Case on election raises key questions on public servers
Kenyans have been intrigued by the activities of lawyers and IT sleuths at the Supreme Court in a duel pitting the election winner against the first runner-up, with a host of others tied to the case.
Aside from the verbosity exhibited by the lawyers, one of the core arguments for the alleged malpractice was the claim of infiltrating production servers belonging to the Independent Electoral and Boundaries Commission (IEBC).
One side talked about robust, fortified and impenetrable infrastructure while the other painted a picture of a compromised system with possible backdoors that could have allowed for manipulation, calling for root access to enable the audit of the proverbial logs and other such digital footprints as may have been left by any digital persona, authorised or not.
In the world of cybersecurity, a concern that revolves around securing digital assets and infrastructure, the same skillset can be used for both bad and good with the resulting nomenclature as you may have heard floated around; blackhat and whitehat.
Simply put, a blackhat illegally infiltrates systems while a whitehat plays nice, often under contract to find vulnerabilities as a running concern to help bolster organisational defences.
In the past we have looked at bug bounty programmes that many global scale platform
owners run to mitigate against zero day hacks or longstanding yet unidentified loopholes that may be used to compromise them.
In the context of the August 2017 elections, I assumed that as a default, any political party or coalition would have an inhouse team of greyhats, owing to the fact that the IEBC did not make a call for engagement at the time of going live with the Kenya Integrated Election Management System and its modules — the Candidates Registration System, Electronic Voter Identification System, Biometric Voter Registration System and the Results Transmission and Presentation.
Neither do they have an active or publicly known bug bounty programme.
This is for the simple reason that any system controlling a process of great import is a prime target for attack, infiltration and manipulation and it also takes one to know one.
We have seen this with banks, utility firms and companies that hold user databases rich in metadata.
Maybe it is time we subjected any platform built and deployed for citizens use towards any national objective, to a more stringent and open set of testing standards that can deliver much needed confidence in their continued use at population scale.
UNAUTHORISED ACCESS A system controlling a process of great import is a prime target for attack.