Thought Leadership Articles

A National Cybersecurity Agency: A Strategic Imperative for Kenya's Digital Future—Not a Digital Spymaster

By Bonface Asiligwa, President, ISACA Kenya Chapter

Kenya stands at a defining moment in its digital transformation journey. As our economy becomes increasingly dependent on digital infrastructure from financial services and e-commerce to healthcare, energy, education, and government services our national cybersecurity capability must evolve accordingly.

The discussion surrounding the establishment or strengthening of a National Cybersecurity Agency should therefore be viewed through the lens of national resilience, economic security, and digital trust, rather than through the narrow narrative of creating a "digital spymaster."

Unfortunately, cybersecurity institutions are often misunderstood. There is a tendency to equate cybersecurity with surveillance or intelligence gathering. While national security agencies perform intelligence functions under established legal mandates, a National Cybersecurity Agency serves an entirely different purpose.

Its primary role is to protect, not to spy.

Cybersecurity is National Infrastructure Protection

Every modern economy depends on secure digital infrastructure. Kenya's payment systems, digital identity platforms, Transport infrastructure (Ports), power grids, hospitals, telecommunications networks, and public services all rely on interconnected information systems. Cyber-attacks no longer target only governments. Increasingly, they target businesses, banks, universities, hospitals, critical infrastructure operators, and even ordinary citizens. Ransomware attacks, supply chain compromises, phishing campaigns, identity theft, AI-enabled fraud, and attacks against critical infrastructure have become global realities. Without a nationally coordinated capability, these threats remain fragmented and difficult to manage. A National Cybersecurity Agency provides that coordination.

A Coordinator, Not an Operator

The agency's strategic value lies in coordinating the national cybersecurity ecosystem. It should bring together:

  • Government Ministries, Departments and Agencies
  • Critical Information Infrastructure operators
  • Financial institutions
  • Telecommunications providers
  • Internet Service Providers
  • Academia
  • Professional bodies
  • Development partners
  • Law enforcement agencies
  • Private sector organizations

Cybersecurity is a shared responsibility. No single institution can defend the country's digital ecosystem alone.

Protecting Kenya's Digital Economy

Kenya has positioned itself as one of Africa's leading digital economies. Our ambitions around:

  • Digital Government
  • Digital Financial Services
  • Artificial Intelligence
  • Digital Trade
  • Smart Cities
  • Cloud Computing
  • E-Commerce
  • Innovation Hubs

all depend on one critical ingredient: Trust.

  • Investors invest where digital infrastructure is secure.
  • Businesses digitize where cyber risks are manageable.
  • Citizens adopt digital services where their information is protected.

Cybersecurity therefore becomes an economic enabler—not merely an ICT issue.

Learning from Global Best Practice

Many leading digital economies have established dedicated national cybersecurity institutions. Countries such as the United Kingdom, Singapore, Australia, Canada, the United States and Estonia have recognized that cybersecurity requires specialized institutions responsible for:

  • National cyber resilience
  • Threat intelligence coordination
  • Incident response coordination
  • Critical infrastructure protection
  • Cybersecurity standards
  • National cyber exercises
  • Skills development
  • Public awareness
  • International cooperation

These agencies generally do not function as intelligence organizations. Rather, they strengthen national preparedness, resilience, and coordination while operating within clearly defined legal and institutional frameworks.

Governance Matters

Public concern about privacy and surveillance should not be dismissed. It is both legitimate and healthy in a democratic society. The answer, however, is not to avoid building cybersecurity capability. The answer is to build it with strong governance.

A National Cybersecurity Agency should operate under:

  • Clear legislation defining its mandate
  • Parliamentary oversight
  • Independent audit and accountability mechanisms
  • Compliance with the Constitution of Kenya
  • Adherence to the Data Protection Act
  • Respect for human rights and civil liberties
  • Transparent governance structures
  • Clearly defined institutional roles to avoid overlap with intelligence and law enforcement agencies

Good cybersecurity governance is founded on accountability, proportionality, transparency, and respect for fundamental rights.

Supporting National Cyber Resilience

The agency should focus on strengthening Kenya's cyber resilience through:

  • National Cyber Incident Response coordination
  • Critical Information Infrastructure protection
  • Cyber threat intelligence sharing
  • National Cyber Risk management
  • Digital risk monitoring
  • Cybersecurity policy implementation
  • Workforce development
  • Capacity building
  • Public awareness campaigns
  • International cooperation

These functions help reduce national cyber risk while improving the country's readiness to prevent, respond to, and recover from cyber incidents.

Building Public Trust

Trust is the cornerstone of any successful cybersecurity institution. That trust is earned through openness, accountability, professional competence, and consistent respect for the rule of law.

The public should view a National Cybersecurity Agency as a trusted partner that protects citizens, businesses, and national infrastructure—not as an institution that monitors lawful digital activity.

Achieving this requires regular public reporting, engagement with industry and civil society, and robust oversight mechanisms.

The Way Forward

Kenya's digital ambitions cannot be achieved without a secure and resilient cyberspace. Establishing or strengthening a National Cybersecurity Agency is therefore not about expanding state surveillance; it is about protecting the digital foundations upon which our economy, public services, and national prosperity increasingly depend.

As President of the ISACA Kenya Chapter, I believe that cybersecurity is fundamentally about building trust in the digital economy. A well-governed National Cybersecurity Agency can become a strategic national asset—one that safeguards critical infrastructure, supports innovation, strengthens cyber resilience, and enhances Kenya's competitiveness in the global digital economy.

The debate should not be whether Kenya needs a National Cybersecurity Agency. The real debate should be how to establish one that is effective, accountable, transparent, and firmly anchored in the Constitution, the rule of law, and internationally recognized principles of good cybersecurity governance.