
THE PHENOMENAL ADEQUACY AND EFFICIENCY OF CYBER CRIME LAWS IN KENYA

MOI UNIVERSITY
SCHOOL OF LAW

FLB 400: DISSERTATION

TOPIC: THE PHENOMENAL ADEQUACY AND EFFICIENCY OF CYBER CRIME LAWS IN KENYA

BY LITWAJI CLINTON MWALE
LLB 295/14

DISSERTATION SUBMITTED TO THE FACULTY OF LAW, MOI UNIVERSITY, IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF THE BACHELOR OF LAWS DEGREE (LL.B) OF MOI UNIVERSITY

SUPERVISOR: MR. DANIEL ODHIAMBO

SEPTEMBER, 2017

DECLARATION

I, LITWAJI CLINTON MWALE, hereby declare that this is my original research work and has not been submitted for a degree programme in any other university. Any author's work has been given due recognition and properly referenced in the footnotes and the Bibliography. It is in this regard that I declare this work as originally mine. It is hereby presented in partial fulfilment of the requirements for the award of Bachelor of Laws Degree at Moi University.

LITWAJI CLINTON MWALE (AUTHOR)    DATE ________________    SIGN ______________

MR. DANIEL ODHIAMBO (SUPERVISOR)    DATE ________________    SIGN ______________

DEDICATION

I dedicate this dissertation to the Almighty for granting the wisdom and knowledge to go through my academic calendar successfully.

To my father, your desire, passion and aspiration to give me the very best education still astounds me to date. Your prayers, encouragement and sacrifice kept me going even when the situation was unbearable for both of us. You always kept my hopes alive and the need for me to concentrate on my studies. I salute you, my hero.

To my mother, the love and appreciation that is in my heart is beyond explanation. The late night calls I made when the road was getting rough, the encouragement and your prayers have pushed me all through. Your desire and aspirations in my studies are beyond mere words. Indeed mum you are the best, I cherish you so much.

To my brothers and sisters, I heart you so much. Through your sacrifice, support and dedication I made it to law school. Your prayers, motivation and good wishes have kept me going. I love you all.

To my uncle Aggrey and the family, your warm welcome, support and love during my studies, your prayers and sacrifice are beyond words. You've been with me every step in my studies and it's a reality that your hopes, good wishes and aspirations in my studies are recommendable. I value you so much.

ACKNOWLEDGEMENT

First and foremost, I take this opportunity to thank and acknowledge the Almighty God for the gift of life, good health, support and grace, without which this work would not be realized.

Roy and Zigy, I found a wonderful family in you guys. Even after it got spoiled you gave me peace and humble time not to worry about it but concentrate on my studies. The encouragement and all the good wishes are beyond words. Thank you guys so much. God bless you.

Chano and Dorothy, true sisters who kept me going. No words can explain what I hold for you. The continuous love, support and morale I got from you cannot be understated. I found a team and a family that has been a backbone to my studies and research work. You remain irreplaceable women in my life.

Elisha Mugabo, a brother who went beyond the expectations to see that I proceed with my studies. The prayers, support and encouragement were too immense to be ignored. The heartfelt good wishes and prayers will always remain in my mind. Your sacrifice and support is recommendable, bro. You have practically shown me the importance of praying, helping others and the value of humility in the face of greatness.

The great people like Natalie, Onesmus, Merebu, Nyameino, Akinyi, Brian, Sue, Dagaye, Wicki, Grace, Mokua, Kariuki, Ken, Boge and Lucie have been a source of inspiration in my academic journey. Your intellectual tenacity and motivational guidance are unsurpassed. Your compassionate views of the legal career gave me a deeper perspective of what is truly important in the life of an LLB undergraduate student. I marvel at your enthusiasm and characters, friends. May God bless you abundantly!
LIST OF CASES

R v Gold and Schifreen [1988] 2 WLR 984

LIST OF STATUTES

Computer and Cybercrime Bill of 2016
Criminal Procedure Act, No 51 of 1977
Criminal Procedure Code
Data Protection Act, 1998
Electronic Communications Amendment Act, No. 1 of 2014
Evidence Act, Chapter 80 of the Laws of Kenya
Interpretation and General Provisions Act
Laws of Republic of South Africa
National Intelligence Service Act, 2012
The Central Depositories Act, No 4 of 2000 (Laws of Kenya)
The Computer and Cyber Crime Act, 2016
The Constitution of Kenya, 2010
The Electronic Communications and Transactions Act, No 25 of 2002 (ECTA)
The Mutual Legal Assistance Act, 2011
The Protection of Personal Information Act, No 4 of 2013
The Regulation of Interception of Communications and Provision of Communication-related Information Act, No 70 of 2002 (RICA)

LIST OF INTERNATIONAL INSTRUMENTS

Code of Conduct for Law Enforcement Officials, Art. 1, Annex to General Assembly Resolution 34/169, 17 December 1979
Serious Organized Crime and Police Agency, 2005 (SOCPA), came into force 1 July 2005
The 32nd Session of the African Commission on Human and Peoples' Rights, 17-23 October 2002
The African Charter on Human and Peoples' Rights on 23 January 1992
The Convention on Cybercrime (The Budapest Convention on Cybercrime), opened for signature 23 November 2001, CET 185 (entered into force 1 July 2004)
The Council of Europe Convention on Cybercrime (CETS No. 185), Art. 2 (Illegal access), Art. 3 (Illegal interception), Art. 4 (Data interference), Art. 5 (System interference), Art. 6 (Misuse of devices)
The International Covenant on Civil and Political Rights (ICCPR)
The Universal Declaration of Human Rights (UDHR)
UNGA Resolution: Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructure, A/RES/64/211
United Nations Charter
United Nations Convention against Transnational Organized Crime (UNTOC), art 23

LIST OF ABBREVIATIONS

CA: Communication Authority of Kenya
CCK: Communications Commission of Kenya
CERT: Computer Emergency Response Team
CETS: Council of Europe Convention on Cybercrime
CIRT: Computer Incident Response Team
ECTA: Electronic Communications and Transactions Act
ICCP: Information, Computer and Communications Policy
ICCPR: International Covenant on Civil and Political Rights
ICT: Information Communication Technology
IEBC: Independent Electoral and Boundaries Commission
IM: Instant Messaging
JCPS: Justice, Crime Prevention and Security
KICA: Kenya Information and Communication Amendment Act
NCA: National Crime Agency
NIS: National Intelligence Services
OECD: Organization for Economic Cooperation and Development
SADC: Southern African Development Community
TESPOK: Technology Service Providers of Kenya
UDHR: Universal Declaration of Human Rights
UNECA: United Nations Economic Commission for Africa
UNTOC: United Nations Convention against Transnational Organized Crime
WSIS: World Summit on the Information Society

CHAPTER ONE

1.0 Introduction

Worldwide, states face a major challenge arising from cyber crimes. In East Africa, the Kenyan government faces the larger percentage of cyber crimes and other related crimes. This challenge is an eye opener on the state's legal approach to curbing and controlling cyber crimes and related crimes: it has come to be realized that the government and companies in Kenya are losing millions of shillings through cyber crimes. Kenya, as a third world country, faces the same challenge of cyber crime and related issues as developed nations. The major blow to the Kenyan government in regulating cyber crimes has been the lacuna in the law. The world economy depends on ICT as a common currency, and ICT is also a pivot point of the twenty-first century.
In 2008 Kenya came up with the Communication and Information Act, which aimed at controlling and regulating the telecommunication sector. The Act gives the Communication Commission of Kenya the power to protect the right to privacy of all persons, but it fails to provide for legislation governing the control of cyber crimes in Kenya. This lacuna leaves the powers of the Communication Commission of Kenya suspended in the air with no base or foundation, so the power of protection is largely theoretical and impossible to exercise. In 2016 the state came up with the Computer and Cybercrimes Act, 2016 as a means of saving the country from the scars of cyber crimes, which to a great extent are shaking the status of our economy.

The United Nations Code of Conduct for Law Enforcement Officials provides that law enforcement officials are mandated to fulfil the duty and responsibility imposed on them by law 'by serving the community' and 'by protecting all persons against illegal acts.' [Code of Conduct for Law Enforcement Officials, Art. 1, Annex to General Assembly Resolution 34/169, 17 December 1979] Law enforcement in Kenya involves police officers, but for years we were not able to come up with a specialized team of officers to monitor and help curb cyber crime in Kenya, until 2016 when we came up with the anti cyber crime police unit. With this special unit in force, we can equip its officers with computer technology that will aid in getting data from mobile phones and other computer devices in the possession of suspects. [UNODC, Handbook on the Crime Prevention Guidelines: Making them work (2010)]

1.1 Statement of the Problem

For the past years, Kenya has tried to curb cyber crimes and related crimes, though the steps taken have not been fruitful. There is an apparent lack of uniformity in the diverse pieces of legislation amended ostensibly to deal with cybercrime.
The Evidence Act [Evidence Act, Chapter 80 of the Laws of Kenya] was amended so as to enable the admissibility of digital evidence in court, but this has not been the result. As a matter of fact, the section leaves the production of information and evidence generated, sent or stored in magnetic, optical or computer memory contentious, because the Interpretation and General Provisions Act [Interpretation and General Provisions Act, Chapter 2 of the Laws of Kenya] has not been amended. The Central Depositories Act [The Central Depositories Act, No 4 of 2000 (Laws of Kenya)] provides for stiff penalties for manipulation of electronic data. Despite these pieces of legislation, regulating cyber crimes has not been easy, and the law is far from sufficient.

