I watched the Nigeria Presidential and National Assembly elections with so much interest and expectation. Nigerians came out enmasse to exercise their right to vote and vote they did.
There was so much awareness within and outside Nigeria. Citizens worked very hard to ensure they registered and received their Permanent Voters Cards (PVCs) so they can cast their votes on the day of the election, February 25, 2023.
Overtime, Nigerians have been promised by the Independent National Electoral Commission (INEC), a free, fair, independent, and transparent election, which I must say are the cornerstone of democracy. The Nigeria government paid a huge sum to get this satisfaction and the promises were taken to heart by Nigerians and all observers who understand it to mean that they will participate in a secret ballot system where they will vote candidates of their choice; that data will be captured by the Bimodal Voter Accreditation System (BVAS) device, that at the close of poll, the information will be uploaded/transmitted electronically to a receiving server/database and Nigerians and indeed the world can view the results on their personal devices on the INEC Result Viewing (IReV) Portal. https://www.inecelectionresults.ng/elections/types.
As a Nigerian and a Cyber Security Expert, please permit me to draw a direct correlation of these promises to the CIA triad, which appears to be broken. The reason cybersecurity exist is to ensure the Confidentiality, Integrity, and Availability (CIA) of data and services. These tenets of security at the very least have become questionable on a large scale and beg for answers. The dummy election/test-run that was conducted by the INEC was successful and some recent elections held were recorded as a success but on the D Day, that is, the day of the general election when voters can vote their choice of the next president, the BVAS appears to have fallen short in uploading the results. Hence, the IReV portal had nothing to present to the people.
Confidentiality of the election is ensuring only authorised individuals/systems can view sensitive or classified information. Unauthorised individuals should not access the data being entered in the BVAS and ultimately sent over the network. To ensure this, encryption had to have been in place.
Integrity states that data is authentic, reliable, and has not been corrupted or tampered with. This means that data is accurate and complete and cannot be modified by unauthorised users at any stage whether at rest or in transit. If the data gets corrupted, then it means a failure to maintain data integrity. To ensure this, there had to be Integrity checker in place that is based on Hash functions.
Availability means that the voters’ data will be uploaded from the BVAS system to the receiving servers without denial and/or interruptions. To ensure availability, the network engineers should make sure hardware, software and necessary services are maintained. This also means they will plan to make appropriate and regular upgrades, have a plan for fail-over, and prevent bottlenecks in the network.
Having laid these tenets of security, the Nigeria government owes its citizens and indeed the world an explanation on what happened. Failure to do this will put the country in a very bad light and make it a laughing stock amongst the community of nations.
Either way, a proper audit and deep forensics analysis by a trusted cyber security firm needs to take place. Lots of answers that cannot be repudiated will come from this. The Incident Response (IR) will tell us a story on a timeline of who accessed these electronic devices and servers thereby letting us know if Confidentiality was observed, thereby laying the foundation for trust. IR will also provide answers to what happened to the data entered in the BVAS locally and the result reported by the INEC thereby bringing to light the state of the election result Integrity. The last but not the least will give us an understanding of what or who was responsible for the lack of Availability of the receiving servers/database.
• Kessington Ekhaiyeme, the CEO, Kenima Cyber Security, wrote via Kessington@Kenimacybersecurity.com
