Kenya's digital landscape is facing an unprecedented wave of cyberattacks, with the Communications Authority of Kenya (CA) reporting a staggering 2.54 billion cyber threat incidents between January and March 2025. This represents a 201.7% increase from the previous quarter (October to December 2024), underscoring the escalating risks to the nation's digital economy. The rise is largely attributed to cybercriminals increasingly deploying Artificial Intelligence (AI) and machine learning (ML) tools to automate and refine their attacks, making them more sophisticated and challenging to detect.

Escalating Threat Landscape

The latest data from the National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC), domiciled at the CA, indicates that system vulnerabilities accounted for the bulk of the detected threats, rising by 228.3% to over 2.47 billion cases in Q1 2025. These vulnerabilities, often stemming from outdated software, weak encryption, and misconfigured networks, remain prime targets for malicious actors. Internet Service Providers (ISPs) and cloud service providers were among the most targeted, with attackers focusing on end-user devices, IoT devices, web applications, and government systems.

While overall cyber threats have surged, some traditional attack methods saw a decline in Q1 2025. Distributed Denial of Service (DDoS) attacks decreased by 76%, mobile application attacks by 51%, malware infections by 28%, and brute-force login attempts by 3%. However, web application threats showed an upward trend, rising by 11.8% to 5.08 million cases, indicating growing risks to online platforms and services.

AI: A Double-Edged Sword

The increasing sophistication of cybercriminal networks is a significant factor in the surge. The World Economic Forum (WEF) notes that AI tools are accelerating the speed and complexity of cyberattacks, reducing the average time to execute an attack from 60 days in 2019 to under four days today. Cybercriminals are leveraging AI-powered language models to write malicious code and develop new strains of malware and ransomware, enabling even less experienced hackers to carry out sophisticated attacks.

Despite the amplified threats, AI also presents opportunities for strengthening data protection. AI algorithms can detect unusual patterns of data access, allowing for quicker identification and response to breaches. In sectors like banking, AI systems are already monitoring transactions in real-time to identify fraudulent activity. AI-driven tools can also enhance public awareness by educating consumers about their digital rights and how to protect personal data.

Legal and Policy Frameworks

Kenya has established a robust legal and policy framework to combat cybercrime. The Computer Misuse and Cybercrimes Act No. 5 of 2018 provides a comprehensive legal framework for addressing various cybersecurity concerns, imposing significant penalties for offenses such as hacking, cyberespionage, and data breaches. The Act mandates service providers to cooperate with law enforcement and report suspicious activities.

Complementing this, the Government of Kenya launched the National Cybersecurity Strategy 2022–2027 on Thursday, August 5, 2022, as a roadmap to address emerging threats. The strategy is anchored on six pillars, including strengthening governance structures, policy, legal and regulatory frameworks, protecting critical information infrastructure, cultivating a skilled cybersecurity workforce, minimizing incidents, and fostering cooperation.

Stakeholder Response and Challenges

In response to the escalating threats, the National KE-CIRT/CC issued 13.23 million cyber advisories between January and March 2025, a 14.2% increase from the previous quarter. These advisories urged heightened vigilance and the adoption of protective measures, including implementing organizational access controls, hardening antivirus software and firewalls, regularly patching vulnerable systems, and utilizing multi-factor authentication and strong passwords.

However, challenges persist, including inadequate system patching, limited user awareness of threat vectors like phishing, and the rapid proliferation of insecure Internet of Things (IoT) devices. Kenya lost an estimated $83 million (approximately KES 12.5 billion) to cybercrime in 2023, ranking second in Africa after Nigeria. The hidden costs, including business interruptions, recovery expenses, and erosion of consumer trust, are likely much higher.

What to Watch

The ongoing battle against cybercrime in Kenya will require continuous adaptation and collaboration. Stakeholders should closely monitor the implementation of the National Cybersecurity Strategy 2022–2027 and the effectiveness of the Computer Misuse and Cybercrimes Act. The development of a skilled cybersecurity workforce and enhanced public awareness campaigns will be crucial in mitigating future risks. The integration of AI into defensive cybersecurity measures will also be a key area to watch as the threat landscape continues to evolve.