Under the previous regime, Kenya relied on the Kenya Information and Communication Act in regulating cyber crimes. The Act was designed to deal specifically with mobile transactions and electronics, though it had a few provisions that touched on cyber crime issues in the country. Kenya participated in the 2004 convention on cybercrimes but, despite that participation, we as a state failed to provide in our legislation for the detailed procedure set out in the convention. [The Convention on Cybercrime (The Budapest Convention on Cybercrime), opened for signature 23 November 2001, CET 185 (entered into force 1 July 2004)] As a result of the lacuna in the law, cyber crimes have led to massive loss of finances by the government and companies. In recent days banks have been the greatest target, and in East Africa Kenya is the leading country as far as cyber crimes and related issues are concerned.
1.2 Justification of the Study

This study is based on the recent incidences of cyber crime. In East Africa, Kenya is a state that has faced a 100% increase in cyber crime offences. Companies, and to a greater extent banks, are the main targets as far as cyber crime is concerned. The government is also on the losing end, through institutions such as the Kenya Revenue Authority and through the IFMIS system. The research will also focus on the legislation in the 2016 bill on cyber crime.

In Kenya, cyber crime legislation is at its infancy stage, and cyber crime no longer touches only on commercial aspects but has gone to the extent of being political. The political side of cyber crime involves the hacking of the IEBC system as a way of trying to hack the coming 2017 general elections, which have been digitalized. This is a threat to national security, and the current state of the nation is that hardly a day goes by without an institution facing threats of cyber crime. These acts of cyber crime are widely reported in the media, but the heartbreaking part is that hackers and other suspects of cyber crime never face justice before the law. This has been cultivated by failures in our legislative system [M. D. Goodman and S. Brenner, The Emerging Consensus on Criminal Conduct in Cyberspace (Oxford, International Journal of Law and Information Technology), [2000] Vol. 10, at p. 3] and in the investigating and prosecuting bodies.

1.3 Research Objectives

This research paper will focus on the legislative provisions in the Computer and Cybercrimes Act of 2016 (bill): how relevant the legislation is to the current status of cyber space issues in Kenya in terms of power, investigation and prosecution of cyber crime suspects. The paper will also evaluate the efficiency of the legislation in the Kenyan context and its scope of authority. The research will also evaluate the compliance of cyber crime legislation in Kenya with the set international standards.
1.4 Research Questions

The research will address the following questions:

a) To what extent is the bill on the Computer and Cybercrimes Act of 2016 relevant to the Kenyan situation on issues of cyber security?
b) To what level is the legislation efficient in the enforcement of cyber security laws in Kenya?
c) To what extent does the legislation in Kenya comply with the internationally set standards on cyber security?

1.5 Research Methodology

This is a qualitative research that will be based on the relevant literature as primary and secondary data. This will include writings by qualified publicists, legal and policy instruments, as well as data collected and recorded in secondary sources. It is basically an internet-oriented study centred mainly on the critical examination and analysis of secondary sources including, but not limited to, books, journal articles, dissertations and relevant studies, to get the information necessary for its purposes. No primary research in the strict sense has been undertaken, since the study appeals more to secondary research. However, I will engage scholars in this area to obtain their views as regards the study. This will be informal and will not take the form of administering questionnaires, but simply impromptu one-on-one interviews.

1.6 Literature Review

This is an area with limited research resources in terms of books; the entire research is internet based, with few books on record. We have to acknowledge the fact that cyber space is a field that is evolving. First, the World Summit on the Information Society (WSIS) [The World Summit on the Information Society (WSIS), available at www.itu.int/wsis/, accessed on 20th April 2017] acknowledges that cyber crime is a global problem. The summit also identified the risks that result from inadequate cyber security and the proliferation of cyber crime as global, and the need for unity in trying to curb cyber crime issues.
The WSIS Tunis Agenda for information security [The WSIS Tunis Agenda for the Information Society, available at www.itu.int/wsis/documents/doc_multi.asp?lang=en&id=2267|0, accessed on 20th April 2017] outlined a plan for multi-stakeholder implementation, at international level, of the WSIS Geneva Plan of Action [The WSIS Geneva Plan of Action, available at www.itu.int/wsis/documents/doc_multi.asp?lang=en&id=1160|0, accessed on 21st April 2017], under which the WSIS and governments are designated to facilitate the implementation of the WSIS action line dedicated to promoting and building confidence and security in the use of ICTs. The line of action here involves legislation and investigation mechanisms that will help reduce cyber crime issues. [WSIS Action Line C5: Building confidence and security in the use of ICTs, available at www.itu.int/wsis/c5/, accessed on 21st April 2017]

Uchenna Jerome Orji's book, Cyber Law and Regulation [Uchenna Jerome Orji, Cyber Law and Regulation, WLP (2012)], expounds the notion of cyber issues in two major categories: international initiatives on cyber crime, and cyber crime security laws and regulations. Cyber crime is defined to mean the technologies and practices designed and framed to secure and protect networks, computers, programs and data from unauthorized access, attack and damage. The author goes further to state the concepts of cyber security, which are:

- The nine Ds of cyber security, a concept that expounds practical defensive tactics in a scheme that can easily be remembered
- A five model of computing systems
- A payload vs. protection paradigm
- Differentiating security threats into classes
The author also touches on a range of malicious conduct that cyber security laws are determined to prohibit, and on other contextual legal issues affecting cyber security. The Commonwealth Model Law on Computer and Computer Related Crime, the Draft International Convention to Enhance Protection from Cybercrime and Terrorism, and the Global Protocol on Cybersecurity and Cybercrime are part of the analysis captured by the author, in addition to an analysis of the Council of Europe Convention on Cybercrime. African multilateral regulatory responses to cyber security at both regional and sub-regional levels are also detailed, including the cyber security initiatives of the African Union. This analysis forms part of the legal framework on cyber security in Africa.

Dr Marco Roscini, in Cyber Operations and the Use of Force in International Law [Dr. Marco Roscini, 'Cyber Operations and the use of Force in International Law', Oxford University Press (2014)], provides a picture of cyber security that captures its real identity in the current century. The author also captures the issues that have given rise to cyber security and opens up a discussion about its real identity. The author divides his treatment of cyber crime into two sections, jus ad bellum and jus in bello (with a short supplementary chapter on neutrality). Jus ad bellum is a principle concerned with reconciling cyber attacks with a well-entrenched system of law that is proportional to warfare in cyber space. The United Nations Charter provides for the Security Council's vast discretion in determining the existence of a threat to the peace, breach of the peace or act of aggression. [United Nations Charter, article 39] Taking this provision as the point of departure, it follows that all armed attacks must be subject to the same criteria, whatever weapon is resorted to. [Ibid, article 51]

In light of the 2010 UN General Assembly resolution on cyber security [UNGA Resolution: Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructure, A/RES/64/211], the current regime and the 21st century, the naked truth is that we cannot disconnect the environment we live in from cyber crime and cyber security issues. This poses a major challenge that should be dealt with as fast as possible. Cyber security [Cyber security Terms and Definitions, available at www.itu.int/dms_pub/itut/oth/0A/0D/T0A0D00000A0002MSWE.doc, accessed on 25th April 2017] is a pivot to the development of information and technology and of all development that touches on internet services. [ITU Cybersecurity Work Programme to Assist Developing Countries 2007-2009, 2007, available at www.itu.int/ITU-D/cyb/cybersurity/docs/itu-cybersurity-workprogramme-developing-countries.pdf, accessed on 25th April 2017] Enhancing and promoting cyber security is an essential part of a state's progress in promoting other activities that back up growth and development. Ensuring that the internet can be trusted and is safe is part and parcel of the work of all governments in the world, because governments rely greatly on cyberspace in their activities and, to a great extent, in promoting national security. [ITU WTSA Resolution 50 (Rev. Johannesburg, 2008), on Cybersecurity, available at www.itu.int/dms_pub/itu-t/opb/res/T-RES-T.50-2008-PDF-E.pdf, accessed on 27th April 2017] The formulation and implementation of a national strategy and framework for cyber security is accorded a comprehensive approach [The ITU Cybersecurity Work Programme to Assist Developing Countries (2007-2009), 2007, available at www.itu.int/ITU-D/cyb/cybersurity/docs/itu-cybersurity-work-programmedeveloping-countries.pdf, accessed on 27 April 2017] which incorporates technical protection systems and the promotion of civic education on cyber security, cyber crime and its illegality. [Kellermann, Technology risk checklist, Cybercrime and Security, IIB-2, page 1]

Olowu, D., in 'Cyber-Crimes and the Boundaries of Domestic Legal Responses: Case for an Inclusionary Framework for Africa' [Olowu, D., 'Cyber-Crimes and the Boundaries of Domestic Legal Responses: Case for an Inclusionary Framework for Africa', (2009) (1) Journal of Information, Law & Technology (JILT), available at http://go.warwick.ac.uk/jilt/2009_1/olowu, accessed on 27 April 2017], recognizes the challenges facing African nations in the fight against cyber crimes. The world generally is growing at a fast rate in the phase of digital migration and revolution. The tremendous gains of the internet era are being faced with the formidable menace of cyber crime. The increase of cybercrime and its effects in Africa depends on a country's state of economy, literacy level, population and legislative capability in combating cyber crime. African states are advised to develop their domestic laws and to domesticate international laws that are entrenched to combat cyber crimes and related issues. The paper also points out the weakness of African states in controlling cyber crimes and draws attention to the inherent limitations and failures in the current domestic legal response to cyber crime.

1.7 Chapter Breakdown

The paper will be divided into five chapters. Each chapter will contain its own idea and approach and shall be discussed independently and conclusively.

