Saturday, 1 September 2007

COMPUTER FORENSICS-KENYA NEEDS A LAW TO PROTECT BUSINESSES AGAINST CYBER/COMPUTER CRIME

The business community like the media should have celebrated the withdrawal of The Kenya Communications (Amendment) Bill, 2007 by Minister Mutahi Kagwe. The Minister cited the need to introduce clauses to deal with cyber crime and protect the optical fibre cable as the reason for the withdrawal.

Most businesses and financial institutions in Kenya have now embraced Information and Communications Technology (ICT) and are highly dependent on computers for operations and accounting. For older enterprises, it is impossible to envision a business process re-engineering that does not engross the automation of core business processes. Automation is intended to give businesses a competitive edge in their industry but this is not always the case. High dependency on ICT comes with the attendant risks of electronic fraud, pilfering of data and computer components which can sometimes bring an entire enterprise to it knees. This has forced major commercial entities to invest in expensive physical security systems and software to prevent corporeal intrusion into their premises and protect sensitive data from theft and possible manipulation by competitors and external hackers. In spite of these efforts businesses and the general public have not been spared of electronic fraud. The media has reported numerous cases of computer crime involving credit card fraud, false lottery offers, pyramid and multi-level marketing investment schemes.

Kenya does not have an elaborate legal framework to protect businesses against electronic fraud and theft of computer data. Digital evidence is a 20th century phenomena and many laws in our statute books which were adopted in 1897 do not take cognisance of its existence. Past attempts to make digital evidence an integral part of our law of evidence have been haphazard. In 2000 parliament amended the Evidence Act Cap 80 to provide for the admissibility of digital evidence in court. The Interpretation and General Provisions Act, Cap 2 was not amended and still requires the production of a physical document for purposes of adducing evidence in court. This means that the production of information and evidence generated, sent or stored in magnetic, optical or computer memory is still contentious. Computer evidence only received passing mention in the Narcotic Drugs and Psychotropic Substances Control and the Anti-Corruption and Economic Crimes Acts. The Central Depositories Act, 2000, and the Government Financial Management Act, 2004, criminalise and provide stiff penalties for manipulation of electronic data. The Capital Markets Authority (CMA) which employs a computer system to centrally handle commercial securities was given wide power to enter, seize, search, inspect and operate suspect computer systems. This was intended to protect investors and preserve the integrity of data maintained in the computer systems at the Nairobi Stock Exchange and to curb larceny of public revenue through computer systems. The Criminal Procedure Code and the Evidence Act do not have corresponding provisions to enable Kenya Police carry out proper investigations in cases involving electronic fraud.

As technology becomes more complex and more Kenyans join the national grid, commercial entities could become wholly dependent on ICT for operations and this will witness a sharp rise in computer crime. The police and other law enforcement agencies will require computer forensic techniques and methodologies to conduct computing investigations and analyze information contained in and created by computer systems and computing devices so as to determine when, how and who committed the computer crime.

To protect businesses against computer fraud, Kenya urgently needs a law to provide a framework of standards, quality principles and approaches for the detection, preservation, recovery, examination and use of digital evidence for forensic purposes. The law should regulate training and certification to encourage more consistent investigative methodologies and hence the production of more comparable results, so as to make computer forensics an integral part of our law of evidence.

2 comments:

Anonymous said...

This idea is long overdue. I don't know where to start with such an idea in Kenya. I was in Nairobi early this year and talked to a number of IT firms that are starting to get mainstream. I had a big problem explaining the need for basic Cyber security. What Kenyans consider IT is having sophisticated mobile phones and laptops that have Wireless access. The bottom line is that you must have security in place before you can implement any of these technologies. Kenyans don't even know that mobile phones with Bluetooth can be easily hacked into and information stolen. For such ideas to be successful, we will need to educate people on the importance of Cyber security..

Anonymous said...

This idea is long overdue. I don't know where to start with such an idea in Kenya. I was in Nairobi early this year and talked to a number of IT firms that are starting to get mainstream. I had a big problem explaining the need for basic Cyber security. What Kenyans consider IT is having sophisticated mobile phones and laptops that have Wireless access. The bottom line is that you must have security in place before you can implement any of these technologies. Kenyans don't even know that mobile phones with Bluetooth can be easily hacked into and information stolen. For such ideas to be successful, we will need to educate people on the importance of Cyber security..