Case on elec­tion raises key ques­tions on pub­lic servers

Business Daily (Kenya) - - DIGITAL BUSINESS - by MBUGUA NJIHIA Njihia is CEO of Sym­bi­otic @mbuguan­ji­hia

Kenyans have been in­trigued by the ac­tiv­i­ties of lawyers and IT sleuths at the Supreme Court in a duel pit­ting the elec­tion win­ner against the first run­ner-up, with a host of oth­ers tied to the case.

Aside from the ver­bosity ex­hib­ited by the lawyers, one of the core ar­gu­ments for the al­leged mal­prac­tice was the claim of in­fil­trat­ing pro­duc­tion servers be­long­ing to the In­de­pen­dent Elec­toral and Bound­aries Com­mis­sion (IEBC).

One side talked about ro­bust, for­ti­fied and im­pen­e­tra­ble in­fra­struc­ture while the other painted a pic­ture of a com­pro­mised sys­tem with pos­si­ble back­doors that could have al­lowed for ma­nip­u­la­tion, call­ing for root ac­cess to en­able the au­dit of the prover­bial logs and other such dig­i­tal foot­prints as may have been left by any dig­i­tal per­sona, au­tho­rised or not.

In the world of cy­ber­se­cu­rity, a con­cern that re­volves around se­cur­ing dig­i­tal as­sets and in­fra­struc­ture, the same skillset can be used for both bad and good with the re­sult­ing nomen­cla­ture as you may have heard floated around; black­hat and white­hat.

Sim­ply put, a black­hat il­le­gally in­fil­trates sys­tems while a white­hat plays nice, of­ten un­der con­tract to find vul­ner­a­bil­i­ties as a run­ning con­cern to help bol­ster or­gan­i­sa­tional de­fences.

In the past we have looked at bug bounty pro­grammes that many global scale plat­form

own­ers run to mit­i­gate against zero day hacks or long­stand­ing yet uniden­ti­fied loop­holes that may be used to com­pro­mise them.

In the con­text of the Au­gust 2017 elec­tions, I as­sumed that as a de­fault, any po­lit­i­cal party or coali­tion would have an in­house team of grey­hats, owing to the fact that the IEBC did not make a call for en­gage­ment at the time of go­ing live with the Kenya In­te­grated Elec­tion Man­age­ment Sys­tem and its mod­ules — the Can­di­dates Reg­is­tra­tion Sys­tem, Elec­tronic Voter Iden­ti­fi­ca­tion Sys­tem, Bio­met­ric Voter Reg­is­tra­tion Sys­tem and the Re­sults Trans­mis­sion and Pre­sen­ta­tion.

Nei­ther do they have an ac­tive or pub­licly known bug bounty pro­gramme.

This is for the sim­ple rea­son that any sys­tem con­trol­ling a process of great im­port is a prime tar­get for at­tack, in­fil­tra­tion and ma­nip­u­la­tion and it also takes one to know one.

We have seen this with banks, util­ity firms and com­pa­nies that hold user data­bases rich in meta­data.

Maybe it is time we sub­jected any plat­form built and de­ployed for cit­i­zens use to­wards any na­tional ob­jec­tive, to a more strin­gent and open set of test­ing stan­dards that can de­liver much needed con­fi­dence in their con­tin­ued use at pop­u­la­tion scale.

UNAU­THO­RISED AC­CESS A sys­tem con­trol­ling a process of great im­port is a prime tar­get for at­tack.

Newspapers in English

Newspapers from Kenya

© PressReader. All rights reserved.