Yesterday, the Kenya ICT Action Network (KICTANet) submitted a comprehensive memorandum providing detailed feedback on Kenya’s Draft Cybersecurity Strategy 2025-2029.
KICTANet highlighted some of the critical gaps that need to be filled and proposed solutions that could change the country’s digital security landscape.
Their analysis reveals that Kenya’s current cybersecurity framework leans heavily toward criminalization through laws like the Computer Misuse and Cybercrimes Act (2018), while neglecting equally important areas such as prevention, resilience, and rights-protective measures.
“Kenya needs to shift from an overly punitive approach to a balanced strategy that strengthens cybercrime prevention, builds resilience, and focuses on capacity building alongside enforcement,” states the memorandum.
Concerns About Institutional Fragmentation
The document also points to institutional fragmentation as a major challenge, with multiple bodies handling cybersecurity responsibilities, including:
- National KE-CIRT/CC (Kenya Computer Incident Response Team)
- National Cybersecurity Coordination Committee (NC4)
- ICT Authority
- Communications Authority (CA)
- National Security Advisory Committee (NSAC)
- Various ministries, including Information and Digital Economy, Interior, and Defence
Rather than creating new institutions that could further complicate the landscape, KICTANet recommends strengthening existing frameworks through improved inter-agency collaboration and clearer mandates.
Critical Infrastructure Protection Needs Strengthening
With Kenya’s growing digital ecosystem, critical information infrastructures (CIIs) such as telecommunications networks, mobile money systems, and government service portals like eCitizen face increasing threats. KICTANet proposes
- Mandatory sector-specific vulnerability assessments
- Baseline cybersecurity standards for all CIIs
- Continuous monitoring systems
- Coordinated procurement standards across government levels
- Communication Channels and Reporting Systems
One of the places the memorandum places special emphasis on is expanding cybercrime reporting channels, specifically pointing out the need for accessibility across diverse demographics.
This can be achieved through mobile apps, USSD codes for non-internet users, and AI-driven chatbots.
However, KICTANet stresses that security must remain paramount and recommends audits and public reports to verify that all channels, especially USSD, implement proper end-to-end encryption.
A Multi-Stakeholder Approach Is the Best Way to Move Forward
KICTANet also advocates for moving away from the current top-down, government-centric approach to a true multi-stakeholder model that includes academia, civil society organizations, private sector entities, media, and the technical community.
“A multi-stakeholder approach promotes a culture of collective responsibility, ensuring that cybersecurity is viewed as a shared public good,” the memorandum states.
A Huge Gap Remains in Skill and Public Awareness
The document rightly mentioned how Kenya still possesses a significant gap in cybersecurity skills. Coupled with low public awareness, these are some of the critical vulnerabilities the country faces, especially as digital services expand.
Some of the recommendations put forward include
- Nationwide capacity-building programs
- Accredited training for cybersecurity professionals
- Integration of cybersecurity into educational curricula from primary to tertiary levels
- Public awareness campaigns tailored to various audiences, including vulnerable groups
KICTANet’s memorandum is a call for a more balanced, inclusive, and rights-based approach to cybersecurity in Kenya, with emphasis that digital security requires collaboration across sectors rather than isolated government action.
