By Yemi Adeniran
As I write these lines, there is a cash crunch in Nigeria due to a rush at banks and ATMs to exchange old naira notes and withdraw the new currency. This is causing chaotic scenes as the country scrambles to cope, and everyone tries to get their hands on the new naira notes (Financial Times). Add to this chaos is the nationwide fuel shortages and the resulting long queue at gas stations. All these chaotic scenes are crippling a nation of huge informal economy that is dependent on cash transactions (BBC News).
Against these backdrop, Africa’s most populous nation, is heading to the polls on February 25. The electoral body which oversees election in Nigeria is the Independent National Electoral Commission (INEC).
According to INEC, the total number of registered voters for the 2023 general election is 93 million. That is 16.7 million more registered voters in Nigeria than other 14 countries in West Africa put together. In the words of INEC, an election in Nigeria is like conducting elections for the whole of West Africa. With this background, this article will explore the risks and mitigations of election hacking as Nigeria heads to the polls on February 25.
This writeup seeks to, first, assess the risk of election hacking, and second, discuss the mitigations as Nigeria heads to the polls on February 25, 2023.
1. What exactly is election hacking?
Election hacking is used to describe efforts to undermine an election outcome in its entirety. In this case, election hacking is a way of breaching the systems used for the election with the intension to manipulate data(votes) to favour, discredit a candidate or the whole of the election results.
2. How could an election be hacked (the risks)?
On Thursday, January 26, INEC Officials went live stating that hackers were making attempts to hack the commission’s computer systems ahead of the 2023 general election. The question that was not answered publicly during the briefing was how successful the hackers have been to plant malicious code to destroy the integrity of the system so that it could be exploited to alter the outcome of the election.
The systems being used for the election are inter-connected for voters’ identification and accreditation, to transmit data (uploading result and or images of the result sheets, vote counts, etc.) to the backend servers at the INEC data centres. These systems vulnerabilities could be exploited by hackers to influence the general election result. Figure 1 is a subjective assessment of high-level logical view of INEC ecosystem of:
- BVAS (Bimodal Voters’ Accreditation System)
- iREV (INEC Result Viewing online portal)
- Back-end servers of databases
- Forms EC8A and EC8B
- PVC(Permanent Voters’ Card)
- Connectivity(internet, virtual private network) to transmit votes to the backend databases (servers)
Figure 1: Logical view of election ecosystem
So, what are the risks?
Let’s examine the risks of election hacking using possible scenarios.
- One of the greatest threats to the integrity of the election result is the threat that comes from within INEC. The election processes are not fully automated, certain aspects of the processes are done manually. The insider threats may come from three actors namely: compromised staff, malicious people, and carelessness. Insider threat actors are motivated by financial gain, political ideology, or revenge. This risk may originate from actors within the organization or has something to do with the organization.
- The ecosystem could be exploited to alter voters accreditation and the registration database to the point where many voters are turned away or not allowed to vote due to the BVAS device not authenticating (accreditation failure due to device error). Device slowdown (another form of device failure) could lead to slow accreditation of voters. By slowing down the device, you deny many people the opportunity to vote considering voting will close at a specific time.
- The BVAS works on a push notification communication to transmit data to a central database using a wireless process. Transmitting happens when the device is not in use for accreditation (at intervals). The device is part of the potential targets for result manipulation. The physical security of the device begs the question of its use-case in the hand of those that knows how to circumvent the controls. INEC must prevent the weaponization of BVAS as a tool of conspiracy theories and disinformation.
- Another possible exploit is the delay in syncing the accredited voters with the number of votes at a polling unit. The lag (delay) in what was synchronized and what is left to be synchronized may result in manipulation. The potential abounds for exploitation by the hackers.
- A phishing campaign on the INEC’s process, people and technology present a risk of malicious attack to ransomware in part or the whole of the ecosystem.
- INEC rely on critical telecoms infrastructure for remote transfer of data from the polling units to the backend servers including online iREV portal. Transfer delays due to saturated bandwidth (lag) is expected in remote part of the nation where telecoms signal towers are few and far between.
- All the above are a few of the risks INEC must mitigate with effective controls to prevent anyone or group from manipulating the outcome or successfully hacked the election results that may change who wins.
How could INEC protect the election ecosystem from the risk of hacking?
INEC must act to prevent election hacking and avoid anything that could impugn on the credibility of the 2023 election results. The organization must act to augment their security posture and be prepared for new and emerging risk.
1. Understand the risk
Hackers will take advantage of any opportunity as a chance to hit the INEC ecosystem. INEC must undertake constant risk assessment of the election processes, people and technology, build defence in-depth, zero trust security and ring fence its infrastructure/platforms. The risk assessment must be continuous, any vulnerability uncovered must be addressed with the implementation of effective control(s).
2. Insider threat must be mitigated
One of the greatest threats to the integrity of the election result is the threat that comes from within INEC. Insider threat must be mitigated with controls and those controls constantly evaluated for effectiveness.
3. Increase transparency
The number of accredited voters must be displayed on iREV online portal as voting proceeds on election day for increased transparency. The BVAS transmit same data at intervals to the INEC backend server. As it stands, the polling unit accredited voters recorded by the BVAS are used in collation and subsequent results declaration.
4. Plan Ahead
One of the mitigations against a cyber-attack during the election is a proactive security strategy that plans for every scenario. Apart from renewed risk assessment that must be regularly conducted, updated business continuity planning (BCP) and disaster recovery (DR) plans, will uncover issues or anomalies that must be added to the election risk register for immediate treatment.
5. Work Closely with Experts
Election day intrusion must be prevented by INEC. This, in part, means INEC must work with third-party cyber security partners to support the in-house cyber security capability. For instance, partners that could provide INEC with continuous threat monitoring, detection and remediation will be crucial to have during the election. INEC Security Operation Centre (SOC) must be optimized to detect internal and external threats such as tampering and manipulation of voting results whilst being transmitted, processed, or stored. A proactive and measured approach to new threats must include engaging experts outside the organization for support, continued protection and ensure all eventualities are planned for.
6. Training and Awareness
Whilst Security is the responsibility of everyone, the information security training and awareness of all staff and contractors involved in the election ecosystem is a must to mitigate risks to election hacking and strengthen operational resiliency.
Conclusions
As the nation of Nigeria pivots towards the 2023 general election against the backdrop of various economic and social challenges, the INEC must focus on increasing detection capabilities as the importance of the election justifies having early detection capabilities.
With that said, the commission must focus on key priorities to reduce Distributed Denial of Service (DDoS) against malicious cyber-attacks, mitigation of attack surface and threat vectors during the election period: increase detection capabilities, work with trusted partners on threat intelligence, a coordinated risk assessment of election critical infrastructures. Ring fenced INEC Database through encryption in transit and at rest. Other priorities are Cyber Security Operation Centre to deploy and mount surveillance on streams of data (voting result) coming in for processing from polling units.
About the author: Yemi Adeniran is an astute Cybersecurity, Governance, Risk & Compliance Consultant with over 25 years international experience. He holds MSc in Cyber Security and MBA from a UK business school. He has delivered on Information Security Governance, Risks and Compliance projects. His area of expertise covers Digital Trust, Cyber and Information Security, Data Protection, Regulatory, and Audits such as ISO 27001, 9001 and 27005. You can reach him on email: [email protected]