Chapter One
  Introduction
  Problem statement
  Objectives of the research
  Research hypothesis
  Methodology
  Limitation
  Literature review
  Chapter breakdown
Chapter Two: The Phenomena of Cybercrime in Kenya
  Typology of cybercrime in Kenya
    Illegal access (hacking, cracking)
    Illegal data acquisition [data espionage]
    System interference
    Illegal interception
  Types of cyber crimes in Kenya
    Malware
    Cyber stalking
    Ransomware
    Fraud
    Mobile payment system attacks

Chapter Three: Cyber Crime Legislations
  The 2010 constitution
  International standards
  National provisions
  Emerging issues and challenges on cyber security in Kenya

Chapter Four: Comparative Study
  Republic of South Africa
    Legislation
    Power to investigate, search and seize
    International cooperation and structures
  The United Kingdom
    Legal measures
    Institutional mechanisms

Chapter Five
  Conclusion
  Recommendation

CHAPTER TWO

2.0 Typology of Cyber Crime in Kenya

Cyber crime can also be referred to as computer crime or electronic crime. It involves the use of computers and network systems. The growth in the use of computers and related devices in the 21st century facilitates the growth of cyber crime not only in Kenya but in the whole world. The definition of cyber crime cannot be narrowed down, since cyber crime is a wide form of criminal offence. The definition has not been captured in the computer and cyber crime act; instead, the act starts by defining specific terms used in cyber space. The act [Computer and Cybercrime Bill of 2016, s 3] recognizes the breadth of cyber crime offences, which are understood in four categories:

- Offences against the confidentiality, integrity and availability of computer data and systems [The Council of Europe Convention on Cybercrime (CETS No. 185), Art. 2 (Illegal access), Art. 3 (Illegal interception), Art. 4 (Data interference), Art. 5 (System interference), Art. 6 (Misuse of devices)]
- Copyright-related offences [Ibid, Art. 10 (Offences related to infringements of copyright and related rights)]
- Computer-related offences [Ibid, Art. 7 (Computer-related forgery), Art. 8 (Computer-related fraud)]
- Content-related offences [Ibid, Art. 9 (Offences related to child pornography)]

Part 2 of the act recognizes offences that are punishable in Kenya:

2.1 Unauthorized access

The act criminalizes the act of causing, whether temporarily or permanently, a computer system to perform a function by infringing security measures. Intentionally gaining access to information that one is not authorized to access is an offence punishable, on conviction, by a fine not exceeding five million shillings, imprisonment for a term not exceeding three years, or both. [Supra note 1, s 4] Any person who discloses, without permission, any password, access code or other means of gaining access to any program or data held in any computer system commits an offence. [Ibid s 9]

2.2 Unauthorised interference

Interference with a computer, program or data without authority and with intent to cause any of the following results: significant financial loss to any person, a threat to national security, physical injury or death to any person, or a threat to public health or public safety, is an offence punishable by a fine not exceeding twenty million shillings, imprisonment for a term not exceeding ten years, or both. [Ibid s 6]

2.3 Computer forgery and fraud

This involves unlawfully gaining, occasioning unlawful loss to another person, or obtaining an economic benefit for oneself or for another person, through any of the means described as offences under the act. Any form of communication to an individual or a group of persons that is likely to cause those persons apprehension or fear of violence to them, or damage to or loss of their property, or that detrimentally affects them, is an offence under the act. [Ibid s 13 & 14]

2.4 Aiding or abetting of commission of a crime

The act criminalizes acts that aid or abet the commission of a crime.
Wilful attempts to commit an offence, or any act preparatory to or in furtherance of the commission of any offence under the Act, are an offence and liable to punishment. [Ibid s 15]

2.5 Child pornography

The act also criminalizes child pornography, through section 11. The acts covered fall into three main categories:

- Publishing child pornography through a computer system
- Producing child pornography for the purpose of its publication through a computer system
- Possession of child pornography in a computer system or on a computer data storage medium

The aim of the Council of Europe Convention on Cybercrime is to protect society from cybercrime in general, including child pornography. Among the content-related offences, the article on offences related to child pornography "seeks to strengthen protective measures for children, including their protection against sexual exploitation, by modernising criminal law provisions to more effectively circumscribe the use of computer systems in the commission of sexual offences against children". [The Council of Europe Convention on Cybercrime, Article 9]

2.6 Types of Cyber Crime in Kenya

2.6.1 Cyber terrorism

Cyber terrorism is evidenced by attacks against one or more parts of the Internet with the aim of precluding legitimate users from being able to use internet-based services, instilling fear that the integrity of services has been compromised and, most importantly, causing fear of the power of the group behind the attack. [Brian Fitzgerald et al, 'Internet and E-Commerce Law: Technology Law and Policy' (Lawbook Co, Sydney, 2007)] Cyber terrorism is closely linked to cyber warfare. The difference between cyber terrorism and cyber warfare lies in three aspects: intention, scale, and actor. The intention in a full-scale cyber war is to cripple the target (be it the economy, communications or essential services), or to create confusion prior to or during an actual attack.
In these situations, direct control by the state, or close collaboration of the state with these actors, cannot be ruled out. [Lilian Ochieng, 'Tough Law to Boost Fight Against Cybercrime', Daily Nation Kenya, 28 January 2014]

2.6.2 Ransomware

Ransomware, a word built from ransom and malware, is a kind of malware attack that demands payment in exchange for stolen computer functionality. Most attacks of this nature use encryption as the means of extortion: the files on a computer's hard drive are encrypted, and the victim is then asked for payment to have them decrypted and returned. It is a form of denial of service attack. [Gazet, A., Comparative analysis of various ransomware virii. Journal in Computer Virology, 6(1), (2010), pp. 77-90] A majority of people will go to dramatic lengths in order to access locked information or to prevent sensitive information from being leaked to the public. Ransomware is a crime on the rise and is projected to be the favourite cybercrime of the future. Awareness education is the key to ransomware prevention. [Luo, X., & Liao, Q., Awareness Education as the key to Ransomware Prevention. Information Systems Security, 16(4), (2007), pp. 195-202] Efforts to make backups in the "cloud" are gaining popularity. However, this measure is constrained by the privacy policy a client has to sign or accept. Since some of the content is highly confidential, some individuals find it hard to make these online backups.

2.6.3 Malware

Malware is a short form of malicious software. It refers to malicious software that finds its way into a computer system, especially from the Internet. It could be viruses, Trojans, worms and other software that gets installed in a computer without the user's knowledge. [Poonia, A. S., Cyber Crime: Challenges and its Classification. International Journal of Emerging Trends & Technology in Computer Science (IJETTCS), 2014] Malware is defined by its malicious intent, acting against the requirements of the computer user, so it is important to note that it does not include software that causes unintentional harm due to some deficiency. In several cases, the software will pretend to be legitimate software. Malware's intentions are diverse, ranging from spying on your work, phishing or password sniffing, monitoring web sites visited, and access to confidential data, to denial of service, among others. Cyber criminals who can hack use malware to gain access to government sites. Malware can be used to bring down a website. Whatever the motivation of an attack, it is important that users avoid installing pirated software and downloading software from non-trusted sites, and that they maintain up-to-date anti-malware protection. General awareness of computer software security issues can go a long way in reducing cases of malware attacks. Users can avoid payments created by malware.

2.6.4 Identity theft / Fraud

Cyber criminals source information from an institution, the government or an individual. The information is then used to commit other offences. This information can be obtained through social engineering or email phishing, purchased on the black market, or found using search tools and techniques. Social media contain personal information about an individual, and an attacker may befriend an unsuspecting individual and obtain all the information needed to launch an attack, or entice them to perform some action. [Halder, D. & Jaishankar, K., Cyber crime and the victimization of women: laws, rights and regulations. Information Science Reference (2011)] This can be through conversations, whether via phone calls, online chats, emails or other means of communication, leading to the disclosure of private information.
In case of such incidents it is the sole responsibility of the individual to alert the authorities in place so that an investigation can commence immediately and the individual responsible can be arrested.

2.6.5 Cyber stalking

In Kenya cyber stalking takes many forms, such as defamation or libel, falsification, fraud, intimidation, offensive comments, personal attacks, graphic violence and violation of rights to privacy. Clark, K., Stikvoort, D., Stofbergen, E., & van den Heuvel, E., A Dutch Approach to Cybersecurity through Participation. Security & Privacy, IEEE, 12(5), (2014) pg. 27-34. It involves the use of friends and family to get information about an individual. A victim of cyber stalking should report the matter to the relevant authority. However, the general lack of legislation dealing with cybercrime before the bill on cyber crime came into force retards the efforts of reporting. Some victims may even choose to ignore the attack and move on.

Cyber stalking is the use of technology, that is, the internet and electronics, to harass someone. An attacker harasses a victim using electronic communication, such as e-mail, instant messaging (IM), phone calls or posting messages on chat forums, discussion groups or social sites. A cyber stalker will hide on the Internet for anonymity to avoid detection. Romero-Mariona, J., Ziv, H., Richardson, D. J., & Bystritsky, D., Towards usable cyber security requirements. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (p. 64). The stalker relies upon the anonymity afforded by the Internet to stalk the victim without being detected. The messages sent range from sexual harassment and threats to one’s security and safety to the posting of false information for defamation or simply annoying attention to an individual’s private life and family activities.
Unlike general cyber harassment, cyber stalking poses a credible threat to the victim. Cyber stalkers will go to great lengths to try to monitor a victim’s online activity. This may include infecting a person's computer with malware that is able to log computer activity. They may contact a victim's colleagues, friends and other online contacts in an effort to slander them or extract personal information from them. Cyber stalkers are also known to continually harass their potential victims. To deal with cyber stalking, some of the drastic measures are to report the crime to the police, block contacts of the perpetrator, or unfriend their contacts. General knowledge of cyber-attacks may also help individuals identify a potential attacker and take the necessary measures. The rate of cyber stalking in Kenya is high, and educating the public on cyber stalking is necessary as an initiative for controlling cyber crime.

