Kenya reports cyber attacks causing government system outages

NAIROBI — Cyber attackers targeted a digital platform used by Kenya’s government to deliver services, the country’s technology minister said, highlighting the vulnerabilities of the system.

The attack on the e-Citizen platform in recent days caused system outages that left users unable to access a broad range of government services, ranging from passport applications to electricity payments. Some private companies were also affected.

It was “an unsuccessful attempt to overload the system through extraordinary requests, with the intention of clogging it,” said Eliud Owalo, cabinet secretary for information technology, in a statement on Thursday. He said technical teams had blocked the source of the requests, adding that privacy and the security of data had not been compromised.

Kenyans reported challenges accessing several services, including purchasing prepaid tokens from the Kenya Power company through M-Pesa mobile money services. Kenya Power confirmed late on Thursday that the “system hitch” had been resolved. The foreign affairs ministry sent out a statement indicating that the attack had impacted the processing of e-visas. It said travelers would be issued with a visa on arrival at all entry points to Kenya.
A group referring to itself as Anonymous Sudan on a Telegram channel with more than 110,000 members on Thursday claimed responsibility for the attacks. It said the attack was in protest at Kenya’s alleged role in Sudan’s ongoing conflict.

The group issued two conditions to prevent further attacks; an official Kenyan government apology to Sudan or a ransom of $200,000 worth of bitcoin. The government has not responded to the demands.

Owalo, in a radio interview earlier in the day, said his ministry would “build an elaborate risk mitigation framework” to prevent future attacks.

The Kenyan government has focused on digitizing its services for citizens over the last decade, since the launch of the Huduma Kenya Service Delivery Programme by former President Uhuru Kenyatta in 2013. The aim of the program was to integrate and devolve government services including access to identification and birth certificates, immigration services and business licensing.

Government data now shows millions of Kenyans continue to access the services through the e-government platform to date, one of the more successful implementations on the continent. This is why these cyber attacks have been especially notable and impactful.

President William Ruto last month launched Gava Express, a program intended to make it even easier to access government services, particularly for those using feature phones. He said the aim was to enhance service delivery, increase revenue collection, promote transparency, and eliminate corruption.

However, with the recent attacks across several government ministries and private agencies causing simultaneous outages, this raises questions about the capacity of Kenya’s cyber infrastructure to protect citizens’ data and withstand malicious attacks.

A report by global cybersecurity firm Trend Micro estimated that Kenya lost $36 million to cyber criminals in 2022 alone, after attacks on banks and other agencies. While this may not be entirely a unique phenomenon to Kenya, the reality is that sustained cyber attacks would be detrimental to economic progress and political stability. The government has a duty to provide access to its services and ensure that data is stored securely.