At least 10 security loopholes that could be exploited to manipulate the August 8 General Election have been exposed in an audit report of the country’s voter register.
The voter roll lacks mandatory security features and could therefore be easily hacked into and data of the 19.6 million registered voters deleted, added or amended, according to the audit report by KPMG.
In its report to the Independent Electoral and Boundaries Commission (IEBC), KPMG points out that there are two active default administrator accounts that could be used to access the voter register by unauthorised persons.
The firm further warns IEBC that deceased voters could still cast their ballots on August 8 and advises the electoral commission to strictly use biometric voter identification on polling day.
“In order to mitigate the risk of unregistered deceased persons being in the register of voters, it is imperative that the commission utilises biometric identification of voters as a primary mechanism on polling day,” reads the report.
Why the Judiciary should be challenged
KPMG has pointed out a host of weak security settings, which it advises need to be addressed urgently to prevent the possibility of hacking of the register ahead of the polls, which are 25 days away.
“KPMG observed that there are two active default administrator accounts whose default passwords have not been changed. This significantly increases the risk of unauthorised access to the Register of Voters and using these accounts, a perpetrator can add, delete or amend the voter details in the Register of Voters,” warns the report.
The report also points out that “logs for monitoring super user activity” on the register had not been activated and manipulation of the register could go undetected.
An analysis of the roll revealed that the register is highly susceptible to cyber-attacks that could result in “unavailability of the database”.
This is because the commission was yet to instal security measures to prevent such attacks. Computer systems across the world have recently been attacked by hackers, leading to the loss of crucial data. In some instances, the hackers demanded ransom from affected organisations to restore their data.
KPMG says its auditors were denied permission to conduct tests to assess the risk of unauthorised persons accessing and manipulating the data. The electoral commission explained it was acquiring new ICT infrastructure.
The law and morality of politics in Kenya
The audit report published by IEBC on its website on Tuesday has been the subject of confrontation between the commission and the Opposition National Super Alliance (NASA). NASA leaders led by presidential candidate Raila Odinga had accused IEBC of hiding details of the audit, which was meant to help improve the integrity of the register.
In its recommendation, KPMG wants IEBC in consultation with its technology provider, Morpho SAS, to urgently harden the database hosting the RoV (Register of the Voter). More worrying, the report notes, is that IEBC does not have a disaster recovery site, thus putting it in a dangerous position in its preparation for the forthcoming polls in the event of technology failure.
“Whilst we understand the commission is in the process of procuring a co-location site and new IT infrastructure, in the event of failure of systems prior to the establishment of a secondary production environment, this could represent significant risk to the preparation for or during the elections in August 2017,” says the report.
“KPMG further noted that IEBC carries out back-ups of the Register of Voters on backup tapes. There are no detached premises where these back-ups can be restored and tested. In the event that back-up tapes were to be destroyed at Head Office, the commission’s ability to recover critical voter registration data will be impaired due to lack of redundancy,” added the report.
IEBC is further exposed to data loss through its manual transfer of files. The report notes that the commission transfers data from its registration centres to its head office manually.
“The BVR system setup necessitates manual transfer of enrolment files from the BVR kits at the registration centres to the regional centres using flash disks.
“Due to the current practice of offline transfer of files between the registration centres and the regional offices, there exists a risk of loss of enrolment data before it reaches the regional office. This risk also exists when the data is transferred offline from the regional offices and head office,” says the report.
In its second Mass Voter Registration (MVR), the commission transferred 78 per cent of its enrolment manually. In a quality assurance conducted by the commission after the MVR II, the commission realised that some applications were missing due to the manual transfers.
“Through this exercise, the Returning Officers identified applications missing from the preliminary register,” the report said.