2.7 Attack on banks and Mobile money payment systems

Cybercriminals have their eyes on the banks and mobile money payment platforms in Kenya such as M-pesa, Airtel money and Orange money. The tremendous growth in mobile payments also offers a great opportunity for money laundering. Users therefore need to exercise great caution and use common sense in the event of potentially fraudulent transactions. Angela Okuku et al, Cybersecurity Strategy’s Role in Raising Kenyan Awareness of Mobile Security Threats. (2015). Over the years, since mobile money transaction services gained ground, criminals have always devised ways of gaining access to individuals’ accounts. Apparently, most mobile money transactions are not monitored via banking regulations. The lack of thorough testing of mobile money transaction platforms offers a major vulnerability easily exploited by cybercriminals. Various malware families may take advantage of this situation and cause serious losses to mobile money transaction clients.
Kenyan banks have been tasked to compile and file with the Central Bank of Kenya a detailed report of the plans, strategies, policies and frameworks that they intend to use in confronting emerging cyber security threats. Victor Juma, New cyber regulations for commercial banks, Daily Nation.

CHAPTER THREE

3.1 Relevant national legislations on cyber security

3.1.1 The 2010 constitution provisions

The constitution is the supreme source of law of the land. The Constitution of Kenya, 2010, art 2(1). It further recognizes that treaties and conventions ratified by Kenya shall form part of the laws of Kenya, subject to the supremacy of the constitution and rule of law principles. Ibid art 2(6). The constitution, through the bill of rights in chapter four, recognizes fundamental human rights that are always a target of cyber criminals. The bill of rights forms an integral part of the social, economic and cultural policies of the state. The rights belong to each individual and are not granted by the state. Ibid art 19(1),(2). The state has the obligation to safeguard, respect and protect these rights and fundamental freedoms against criminals, including cyber criminals. Ibid art 21.

These rights include the right to privacy; to protection against infringement of an individual’s communication; to access to information; to consumer protection; to fair administrative action; to access to justice and fair hearing; to freedom of conscience, religion and opinion; to freedom of expression; and to freedom of media. Any violation of the bill of rights by cyber criminals qualifies any individual to institute court proceedings claiming that a right or a fundamental freedom in the bill has been violated, infringed or threatened. The proceedings can be instituted by an individual or by one acting in his interest. Ibid 22. Jurisdiction to hear and determine matters on chapter four has been granted under art 23(1) and art 165 of the constitution.
Ibid art 23 & 165.

These rights, for example freedom of expression, are not absolute and can only be limited pursuant to the law in instances that are reasonable and justifiable; a right should only be exercised in a manner that does not violate another person’s enjoyment of the bill of rights. Ibid art 24. The constitution further empowers the national assembly to enact legislation that will protect the constitution and promote the rule of law. Ibid art 109. Parliament exercised these powers of legislation through the enactment of the 2016 computer and cyber crime bill.

3.1.2 Computer and cybercrime bill of 2016

3.1.2.1 Part III investigation procedures

The power to investigate is based on the criminal offence under the act and other offences committed through the use of a computer system. The act must also be prohibited by the act or any other written law. Ibid, s 20. A police officer or any authorized officer may, where there is reasonable doubt, search and seize computer stored data that is necessary for investigation or prosecution. A search can be with or without a search warrant. For a search with a warrant, the officer applies to the court stating the necessity of the warrant, the mechanism to be used in getting the necessary information, and physical custody of the computer system, program data or computer data storage medium. Any data seized pursuant to the provisions of the act can only be used for the purpose of investigation or prosecution. Ibid s 21.

An officer is also granted the power to search without a warrant where he believes that delay will defeat the investigation process or prosecution since the data may be lost, manipulated or destroyed. Ibid s 22. When conducting this search an authorized officer is bound to follow the code of conduct laid down in the CPC cap 75, sections 119-121. Criminal Procedure Code cap 75, s 119-121. A record of anything seized is made and taken to the court within whose jurisdiction the things were found.
If the seized data or item is missing or has been made inaccessible, the officer in charge must make a report about the same and report to the authority. The owner of seized data or of a seized computer system should be allowed to access the data or the computer system; where there is reason to believe that the owner can compromise the data or the computer system, the right can be denied. Supra, note 22, s 23.

In instances where one is still in possession of the data or a computer system, an officer can apply for a production order from the court. If one is a service provider, he will be required to submit subscriber information relating to such services under his control or possession. Ibid s 24. The act further provides for expedited disclosure of traffic data in a computer or data storage medium. The act aims at preventing the modification, loss or destruction of the traffic data. The data preserved is treated with for the period specified in the notice by the officer. Any extension of the period should not be more than 30 days. The preservation shall mainly be used in investigation and prosecution. If the owner or controller of the computer system is a service provider, he should respond to the assistance request and disclose enough of the non-content data to aid the officer in identifying other telecommunication providers involved in the transmission of the communication. Ibid s 25.

Real time collection of traffic data may be achieved through making an application to the court. The order compels a service provider to collect or record any information within its technical capability. It is limited to a period of 6 months and any extension of the period must be reasonable. Measures to promote the integrity and privacy of the users, customers or third parties are to be obeyed. The act also prohibits disclosure of any information or data of any party not part of the investigation.
Ibid s 26.

An officer may apply for a data interception order if there is reasonable belief that the content of any specifically identified electronic communications is required for investigation. The cooperation, collection and recording must be within the jurisdiction transmitted by means of computer system. The order lasts for only 9 months, though it may be extended by the court where it considers it necessary for the purpose of investigation or prosecution. Ibid s 28-30.

3.1.2.2 Part IV international cooperation

The Central Authority may make a request for mutual legal assistance in any criminal matter to a requested State for purposes of undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data. That is, collecting evidence of an offence in electronic form, obtaining expeditious preservation and disclosure of traffic data, real-time collection of traffic data associated with specified communications, or interception of content data, or any other means, power, function or provisions under the Act. It is upon a requesting State to make a request for mutual legal assistance to the Central Authority in any criminal matter. The central authority may accept to offer legal assistance or deny offering any legal assistance. In case of acceptance, any information that is shared must comply with the Mutual Legal Assistance Act of 2011. The Mutual Legal Assistance Act, 2011. The information can only be used in an investigation or proceeding. Computer and cyber crime bill, 2016, s 31. The central authority may spontaneously share any information acquired during its own investigation with a foreign state for the purpose of cooperation under the act and any other written law, only if the information will aid in the investigation or prosecution of cyber crime offences.
Before sharing the information the central authority should set conditions that protect confidentiality, and the foreign state should respond whether it shall comply or not. Ibid s 32.

For the search, similar access, seizure or similar securing of data or any disclosure of data, a requesting state may request the court, through the Central Authority, for an order of expeditious preservation of data stored by means of a computer system located within the territory of Kenya. Once the order is granted by the court, the central authority is mandated to preserve the specified data according to the powers conferred upon it by the act. The preservation order lasts for not less than one hundred and twenty days, in order to enable the requesting State to submit a request for the search or access, seizure or securing, or the disclosure of the data. Ibid s 33.

In case an investigating agency discovers that a service provider in another State is involved, the Central Authority shall expeditiously disclose to the requesting State a sufficient amount of traffic data to identify any other service provider from another country and the path through which the communication was transmitted. Ibid s 34. Mutual assistance regarding the accessing of stored computer data will involve the Central Authority taking all appropriate measures to obtain the necessary authorization, including any warrants, to execute upon the request. It may at one point seek the support and cooperation of the requesting State during such search and seizure. Ibid s 35. A police officer or any other authorized officer has a right of trans-border access to stored computer data with consent or where it is publicly available. Ibid s 36. The act also captures the aspect of mutual assistance in the real-time collection of traffic data and mutual assistance regarding the interception of content data.
Ibid s 37 & 38.

The Central Authority shall ensure that investigation agencies responsible for investigating and prosecuting cybercrime have designated a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence. The point of contact shall have the authority, and is empowered, to coordinate and enable access to international mutual assistance under the computer and cyber crime bill of 2016. Ibid s 39.

3.1.2.3 Part V—general provisions

Kenyan courts have jurisdiction to try any offences provided in the act within their jurisdiction. The jurisdiction of the courts goes beyond the territory of Kenya for offences committed outside Kenya by a Kenyan citizen or an individual who resides in Kenya, or against a Kenyan citizen or against the government of Kenya. Ibid s 40. The court before which a person is convicted of any offence may, in addition to any other penalty imposed, order the forfeiture of any apparatus, device or thing to the Authority. Ibid s 41. In any conflict of law on matters of cyber crime, the computer and cyber crime bill of 2016 prevails over any other written law. Ibid s 42.

