In the last two weeks, a group calling itself Anonymous Kenya has terrorized government folks by hacking social media accounts belonging to Kenya Defence Forces, their spokesperson and the deputy president.
The response from government folks was just laughable. Just watch this KTN interview with Evans Kahuthu, the guy tasked with Information Security at the ICT Authority. It was the week that the accounts were hacked, exposing the governments behinds and this guy dances on the fence with jibber jabber….. he didn’t say anything and the presenters/interviewers….well, that warrants a post on its own. I spoke to Evans later and he explained his challenges, off the record, but still, as an info sec rep in a government, this guy should have more teeth. Who should give him the teeth? Read on…
A lot has been said in the media and a lot of that is available online. But beyond all that, I thought it was better to look at the root causes, other than the symptoms.
When you talk to many folks in the ICT industry, a common theme that is emerging is the fragmentation of government ICT functions; yes the ICT Authority is supposed to be the more consolidated arm, but does it have all the powers? Listen to Evans and you will get it.
1. ICT Authority
When e-gov, GITs and the ICT Board merged to form the ICTA, the idea was that all govt functions would be consolidated into one major body that can now advise government and the county ICT reps on the technology directions. Now, I could go on and on but one key thing was that when the hackings happened, even the guys at ICTA weren’t aware of the passwords or who operates what.
It was clear that there was no audit or a centralised doc that can tell you the ICT hardware (servers, laptops etc), Software – think of all money paid to Oracle by government, and the attendant passwords. So when you say, why were we not Secure? Govt folks might ask, didn’t we invest in new locks?
2. Itumbi and his team
There is something about a duel between young and old people. The old guard thinks experience trumps technology, the young think the dinosaurs are hogging power and do not know what they are talking about. Itumbi and his digital team, are in charge or operate the social media accounts. They know their stuff and no one will tell them anything.
I asked whether the ICTA and team Itumbi have ever sat in a room together and I couldn’t get straight answers, so I assumed the answer was no.
So, the ICTA is in charge of ICT direction in this country but do they give advise or direction to team Itumbi? Whether they like it or not, its government security and it matters.
I am not sure what security precaution team Itumbi takes but clearly, more synergy is needed at least not to have the Deputy President’s personal number exposed. There is no big deal but probably some people will add him to their Whatsapp group on neighbourhood security or something.
3. The Communications Authority
Now, the CAK is the big boy. You know the guy or girl in your school who would threaten or take your piece of bread in high school, yet they have theirs? Well, CAK insist that it can handle all matters tech in the country, even when its clear that that they should handle only policy stuff.
The CAK has been in a tug of war with ICTA to own the Cyber security master plan and the numerous master plans and road maps that this government has specialised in. It has been clear that they can’t handle. Why?
Picture this; in May 2012, a group that maybe the now anonymous Kenya set up KE-CIRT twitter account, which has the ca.go.ke as their contact and has been tweeting on tech matters. After the hacks, the account was used to spew disparaging remarks and push the buttons of Anonymous group.
Do you think a government body would be spoiling for a fight with anonymous given the situation?
When I asked the folks at CAK, they said that thats not them bla bla but you are the custodian of KE-CIRT, how would you not know of an account operating in your name, now masquerading as the government body? From 2012? There has been no attempt to at least lock your accounts to avoid squatting?
You can imagine the commotion and phone calls as people tried to find out who was KE-CIRT and others saying how they are helpless and can only depend on Twitter Inc to help.
It is clear that something needs to happen, I don’t have all the answers but something needs to happen now..
🙂 and the crowd say…….. we have heard that before!