Surveillance Does Not Equal Security: Analysing Kenya’s Approach To Cyber Security.
‘Security’ in the policy world has practically no currency without a specific prefix. For example, we could discuss ‘national’ security as distinct from ‘consumer’ security or ‘energy’ security. ‘Cyber’ security is the new prefix on the policy block, and it is gradually forcing a rethink on what it means to be secure in a modern society. In the course of Privacy International’s work globally, we have observed that many governments frame cyber security as national security. However, when ill- or broadly defined ‘cyber’ security is equated with national security, there can be negative consequences for transparency, accountability, oversight and human rights.
Privacy International recently published an investigation into cyber security in Kenya detailing several technical cybersecurity initiatives, and exploring the practical implications for Kenyan citizens. We found a significant disconnect between the Kenyan government’s strategy to promote ICT and the policies and practices underpinning its cyber security.
A prestigious vision for Kenya?
Publicly available documents from the Ministry of ICT present a vision of Kenya as a regional ICT leader, with the goal that ICT will be a key driver of industry and innovation. However, at times the cyber security policy and regulatory landscape in Kenya is difficult to follow. The National Cyber Security Strategy, drafted by the Ministry of ICT was published in 2014.
Around the same time, the 2014-2017 National ICT Masterplan was published by a government-assigned taskforce made up of academia, industry and government actors. It called for a national ICT policy; the latest draft of which is from August 2016 and is currently in circulation, with no indication of when it will be approved. It states that a key policy objective is to “recognise cyber security as a key pillar of national security.”
It is true that certain cyber security threats can be categorised as impacting national security, for example, attacks against critical infrastructure like power grids. However, other cyber security threats, including common criminality committed by cyber means, are outside that scope and should not be categorised as national security threats, such as child online protection, which Kenya’s draft National ICT Policy includes in the section focused on national security. It is important to distinguish genuine national cyber security threats from detection of cybercrime, which should be handled by law enforcement and subject to the related legal safeguards, accountability and transparency.
Security for whom?
Our investigation also demonstrated the prominent operational and strategic role of Kenya’s main intelligence agency, the National Intelligence Service (NIS), in rolling out cybersecurity projects. While the involvement of an intelligence agency in genuine national security matters is not per se cause for alarm, Privacy International detailed in a previous investigation the NIS’ routine abuse of its surveillance powers of surveillance and its facilitation of grave human rights abuses including torture and extrajudicial killing.
When cyber security initiatives are deemed as national security (which in itself can be over-broad), and put under the domain of intelligence agencies, they are harder to scrutinise. Without strong safeguards, they are open to abuse.
This risk is compounded by the fact that, in Kenya, there is insufficient legislation regarding cyber security or cyber crime. Currently in circulation are the Computer and Cybercrimes Bill (2016) the Cyber Security and Protection Bill (2016) the Critical Infrastructure Bill (2014), a Data Protection Bill (2013) and proposed Cybersecurity Regulations. It will be up to the new government to move them along once parliament is convened following August’s elections.
More surveillance, less security
Nevertheless, the government of Kenya has steamed ahead with two traffic monitoring projects. The Network Early Warning System (NEWS) “detect[s] at the earliest instance, cyber threats targeting Kenya’s Internet infrastructure” and the National Intrusion Detection and Prevention System (NIPDS) “provide[s] a cyber-early warning on any possible attacks on critical government Internet infrastructure.”
Both initiatives could arguably fall under a genuine national security priority of protecting national critical infrastructure from attack. However, documents obtained by Privacy International suggest the NIPDS threat analysis centre is monitoring content as well as internet traffic, as one of its components is specifically designed to monitor social media content. As the project has been classed as a “security” project, and the tender is restricted, effective scrutiny of the project is nearly impossible.
One of the main issues with NIPDS is that it is unnecessary to centralise such a system. The best people to identify and remedy cyber attacks are those who have deep understanding of the networks they are defending, such as the system administrators of a telecommunications operator. By contrast, centralising the surveillance of traffic allows detection, but hinders response times and thus proactive defence. If a government wants to protect its citizens, it would be wiser to spend its money training companies to defend themselves.
Moreover, both NEWS and NIPDS are run without a clear and transparent legislative framework. Without a law specifying the circumstances and conditions for the exercise of the activities that amount to monitoring of communications data (content and metadata), they are open to abuse. Evidence suggests that NIPDS is capable of monitoring content and may already be used for such purposes, without the necessary safeguards. In addition, the prominent role of the NIS, and the presentation of NEWS and NIPDS as cyber security initiatives, strongly suggest the government of Kenya is increasing its surveillance capabilities under the guise of cyber security, which contradicts the vision that has been publicly set out by the Ministry of ICT.
Epic folly of ethics
Prioritising surveillance in cyber security is likely to weaken rather than strengthen security. Putting it succinctly, it is an epic folly of ethics to imagine you can protect your citizens from having others read their email, by reading their emails. To quote the European Court of Human Rights, this is undermining democracy under the cloak of defending it. Additionally, there is a good chance that essential measures to strengthen consumer protection (security for everyone, every day) will be under-resourced or ignored, such as identifying vulnerabilities and supporting security research.
Security is hard. Protecting and defending individuals, devices and networks should form the basis of any cyber security strategy. We therefore call on the government of Kenya to adopt crucial legislation related to cyber security and data protection. We ask the government to justify why projects such as NIPDS cannot be discussed and scrutinised publicly. Surveillance and secrecy does not equal security. More transparency is needed around these initiatives if they are to keep individuals safe.
Without strong legislation, safeguards and policy, Kenya’s vision of being a global ICT leader will not materialise.