3.1.3 The Kenya Information and Communication Amendment Act (KICA)

The Kenya Information and Communication Amendment Act (KICA) was passed in 2013 with regulatory responsibilities and powers over both broadcast and online media. The act covers the broadcasting aspect more than it deals with matters of cyber crime. In its definition of cyber crime, the act fails to recognize cyber crime against individuals, for example children.
In its recognition of what cyber crime is, it defines cybercrime as offences against the information technology infrastructure, from unauthorized access to and interception of computer services, to modification of computer material and data, and unauthorized change of mobile telephone equipment. The Act regulates the retention of electronic records and of “information in original form.” Section 83 states:

“Where any law provides that documents, records or information shall be retained for any specific period, then that requirement shall be deemed to have been satisfied where such documents, records or information are retained in electronic form if: (a) The information contained therein remains accessible so as to be usable for subsequent reference; (b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and (c) The details which will facilitate the identification of the original destination, date and time of dispatch or receipt of such electronic record are available in the electronic record...”

Prior to 2016, cyber security in Kenya was regulated by this act, which was insufficient. This lacuna in law has increased cyber crime in Kenya, and the government will thus have to fight extra hard to control and uproot this criminal activity that is eroding the economy.

3.2 International standards

3.2.1 The freedom of expression through digital means

Freedom of expression under international law is a fundamental right protected by a number of internationally recognized statutes. Kenya is bound by international statutes that protect the freedom of expression through article 2 of the constitution, which provides that international laws, conventions and treaties ratified by Kenya shall form part of the laws of the land.
The 2010 Kenyan constitution, article 2.

The Universal Declaration of Human Rights (UDHR), article 9, provides: “everyone has the right to freedom of expression and the right includes freedom to hold opinions without interference to seek, receive and impart information and ideas through the media regardless of the frontiers.” The Universal Declaration of Human Rights (UDHR), article 9. The UN Human Rights Committee in September 2011 explicitly recognized that Article 19 ICCPR envisaged the freedom of expression through internet based mechanisms and also through other electronic media devices. In September 2011, the General Comment No 34 on freedom of expression was adopted by the UN Human Rights Committee, which applies in Kenya since we are signatories to the Rome statute. CCPR/C/GC/3, para 12, adopted on 12 September 2011.

Article 19 of the International Covenant on Civil and Political Rights (ICCPR) also provides for the freedom of expression, which is effected through electronic media or other computer devices. The International Covenant on Civil and Political Rights (ICCPR), article 19. The PEN declaration on freedom of expression provides that digital suppression should not be used to hamper the exercise of the freedom of expression through digital means such as Twitter. The PEN declaration on freedom of expression, article 1.

Freedom of expression is provided for in the 2002 Declaration of Principles on Freedom of Expression in Africa (African Declaration) in Article II. The 32nd Session of the African Commission on Human and Peoples’ Rights, 17-23 October 2002. Kenya ratified the 1983 African Charter on Human and Peoples’ Rights (ACHPR), which means that the provision on the right to freedom of expression in Article 9 applies to Kenyan circumstances. The African Charter on Human and Peoples’ Rights on 23 January 1992.
3.2.2 The OECD Guidelines

These are guidelines that were formulated by the Information, Computer and Communications Policy (ICCP) Committee in 1992, with an Expert Group on information security. The guidelines were later adopted by the OECD Council. The Council of the OECD adopted the Recommendation concerning Guidelines for the Security of Information Systems. The 24 OECD member countries adopted the guidelines later. The guidelines include:

Sanctions for misuse of information systems are an important means in the protection of the interests of those relying on information systems from harm resulting from attacks to the availability, confidentiality and integrity of information systems and their components. Examples of such attacks include damaging or disrupting information systems by inserting viruses and worms, alteration of data, illegal access to data, computer fraud or forgery, and unauthorised reproduction of computer programs. In combating such dangers, countries have chosen to describe and respond to the offending acts in a variety of ways. There is growing international agreement on the core of computer-related offences that should be covered by national penal laws. This is reflected in the development of computer crime and data protection legislation in OECD Member countries during the last two decades and in the work of the OECD and other international bodies on legislation to combat computer-related crime […]. National legislation should be reviewed periodically to ensure that it adequately meets the dangers arising from the misuse of information systems.
Organisation for Economic Cooperation and Development (OECD), Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data, 23 September 1980, available at: http://www.refworld.org/docid/3dde56854.html [accessed 22 June 2017].

Under par 4 of the OECD Guidelines, the Guidelines recognize the fact that member countries may wish to exclude the application of the principles under the guidelines because of national sovereignty, national security or public policy. Organisation for Economic Cooperation and Development (OECD), Para 4.

3.2.3 United Nations Convention against Transnational Organized Crime (UNTOC)

One of the objectives of the United Nations, through the UNTOC, is to set protocols that prevent and punish organized criminals who deal in the exploitation of children and the abuse of women, together with the misuse of Information Technology devices and systems with the aim of committing an offence. A state, through the Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography, has powers to set out policy in the best interests of children through cyber crime legislation. The United Nations Convention against Transnational Organized Crime (UNTOC) aims at stopping cybercrime activities among the member states. Legislative Guides for the Implementation of the United Nations Convention against Transnational Organized Crime, 2004, page xvii, available at: www.unodc.org/pdf/crime/legislative_guides/Legislative%20guides_Full%20version.pdf. (accessed 23rd June, 2017).

3.2.4 The Council of Europe Convention on Cybercrime (CETS) (cybercrime convention)

It was adopted in 2001 and has been ratified by 42 countries, including Kenya, the United States, Australia and Panama, and signed by more than 7 other countries as at 2002.
The Convention provided guidelines on the drafting of the computer and cyber crime bill of 2016 in Kenya in accordance with human rights standards. The convention is relied on by other states in drafting cyber crime legislation. In particular, it contains basic definitions, including definitions of computer data, computer system, traffic data and service provider, which are adopted in our national legislation. The Computer and Cyber Crime Bill, 2016, part II. The Convention mandates the adoption of a number of procedural measures to investigate and prosecute cybercrimes, including preservation orders, production orders and search and seizure of computer data. These recommendations are captured by the current laws on cyber crime in Kenya; for example, the offence of child pornography in the CETS (The Council of Europe Convention on Cybercrime, Article 9) is criminalized in Kenya. CETS differs from comparable regional frameworks such as that of the African Union in that the CETS has no instrument for international cooperation in place.

3.2.5 The African Union

The African Union Commission works jointly with the UN Economic Commission for Africa (UNECA) in developing a legal framework for African countries that addresses issues like electronic transactions, cyber security and data protection in Africa. The need to unite in the fight against cyber crime is based on the increase in cyber offences, with growth in the use of improved technology across the continent. The advancement of technology is so fast that it leaves behind a lacuna in the laws that govern cyberspace. African Union, Oliver Tambo Declaration, Johannesburg 2009, available at: www.uneca.org/aisi/docs/AU/The%20Oliver%20Tambo%20Declaration.pdf. (accessed on 25th June, 2017).
The convention drafted a more comprehensive and credible legal framework, which states:

“Each Member State shall adopt such legislative measures as it deems effective, to define material criminal offenses as acts which affect the confidentiality, integrity, availability and survivability of ICT systems and related infrastructure networks; as well as procedural measures deemed effective for the arrest and prosecution of offenders. Member States shall be called upon to take on board, where necessary, the approved language choice in international cyber crime legislation models such as the language choice adopted by the Council of Europe and the Commonwealth of Nations.” Article III – 23 – 1: Laws against cyber crime.

Chapter two of the convention deals with standards related to statutory authorities, harmonization, democratic principles, double criminality, protection of essential information infrastructure and international cooperation. Ibid Art. III-1-1 to Art. III-1-7. The third chapter addresses issues related to a national cyber security system. This includes the role of the government, education, a culture of security, public-private partnership, and training and public awareness-raising. Ibid Art. III-1-8 to Art. III-1-12. Chapter 4 is dedicated to national cyber security monitoring structures, and lastly the fifth chapter deals with international cooperation. The different conception is provided for in Articles 21 and 25. The convention proved of much significance in Kenya during the drafting of the computer and cyber crime bill of 2016.

3.3 Regulatory mechanism against cyber crime in Kenya

3.3.1 Institutional mechanism

3.3.1.1 Cyber crime coordination centre

It is a centre set up by the Communication Authority of Kenya (CA) in October 2016. The centre is tasked to respond to actual online attacks and threats to cyber security in Kenya.
The centre was formed due to the increase in online threats posed by cyber criminals through the use of information technologies (ICT) and the internet. The centre aims at curbing the increasing threats posed by cyber criminals in Kenya and the region at large. The centre works with other CERTs and other international organizations with a view to facilitating information exchange on how to mitigate the risks posed by cyber threats and attacks. The centre also promotes cyber crime awareness across the country.

3.3.1.2 Kenya Law Reform Commission

The Commission has a statutory and ongoing role of reviewing all the laws of Kenya, including cyber security legislation, to ensure that they are modernised, relevant and harmonised with the Constitution of Kenya. It is part of the task force constituted to formulate legislation on cybercrime (the Computer and Cybercrimes Bill, 2016) that is in operation in Kenya. It is tasked to identify the lacuna in law on cyber crime and to formulate the laws necessary to curb cyber crime offences.

3.3.1.3 National Intelligence Services (NIS)

The NIS is a department under Kenya’s Ministry of Interior, National Intelligence Service Act, 2012, charged with identifying conditions which threaten Kenya’s social, economic and political stability. The NIS is also involved in developing techniques and strategies to neutralise cyber threats. The NIS works collaboratively with the Technology Service Providers of Kenya (TESPOK) and the ICT Authority in gathering intelligence on existing or emerging threats. It has a dedicated cybercrime unit which acts as a liaison between the NIS and other industry stakeholders. The unit reports to the Director General of the NIS, who sits on the National Security Council. Its powers are not prejudiced by the computer and cyber crime bill of 2016.
The Computer and Cyber Crime Bill, 2016, s 20(3).

