Professional Bodies and Associations in the technology industry have presented both oral and written submissions to the National Computer and Cybercrime Coordination Committee (NC4) on the fourth day of the Critical Information Infrastructure (CII) and Cyber Crime Management Draft Regulations Public Participation Exercise in Nairobi.
The NC4 Committee reiterated that in the technology world, the user is the weakest link in the cybersecurity chain thus, awareness is key to preventing organizations from falling prey to evolved criminals who have the ability to commit all the 32 offenses under the Computer Misuse and Cybercrimes Act 2018 (CMCA).
Through their submissions, the organizations, though appreciative of the initiative by the government to take charge and coordinate national cybersecurity matters, had their reservations on specific clauses that required deliberated and thoughtful amendments.
For instance, the bodies implored the Committee to clearly distinguish CIIs and Cyber Crime Management in relation to functions of the Taskforce on cyber security training under clause 6 of the Act which is also regarded as a major area of policy and service innovation.
Mr. Wilson Wahome, a representative of the Lawyers Hub explained that there is a bit of overlap in the functions of NC4 and other regulators as the former is viewed to be taking the bulk of the work, especially in the approval process.
He also cited clause 13 subsection 3 under the Act regarding consulting the Committee in reviewing the cybersecurity awareness programme at least once every twelve months thereby overburdening itself with functions that can be achieved by other existing regulators.
Wahome proposed the deletion of the entire Clause 14 touching on outsourced capabilities only through approval of the Committee which he termed as over-regulation when existing regulators offer license requirements regulations.
“What if there is a need for rapid action or response, will there be delays waiting for the Committee’s approval?” he posed.
He added that the Director’s approval especially in Clause 27 subsection 1 is impractical from an operation perspective, citing the probability of emergency changes or business continuity and with these processes mainly considered bureaucratic, the recommendation is to make it flexible, and collaborative and substitute approval with notification.
On taking risk assessment by owners of CIIs, Wahome claimed that it was a bit farfetched and the time frame of 6 months is such a short period for compliance owing to the numerous companies in existence. He nevertheless proposed a 2-3-year period as effective bearing in mind the cost implications and room for extensions.
In Clause 22 subsection 3(c), he termed it as heavy-handedness for 24-hour surveillance by the Director when there is a lack of compliance in risk assessment by owners of CIIs, instead urging for an ideal alternative.
He opined that it is not necessary for the regulation under Clause 28- Change of Ownership where he made reference to licensed organizations who are unable to change ownership without approval from the parent regulatory bodies they are under.
“Clause 35 (f) on utilizing secure communication protocols and encryption for data transmission through gateways is difficult to implement due to lack of enough cryptography and there is a need for changes on who to report vulnerabilities to under transparency and disclosure in (g),” stated Wahome, recommending that individual organizations should be the ones to implement the regulations themselves.
The organizations were further concerned about the violation of principles of access to huge amounts of private data when the regulations empower Auditors to inspect CIIs under Clause 44 pondering whether NC4 can indeed ascertain the safety of their client’s data.
Partners against Piracy bodies also chimed in to protect against digital piracy by appealing to the Committee to consider Digital and Online Piracy as cybercrime and include it in the regulations in order to protect the intellectual property of owners of Digital works.
Since no government body is established to set cybersecurity certification standards, NC4 was advised to leverage existing standards and not waste its limited time to come up with new ones.
They were also guided to ensure CIIs and Databases were established to align the guidelines from the data protection office and NC4 regulations to eliminate confusion.
On its part, NC4 vowed to protect CIIs and gateways insisting that these regulations should be viewed as the laws of the future of course after taking the stakeholders’ submissions into consideration for amendments when the Committee retires for deliberations after the public participation exercise closes on Friday 22nd, 2023.
By Michael Omondi