The Rise of Cyber-Attacks in Kenya: A New Terrorist Landscape


Claire Benedix, Research Analyst, Security & Intelligence Policy Lab
cbenedix@africacfsp.org

 

The digital landscape in Kenya is rapidly evolving, leaving critical infrastructure exposed to data breaches and malicious activity. Remote workers and businesses are easy targets for cyber criminals seeking to extract Personally Identifiable Information (PII) and valuable data. Phishing attempts, malware attacks, and other cyber threats are becoming increasingly concerning due to the rise in organized cybercrime groups, ransomware gangs, and bots seeking to exploit vulnerable cloud networks, outdated software, and unprotected devices.

Implications of Recent Attacks

The rise of cyber-attacks conducted by cyber criminals and state-sponsored hackers is posing a serious threat to Kenya’s critical infrastructure and financial sector. Advancements in, and increasing accessibility of, information and communication technology (ICT) are opening the door to a new terrorist landscape, creating opportunities for exploitation, attacks, and information warfare. In July 2021, Kenya was identified as one of seventeen countries affected by a Russia-linked cyber operation affiliated with REvil, a ransomware gang responsible for major breaches like the Colonial Pipeline ransomware attack and the extortion of JBS Foods for $11 million. In 2018, “network reconnaissance activities” were recorded on UN networks in Kenya; these activities allegedly originated at Tsinghua University in Beijing, China. A 2016 attack claimed by the international hacktivist movement Anonymous sought to expose Kenya’s Ministry of Foreign Affairs and International Trade by publishing emails and sensitive documents on Twitter. In many incidents the perpetrators are never identified, as in the 2020 Transnational Bank data leak in Kenya, where unnamed hackers extracted and released sensitive user and financial information. This trend of data leaks and cyber-attacks is an expensive, growing, and potentially destructive threat to the security and stability of Kenya’s private and public sectors.

Cyber-Attacks and Responses

There are considerable difficulties in monitoring the cybersphere and conducting counterterrorism activities because the application of international law is vague, as is the understanding of how non-intervention principles and state sovereignty are enforced in the cyber domain. The fine line between state and non-state actors and the abstract nature of cyber anonymity complicate the “use of force” thresholds and the conditions needed to justify a response. With rising cyber-attacks posing the number-one risk to the global financial system, preventing and responding to these attacks is an absolute necessity for Kenya.

Cybersecurity and the COVID-19 Pandemic

With many businesses operating remotely due to the COVID-19 pandemic, Kenyan companies are reporting an increase in malware and phishing attacks targeting unsuspecting employees and testing system vulnerabilities. The cyber and digital threat landscape continues to evolve in Kenya, with data breaches and cloud network disruptions becoming more sophisticated and widespread. From April to June 2021, the Communications Authority of Kenya (KE-CIRT/CC) detected 38.8 million cyber threats, representing an increase of 37.3 percent from January to March 2021. Most of these documented cyber threats targeted Internet of Things (IoT) devices (physical objects or things embedded with information-exchanging technology) to gather information and data on hardware, networks, and business operations. The attacks were largely perpetrated by organized cybercrime groups, ransomware gangs, and bots.

Addressing Key Threat Areas

There are numerous risks when primarily operating in a digital and decentralized cyber environment. For emerging economies with under-resourced governments and an immature cybersecurity posture, incident response policies, regulatory responsibilities, and legal frameworks are difficult to implement. Fostering the development of critical information infrastructure and prioritizing response and prevention is a long-term, multifaceted mission. Evolving cyber threats require comprehensive and consistent government-led cyberterrorism strategies, private-sector partnerships, and an aggressive expansion of educational cyber-focused programs, all of which are expensive to coordinate.

Two key threat areas that must be addressed are unsecured infrastructure and inadequate, or limited, security awareness training. By prioritizing the management of controlled user access and the implementation of network security across hardware, software, and cloud services, Kenyan businesses and individuals may be able to curb the number of compromised consumer platforms and corporate systems. To deter future hacking attempts, businesses and individuals must create and abide by best practices by educating their workforce through training and awareness campaigns, developing new cybersecurity policy, and complying with cybersecurity laws in Kenya. If these cyber threats are not confronted soon, individuals risk leaks of personally identifiable information (PII), and companies jeopardize account details such as passwords and financial information, customer data and privacy, revenue, and their reputations.