3.3.1.4 The computer incident response team

The CIRT was set up by the CCK, and its mandate is to coordinate the response to and manage incidents of cyber security in Kenya through collaboration with relevant actors locally, internationally and regionally. Available at http://www.google.com/url?q=https://www.unodc.org/cld/lessonslearned/ken/cybercrime_lead> on 27th August 2017. CIRT functions include:

- Facilitating the development of a national Public Key Infrastructure (PKI)
- Capacity building in information security and creating and maintaining awareness on cyber
- Coordinating computer security incident response at the national level and acting as a national trusted point of contact
- Liaising with the local sector Computer Incident Response Teams (CIRTs), regional CIRTs, international CIRTs and other related organizations
- Gathering and disseminating technical information on computer security incidents, vulnerabilities, security fixes and other security information, as well as issuing alerts and warnings
- Carrying out research and analysis on computer security and related technologies, and advising on new trends

3.3.1.5 Proposed National Cyber security Agency

It is an agency envisioned as a body that will be responsible for overseeing the mechanisms of protecting against advanced internet-based crimes. The proposed functions of the Agency include:

- Protection of government communications and information systems against penetration of its databases and systems.
  This includes, but is not limited to, detection, prevention and the management of cyber risks and data breaches in accordance with the ISO 27001 series of standards
- Decoding, translation and information analysis

3.3.2 Policy mechanisms

3.3.2.1 Information sharing and collaboration

The computer and cyber crime act of 2016 provides the Central Authority with powers to make a request for mutual legal assistance in any criminal matter with another state when undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data, or when collecting evidence of an offence in electronic form. The computer and cyber crime act, 2016, part IV. Sharing of information and strategies by different states and other institutions formed to curb cyber crime makes it easier and more convenient to avoid cyber attacks not only in Kenya but worldwide. Parties may, however, restrict their level of cooperation more narrowly in cases of extradition regarding the interception of content data. More broadly, this general principle of cooperation, mutual assistance regarding the real-time collection of traffic data and mutual assistance is to be carried out ‘through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws.’ United Nations Convention against Transnational Organized Crime (UNTOC), art 23.

3.3.2.2 National ICT Policy of 2016

The national ICT review of 2016 reviewed the policies of 2006 for developing the ICT sector in Kenya. The strategy was aimed at harmonizing the policies with the 2010 constitution of Kenya, which is committed to upholding the constitution and respecting the fundamental values of human rights, equality, freedom, democracy, social justice and the rule of law.
The policy also acknowledges that the right to privacy and the security of the person and property are paramount in the deployment of information and communication in Kenya. The objectives of the policy include:

- Protecting vulnerable populations such as children, who will require special focus to ensure that they are safe and derive value from cyberspace, from cyber crimes such as pornography.
- Development of appropriate legal and regulatory frameworks, technical solutions and law enforcement strategies for the appropriate detection and prevention of cyber threats in Kenya.
- Providing information security standards for the ICT sector.
- Supporting the development of a new generation of technologies that will lead to secure, trustworthy and sustainable computing and communications systems.

3.3.2.3 Kenya National Cyber security Strategy

A National Cyber security Strategy was devised in 2014 as a vision for the future of cyber security in Kenya. The strategy is framed to support national and encouraging ICT growth and aggressively to promote cyber security in Kenya. It is a guiding document for the management of cyber security issues in the country; it also addresses loopholes in information security and provides the government with implementation plans to protect Kenya’s ICT cyber assets. The strategy also affirms Kenya’s commitment to multi-stakeholder engagement by stating that cyber security is a shared responsibility internationally. Lukorito, Graham Masinde, "Information security threats and E-government initiatives at the Kenya Revenue Authority (KRA)." Unpublished MBA Project, University of Nairobi (2011).

Kenya has taken the first step towards building a cyber security policy framework to suit Kenya’s unique cyber threats. This Policy is currently steered by the ICT Authority (formerly the ICT Board) through the National Cyber Security Master Plan. The key elements the policy addresses are Training & Awareness, Economic Impact, Governance, and Policy and Legal framework.
The problem with such trainings is that the knowledge remains with individuals who aren’t directly concerned in either implementing or executing the function. Currently the government is not explicitly working with academic entities. Partnerships in cyber security are mostly being undertaken by the private sector, where partnerships are being forged either to increase the depth of research in cyber security or to develop training and awareness programs across the country.

3.4 Emerging Issues and Challenges in the Arena of Cyber Law in Kenya

3.4.1 Investigation

The challenges of digital investigations are addressed in the Convention (ch II s 2). Because of the inherent volatility of digital evidence, these include powers for the expedited preservation of stored computer data [UNTOC, art 16] and the expedited preservation and partial disclosure of traffic data. [Ibid art 17. ‘Traffic data’ is defined in art 1 as ‘any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service’.] These powers allow for relevant data to be preserved, allowing authorities time to seek its disclosure. Partial disclosure of traffic data is also allowed in order to identify the path through which the communication was transmitted. Provision is also made for production [Ibid art 18] or search and seizure of data [Ibid art 19], as well as real time collection of traffic data and/or interception of content data. [Ibid ch 2 s 2 title 5] These procedures must be applied to those offences provided for under arts 2–11. Further, to help ensure equivalence between the collection of non-digital and digital evidence, [United Nations Office on Drugs and Crime, ‘Comprehensive Study on Cybercrime’ (Report, February 2013) 1 (‘Comprehensive Study on Cybercrime’).]
and subject to limited exceptions, they must also be applied to other offences committed by means of a computer system, or where evidence is collected in electronic form. [United Nations Convention against Transnational Organized Crime (UNTOC), art 14(2).] This alludes to the fact that the importance of electronic evidence extends beyond ‘cybercrimes’ to potentially any form of offending to which electronic evidence may be relevant.

Investigation beyond Kenyan territory is based on mutual assistance, where a state can willingly agree to assist or decline. In case of denial, the investigation will not be sufficient to sustain prosecution. The most intrusive form of request, the interception of content data, is completely governed by ‘applicable treaties and domestic law’. [Ibid art 34]

3.4.2 Evidential problem

Kenya being a third world country, we experience the problem of loss of evidence necessary to sustain an investigation process and prosecution. The current act on computer and cyber crime addresses these challenges by prescribing the manner in which the information may be stored, including physical custody of a computer system. Prosecution in Kenya is based on physical evidence while electronic evidence is subjected to strict regulations thus can sustain prosecution. Developments reflect the problems regarding electronic evidence and the focus on police and prosecutions. This lacuna in law has made it difficult to sustain prosecution.

3.4.3 Sovereignty

Most of the states in the region have not come up with sufficient legislation on cyber crime. The applicability of treaties and conventions is subject to each state’s laws: where a state has not ratified a treaty that covers cyber crime issues, it leaves a gap that is utilized by cyber criminals.
The 2016 act on cyber crime covers the issue of sovereignty in the sense that the jurisdiction of the courts goes beyond the territory of Kenya for offences committed outside Kenya by a Kenyan citizen or an individual who resides in Kenya, or against a Kenyan citizen or against the government of Kenya. [Computer and Cyber Crime Bill, 2016, s 40] Where there is any conflict in law on matters of cyber crime, the Computer and Cyber Crime Bill of 2016 prevails over any other written law. [Ibid s 42] The problem here is with other states: if they do not have such a provision in their laws, it means that their citizens are immune from cyber offences they commit within their country against the Republic of Kenya.

3.5 Conclusion

The rapid evolution of cybercrime will continue. Driven by technology and the creativity of offenders, new schemes will spread rapidly over the Internet. This will pose challenges for domestic and international law enforcement bodies and for the development of international legal standards that match the evolving cyber crime. The Kenyan legislations so far have made progress in recognizing the internationally set standards. We are at a better stage currently in so far as enactment of legislation is concerned. The enactment of the 2016 Computer and Cyber Crime Bill is commendable since the act has so far recognized the gaps in the previous laws, though the legislations can be termed not sufficient because of the nature of cyber crimes, which evolve so fast.

CHAPTER FOUR
COMPARATIVE STUDY

4.0 SOUTH AFRICA

4.0.1 National Cyber crime Legislations

South Africa is currently working on the consolidation of cybercrime and cyber security legislation through the Cybercrime and Cyber security Bill, which is yet to be tabled in parliament following its approval by the cabinet and publication in August 2015.
[South Africa’s new bill will affect everyone who use internet, < https://myboardband.co.za/news/government/195276-south-africas-new-cybersurity-bill-will-affect-everyone-who-uses-the-internet.htlm > August 23, 2017]

The Electronic Communications and Transactions Act

The Electronic Communications and Transactions Act, No 25 of 2002 (ECTA), has been the sole regulator of cyber security in South Africa for the past years. The act covers the National E-strategy [Ibid, s 5-9], electronic transactions [Ibid s 10], communication of data messages [Ibid s 21-24], E-government resources, cyber inspectors [Ibid s 80-89], cyber crime [Ibid s 85-89] and the general provisions [Ibid s 90-95].

The Protection of Personal Information Act

The Protection of Personal Information Act, No 4 of 2013 (POPI Act) imposes administrative as well as punitive penalties for infringements of its provisions. As it seeks to advance data security standards, it imposes stringent requirements pertaining to the lawful processing of personal information and requires data processors to implement security measures aimed at protecting personal data from breach or compromise.

