Cyber criminals convicted of hacking into government databases to mine State secrets for sale to foreign countries will serve 20 years in jail if Parliament passes a Bill seeking to tame the growing white-collar crime.
The Computer and Cybercrimes Bill 2017, a revised version of a 2016 law, also proposes fines of up to Sh10 million for “unlawful” access or interception of data from a national critical information infrastructure to “benefit a foreign State against” Kenya.
ICT secretary Joe Mucheru said that revisions to the proposed law, which was published in June 2017, had been inspired by the Russian hacking scandal in the 2016 US elections.
“We had an election in the United States and it became very clear that cyber espionage is actually the way things are going,” said Mr Mucheru.
American officials are investigating allegations that Russian hackers influenced the election in favour of Donald Trump.
The French elections held earlier this year were also marred by hacking claims while Germany has been warned of serious security flaws in some of the software it uses in voting.
Kenya has had its own election hacking scandal arising from opposition National Super Alliance’s (Nasa) claim that the electoral commission’s systems were electronically compromised during the August 8 elections.
There have been no allegations that foreign governments were involved.
The proposed law’s purview extends beyond government-held data or systems. The critical information infrastructure covered in the law includes systems which, were they to be destroyed or corrupted, would have adverse effects on the nation.
Some of this infrastructure, such as telecommunications systems, is not held by the government but by private companies.
So, for instance, it could be argued that Safaricom’s network, due to its breadth and depth, is critical infrastructure for proper functioning of the Kenyan nation.
Under the proposed law, hacking into systems that have been declared critical infrastructure and sharing or selling the data obtained for the benefit of other States amounts to a crime of cyber espionage.
The proposed law also targets purveyors of fake news, which was prevalent during the August elections.
A clause in the Bill sets a penalty of Sh5 million and a prison term of two years for publishers of “false, misleading or fictitious data” with the intention that such “data shall be considered or acted upon as authentic.”
Mr Mucheru said that the government had been informed by trends in US elections and expected fake news to become an issue of concern in Kenya too.
Research by Geopoll and Portland Communications showed that 90 per cent of Kenyans had come across fake news related to the elections in the past year.
The cybercrimes Bill is meant to seal a gap in Kenya’s regulatory framework and to harmonise disjointed laws.
The Access to Information Act provides penalties for access and sharing of crucial government data while the Kenya Information Communication Act (KICA) also has clauses on hacking. However, Mr Mucheru says the new law is meant to get rid of ambiguities in the legal framework.
The proposed law also arms the investigating agencies of government with the procedure for investigating and collecting evidence on cybercrimes.
Police officers will obtain court orders to intercept, access and seize data stored on computers and from Internet service providers.
When the police suspect that the law is about to be broken, they would also be empowered to seize data without a warrant.
Companies compelled to provide the information, on mobile subscribers for instance, could also be gagged from informing their customers or the public of warrants on the data. The law would also compel those with technical know-how to assist law enforcement in carrying out investigations.
People hacking into computer systems or sharing passwords and access codes without authority will face jail terms of three years or fines of Sh5 million.
Where the target of the hack was a protected system — the military, law enforcement, banks, telecoms firms, and public utilities — the penalty is hiked to a fine of Sh25 million or 20 years in prison.
These fines are significantly higher than those contained in KICA, sections of which would be repealed if the proposed law is adopted. For instance, KICA imposes a fine of Sh500,000 for unauthorised access to material and a fine of Sh200,000 for unauthorised disclosure of passwords.