By Francis Monyango

The question of how prepared Kenya is to deal with cybercrimes can no longer be wished away. Cybercrimes not only cause damage; they leave their victims embarrassed and for corporates, their reputations tarnished . Hence, not so many incidences are reported by the victims. To address this issue, the National Assembly Majority Leader Hon. Aden Duale sponsored the Computer and Cybercrimes Bill in June, 2017. It is a major improvement from the two cybercrime bills that were published by Senate and the National Assembly last year.

The objectives of the draft act are to protect the confidentiality and integrity of computer systems, programs, data while preventing the unlawful use of computer systems. The proposed law is also meant to facilitate the investigation and prosecution of cybercrimes and facilitate international co-operation on cross-border cybercrime matters.

Offenses

Part two of the bill provides for the offenses covers various offences in the cyberspace. As expected, hacking offences feature prominently in this part:

OFFENCE/ PENALTY SECTION FINE TERM
Unauthorized access 4 5 million 3 years
Access with intent to commit further offence 5 10 million 10 years
Unathorized interference 6(1) 10 million 5 years
6(3) 20 million 10 years
Unauthorized interception 7(1) 10 million 5 years
7(2) 20 million 10 years
Illegal devices and access codes 8(1) 20 million 10 years
8(2) 10 million 5 years
Unauthorized disclosure of password or access code 9(1) 5 million 3 years
9(2) 10 million 5 years
Enhanced penalty for offences involving protected computer system 10 25 million 20 years
Cyber espionage 11(1) 10 million 20 years
11(2) 10 million 20 years
False publications 12 5 million 2 years
Child pornography 13(1) 20 million 25 years
Computer forgery 14(1) 10 million 5 years
14(2) 20 million 10 years
Computer fraud 15 20 million 10 years
Cyberstalking and cyber-bullying 16 20 million 10 years
Aiding and abetting in the commission of an offence 17(1) 7 million 4 years
17(2) 7 million 4 years
Offences by a body corporate and limitation of liability 18(1) 50 million
18(2) 5 million 3 years
Offences committed through the use of a computer system 21 3 million 4 years

 

Hacking offences are where security measures of a computer system are bypassed and unauthorised access, interference and interception take place. To complement the anti-hacking sections, the possession and use of stuff that can be used to hack for the primary purpose of committing a crime is going to be outlawed. Sharing of passwords with unauthorised persons to grant them unauthorised access, interference and interception is also going to be a crime when the bill becomes law.

New offences

The new bill comes with two new offences that were not in the Computer and Cybercrimes Bill 2016 which are the offense of cyber espionage and false publications. Another notable thing about the bill are the provisions meant to protect critical infrastructure. This includes public utilities (electricity, water), public transportation, communications infrastructure, banking and financial services among many others. This protection is crucial because the economy can really suffer in the event of an unplanned interruption such a mobile money outage. Safaricom recorded losses earlier in the year when their systems went down countrywide.

Reports of Al-Shabaab destroying telecommunication masts show us that foreign foes target critical infrastructure. From the Stuxnet attack on the Iranian nuclear program, it is clear that there is a hanging threat of cyber-attacks on our critical infrastructure. The draft law has a provision on how to deal with a resident who aids a foreigner in cyber-espionage and other attack on critical infrastructure.

As stated above, the draft law has a clause that will outlaw false publications. The motivation behind this definitely to curb the fake news menace that has become major issue. While the idea is welcome, there is the fear this provision is beyond the scope of the limits of the right to freedom of expression as contained in the constitution. A better approach would have been to perhaps set a test to check the damage caused by the fake news. The danger is that this new offence is analogous to the old crime of criminal defamation which has since been declared unconstitutional in the landmark Jackline Okuttah case.

Childrens’ rights find their way in this draft law with a provision cracking the whip on online child pornography. This provision together with the provision on cyber stalking and bullying will help save lives of many internet users who meet human predators online. Computer forgery and fraud are also going to be crimes once the bill becomes law and this will help the many who get scammed online. The bill also contains provisions on confiscation of proceeds of cybercrime and compensation of victims, which is a major plus considering this is criminal law.

Things that were left out

KICTANet organized a forum that was graced by forensic and legal experts in September to discuss the Computer & Cybersecurity Bill 2017 at the Laico Regency. Among the issues that were identified as missing in the bill are a number of cybercrimes such as:

  • Online grooming
  • Child sex tourism
  • Identity theft
  • Cyber squatting
  • Disclosure of private photographs or film
  • Phishing
  • Unlawful disclosure or obtaining of personal data
  • Liability of legal persons

Other suggestions from experts are the establishment of breach notification and remediation policies by corporations that are at perpetual risk of cyber security. This is to aid sharing of information on recurring risks in specific industries such as banking and healthcare. Another suggestion is setting an obligation for corporates to disclose data breaches just like it is in the US where Equifax recently disclosed a cyberattack that exposed the addresses, social security numbers, and financial information for 134 million customers.

In the next blogpost, we will discuss Part III of the Bill, Investigation Procedures.