Election integrity at risk: the cybersecurity consequences of EC’s illegal transfer of voters
As Ghana prepares for its national elections on December 7, 2024, the integrity of the electoral process is under increasing scrutiny. A recent breach involving the illegal transfer of voters by a staff member of the Electoral Commission (EC) has exposed serious vulnerabilities in the EC’s digital voter management system.
This breach, which led to the dismissal of the staff member, underscores critical weaknesses in the EC’s infrastructure—a key pillar of Ghana’s democracy.
In today’s digital age, elections rely heavily on electronic systems to manage voter data and ensure accurate results. When these systems are compromised, as in the recent breach within the EC, they not only threaten sensitive voter data but also undermine the trust citizens place in the electoral process. Unauthorised access or manipulation of these systems can lead to inaccurate results, jeopardizing the fairness of elections and, ultimately, the foundation of democracy—the right to vote and have that vote counted accurately.
This breach highlights the urgent need to classify the EC’s voter management system as Critical Information Infrastructure (CII) under Ghana’s Cybersecurity Act 2020 (Act 1038), with oversight provided by the Cybersecurity Authority (CSA). Such classification would impose legal obligations on those responsible for securing the system and ensure that voter data is protected at the highest level mandated for CII. Safeguarding these systems is crucial for maintaining election integrity and preserving public confidence in Ghana’s democratic process.
This article explores the cybersecurity consequences of the breach, including potential liabilities for both the responsible individual and the EC’s leadership. It also emphasizes the need to recognize the EC’s system as CII, underscoring the CSA’s legal obligation to lead in assessing and securing the system by conducting comprehensive vulnerability and integrity tests. Addressing weaknesses in system security procedures and internal controls is essential for restoring public confidence in the EC’s readiness ahead of the elections.
EC SYSTEM AS A CRITICAL INFORMATION INFRASTRUCTURE
Act 1038 under section 35 defines Critical Information Infrastructure (CII) as “computer systems or networks essential to national security or the economic and social well-being of citizens”.
The EC’s digital infrastructure is more than an administrative system; it is a critical component of national infrastructure. According to the Cybersecurity Act, 2020 (Act 1038) and the Directive for the Protection of Critical Information Infrastructure, critical systems are those whose incapacitation or destruction would severely impact national security, the economy, or public safety. Given the vital role that free and fair elections play in Ghana’s democracy, the EC’s voter management system undoubtedly falls into this category as CII.
If compromised, these systems could cause major disruptions in governance and erode public confidence. Since elections are the foundation of democratic governance, any breach in the EC’s system would undermine the legitimacy of election results and threaten national stability.
Section 3(c) of Act 1038 mandates the Cybersecurity Authority (CSA) to regulate owners of critical information infrastructure regarding cybersecurity activities to ensure a secure and resilient digital ecosystem. Despite the EC’s reluctance so far to pursue an independent audit of its system, under Act 1038 the CSA has the legal mandate and responsibility to lead in conducting this assessment, ensuring that the EC’s system is fully protected under the law.
As a designated CII, the EC’s digital systems must comply with the strict requirements of the Cybersecurity Act. These include ensuring system confidentiality, integrity, and availability, conducting regular security audits, and promptly reporting incidents to the CSA.
The recent breach involving the illegal transfer of voters clearly indicates a failure to maintain these standards, raising questions about whether the EC leadership has fully complied with its legal obligations to protect this critical system.
These questions of compliance tie directly into the legal frameworks that govern the protection of critical systems. Both the 2020 Cybersecurity Act and the 2008 Electronic Transactions Act establish clear penalties for unauthorised access and cybercrimes involving protected systems.
PROTECTED SYSTEMS, UNAUTHORISED ACCESS, CYBERCRIME AND PENALTIES
The Cybersecurity Act 2020 (Act 1038) and the Electronic Transactions Act 2008 (Act 772) establish a robust legal framework for protecting critical systems and penalizing unauthorised access. These laws complement the general definition of crime provided under Section 1 of the Criminal Offences Act, 1960 (Act 29), which states: “A crime is an act, omission or conduct that is considered a wrongdoing and is punishable by law.”
This foundational definition of a crime encompasses all forms of criminal conduct, including those that occur within the digital and electronic spaces, which are addressed under Act 1038 and Act 772.
As technology and electronic communications have become integral to modern society, the law has evolved to cover crimes committed in the digital space. Acts 1038 and 772 specifically address these new forms of criminal conduct, ensuring the protection of Ghana’s critical information infrastructure.
Under Section 97 of Act 1038 (emphasis mine):
- Cybersecurity is defined as “the protection of computer systems from unauthorised access or attacks, ensuring the integrity of those systems”.
- Unauthorised access means “access of any kind by a person to a programme or data held in a computer without authority if (a) the person is not personally entitled to control access of the kind in question to the programme or data; and (b) the person does not have consent to access the kind of programme or data from the person who is entitled to control access”.
- Cybercrime, under the same Act, refers to the “use of cyberspace, information technology, or electronic facilities to commit crime”.
Section 55(3)(f) of Act 772 further classifies a “protected computer” as:
“any computer, computer system, or network used directly in connection with the legislative, executive, or judicial services, as well as the public services and security agencies”.
Since elections are crucial to the functioning of these branches of government and public services, the systems used in elections are integral to their operations. Elections play a vital role in maintaining governance, public services, and national security.
As such, the computer systems used in managing and administering elections—due to their direct connection to legislative, executive, and public service functions—fall under the definition of a ‘protected computer’ according to this law. This designation highlights the critical status of the Electoral Commission’s voter management system, as it is essential to ensuring the integrity of Ghana’s electoral process.
Both Act 772 and Act 1038 prescribe severe penalties for unauthorised access or tampering with protected systems:
- Penalties under Act 772: Section 55(4) imposes fines and/or imprisonment of up to ten (10) years for unauthorised access to protected computers.
- Penalties under Act 1038: Section 40 criminalizes unauthorised access to Critical Information Infrastructure (CII), which includes systems such as the Electoral Commission’s voter management system. Offenders may face up to five (5) years’ imprisonment.
This illegal transfer of voter data by an EC staff member clearly violates the law, illustrating both the system’s vulnerability and the broader cybersecurity implications for the EC leadership.
By accessing the system to transfer voters without the Commissioners’ consent, bypassing established procedures, and illegally modifying data, the EC staff member responsible for the unauthorised transfers committed a cybercrime. That is an offence against the state which threatens national security and undermines both the system’s integrity and public trust in the electoral process. If prosecuted, the individual faces up to five (5) years in prison under Act 1038 and up to ten (10) years under Act 772.
Furthermore, the EC’s leadership bears responsibility for ensuring the cybersecurity of its systems. Failure to implement adequate security measures exposes the EC to both legal and administrative penalties under these Acts, as institutions are held accountable for securing critical and protected systems. Therefore, it is crucial for the EC to establish and maintain rigorous cybersecurity protocols to prevent breaches and ensure compliance with national cybersecurity regulations.
CYBERSECURITY THREAT AND LIABILITY OF THE ELECTORAL COMMISSIONER AND DEPUTIES
Cybersecurity threat, under the Cybersecurity Act 2020 (Act 1038), means “an unauthorised effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system”.
Beyond the criminal liability of the individual responsible for the illegal transfer of voters, there is the issue of whether the Electoral Commissioner and her deputies can be held accountable for failing to safeguard the system against cybersecurity threats. Under both Act 1038 and the Electronic Transactions Act, 2008 (Act 772), entities managing Critical Information Infrastructure (CII) and Protected Systems are required to implement strict cybersecurity measures to prevent unauthorised access and protect sensitive data.
Failure to comply with these obligations exposes the EC to civil and administrative penalties. If the EC is found negligent in implementing necessary safeguards, it faces penalties for:
- Failing to properly secure critical data.
- Not conducting adequate risk assessments and audits of the system.
- Failing to report security vulnerabilities or incidents in a timely manner as mandated under the law.
The EC is legally obligated to secure its systems, conduct regular risk assessments and audits, and report any cybersecurity incidents as required by the Cybersecurity Act and the Directive for the Protection of CII.
A cybersecurity incident is defined by Act 1038 as “any act or attempt, successful or unsuccessful, to gain unauthorised access to, disrupt or misuse an information system or information stored on such information system.” This definition underscores the importance of reporting not just actual breaches, but also attempts to compromise system integrity.
The EC leadership, including the Electoral Commissioner and Deputies, may also face personal liability if their failure to implement adequate security measures contributed to the breach. Section 39(2)(b) of Act 1038 states that failure to audit CII systems can result in administrative fines, while Section 47(6) of Act 1038 holds institutional heads accountable for not reporting cybersecurity incidents. Beyond legal liabilities, the reputational damage to the EC’s leadership could be significant, particularly in an election year where public confidence in the electoral process is crucial.
The illegal transfer of voter data highlights a possible lack of oversight and raises concerns about whether adequate cybersecurity measures were in place. Therefore, it is essential for the EC’s leadership to demonstrate full legal compliance and take proactive steps to reinforce the system’s defences.
This includes conducting regular audits, reporting incidents, and providing staff training to prevent future breaches. With elections approaching, urgent action is needed to protect the system, as further lapses could undermine public trust in the integrity of the electoral process.
In light of this cybersecurity threat, and the EC leadership’s failure to secure the system, the CSA, as the body responsible for overseeing the security of CII, must take a central role in securing the EC’s voter management system before the elections by conducting a comprehensive assessment and addressing vulnerabilities.
LIMITS OF THE EC’S INDEPENDENCE UNDER ARTICLE 46 OF THE 1992 CONSTITUTION
The Electoral Commission’s independence under Article 46 of the 1992 Constitution means that the EC “shall not be subject to the direction or control of any person or authority, except as provided by the Constitution or other laws not inconsistent with it”.
However, this independence cannot be absolute. For instance, the EC cannot refuse to comply with the National Pensions Regulatory Authority (NPRA) under the National Pensions Act, 2008 (Act 766) when it comes to making mandatory pension contributions for its staff.
In such a scenario, the EC is subject to the direction and control of the Authority, as Act 766 has not been declared inconsistent with the Constitution. Similarly, when the EC’s IT system is compromised or faces a cybersecurity threat, it cannot invoke its independence to avoid oversight by the Cybersecurity Authority under the Cybersecurity Act, 2020 (Act 1038).
Once the EC relies on computer systems and networks for compiling and maintaining the voter register—a function under Article 45(a) of the 1992 Constitution—it becomes subject to Act 1038, which governs the security and integrity of such digital systems. Therefore, the EC cannot operate beyond the reach of these laws simply by citing its constitutional independence.
MANDATE OF THE CYBERSECURITY AUTHORITY: SHOULD THEY INTERVENE?
The Cybersecurity Authority (CSA), under the Cybersecurity Act, is responsible for preventing, managing, and responding to cybersecurity threats and incidents. It is also responsible for overseeing the security of Critical Information Infrastructure (CII) in Ghana against cyber threats, which includes the Electoral Commission’s (EC) voter management system.
Although the EC is an independent institution mandated by the Constitution of Ghana to oversee electoral processes, this independence extends only to the administration of elections—not the security of its digital systems. If the EC were to run its electoral processes entirely using a manual system, free from any computer systems or networks, it could remain independent of the CSA’s oversight in cybersecurity matters.
However, once the EC relies on computer systems, which by their nature fall under the category of CII, the CSA is empowered under Act 1038 to assess, monitor, and audit these systems to ensure their security. Given the breach, the EC cannot independently declare its systems secure; the CSA is mandated to ensure that comprehensive cybersecurity measures are implemented and maintained.
Section 38(2) of Act 1038 mandates the CSA to conduct audits and inspections of designated CIIs to ensure compliance with cybersecurity directives. The CSA can also issue additional directives to CII owners, including the EC, without prior notice, and the EC is required to comply. This legal framework obligates the CSA to conduct vulnerability and integrity assessments of the EC’s system, particularly in light of the illegal voter transfer incident.
Any entity, including the EC, planning lawful activities within its mandate that may impact the confidentiality, integrity, or availability of a CII must seek clearance from the CSA. Non-compliance could result in criminal and administrative sanctions under Section 92(2) of Act 1038.
Thus, the CSA is both authorised and obligated to enforce a forensic audit and perform vulnerability assessments on the EC’s system before the elections. These actions are essential to meet cybersecurity standards and restore public confidence.
While the CSA has the mandate to secure systems like the EC’s voter management system, the responsibility of ensuring compliance with cybersecurity laws ultimately falls on the Electoral Commissioner and Deputies.
However, given the severity of the recent breach and its potential impact on the electoral process, it is clear that the CSA must intervene. Failure by the EC’s leadership to address these cybersecurity lapses exposes them to significant legal liabilities, making the CSA’s role in enforcing cybersecurity measures essential to preserving the integrity of the elections.
IS THE EC SYSTEM FIT FOR PURPOSE?
The illegal transfer of voters by an EC staff member has cast doubt on the integrity and readiness of the EC’s voter management system, especially with elections fast approaching. The system’s vulnerability to unauthorised access raises concerns about whether it is currently fit for its intended purpose—safeguarding Ghana’s voter registration and electoral process.
For a system that qualifies as Critical Information Infrastructure (CII), the Cybersecurity Act and the Directive for the Protection of CII outline strict cybersecurity measures that must be adhered to.
These include conducting regular vulnerability assessments, ensuring real-time monitoring of system activities, and implementing incident response plans to address breaches swiftly and effectively. However, the illegal transfer incident highlights potential gaps in the EC’s system security framework. Without clear and effective internal controls, the system remains susceptible to further breaches, which could undermine the integrity of the entire electoral process.
Given that elections are the cornerstone of democracy, it is crucial that the EC system is capable of protecting voter data from manipulation, ensuring accurate voter rolls, and preventing unauthorised access.
To this end, the CSA must step in to perform an immediate integrity and vulnerability assessment of the system. This assessment should include penetration testing (a simulated cyberattack to identify weaknesses in the system), a review of access controls, and an examination of audit trails so that any unauthorised actions can be detected and responded to in real time.
Additionally, the EC should adopt enhanced security measures, including the encryption of sensitive data, multi-factor authentication (a security process requiring users to provide two or more verification factors to access the system), and comprehensive staff training to reduce the risk of insider threats.
The public’s confidence in the electoral process relies on the ability of the EC to protect voter data, and it is critical that these steps be taken well before the December 7th elections to ensure the system is truly fit for purpose in protecting the very foundation of Ghana’s democracy. A pre-election audit of the EC’s system, spearheaded by the CSA as the body with the legal mandate, is essential.
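To show what the audit-trail examination and access-control review described above could catch, here is an added example (not the EC’s code or the page’s own) of a two-person-control check over constructed voter-transfer records: every transfer must cite a distinct approval issued by someone other than the operator for the same voter, only permitted roles may transfer, and an operator moving many voters is flagged. The field names, role names and records are assumptions.

```python
# Two-person-control check over voter-transfer audit records (added example).
# All records, field names and role names below are constructed for
# illustration and are not the EC's actual schema.
from collections import Counter
from dataclasses import dataclass

TRANSFER_ROLES = {"district_officer"}  # roles permitted to execute a transfer

@dataclass(frozen=True)
class Transfer:
    txn_id: str
    operator: str
    role: str
    voter_id: str
    approval_ref: str  # empty when the operator recorded no approval

@dataclass(frozen=True)
class Approval:
    ref: str
    approver: str
    voter_id: str

def audit_transfers(transfers, approvals, bulk_threshold=3):
    """Return (txn_id, finding) pairs for transfers breaking the two-person
    control; a '*' entry flags an operator with bulk_threshold+ transfers."""
    ledger = {a.ref: a for a in approvals}
    ref_use = Counter(t.approval_ref for t in transfers if t.approval_ref)
    findings = []
    for t in transfers:
        if t.role not in TRANSFER_ROLES:
            findings.append((t.txn_id, f"role '{t.role}' may not transfer voters"))
        if not t.approval_ref:
            findings.append((t.txn_id, "no approval reference recorded"))
            continue
        a = ledger.get(t.approval_ref)
        if a is None:
            findings.append((t.txn_id, "approval reference not in ledger"))
            continue
        if a.voter_id != t.voter_id:
            findings.append((t.txn_id, "approval issued for a different voter"))
        if a.approver == t.operator:
            findings.append((t.txn_id, "operator approved own transfer"))
        if ref_use[t.approval_ref] > 1:
            findings.append((t.txn_id, "approval reference reused"))
    for op, n in Counter(t.operator for t in transfers).items():
        if n >= bulk_threshold:
            findings.append(("*", f"{op} executed {n} transfers"))
    return findings

APPROVALS = [
    Approval("APR-1", "commissioner_a", "V100"),
    Approval("APR-2", "commissioner_b", "V101"),
    Approval("APR-3", "staff_x", "V104"),
]
TRANSFERS = [
    Transfer("T1", "officer_1", "district_officer", "V100", "APR-1"),
    Transfer("T2", "staff_x", "district_officer", "V101", "APR-2"),
    Transfer("T3", "staff_x", "data_clerk", "V102", ""),
    Transfer("T4", "staff_x", "district_officer", "V103", "APR-2"),
    Transfer("T5", "staff_x", "district_officer", "V104", "APR-3"),
]

if __name__ == "__main__":
    for txn, msg in audit_transfers(TRANSFERS, APPROVALS):
        print(txn, msg)
```

Only T1 passes; the other records reproduce the kinds of procedural bypass the article describes, and the same checks can be run as a scheduled job over exported audit logs.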
PRE-ELECTION CYBERSECURITY AUDITS: INTERNATIONAL PERSPECTIVE
Pre-election cybersecurity audits in response to cyber threats are not new. Countries like Estonia and Ukraine have shown the importance of these audits in safeguarding electoral integrity in the face of cyber threats.
Estonia regularly conducts security reviews and vulnerability assessments of its i-voting system before elections, especially after discovering cyber vulnerabilities in 2014.
Similarly, ahead of Ukraine’s 2019 Presidential election, the country conducted pre-election audits of its electoral systems to safeguard against ongoing cyberattacks. These proactive measures illustrate the importance of pre-election audits in addressing cybersecurity risks and protecting the integrity of elections.
CONCLUSION
The Electoral Commission (EC) is an independent body constitutionally mandated to conduct elections in Ghana. However, once it integrates computer systems into its operations—such as the voter management system—this independence does not extend to the security of those systems. In accordance with the Cybersecurity Act, 2020 (Act 1038), any Critical Information Infrastructure (CII), including the EC’s systems, is subject to oversight by the Cybersecurity Authority (CSA).
The illegal transfer of voter data has exposed serious vulnerabilities in the EC’s system. With the December elections approaching, ensuring the system’s integrity is critical to maintaining public trust. Although the EC retains independence over the electoral process, the security of its computer systems must comply with national cybersecurity laws.
The EC’s expertise in election administration does not necessarily extend to the complex domain of cybersecurity, making external oversight essential. The CSA is mandated to intervene in this regard and enforce a comprehensive forensic audit to assess and address the vulnerabilities within the system.
Both the individual responsible for the breach and the EC’s leadership face legal consequences under the Cybersecurity Act and the Electronic Transactions Act. While the individual can be prosecuted for unauthorised access, the EC’s leadership could be held accountable for negligence if security vulnerabilities remain unresolved.
Securing the EC’s system is of utmost urgency, as public trust in the legitimacy of the upcoming election depends on the security of the electoral infrastructure. Self-regulation by the EC, in light of its independence, is insufficient given the breach of its computer systems.
Therefore, the CSA must fulfil its mandate by ensuring that a comprehensive forensic audit is conducted independently and transparently. Only decisive action can preserve the integrity of the electoral process and restore public confidence before the elections.
This is a real test case for the CSA to live up to its mandate of making sure that Critical Information Infrastructures that come under cybersecurity threat, such as that of the EC, are protected. It is not for the EC to self-determine the robustness of its systems in such a critical situation bordering on cybersecurity.
The author, Dr. Kofi Anokye Owusu-Darko, is a Digital Rights Advocate and holds an EMBA (IT Management), an LLB and an LLM (IT & Telecommunication). Visit: Kofianokye.blogspot.com; Kofidarko2.blogspot.com. Contact: kofianokye18@gmail.com