• Thursday, December 26, 2024
BusinessDay

Electoral Act 2022: Technical implications, emerging risks and forensic possibilities

It is no longer news that the Electoral Act 2022 has now been signed. This is a laudable development and an essential milestone in our democratic process. In 2015, I wrote an article in Business Day Newspaper published as a two-part series on November 12th and 13th, where I x-rayed the use of the card reader and the lessons therefrom. The article pointed out the key challenges, such as the lack of an underlying legal/legislative framework and the need for stakeholder buy-in and support.

Specifically, I noted that “E-government (and by extension emerging technologies in the electoral process) must derive legitimacy from an underlying legal framework that recognises and supports its operations.” The previous electoral act did not seem to contemplate the involvement of hi-tech and left loopholes that could be exploited technically. Therefore, I commend the National Assembly and the President for the Electoral Act 2022, which addressed some of the concerns I raised in 2015. This law is a bold attempt at legitimising technological innovations deployed by INEC for the smooth conduct of the elections, in line with global best practices and industry trends.

Let’s look at some key sections where the Electoral Act 2022 referred to technological involvement. Section 41(1) gives the commission the mandate to provide suitable boxes, electronic voting machines or any other voting devices for the conduct of elections. Section 47(2) requires the Presiding Officer to use a smart card reader or any other technological device prescribed by the commission to verify, confirm, authenticate, and accredit voters. Section 50(2) states that subject to Section 63, voting at an election and transmission of results shall be in accordance with the procedure defined by INEC. Section 62(2) gives the commission the power to maintain a centralised electronic register of elections for e-collation.

While there is notable room for improvement, it is refreshing to see our electoral law reflect the modern realities of technological adoption in the electoral process. Now that this has been achieved, the ball has effectively been passed to INEC to work out efficient strategies to operationalise and implement it. First, it is important that they get the right technology. They need to get the processes right. They also need to adequately train their personnel (both full-time and ad hoc), as an efficient system without competent personnel is a disaster.

INEC must also deliberately take steps to have the buy-in of all stakeholders. No matter how efficient an electoral system is, without public acceptance, the outcome will be doubted. In the book chapter “Towards Secure and Practical E-Elections in the New Era,” Burmester and Magkos argued that “identification of election technology that meets the public acceptance is as important as the election itself.” The technology deployed for the electoral process must be accepted by the people and be transparent in its operations. If any piece of technology will substitute for the role of citizens (humans), then it should be subjected to rigorous and robust scrutiny by all stakeholders. Therefore, INEC needs to get stakeholders engaged in deliberately building trust in the system.

That said, there will be new operational challenges and emerging risks. For instance, the commission may decide to rely on the GSM network for the electronic transmission of results at every polling unit. A key challenge here is that the nation does not have 100% GSM signal coverage at the moment. Therefore, INEC would need to work with the Telcos to get signal coverage maps and verify them to avoid unnecessary challenges on “D-Day”. This is very important for operational and contingency planning. For the areas without signal coverage, ad-hoc solutions can be explored. Other stakeholder-agreed strategies may be explored where these solutions are too expensive or operationally impossible within the time frame. These emerging challenges could be completely corrected in the next few election cycles.

There will also be other emerging risks that did not previously exist. For instance, there is the potential risk of equipment failure. Therefore, INEC should ensure the reliability of the devices deployed. There should be robust and stakeholder-driven reliability tests in good time before the elections. In my previous article on this, I noted that “for a public system to be declared fit, it is expected to go through a robust multi-stakeholder testing process to establish the system’s integrity, efficiency, accuracy, reliability, and security.” This is very important, and INEC should reach out to all stakeholders and industry experts for this.

There is also a potential risk of manipulation or tampering with Electronically Stored Information (ESI). There are emerging cybersecurity risks that should be properly considered. These risks are distributed across key aspects of the electoral chain. There is a technical possibility of manipulation of the electronic voter database. Without prejudice to any specific device, there is a potential risk of manipulating the data stored on the smart card reader. There is a potential risk of interception of transmitted data or the transmission process itself. There is an emerging risk of tampering with the collation process. Section 62(2) of the Act gives the commission the power to compile, maintain and update on a continuous basis, a register of election results to be known as the National Electronic Register of Elections, which shall be a distinct database or repository of polling unit by polling unit result. Therefore, there is a potential cybersecurity risk (hacking, encryption, manipulation, etc.) of remotely manipulating electronically collated results.

Another potential risk is the regulatory risk relating to Data Protection. The National Information Technology Development Agency, earlier in 2019, rolled out the Nigeria Data Protection Regulation (NDPR) to safeguard the rights of natural persons to data privacy. By the sheer size of the Personally Identifiable Information (PII) stored by INEC, it is one of Nigeria’s most important data controllers, with potentially high risks. The Electoral Act 2022 further gives INEC the impetus to electronically collect and store voters’ details (running into tens of millions). Specifically, Sections 9(1) and 9(2) give the commission the mandate to maintain a voter register, which shall be stored in an electronic format in a central database. Therefore, INEC needs to take special measures in compliance with this regulation.

INEC should be ready to rise to the occasion and mitigate these emerging risks. First, an organisation the size of INEC should not manage risks in silos. There should be a robust Enterprise Risk Management (ERM) system to manage these risks across the enterprise. This is needed for better coordination and efficient risk management. All the identified risks – operational, logistical, security, technological, cybersecurity, etc. – should be robustly analysed and managed across the enterprise.

INEC needs to put in place the right cybersecurity strategies and technologies to mitigate the identified cybersecurity risks. Prevention (protection) remains the best and most cost-effective strategy. Also, bearing in mind that even the best systems do suffer a breach someday, it is essential to have the proper controls and plans for business continuity and disaster recovery in the wake of any incident. If a system or a device fails, what are the alternatives? What plans are in place to ensure swift remediation and restoration? What are the other options if a server fails or is maliciously taken down? What is the backup policy? What are the connectivity options when one fails? Does INEC have a robust and articulated Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?

Beyond this, there is the need to engage the services of digital forensic experts to investigate any incident. Given the heavy involvement of technology in the Electoral Act 2022, most of the post-election cases will rely on digital evidence. The amended Evidence Act 2011 allowed for the admissibility of digital evidence; therefore, the outcome of these cases would depend on the services of forensic examiners and expert witnesses. INEC as an organisation needs to be forensically ready. Political parties and litigants would also need such services to prove their cases.

A forensic expert can accurately investigate electronic devices and Electronically Stored Information (including information extracted from smart devices used for elections and the central database for voter registration and votes aggregation – smartphones, computers, servers, network devices, etc.). They can help collect, preserve, and analyse digital data and present results in a forensically sound manner. An excellent forensic investigation could rely on digital artifacts to recreate events and scenarios critical to solving electoral disputes, beyond reasonable doubt. So, for those planning to engage the services of hackers and other malicious fellows, remember Locard’s theory of exchange. Your digital footprints will give you away.

INEC, over to you; the ball is now nicely served in your court. Avoid unforced errors. If you need help, seek help now, not on Election Day.

Sibe, PhD is a Digital Forensic and Cybersecurity Expert and the CEO/Lead Forensic Examiner at Digital Footprints Nig. Ltd and tweets as @rsibe. He writes from Abuja.