Making sense of Kenya's nullified polls

OPINION | KENYA POLLS

By Christopher Muhawe

The recently concluded Kenyan presidential elections results presented yet another technological question which goes beyond our physical world Democracy, a cherished governance process that has been in existence since the ancient conquest of Greece by the Romans in 146 BC, is being shaped and enhanced by the cyber world in the 21st Century.

What remains to be seen is whether the use of cyber architectural platforms in electoral process has yielded the desired goal of free and fair elections. My take on the involvement of ICT in democratic processes is that if diligently used, it will ensure the elimination of fraud in such processes, for example, in elections.
 
The 2017 Kenyan presidential general election is the third presidential election in a space of two years after last year's American presidential election that was won by Donald Trump and this year's French general elections won by Emmanuel Macron that has been confirmed as having been influenced by cyber intrusion.

Electoral processes interference through hacking in the latter two respects have been confirmed by the American National Security Agency (NSA) and the Kenyan election hacking allegations have been confirmed by the Kenyan Supreme Court. This in itself suggests that the free and fair elections notion has been put to trial by an unlikely actor.

Whereas the American and French hackings have been reported as being intrusions on the candidates' systems mostly on emails and their political parties' communications, the Kenyan situation is a lot different. The claim herein was that there was a direct intrusion on the Independent Elections and Boundaries Commission's (IEBC) results electronic transmission system.

The Kenya's Supreme Court vide the 2017 Raila Odinga and Kalonzo Musyoka presidential election petition traversed the cyber intrusion allegations by the petitioners the whole of last week and confirmed that indeed the IEBC's electronic transmission system was interfered with. The ultimate result was that the election was not free and fair and hence deserved nullification.

As earlier stated, for the American and French elections, the attacks were confirmed to have been through unauthorised access to email communications of candidates and their respective parties. Such access is possible given the fact that emailing involves usage of the internet's underlying core email protocol, the Simple Mail Transport Protocol (SMTP), as was adopted in 1982 and is still deployed and operated today.
 
The challenge is that SMTP is susceptible to a wide range of attacks including man-in-the-middle content modification and content surveillance. I would have expected that these candidates from such developed nations should have employed basic email security standards as have been modified and augmented over the years.
 
Standards such as spoofing protection, integrity protection, encryption and authentication being properly implemented in email systems are sufficiently capable of securing government, financial and medical communications.  These adaptations mitigate cyber intrusion and threats.

Candidate Odinga's case was that hackers gained access to the IEBC's database through the stolen identity of the deceased chief ICT official, Christopher Msando, as his dead body was found with a missing limb days to the election.
In effect, he suggested that the login credentials for example of Msando's thumb prints were used to gain access to the system, which position the court believed. However, a simple two-factor authentication security approach would have served better and this would have guaranteed the integrity of the system.
 
The man-in-the-middle intrusions allegations in the process of electronically transferring of results from polling stations to the central IEBC system would have been dispelled by encryption. Be that as it may, I hope the Supreme Court in its detailed judgment coming in 21 days will develop better jurisprudence for the handling an electronically-assisted electoral process given the present facts in future.

It is important to note that petitioners did not emphatically attribute the cyber intrusion allegations to any player and indeed the court absolved the third respondent Uhuru Kenyata of any wrong doing in the elections process. However, the earlier admission of a failed attempted intrusion on IEBC's system by its officials complicated the matter. If the attempt did not actually materialise, players behind the same should have been mentioned. That way, responsible bodies would be accorded a chance of knowing how to protect future elections from interferences by negative elements.

My analysis is that the source of possible cyber-attacks that has often been ignored is one that originates from the suppliers of both hardware and software used in the electoral processes. ICT service providers may serve as another potential cyber intrusion avenue. Such suppliers have the underlying technology and hence should be contractually bound as to the integrity of the systems they are providing. Lest, they may act as conduits of bad elements.

The call herein is that a cyber security conscious electoral process will not only protect any country's democratic process but will as well ensure transparency.
The writer is a lawyer/Advocate specializing in Intellectual Property & Cybersecurity Law.