The Electronic Communications and Transactions Act (ECTA) [Electronic Communications Amendment Act, No. 1 of 2014], through the Minister of Communications after consultation with the Justice, Crime Prevention and Security ministries (JCPS Cluster) [Mthembu, Mpakwana Annastacia. "High road in regulating online child pornography in South Africa." Computer Law & Security Review 28.4 (2012): 438-444.], established a ‘cyber security hub’ that is responsible for detecting and preventing cybercrime, creating awareness of cybercrime, responding timeously to incidents or threats of cybercrime, and fostering co-operation between government, the private sector, civil society and international businesses and communities in implementing guidelines or standards for cyber security requirements.
[< https://www.cybersurityhub.gov.za > August 24, 2017]

The National Integrated ICT Policy white paper of 2016

The National Integrated ICT policy white paper, 2017, outlines policy frameworks that aim at the transformation of South Africa into an inclusive and innovative digital and knowledge society. The paper seeks to resolve fragmented systems and non-alignment of laws and policies prior to implementation of an effective national cyber security strategy. [Van Audenhove, Leo. "Towards an integrated information society policy in South Africa: an overview of political rhetoric and policy initiatives 1994–2000." (2003): 129-147.] The paper stipulates the reinforcement and extension of the strategies in the South Africa Connect national broadband policy. [South Africa Connect: creating opportunity, ensuring inclusion, 2013]

The Draft Cybercrimes and Cyber security Bill, 2017

South Africa has been in the process of drafting legislation that endeavours to consolidate the state’s cyber security legislations into one, through the Cybercrimes and Cyber security Bill [Michalsons < https://mybroadband.co.za/news/government/195276-south-africas-new-cybersurity-bill-will-affect-everyone-who-uses-the-internet.html > August 24, 2017] that commenced in 2015. The bill is aimed at:

- Individuals who are involved with IT or POPI compliance.
- Electronic Communications Service Providers.
- Providers of software or hardware tools that could be used to commit offences.
- Financial services providers.
- Owners of copyrights and pirates.
- Information Security experts.
- Anyone who owns an Information Infrastructure that Government could declare as critical.

The bill creates around 50 new offences that involve data, messages, computers, and networks, that is: using personal information or financial information to commit an offence, unlawful interception of data, uttering, extortion or terrorist activity, hacking and computer-related forgery.
The penalties for these offences range from 1-10 years in prison or up to a R10-million fine. [Ibid]

4.0.2 The power to investigate, search and seize

The ECTA, the Criminal Procedure Act [Criminal Procedure Act, No 51 of 1977, Laws of Republic of South Africa], the Regulation of Interception of Communications and Provision of Communication-related Information Act [The Regulation of Interception of Communications and Provision of Communication-related Information Act, No 70 of 2002 (RICA)] and the Criminal Procedure Act [Criminal Procedure Act, No 51 of 1977, Laws of Republic of South Africa] have been the champion legislation on cybercrime in South Africa, but they provide investigation, search and seizure mechanisms that are inadequate to curb cyber crime. The Cybercrimes and Cyber security Bill will give the South African Police and the State Security Agency extensive powers to investigate, search, access, and seize just about anything, like a computer, database, or network. [Supra note 18]

4.0.3 International cooperation and structures

The Southern African Development Community (SADC) Model directs all its 15 member states to craft and harmonize legislation that will curb cyber crime in the region. [Kizito Sikuka, SADC respond to cyber crime, < http://www.sardc.net/en/southern-african-news-features/sadc-responds-to-cyber-crime/ > August 23, 2017] The harmonization of legislation was envisioned to provide a legal framework in the region that would collectively tackle challenges associated with cyber crime.

The Budapest Convention has also been of great significance in South Africa, as it provides the state with a list of offences against and by means of computers to criminalize, procedural laws for investigation, and international police and judicial cooperation on cybercrime and e-evidence. [The Budapest convention on cybercrime: a framework for capacity building, < https://www.thegfce.com/news/news/2016/12/07/budapest-convention-on-cybercrime > August 23, 2017.]
4.1 The United Kingdom

4.1.1 Legal measures

4.1.1.1 The Computer Misuse Act

[Computer Misuse Act 1990, chapter 18 - An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.]

It is the first ever piece of legislation that was drafted by the UK to specifically address and legislate on cyber crime in the United Kingdom. It was drafted to cover the loopholes in law, since the existing laws were inadequate in dealing with threats caused by hackers. The outcry that led to the enactment of this act was the failure by the law to convict two hackers in the case R v Robert Schifreen and Stephen Gold [R v Gold and Schifreen [1988] 2 WLR 984] in 1985, even on appeal, after the two gained unauthorized access to BT’s Prestel service in 1984 and were charged under the Forgery and Counterfeiting Act 1981. The act in sections 1-3 introduced three main offences of cybercrime and computer misuse: [See < http://www.viruslist.com/en/weblog?weblogid=186528531 > August 24, 2017]

1. Unauthorised access to computer material
2. Unauthorised access with intent to commit or facilitate commission of further offences
3. Unauthorised modification of computer material

The act has gone through several amendments to date to make it consistent with the European convention on cyber crime. [Council of Europe, Convention on Cyber Crime (ETS No. 185)] Section 37 was amended to include new section 3A, which criminalizes the making, supplying or obtaining of articles for use in computer misuse offences. Sections 41-44 were also amended by the Serious Crime Act of 2015. [Supra note 24, s 41-44] The Police and Justice Act also amended section 35, where unauthorized access to computer materials was punishable by up to two years with a fine. Section 36 [Ibid s 36] was amended to punish intent to impair operations of a computer by ten years’ imprisonment.
Section 43 [Ibid s 43] covers the territorial scope of computer misuse, to cover other states especially in instances where the perpetrator is a British citizen and is in violation of the local laws.

4.1.1.2 Data Protection Act

[Data Protection Act, 1998, Chapter 29, Laws of the U.K.]

The act was enacted in 1998 by the UK parliament to protect personal data that is stored in an organized filing system or stored on computer devices. The act lays out strict rules known as data protection principles. [Crime justice and the law, < https://www.gov.uk/data-protection/the-data-protection-act > August 25, 2017] The act controls how organizations, business entities or the government use individuals’ personal data. The usage of any personal data is subject to the principles that the body in question must ensure that the personal information available is:

- Only kept for the period prescribed
- Handled with due consideration to people’s data protection rights
- Used lawfully and fairly
- Accurate
- Used in a limited manner as to only the specified reason
- Used in a manner that is relevant and adequate

The act provides stronger protection to sensitive personal information [Supra note 31, schedule 2 and 3] such as sexual health, ethnicity, political affiliations, religious beliefs and practices, health and criminal records. [Ibid] The act only covers data of individuals who are alive and who can be identified and distinguished from others. [Ibid] The act, through sections 70 to 71 [Ibid s 70-71], sets out supplementary definitions and definitions that explain expressions used in the act.
[Key definitions of the data protection act, < https://ico.org/uk/for-organisations/guide-to-data-protection/key-definition/ > August 25, 2017]

4.1.2 Institutional Regulatory Mechanisms

4.1.2.1 The National Crime Agency

[National cybercrime Agency, UK, 2013]

It was established in 2013 to replace the Serious Organized Crime and Police Agency [Serious Organized Crime and Police Agency, 2005 (SOCPA), came into force 1 July 2005], which came into force on 1st July 2005. The NCA comprises the child exploitation and online command and the national cyber crime unit. [See <www.coe.int/en/web/octopus/country-wiki/ /asset_publisher/hFPA5fbKjyCJ/content/unitedkingdom/popup?101INSTANCE_hFPA5fbkCJviewmode=print&101INSTANCEhFPA5fbkyCJlanguageld=ar_JO > August 25, 2017] The NCA has a strategic role of detecting cyber crime, analysing its operations and destroying cybercriminals’ links. The NCA works in collaboration with the serious fraud office, individual police unit and the regional organized crime unit. The NCA director general is one of the senior law enforcement leaders and has the powers to direct the regional police chiefs on how they can concentrate their resources to help curb cyber crime activities. [National Crime Agency, < www.bbc.com/news/uk-24384152 > August 25, 2017]

4.1.2.2 The UK Computer Emergency Response Team (CERT)

[CERT UK. See < https://www.cert.gov.uk/ > August 25, 2017.]

The CERT works with other security operations centre teams in order to identify and respond to cyber risks, establish detection rules and coordinate the response to computer related emergencies of national significance. [Computer Emergency Response Team (CERT), < https://www.uk.capgemini.com/computer-emergency-response-team-cert > August 25, 2017] The CERT provides a range of services to protect business assets from cyber threats and is responsible for the formulation of appropriate response formulae towards a cyber security threat.
[Ibid] The CERT will also provide advisory notices on cyber security issues detected across the UK, academia or industries. [Chris Vallance, cyber emergency response team launched by UK, < www.bbc.com/news/technology-26818747 > August 25, 2017.]

