Got a tip? Let us know


Kenya-the safe harbor of cybercriminals

March 08,2017 4 comments


Yet I hear of several clauses being amended in various reports by major Kenyan Cybersecurity institutions. On paper. When will papers save internet users from invasions? “ Right, let's burn them up around the IT systems to create a firewall!, the written laws would protect the system!,” a Kenyan cyber security official would confidently say. Nkt, consider the following;

  • In 2011, the Kenya Police website was hacked into for several hours, and its home page defaced with an abusive message.
  • It is estimated that cybercrimes cost the country more than 2 billion Kenyan shillings (US$22.56 million) in 2013
  • 2014 saw a year of much more exciting games in the ever-lucrative tournament. The magnanimous facebook phishing attack that saw about 5,006 users lose millions of shillings, having to pay ransoms ranging from 10,000 to 100,000 to a Kenyan hacker. Teenager hacked Deputy president H.E William Ruto's and the KDF's twitter accounts. Confidential information contained in one of the local banks was compromised and the credentials used illegally to access the system and approve the fraudulent tender request in the ministry of devolution. In Garissa password of a senior IFMIS county official were stolen and used to make illegal payments. And of course, I was a victim of a major ransomware attack.
  • And, In December 2014, 77 foreigners — one Thai national and 76 Chinese — were arrested in Nairobi; they were found in possession of equipment capable of a massive cyber attack, such as infiltrating Safaricom’s M-PESA (mobile money transfer) system, cash machines and bank accounts (Agence France-Presse 2014).How can I forget this?
  • According to IDC’s 2015 cyber-security on Kenya, attacks by hackers have cost Kenya Kshs. 15 billion ($147 million). Asides companies, the public sector was most affected.
  • According to the 2016 report by International Data Corporation (IDC) relayed by The Nation, the government of Kenya increased by 15% its budget for cyber-security. Kshs. 13 billion ($127,400,000) disbursed for the fight against cyber criminality. The ramping up of budget falls in line with presidential directive aiming to protect the state’s computer system from any criminal intrusion...

The ambitious Kenya

Hiding our Achillie's heels first, let's take a look at our outer pride, our ambitions. Kenya, given its ambition to emerge as East Africa’s leading ICT innovator, has made the most effort to respond to cyber security threats. Emulating countries that have similarly emerged at the forefront of the information revolution, Kenya has made strides to adopt internationally recognized standards, seeking to offer a 'sense' of readiness to withstand cyber attacks. Kenya has also made great strides in incorporating ICTs into various industry sectors. As of 2013, it was noted that ICT contributed to 12.1 percent of the country’s GDP (Mwenesi 2014a). International organizations appear to have bet on Kenya’s ICT visions and ambitions. The World Bank Group alone invested around US$4.1 billion between 2003 and 2010 (Mwenesi 2014b).

However, Kenya has also created high expectations about its ability to adequately respond to growing risks, and will have to invest significant resources to live up to them; for this reputation can be easily eroded if Kenya is not able to face emerging challenges in ways that match its ambition to be recognized as East Africa’s ICT hub.

But what really overshadows all that pride and ambitions. Let's take a look at how the above mentioned Chinese case was handled. Chinese officials claimed that this was another fraud den aimed outwardly at China, however, and not at Kenya (Otuki 2014). Even if this was the case, the cybercrime ring was only discovered by chance, when a fire broke out in a house some members were living in, and it had been operating completely hidden from authorities. According to the Kenyan police, the suspects were charged with operating an unlicensed telecommunication facility and could face up to 15 years in jail or have to pay a 5 million Kenyan shilling fine (US$54,000), with more charges pending (Nzwili 2015). It is not clear yet under which specific law these suspects would be tried. The Chinese government assumes the criminal acts were targeted at them and has officially requested that its Kenyan counterpart extradites the suspects to face trial in China, where sound judicial procedures are in place, rather than potentially releasing the group in Kenya. The latter part of the Chinese government’s reasoning was interpreted as indicating that Kenya may not have strong enough laws under which to prosecute the cybercrime suspects, eliciting reactions that Kenya must prove it has the “capacity, and will, to investigate and prosecute crimes of such magnitude and complexity” (Gagliardone_Sambuli_CyberSecurity-2. May 2015, Daily Nation 2015).

