+site:go.ke</span></a>.
There should be a big focus on identifying XP use and migrating away from
XP usage in government and critical infrastructures.<u></u><u></u></span></li>
</ol>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt 0.25in"><span style="font-size:12.0pt"> </span></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt 0.25in"><b><u><span style="font-size:12.0pt">Management questions<u></u><u></u></span></u></b></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt 0.25in"><b><u><span style="font-size:12.0pt"><br></span></u></b></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">10.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">Who manages critical infrastructures?<u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">11.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">Should the government own/manage/handle
infrastructures like the NOFBi?<u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">12.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">Which infrastructure can the
government outsource? Which infrastructure is a security threat to outsource?
Who are trusted partners for outsourcing?<u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">15.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">What is the value of investment in NOFBI
while there is no last mile connectivity? Should the NOFBI operator be able to
go the long haul and provide last mile services to all intended recipient(s) of
the service? <u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">16.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">What levels of approvals are there (change
management) for any change to happen in a critical internet resource? (Just
last month, a misguided change at KENIC affecting DNSSEC affected the entire
.ke domains for a whole day. No domain was accessible).<u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">17.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">How is the security and integrity of PKI
maintained?<u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">18.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">How are the counties managing ICT county
specific infrastructure and what capacities exist at that level?<u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt"> </span></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt 0.25in;background:white"><span style="font-size:12.0pt"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt 0.25in;background:white"><b><u><span style="font-size:12.0pt">Roll out/ Rapid
Response questions<u></u><u></u></span></u></b></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt 0.25in;background:white"><span style="font-size:12.0pt"><br>
19. How fast can we rollout, upgrade, and repaired our fibre optic infrastructure?
(There has been a deliberate systematic plot to ensure there are no ducts on
wayleaf to pull fibre optic cable within minimum time, and cost effectively).<b><u><u></u><u></u></u></b></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">20.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">Can we vet the software that runs on
and support critical infrastructure? We have had cases of defective and
compromised<br>
firmware, and compromised software that has payloads executed at certain times
by malicious actors. Which software and hardware do we trust? Can we audit this
software?<u></u><u></u></span></p>
<p style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt">21.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span><span style="font-size:12.0pt">What is the role of standards? (</span><span> </span><span style="font-size:12.0pt">ISO 27000 series Standards on Information Security and the ISO
20,000 series on Service<br>
Management).</span><span style="font-size:12.0pt"><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt"> </span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt;background:white"><span style="font-size:12.0pt"> </span><b style="font-size:12pt"><u><span style="font-size:12.0pt;font-family:"Calibri","sans-serif"">Regulation vs Legislation and questions regarding scope</span></u></b></p><p class="MsoNormal" style="margin-bottom:0.0001pt;background:white"><span style="font-size:12pt"><br></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt;background:white"><span style="font-size:12pt">22.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'"> </span></span><span style="font-size:12pt">Is it necessary to have an Act on critical infrastructure considering the dynamism and complexity of ICT? Would a few amendments under the KICA 2013 not suffice?</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt;background:white"><span style="font-size:12pt">23.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'"> </span></span><span style="font-size:12pt">Would it perhaps not be useful to have separate acts or regulations for critical internet infrastructure on the one hand, and critical infrastructures like (power and transport) connected to the internet on the other hand? The two types of critical infrastructure are related but require different and specialized approaches.</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt;background:white"><span style="font-size:12pt">24.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'"> </span></span><span style="font-size:12pt"> </span><span style="font-size:12pt;background-image:initial;background-repeat:initial">The development of a critical infrastructure policy framework should precede the bill to contextualize the Critical Infrastructure bill. The policy framework should also have an implementation framework, a result of which could be the development of a law.</span><span style="font-size:12pt"> Before the development of the policy it may be necessary to conduct a study and expert consultation on the matter that includes a review of global best practices.</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt;background:white"><span style="font-size:12pt">25.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'"> </span></span><span style="font-size:12pt"> The protection of critical infrastructure may be better managed under regulations rather than Bills/Acts. This is because in the fast changing world of IT, what is critical today may not be tomorrow and vice versa. Who would have known five years ago that M-PESA would move beyond just sending money, to becoming a lifestyle for millions of Kenyans aka a critical infrastructure? You don’t manage such issues through hard-wired Acts, but through Regulation.</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt"> </span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><b><u><span style="font-size:12.0pt">Recommendations on Policy and law <u></u><u></u></span></u></b></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt"> </span></p>
<p style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">The said policy and law should
clearly outline:<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-family:"Calibri","sans-serif""> </span></p>
<p style="margin:0in 0in 0.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">- Definition
of what constitutes critical infrastructure.<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">- Distinguish
between critical internet/ICT infrastructures and critical infrastructures
connected to the internet.<br>
- Criteria for identification of CI.<br>
- Threat analysis to various CI in Kenya.<br>
- Risk management framework for the CI.<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">-<span style="background-image:initial;background-repeat:initial"> Requirement of mandatory minimum protection of
critical infrastructure as well as demonstrated assurance through compliance.<span> </span></span></span><br>
- Coordination framework (including PPP arrangements, lead coordinating org and
perhaps the need for a single body?).<br>
- Investigate frameworks for threat intelligence and information sharing
between all concerned stakeholders.<u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt;background:white"><span style="font-family:"Calibri","sans-serif"">- Incident
reporting mechanisms and investigations of possible requirements for breach
disclosure to all affected stakeholders.<br>
</span><span style="font-family:"Calibri","sans-serif"">- Research and
development strategies.<br>
- Capacity assessment and development.<span> </span><br>
- Funding mechanisms.<br>
- Implementation plan.</span><span style="font-family:"Calibri","sans-serif""><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:12.0pt"> </span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span><span style="font-size:12.0pt;background:white"> </span></span><span style="font-size:12.0pt;background:white">Note: It will be important for institutions (private and public) to meet the law and associated regulatory requirements
(Consistent with</span> with the 2010 constitution). In addition, Institutions
must integrate their plans with agencies/bodies (e.g. fire, security,
emergency, hospitals, etc.) that are critical to effective response.<span style="font-size:12.0pt"><u></u><u></u></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><b>Submitted on behalf of KICTANet</b> by Grace Githaiga, Victor Kapiyo, Barrack Otieno, Mwendwa Kivuva, John Walubengo, Matunda Nyanchama, Alex Comninos and Ali Hussein</p> </div></div>
<br>_______________________________________________<br>
kictanet mailing list<br>
<a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a><br>
<a href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" target="_blank">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br>
<br>
Unsubscribe or change your options at <a href="https://lists.kictanet.or.ke/mailman/options/kictanet/otieno.barrack%40gmail.com" target="_blank">https://lists.kictanet.or.ke/mailman/options/kictanet/otieno.barrack%40gmail.com</a><br>
<br>
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.<br>
<br>
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.<br></blockquote></div>