The case for an inward-looking cyber defense strategy

By M. Mutua

On the 29th of April 2016, online activists, allegedly associated with Anonymous (a global network of activists and hacktivists), reported that they had begun leaking 1 terabyte (TB) of [non] confidential files — acquired from Kenya’s Ministry of Foreign Affairs (MFA) servers — as part of a campaign to expose corruption across Africa’s public and private sectors. The files supposedly include letters, agreements and internal email correspondence — not least, an email warning MFA staff of attempted phishing (an attempt to acquire confidential information through the internet for malicious purposes while masquerading as a trustworthy entity). In a quick rejoinder, Information, Communications and Technology (ICT) Cabinet Secretary, Joe Mucheru, allayed fears over a successful hack or loss of classified information.

Even as foreign policy analysts ponder the politico-economic ramifications of the intermittent release of the [non] confidential files into the uncharted “deep web”, circumstantial evidence suggesting that an MFA employee may have unwittingly triggered the [phishing] attack brings two critical points to the fore. First, the increasing role of employees’ actions and inactions in cyber attacks. Second, the case for increasing cyber education in the workplace as part of an inward-looking cyber defense strategy. Of course, this is not to undervalue efforts seeking to secure public and private servers from day-to-day intrusions by external adversaries — rogue state and non-state groups.

More could, however, be done to develop Kenya’s cyber defense. A growing interdependence between the cyber world and the economic sphere, coupled with projections of an increase in cyber attacks [following accessibility of sophisticated tools required to hack into networks and the lucrative payouts involved], warrants concerted international efforts in addressing cyber terrorism. Given the insufficiencies of global cyber governance, Kenya’s Foreign Ministry should seize this unusual opportunity to expand or deepen cyber collaboration with revered cyber states (Russia, US, China, India and Brazil) and leverage cyber international relations to advance her national interests.

Kenya’s cyber defense should not be left to the Ministries of Foreign Affairs, ICT, Interior and Defense. The government should also reach out to the private sector, civil society and the tech community. The communiqué of a successful meeting should, amongst other outcomes, identify cyber vulnerabilities, establish rules for cyber security governance in Kenya, provide a mechanism for reviewing cyber defenses in light of evolving cyber threats and set up a real-time cyber security center — where motivated geeks act upon intelligence on cyber attacks directed at public or private servers.

Ostensive investments by Kenya’s public and private sector in cyber research, insurance and security (complex tools which monitor and prevent anomalous activities in servers) must also be applauded. These noble efforts should be complemented by cyber awareness campaigns targeting employees – in light of the current cyber threat realities. Mandatory executive cyber education for employees — across all cadres — should provide remarkable benefits toward this noble end.

Given that older — as well as younger — employees may not respond well to compulsory cyber lectures, ICT department heads must think creatively about how to attract cyber education candidacies. Mindful that most Kenyans naturally respond well to freebies, I would propose sending a test email to all employees informing them that the first 10 people to click the link at the bottom of the email and fill in their personal information will receive a sh10,000 shopping voucher. Inform the “winning candidacies” that the shopping vouchers should be collected from building “x”, room “y” on date “z”, at 12 noon. As the excited “extreme couponing shoppers” troop into room “y” at noon, they walk into an unlikely event: a lecture on basic cyber etiquette!

The author is a commentator on policy and social issues.