According to ISACA there are about 1000 certified ICT professionals in Kenya, compare to 26.1million Kenyans internet users (64% of the Kenyan populace, 70% of which are 25years and below) and find out the ratio on your own, very worrying of course. That's a whoppingly large misbalance. Bear in mind that the number of internet users and that of cyber criminals increase exponentially against the linear (or let us just say stagnant, Kenya having achieved independence 5 decades ago) growth of the counter-crime 'intelligent' individuals. In 2012 home-grown cyber criminals were opportunistic in nature but have soon evolved to become more skilled, focussed and targetted in their attacks. (statistics from cyber security report 2015 by Serianu)

Statistics also show that in 2012-many organizations were concerned about what security tools they should buy. But having tools without the proper knowledge of cyber intelligence leaves them with the name script kiddies. Common methods of attacks by then were-keylogging, stealing of passwords through majorly phishing and ATM skimming. The year 2015 however, saw an advance in techniques used by our local criminals. Major attack methods experienced were; ransomware, database transaction manipulation, and social engineering hacking the user being easier than hacking the reinforced system. It is to be noted also that their career is becoming cheaper as their tools are moving to the cloud and being offered as a service. Giving them much compute power added with being up and running 24/7.

And will Kenya survive the next age of ICT revolution?? The internet of things is indeed a technological revolution that will revolutionize all industries. Kenya, I can assure you will mostly employ foreign expatriates to install such systems for them or will just purchase ready products of the same. For even their own future, individuals who could have tackled such in-depth details, aren't being trained. A look at the Kenyan institutions of higher education spells a big risk. Kenyatta University and JKUAT are among Kenyan universities topping a list of hackers in Africa, says a report by Cyberoam. The Hacktivists tamper with school systems to adjust grades and fee balances, says the report. Even some of the institutions' network systems are no longer owned by themselves but belong to the hacktivists. Experiencing frequent distributed denial of service attacks (DDoS), the institutions' network administrators are forced to have stressful moments in their works. They only manage to keep the servers running though overwhelmed by service requests, leaving students with limited network throughput, a large portion of bandwidth being owned by the criminals.

The institutions have also not made significant efforts to educate students in such matters. So far in the list of KUCCPS offered courses, very few points to the cyber security section yet this is a subject to be learned from the degree level. They might claim they have computer science, but this only educates the students basics of the ICT, practicals being the major indicator. Though students have been successful from this field, the number of developers having increased of late, it is majorly personal efforts and feelings of personal inadequacy. Most engineering students also are learning to manufacture sophisticated products, without security in mind. In the next ten years, most of these products will be in the cyber realm. No course touching on the coming IoT, have I witnessed, yet South African case may smell aroma in this case. Mind you, the Cyberoam report placed Kenya among African countries leading in cyber attacks, after Egypt, Morocco, and South Africa.

Without forgetting the recent moves by the government towards the digital world, there is more to worry about. Major moves include IFMIS, ITAX, E-government, the huge M-pesa (check out the post on what if's of Safaricom's M-pesa, the soon coming mobile money transfer platform by the kenyan banks ,the huduma smart cards, E-procurement and many other moves. All these systems are vulnerable to attacks and worse, they are at the core of the Kenyan economy. Recent upgrades and widening of fiber optics connectivity coupled with latest generations of networks like Safaricom's 4g see the nation connected over faster speeds. There has also been a proposal to bring all these systems together. Five ever- overflowing rivers when joined together will create a big lake (ever-overflowing too). Until then, much has to be done.

Kenya’s strategy to strengthen the country’s cyber resilience is caught between recognition of the still fragile status of the country in the digital realm and the ambition to make Kenya one of East Africa’s leading players, emulating and seeking partnerships with actors that are better prepared to respond to emerging threats. I will speak not of the so far established counter-cyberthreat units.

Michael Jaroya

He is a technology enthusiast, a writer, and motivator.An individual with the love for humanity..

More in this category: Phishing attacks-part 1 ยป