A hacker group calling itself "Anonymous Kenya" has poked holes at the government's cybersecurity preparedness by hacking two official Twitter accounts.
The accounts of The Kenya Defence Forces (KDF) and KDF Spokesman Major Emmanuel Chirchir were hacked on Monday and the users were only able to regain access to them yesterday evening, through the intervention of Twitter. Before Twitter intervened the users of the accounts couldn't log in or reset passwords.
Kenya has been involved in the war in Somalia, mainly targeting terrorists and pirates, and updates of the Somalia incursion have been coming through @kdfinfo and @majorEchirchir.
"So much poverty in Africa while you are wasting money in guns," was one of the tweets sent out on the @kdfinfo account following the breach. The hacked @MajorEChirchir account was used to tweet President Uhuru Kenyatta, "Hey @UKenyatta give me the weed!"
This is the second time the government has been embarrassed by a hack. The first time was two years ago when 128 government websites were hacked by an Indonesian hacker. After the incident the government promised to put in tighter controls.
To show that it was taking information security seriously, the government consolidated all agencies handling ICT under the current, central ICT Authority, which was then charged with handling all government ICT related matters. A government ICT security master plan was also supposed to guard against hacking incidents.
"Policies exist on paper but whether they are enforced or not is an entire debate altogether," said Tyrus Kamau, an independent security consultant. "Now we have a National Cyber Security Strategy and master plan from which all government IT security policies will be derived and it's just a question of prioritizing the implementation of the master plan and having the right people in the right place doing the right things,"
The Twitter hack exposed the need for the government to train personnel on security preparedness, including basic issues like passwords, and how to use social media. To that end, the government should take on the C4ISR (Command Control Computers Communications Intelligence Surveillance Reconnaissance) methodology used for cyber defense by the U.S., said John Gichuki, a security consultant involved in public and private sector security tests.
On its part, the ICT Authority said that it was enforcing new security measures and would release an update once all the processes were in place.