The government has established a comprehensive regulatory framework to coordinate the country’s cybersecurity operations and protect its critical information infrastructure.
The new Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024 lay out a multi-tiered approach to monitoring, detecting, and responding to cyber threats.
At the heart of the framework are the Cybersecurity Operations Centres, which will serve as the command and control hubs for the country’s cybersecurity efforts. As outlined in the regulations, these centres will include a National Cybersecurity Operations Centre, Sector Cybersecurity Operations Centres, and Critical Information Infrastructure Cybersecurity Operations Centres.
“The Cybersecurity Operations Centres shall be the national focal point for monitoring, detecting, preventing, responding, investigating and attribution of cyber threats, computer and cybercrimes in Kenya,” the regulations state.
The National Cybersecurity Operations Centre will have the broadest mandate, coordinating the collection and analysis of cyber threats across all sectors, while the Sector and Critical Information Infrastructure Centres will focus on their respective areas of responsibility.
“The National Cybersecurity Operations Centre shall have visibility of threats and incidents that occur in Sector Cybersecurity Operations Centres and Critical Information Infrastructure Cybersecurity Operations Centres,” the regulations state.
In addition to the Cybersecurity Operations Centres, the new framework empowers the government to designate certain systems as “critical information infrastructure” – a classification that comes with heightened security requirements and oversight.
“Pursuant to section 9 of the Act, the Director shall in designating a system as a critical infrastructure identify the system being designated, identify the owner of a critical information infrastructure, and inform the owner of their responsibilities,” the regulations outline.
Once a system is designated as critical infrastructure, the owner is required to conduct annual risk assessments, develop incident response plans, implement security measures, and ensure personnel are adequately trained, among other obligations.
“The owner of a critical information infrastructure shall adhere to the baseline security requirements to ensure the protection of the critical information infrastructure,” the regulations state.
Underpinning the entire framework is the development of a National Cyber Protection Framework, which will provide a comprehensive cyber-defense strategy for the country.
“Pursuant to section 6 (1) (j) of the Act, the Committee shall formulate a National Cyber Protection Framework,” the regulations state, adding that the framework will cover areas such as training, information sharing, and the establishment of a National Cybersecurity Academy.