IEBC CEO Ezra Chiloba addresses the press at the national tally centre at the Bomas of Kenya, Nairobi, on August 9, 2017. PHOTO | AFP

Kenyans have been doubly intrigued by the activities of lawyers and information technology sleuths at the Supreme Court, pitting the election front runners H.E. Uhuru Kenyatta and Hon. Raila Odinga, with a host of others enjoined, looking to prove electoral malpractice. Aside from the verbosity exhibited by the learned friends, one of the core arguments for the posited malpractice was the alleged infiltration of production servers belonging to the Independent Electoral and Boundaries Commission. One side argued for robust, fortified and impenetrable infrastructure, while the other argued for a compromised system with possible back-doors that could have allowed for manipulation, calling for root access to enable the audit of the proverbial logs and other such digital footprints as may have been left by any digital persona, authorized or not.
With the Supreme Court decision having been made directing that fresh presidential elections be held within 60 days, let us take a moment to think about protecting the systems at play.
In the world of cybersecurity, a concern that revolves around securing digital assets and infrastructure, the same skillset can be used for both bad and good, with the resulting nomenclature you may have heard floated around: blackhat and whitehat. Simply put, a blackhat illegally infiltrates systems with malicious intent, while a whitehat plays nice, often under contract to find vulnerabilities as a running concern to help bolster organizational defenses. In the past we have looked at bug bounty programs that many global-scale platform owners run to mitigate zero-day hacks or long-standing yet unidentified loopholes that may be used to compromise them.
Back to our context of the August and November 2017 elections, I assume that as a default, any political party or coalition will have an in-house team of greyhats, owing to the fact that the IEBC did not make a call for engagement at the time of going live with the Kenya Integrated Election Management System and its modules – the Candidates Registration System, Electronic Voter Identification System, Biometric Voter Registration System and the Results Transmission and Presentation; neither do they have an active or publicly known bug bounty program. This is for the simple reason that any system controlling any process of great import is a prime target for attack, infiltration and manipulation, and it also takes one to know one. We have seen this with banks, utility firms and companies that hold massive user databases rich in metadata.
We need to subject any platform built and deployed for citizens' use towards any national objective to a more stringent and open set of testing standards that, going forward, can deliver much needed confidence in their continued use at population scale.