Mutheu Khimulu’s LinkedIn page has a striking beginning despite being rather humble. It says that she is a “self-employed Legal Specialist in Cybersecurity, Counter-Terrorism & Crisis Management Law.” At CIO Africa, Mutheu is better known as a genius, her brilliant mind illuminating complex dialogue in our summits.
Cybersecurity may sound technical, but in essence, it is about people, and Mutheu is one of its top practitioners on the continent. She may not code, but she will always give advice on ethical coding. The paradox of life. “People you closely associate with reflect who they are as a person. Your close circle of friends should have people who build and encourage you and not those who tear you down unnecessarily,” Mutheu begins.
The lawyer and former sole advocate of the Banks Supervision Department of the Central Bank of Kenya has her share of notable achievements including creating enabling legislation for building societies to convert into banks, which in turn led to the creation of today’s Family Bank, and Kenya’s biggest bank, Equity. “I played a pivotal role in the creation of Kenya’s Anti-Money Laundering legislation when I created the National Task Force on Anti Money Laundering (NTF), a multisector task force.” She co-chaired the legal subcommittee. The NTF created the current policies against crime and anti-money laundering legislation, which in turn created the Asset Recovery Agency and the Financial Reporting Centre.
The security fascination
“I have always been fascinated by technology and technological innovations although there is a misplaced stereotype that women are not tech-savvy,” says Mutheu. “I have never been one to walk the path most travelled by the majority and I thrive when faced with challenges that require one to think outside the box.”
Two years ago, Mutheu felt her career had reached a point of minimal challenge and reflected on her next chapter. After attaining her undergraduate law degree from the University of Reading, UK, she was accepted for an LL.M programme at both University of London and the University of York. Unfortunately, she did not complete the LLM’s. That, she did 16 years later, 23 years after her LL.B. Her LL.M was in the field of Cybersecurity, Counter-Terrorism, and Crisis Management. Mutheu earned the Dean’s Award for Excellence from the cybersecurity hub of the US following her studies at the University of Maryland Francis King Carey School of Law with a 3.77 GPA.
“While in the US, I had the opportunity to attend Maryland Senate Cybersecurity meetings and was honoured to be invited to attend the US Cyber Command at Andrews Joint Air Base,” she tells me in passing. “I am now one of the few formally trained cybersecurity lawyers currently on the global stage.” See? We told you she was impressive. Mutheu loves being at the forefront of developing this new complex and crucial area in the law. She considers it a rare privilege to be part of that inner circle creating the foundations for a new area of law and more so, one that is the future of digital transformation.
Cyberspace, The New Frontier
The biggest challenge she has had to deal with in her career is the newness of cybersecurity law. There are misconceptions about what the role of a cybersecurity lawyer is. “Many assume I am a techie from a technological perspective. While I am a techie, however, I am one from a legal perspective. To put it simply, I can’t write code, but I can tell you why the code you write is either illegal or legal!”
Cyberspace, the new frontier, cannot go unregulated. That would be a recipe for disaster. While a lot of good is done by the ease of online facilities and communications, malicious actors also surf the web with the intent to cause havoc. From the more commonly known hacking operations where cybercriminals steal money and intellectual property rights to cyberwarfare where raging battles are not fought by the trained military on battlefields but rather, anyone with access to a keyboard; the internet can trigger a war and fund terrorism.
“As such, you can see that cyberspace is a completely new realm that needs to be adequately regulated. This is where the role of cybersecurity lawyers comes to play,” she adds. “We have, and are developing laws and policies to better regulate this new realm where conventional laws cannot apply.”
Attribution in cyberspace?
For example, if someone steals a car there is a high probability that the owner of said car can trace it and attribute the crime to the thief. In cyberspace, attribution is the bane of whitecoat cyber professionals. Attribution is hard to prove, as the cybercriminal could be located anywhere in the world. With the proliferation of cryptocurrencies, attribution is an even bigger challenge. “Attribution is slowly becoming viable albeit still rare,” she notes. “Tackling cyber warfare while we have rules for conventional warfare means there are no rules for cyberwarfare. Norms need to be developed. This is a slow process as no nation-state is willing to reveal its true cyber capabilities for national security interests.” Cyber lawyers still need to find ways, be they laws, norms, or policies, to ensure adequate cyberspace regulation. It is a thrilling area as cyberspace evolves rapidly. Laws need to be stabilising but not static, and simultaneously, outside the box to resolve everyday issues. “This is why my LL.M brings valuable qualifications in our current world as they all intertwine and are crucial.”
So, what’s is on Mutheu’s plate?
Presently, she runs her own legal consultancy after venturing out of employment. She finds it particularly exciting. “I may well be the only formally trained cybersecurity lawyer in Eastern and Central Africa. There are a lot of opportunities as my skills enable me to work with the ICT sector, banking and financial sectors, insurance sector, SACCOs, manufacturing, UN agencies, and even intelligence agencies.”
Mutheu has the ability to customise training programmes for organisation’s staff and boards, gifting them with a better understanding of cyber-related issues. The Kenyan Data Privacy legislation, for instance, has been operationalised with the appointment of the first Data Commissioner in 2020. The legislation has far-reaching implications when it comes to violation, which can adversely affect the bottom line thanks to hefty penalties prescribed as well as dent corporate goodwill, not to mention jail time for violators. “As a nation, we have for far too long taken a lax attitude to data privacy and protection. Staff and boards need to be trained on what precautions or actions to take to prevent them from being held in violation.”
Inevitably, Mutheu makes guest speaker appearances across forums virtually and in person, locally and internationally, over matters cybersecurity and its policy development. She consults with the government and regional bodies over the development of policy and law to protect and secure national and regional interests in cyberspace.
“It is an exciting field of work, but it requires one to keep abreast with cybersecurity developments which in turn needs commitment, dedication, and long hours reading or listening to reports or podcasts. The field is forever evolving and as a cyber lawyer, one needs to keep abreast with the new developments to be adequately equipped to develop policies, laws, and regulations for cyberspace.”
Turning the impossible into ‘I’m Possible’
Though still the minority in the tech space, women lag behind due to preconceived misconceptions about cybersecurity. Mutheu strongly believes this narrative will be changed as more young girls see more women take center stage. It also helps that they are encouraged from a young age to embrace technology. “As ease of access to the internet becomes more accessible to people from all lifestyles, I am hopeful in another decade or less, this will no longer be an issue.”
Hers has been an easy landing with the women she’s had the privilege of mentoring in the local tech space. She tells me they have been very welcoming, and have fostered a great working relationship. HerNovation, she says, is a fine example of such amazing initiatives that help women in tech to enhance their soft skills, imperative to career building. “To be a successful leader irrespective of gender, one needs to respect their employees and build an atmosphere of trust with both employees and clients,” she says. “Authenticity and empathy are great traits to practice with one’s team as well as the humility – to admit when you are wrong.” She encourages women leaders to ensure that they are surrounded by a team that has a deep thirst for knowledge, especially if in the field of cybersecurity. And, she points out, they need to create some time for fun with their team.
“What seems impossible will become ‘I’m possible’ if you believe, work hard, and never give up. You are worth it so believe and achieve it,” she signs off.