
Hi,

On Thu, Mar 21, 2013 at 10:56 AM, Evans Ikua <ikua.evans@gmail.com> wrote:
Brian, you are right on your observations. But one thing that I disagree with you is the bit regarding human resource capacity. This is what you have said: "*Human Resource Issues:* Several times in their presentations the Koreans complained that they had observed a critical lack of human resources. They emphasized that they were not referring to *skilled* human resources but simply to *enough people* for the project requirements. Shock of shocks! With the incredible numbers of well educated Kenyans who are unemployed or underemployed?"
Unfortunately they are right and I agree with them. One of the biggest problems we have in Kenya is the lack of adequate advanced skills in IT.
I beg to differ; we don't lack the skills. Pick any random field and you will find suitably qualified engineers. Just off the top of my head, I am at most one person away from

- Someone in charge of HSMs (PKI private key stores) critical to a significant chunk of Internet related security.
- Someone coding high frequency trade systems.
- Someone writing firmware for a large hard disk manufacturer.
- Someone working on interesting tech in a US national lab
- Microbiology....
This should be pretty obvious even in this case as we have to now depend on Koreans to implement PKI for us, as sensitive as this project is.
As with almost everything else, we seem to prefer giving contracts based on kickbacks. Not on technical merit. Dig hard enough and you will inevitably find that either someone is profiteering or the project is a donation (by a government mandating that you use technology developed by its citizens == subsidies for the said company).
Implementing PKI is not a walk in the park, and am sure the number of professionals who can do this in Kenya may be in the handfuls, not in the thousands.
True, but it's not black magic. I can tell you first hand that it's more about process, audits and understanding what you are doing.
I stand to be corrected. What we have in Kenya is thousands of youth who have basic IT skills, and a small group who have managed to get the advanced skills that matter.

Yup, through some fault of..... drumroll..... us. If you really want, *you* can advance your skills to whatever level you want. *You* can commit code to gnu hurd, Freebsd, debian... *You* can sign up for moocs to up your game. *You* have all the resources *you* need to start several million dollar startups:

- My smartphone is now more powerful than my souped-up computer that I used in University.
- My smartphone has in ~ 2 years sent & received far more traffic than I did in my university years.
- Learning resources are abundant; github, google code for source code, arxiv for research papers, stack overflow when you get stuck, udacity, ocw, coursera for the theory ...
- Utility computing (EC2 and friends) for your playground. It's entirely possible to fire up 100s of servers to test your distributed computing idea and shut them down in less time than it takes me to draft this email, all for probably less than 50 USD.

So the point is, we ought to be avaricious when it comes to knowledge and technology. Don't just absorb what your lecturer/colleague/news blog is saying, research it, understand it.