CHAPTER FIVE
CONCLUSION AND RECOMMENDATIONS

5.0 Conclusion

As technology evolves and changes, so too will our responses need to evolve and change, not necessarily at the same rate, but the evolution of our legislative responses should not lag so far behind. Kenya has the obligation to determine what it considers necessary to effectively combat cybercrime, looking at national, regional and international standards in enacting laws that best suit its national circumstances. The obligation to safeguard the state and the world, as the objective of the study, touches on:

- The evaluation of cyber-crime legislation in Kenya
- The evaluation of the efficiency of these laws
- The evaluation of whether these laws conform to the international standards

The Kenyan government enacted the Computer and Cyber Crimes Bill 2016, which is a reflection of the international standards, with the input of experts from the Inter Agency Committee for Formulation of Cyber Crime and the Budapest Convention on Cybercrime. The act has further provided for a wide and comprehensive range of offences that includes unauthorized access, access with the intent to commit other offences, child pornography and a wide array of other computer-related crimes. The Computer and Cybercrimes Bill 2016 has been vouched for by the Communications Authority, the ICT Ministry, the Central Bank of Kenya, the office of the Director of Public Prosecutions, the National Intelligence Service and other key stakeholders as a transformative piece of legislation that has closed most of the loopholes in the law. The act being legislation that touches on technology, the drafters of the laws should from time to time monitor the progress and try to fill the lacuna in law.
5.1 Recommendations

With new legislation that covers cyber security issues at local, regional and international level in place, the state should adequately fund the institutions in place so that they can manage the investigation, detection and prevention measures for combating cyber crime. The anti-cybercrime agencies involved should be funded by the government to enable them to acquire, annually, modern technological equipment that will match the evolving technology and the strength of the crimes committed, and not continue to play a catch-up game with cyber criminals.

With the faster evolution of technology, the state should annually educate a team of security experts on cyber security issues, set up training institutions on cyber security and involve all stakeholders in the same field. The state should also develop a special team of prosecutors who would be trained and educated specifically to prosecute matters of cyber security.

Kenya being a third world country that is grappling with the faster growth of technology, the state should conduct and promote civic education on cyber crime, and sensitize the young and internet addicted generation on how they can avoid cyber attacks and on the importance of reporting such attacks to the relevant authorities.

There is need and concern for continued collaboration between the government, the public and the private sector in setting the right legal context that satisfies both national security concerns and consumer rights.

Individuals and organizations should employ data encryption in order to curb the vice of cyber crime, i.e. each institution or organization that is prone to cyber attacks should develop and report to the relevant cyber regulation authority a system that they intend to use in order to limit and aid in combating cyber crime offences in Kenya.
The state should endeavour to ensure regional and global harmonization of legislation on cyber crime and related crimes, and in instances of the most serious cybercrimes and cyber attacks of global concern, the state should champion investigation and prosecution based on international law, and sentencing by an international Court or Tribunal for cyberspace.

BIBLIOGRAPHY

Books

Dr. Marco Roscini, Cyber Operations and the Use of Force in International Law. Oxford University Press (2014).
McQuade, S. C. “Encyclopaedia of Cybercrime,” Greenwood Press, Westport USA (2009).
Uchema Jerome Orji, Cyber Law and Regulation. WLP (2012).

Articles

Angela Okuku et al, Cybersecurity Strategy’s Role in Raising Kenyan Awareness of Mobile Security Threats (2015).
Cabrera-Balleza, Mavic. Finding a difficult balance: human rights, law enforcement and cyber violence against women (2008).
Ford Gordon, Assessing Technology, Methods, and Information for Committing and Combating Cyber Crime, 2003.
Jones, C.W., Council of Europe Convention on Cybercrime: Themes and Critiques. Workshop on the International Dimensions of Cyber Security, hosted by the Georgia Institute of Technology and Carnegie Mellon University (2005). Pg. 6-7.
Kenya Cyber Security Report, Rethinking Cyber Security – “An Integrated Approach: Processes, Intelligence and Monitoring.” Serianu Ltd (2014).
Levy, Hackers, 1984; Hacking Offences, Australian Institute of Criminology, 2005.
Lukorito, Graham Masinde, "Information security threats and E-government initiatives at the Kenya Revenue Authority (KRA)." Unpublished MBA Project, University of Nairobi (2011).
Roderic, G. et al. ‘Cyber-crime: the challenge in Asia,’ University of Washington Press, USA (2005).
Romero-Mariona, J., Ziv, H., Richardson, D. J., & Bystritsky, D., Towards usable cyber security requirements.
In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (p. 64). ACM. (2009).

Journals

Campbell/Gordon/Loeb/Zhou, The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence From the Stock Market, Journal of Computer Security, Vol. 11, page 431-448.
Clark, K., Stikvoort, D., Stofbergen, E., & van den Heuvel, E., A Dutch Approach to Cybersecurity through Participation. Security & Privacy, IEEE, 12(5), (2014) pg. 27-34.
Gazet, A., Comparative analysis of various ransom ware virii. Journal in computer virology, 6(1), (2010). Pg. 77-90.
Hackworth, Spyware, Cybercrime and Security, (2007) IIA-4.
Joyner/Lotrionte, Information Warfare as International Coercion: Elements of a Legal Framework, EJIL 2002, No 5, page 825.
Luo, X., & Liao, Q., Awareness Education as the key to Ransomware Prevention. Information Systems Security, 16(4), (2007). Pg. 195-202.
M. D. Goodman and S. Brenner, The Emerging Consensus on Criminal Conduct in Cyberspace (Oxford, International Journal of Law and Information Technology), [2000] Vol. 10, at p. 3.
Mthembu, Mpakwana Annastacia. "High road in regulating online child pornography in South Africa." Computer Law & Security Review 28.4 (2012): 438-444.
Okuku et al, Cyber security Strategy’s Role in Raising Kenyan Awareness of Mobile Security Threats. Vol. 32, 2015.
Poonia, A. S. Cyber Crime: Challenges and its Classification. International Journal of Emerging Trends & Technology in Computer Science (IJETTCS), 2014.
Sabaliauskaite, G., & Mathur, A. P. Design of Intelligent Checkers to Enhance the Security and Safety of Cyber Physical Systems. In Computer Software and Applications Conference Workshops (COMPSACW), International (pp. 7-12). 2014.
Van Audenhove, Leo. "Towards an integrated information society policy in South Africa: an overview of political rhetoric and policy initiatives 1994–2000." (2003): 129-147.
Yee, Juvenile Computer Crime – Hacking: Criminal and Civil Liability, Comm/Ent Law Journal, Vol. 7, 1984, page 336.

Internet Sources

Michalsons < https://mybroadband.co.za/news/government/195276-south-africas-new-cybersurity-bill-will-affect-everyone-who-uses-the-internet.html > August 24, 2017
Kizito Sikuka, SADC respond to cyber crime, < http://www.sardc.net/en/southern-african-news-features/sadc-responds-to-cyber-crime/ > August 23, 2017
The Budapest convention on cybercrime: a framework for capacity building, < https://www.thegfce.com/news/news/2016/12/07/budapest-convention-on-cybercrime > August 23, 2017
Crime justice and the law, < https://www.gov.uk/data-protection/the-data-protection-act > August 25, 2017
Key definitions of the data protection act, < https://ico.org/uk/for-organisations/guide-to-data-protection/key-definition/ > August 25, 2017
National Crime Agency, < www.bbc.com/news/uk-24384152 > August 25, 2017
CERT UK. See < https://www.cert.gov.uk/ > August 25, 2017.
Computer Emergency Response Team (CERT), < https://www.uk.capgemini.com/computer-emergency-response-team-cert > August 25, 2017
Chris Vallance, cyber emergency response team launched by UK, < www.bbc.com/news/technology-26818747 > August 25, 2017.
South Africa’s new bill will affect everyone who use internet, < https://myboardband.co.za/news/government/195276-south-africas-new-cybersurity-bill-will-affect-everyone-who-uses-the-internet.htlm > August 23, 2017
African Union, Oliver Tambo Declaration, Johannesburg 2009, available at: www.uneca.org/aisi/docs/AU/The%20Oliver%20Tambo%20Declaration.pdf. (accessed on 25th June, 2017).
Legislative Guides for the Implementation of the United Nations Convention against Transnational Organized Crime, 2004, page xvii, available at: www.unodc.org/pdf/crime/legislative_guides/Legislative%20guides_Full%20version.pdf. (accessed 23rd June, 2017).
Organisation for Economic Cooperation and Development (OECD), Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data, 23 September 1980, available at: http://www.refworld.org/docid/3dde56854.html [accessed 22 June 2017]
Olowu, D., ‘Cyber-Crimes and the Boundaries of Domestic Legal Responses: Case for an Inclusionary Framework for Africa’, (2009) (1) Journal of Information, Law & Technology (JILT), available at <http://go.warwick.ac.uk/jilt/2009_1/olowu> accessed on 27 April 2017
The ITU Cybersecurity Work Programme to Assist Developing Countries (2007-2009), 2007, available at: www.itu.int/ITU-D/cyb/cybersurity/docs/itu-cybersurity-work-programmedeveloping-countries.pdf>. accessed on 27 April 2017
ITU WTSA Resolution 50 (Rev. Johannesburg, 2008), on Cybersecurity, available at: www.itu.int/dms_pub/itu-t/opb/res/T-RES-T.50-2008-PDF-E.pdf accessed on 27th April 2017
ITU Cybersecurity Work Programme to Assist Developing Countries 2007-2009, 2007, available at:< www.itu.int/ITU-D/cyb/cybersurity/docs/itu-cybersurity-workprogramme-developing-countries.pdf>. accessed on 25th April 2017
Terms and Definitions, available at: www.itu.int/dms_pub/itut/oth/0A/0D/T0A0D00000A0002MSWE.do>c accessed on 25th April 2017
WSIS Action Line C5: Building confidence and security in the use of ICTs, available at www.itu.int/wsis/c5/> accessed on 21st April 2017
The WSIS Geneva Plan of Action, available at: <www.itu.int/wsis/documents/doc_multi.asp?lang=en&id=1160|0 accessed on 21st April 2017
The WSIS Tunis Agenda for the Information Society, available at www.itu.int/wsis/documents/doc_multi.asp?lang=en&id=2267|0 accessed on 20th April 2017
The World Summit on the Information Society (WSIS), available at: www.itu.int/wsis/> accessed on 20th April 2017