The talent is there, but it needs to be developed and equipped with the very advanced skills that make a difference.
There are several initiatives that are being undertaken to get more kids into STEM. See Eriks H email from a few days back. SA is pulling ahead with initiatives such as these: http://www.siliconcape.com/profiles/blogs/umonya-and-python-training-to-high...
Please also connect this with our BPO initiatives. What the Koreans are doing here is making money by outsourcing their knowledge to us.
Probably true.
So how did they get there? 5 years ago Korea used to make nearly twice our current annual budget just from Software services. I wonder how much they make now. Their Government implemented a strategy that offers advanced software development skills to its youth, ensuring that they have the capacity to compete on the global scale.
My take is that we are collectively underskilled when it comes to advanced IT skills.
On average, standard deviation will probably show that there's a long tail. You can probably find any skill set given that you are willing to give reasonable incentives.
Evans
On Wed, Mar 20, 2013 at 8:33 PM, John Maina <mwasjunior@gmail.com> wrote:
I agree with Brian there is a potential conflict of interest if CCK plays multiple roles in the ecosystem.
Can someone clarify why we have two CAs in the system? I see the point of having all players involved in intra-government transactions authenticated by the same CA but at the very least shouldn’t the same CA authenticate citizens, how else do we go down the path of having secure national ID cards (think Chip based) or administer secure e-passports if the citizens are verified by a different CA from what the govt uses?
I could be simplifying this but I think the same entity that authenticates government institutions should authenticate citizens and corporations to facilitate transactions between these three entities.
On Wed, Mar 20, 2013 at 12:23 PM, Brian Munyao Longwe <blongwe@gmail.com> wrote:
Any comments from the skunks?
---------- Forwarded message ---------- From: Brian Munyao Longwe <blongwe@gmail.com> Date: Wed, Mar 20, 2013 at 6:06 PM Subject: Kenya’s PKI Destined for Failure? To: KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke>
Disclaimer: All the opinions expressed herein are my own.
Kenya’s PKI Destined for Failure?
March 20, 2013
Today I had the opportunity to attend a seminar organized by the Ministry of Information & Communications and Samsung SDS as part of the implementation of Kenya’s National Public Key Infrastructure (NPKI). The project is undertaken within the framework of the Kenya Transparency & Communications Infrastructure Project (KTCIP), a World Bank funded initiative that will help Kenya achieve a number of the goals under the ICT pillar of Vision 2030.
The presentations from the team from Korea consisted of representatives of Samsung SDS (who won the International tender for Kenya’s NPKI implementation) as well as representatives from some of the key actors in Korea’s own NPKI. The Korean presentations were interesting, informative and very well prepared. Over the period of a few hours they were able to take the relatively complex subject of National Public Key Infrastructure and unpack it in a way that was both easy to understand as well as clear and straightforward. They left no shadow of doubt as to whether Samsung SDS can successfully implement this project. They also shared the organizational structure for the project, which is as follows:
[image: CAM00454]<http://140friday.com/wp-content/uploads/2013/03/CAM00454.jpg>
During the course of their presentations the team from Korea shared the high level plan for the implementation of Kenya’s SDS. They made it clear that they had spent a good deal of time working closely with Government officials responsible from the Kenyan side.
In describing the structure and hierarchy that has proven successful in Korea for the implementation and operation of their NPKI, the team shared the following diagram.
[image: CAM00455]<http://140friday.com/wp-content/uploads/2013/03/CAM00455.jpg>
At the very top, there is the Ministry responsible for the NPKI, which provides the legal and regulatory framework, national authentication plan and other high level functions. Below them is the “Root Certification Authority”, an organization known as the Korea Internet Security Agency (KISA), which provides operation of the National Authentication system, licensing/accreditation of certificate authorities (CA) to provide service to the public as well as development of technical standards. Below them are the accredited CAs, of which Korea has 5, who provide certificate issuance and management services to the public.
In a presentation which came later, the Korean team shared the proposed structure for the Kenyan implementation which had been arrived at after consultations with Government. The diagram is as follows.
[image: CAM00457]<http://140friday.com/wp-content/uploads/2013/03/CAM00457.jpg>
In this structure, Government who will be responsible for legal and regulatory framework, national authentication plan, other high level functions as well as licensing and auditing are to be represented by the Communications Commission of Kenya (CCK). Below them and responsible for operation of the Root Certification Authority is CCK. Below that are a proposed “Government CA” which will issue certificates for Government agencies and employees and a proposed “Private Sector CA” which will issue certificates to the rest of the country.
I have a big problem with this structure. First and foremost because CCK is being proposed as BOTH the licensing authority as well as the licensed operator of the Root Certification Authority. The potential for conflict of interest is immediately evident, not to mention the fact that the end-to-end integrity of a structure that ensures top-down accountability is rendered completely void. Even worse were the mumbled suggestions by some of the government participants at the seminar that CCK might also act as the Government CA. In addition there is the fact that a project as crucial as this has not gone through a proper stakeholder consultative process and is seemingly being shoved down our throats. In his closing remarks a director at the E-Government directorate asked the ICT Board to engage stakeholders further and receive input before moving too far.
I raised this point as a question during the Q & A session at the end of the seminar and would like to emphasise that it would be *very wrong* for CCK to be the Root Certification Authority for a number of reasons:
1. *Conflict of Interest:* As per the proposed structure the representative of Government, CCK needs to serve as the top level entity that handles the legal and regulatory framework and the national authentication plan. Adding a subsidiary role would not only compromise their integrity but would also expose them to all manner of challenges with regards to operation of an infrastructure that is supposed to be based on trust.
2. *Procurement Issues:* In sharing to a certain level of detail the complexity of the Root Authority setup, it became evident that there would be a continuous need for procurement of various goods and services. As a government agency, CCK is subject to public procurement regulations; this means that even very basic, small and simple items could take months if not years to procure. The problems with our public procurement are well known. Subjecting the Root Authority to this kind of environment is in itself a major risk for successful implementation and operation.
3. *Human Resource Issues:* Several times in their presentations the Koreans complained that they had observed a critical lack of human resources. They emphasized that they were not referring to *skilled* human resources but simply to *enough people* for the project requirements. Shock of shocks! With the incredible numbers of well educated Kenyans who are unemployed or underemployed? They could obviously have only been referring to what they had seen as far as the people available for the project from the Ministry and CCK. It is no secret that CCK has extremely limited human resources in their ICT division and those few are overworked, stretched beyond measure and juggling multiple roles. Isn’t adding additional responsibilities into this mix a formula for disaster?
4. *Inertia*: CCK has proven to be very poor at the timely execution of functions that fall outside their core mandate of licensing, regulation and resource management. A perfect example is the implementation of the Universal Service Fund, which CCK insisted on handling as an inhouse function instead of facilitating the setup of a dedicated entity to handle the task. It has been over 6 years since regulation and legislation regarding the USF came into place and there is still nothing to speak of. I will reserve this as a subject for another day (it is a long and detailed one!)
*Recommendations*
The Government should immediately consider adopting a *Public Private Partnership* approach for the implementation of Kenya’s NPKI. This is especially timely because we now have a fully ratified Public Private Partnership Policy that provides a variety of models for project implementation. This will not only ensure involvement from crucial stakeholders but also free the Root Authority from the problems highlighted above (and probably many others) while at the same time ensuring that enough private sector energy and enthusiasm is infused into the project so that it moves with speed and determination. Success stories such as KENIC and TEAMS show that it is not only possible but that it can be done with ease.
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- *---------------------------------------------------- Kind Regards, Evans Ikua,* lanetconsulting.com, lpi-eastafrica.org, ict-innovation.fossfa.net, Skype: @ikuae Cell: +254-722-955831