EC alone cannot ensure the security and integrity of our elections
This article aims to emphasise that the Electoral Commission (EC) alone cannot protect our elections in 2024 due to the sophisticated and varied cyber threats we face. As cyber-attack techniques have become increasingly advanced, the geopolitical interest in West Africa has also intensified. Given the current context, world powers would understandably seek to exploit elections in former colonial countries, particularly in the West Africa subregion, to achieve their national interests.
Moreover, the intense competitive nature of our internal politics makes it difficult to unite key stakeholders especially the political parties to act from a unified front, as actions of nation-state actors may benefit one party over another. This complexity underscores that the EC alone cannot ensure the integrity of the elections. Therefore, the EC should not appear to be dismissive when key stakeholders, particularly parliament, political parties, or CSOs, raise concerns about its conduct. The EC needs the buy-in of all stakeholders if we, as a nation, want to have a chance against determined nation-state actors. We also need to be able to recover quickly from a possible cyber-attack, and this can only be done calmly if there is a united stakeholder group behind the EC.
The EC should reach out to key stakeholders particularly the dominant political parties, the NCCE, the Council of State, the Forces, relevant Ghanaian CSOs, Ghanaian Private Security Firms, Parliament, Ghanaian security researchers and others to solicit their assistance and cooperation. The EC should set up an Elections RISK Management Task Force incorporating the stakeholders with the single purpose of protecting our elections against nation-state actors in 2024. This is the year when cyber-attack techniques reach a sophisticated level never seen before and geopolitical competition for influence is at the most aggressive and dangerous. At the same time, our politics has never been as partisan. A comprehensive Risk Register should be developed and published even if with some redactions. In my view, our electoral system appears to be vulnerable to cyber-attacks as are many other systems worldwide.
BVDs and the Reference Threshold issue
The introduction of biometric devices into Ghana’s electoral framework in 2012 was a response to numerous challenges that had plagued the electoral process in previous elections. Before their introduction, allegations of voter register inflation, double voting, vote suppression, procedural opacity, and ballot stuffing seriously undermined the integrity of our elections.
The integration of biometric devices aimed to address these concerns, ushering in an era of enhanced scrutiny and technological advancement in Ghana’s electoral processes. Despite this significant milestone effort, the efficacy of the biometric system in resolving these perennial issues has been mixed.
Notably, before 2012, to my knowledge, the Supreme Court had not been involved in settling election petitions. However, since the adoption of biometric technology, two out of the three elections (2012 and 2020) have required Supreme Court intervention, highlighting ongoing challenges within the electoral process.
While it’s crucial not to solely attribute dissatisfaction with election outcomes to biometric devices, their implementation hasn’t entirely mitigated pre-existing grievances. Moreover, as computer devices, these biometric devices natively inherit vulnerabilities common to all computing devices. Contextual factors surrounding their usage also introduce additional vulnerabilities, necessitating a comprehensive evaluation of their efficacy and security in Ghana’s electoral framework.
The introduction of biometric devices has opened new avenues for exploitation by various criminals, especially those who are adept in digital manipulation or those who have access to skilled hackers. For instance, vote suppression can be facilitated by manipulating the device’s reference threshold. By adjusting this threshold, perpetrators can influence the False Acceptance Rate (FAR) or False Rejection Rate (FRR) of the device.
The reference threshold is a critical factor in the biometric verification process and plays a significant role in determining a device’s effectiveness. This threshold is also a key consideration in the bidding process for such devices, but it presents a potential attack vector for cybercriminals. A high FRR leads to prolonged verification processes, resulting in voter frustration and potentially causing voters to leave polling stations without casting their votes due to long queues and slow processing times. Conversely, manipulating the reference threshold to produce a high FAR could allow ineligible individuals to vote by reducing the number of rejections, thus enabling those who should have been rejected to cast votes.
To mitigate these risks, the threshold should be configured to balance security and convenience. An optimally balanced FAR and FRR, known as the Equal Error Rate (EER), ensures that the system is both secure and user-friendly. However, if the verification function of the biometric verification device (BVD) system is disabled, it provides maximum convenience for voters but poses a significant fraud risk. While not necessarily malicious, disabling or manipulating this function undermines the security of the voting process, highlighting the need for a careful balance between ease of use and robust security measures.
Vulnerabilities and Threats
Some examples of the potential vulnerabilities and threats that need to be considered due to the integration of biometric devices into the electoral process include:
- Disgruntled or Criminal Insiders
Individuals with legitimate access to the systems, such as election officials or IT personnel, could potentially tamper with BVD verification if they have the necessary permissions and access rights. Malicious configuration of a BVD can be executed either centrally over the network or at the endpoint. Employees with administrative or system privileges can manipulate devices or cause them to malfunction. Samuel Adams and William Asante of GIMPA, in their June 2019 paper “Biometric Election Technology, Voter Experience And Turnout In Ghana,” indicate that “machine malfunction facilitated election fraud, including overvoting and ballot stuffing, especially where election observers were not present.” This was with reference to the 2012 elections. Other sources similarly associate device malfunction with higher incidences of election fraud, but readers are encouraged to verify these claims independently.Insiders can also act on behalf of external sponsors (Ghanaian or foreign). These insiders can exfiltrate data or perform actions on behalf of their sponsors. For example, they might plant malware that provides access to the EC systems, allowing the manipulation of voter data and interference with the configuration settings of devices and software. Insider attackers may not always be criminals but could be disgruntled individuals with political or personal grievances, akin to Edward Snowden and Chelsea Manning, who leaked classified US data. IT consultants on hire by the EC also fall into the category of insiders and could maliciously infect the EC’s systems on behalf of their sponsors.
2. Supply Chain Attacks
A particularly insidious type of attack is the supply chain attack, where vulnerabilities are introduced through compromised equipment and software supplied by third parties. A notable example was the SolarWinds Orion platform attack, which affected numerous US government departments and major technology companies, including Microsoft and Intel. The recent XZ Utils attack is another example of a supply chain attack. XZ Utils is a suite of software tools which includes a very popular software compression tool.
3. Denial of Service (DoS) Attacks
Criminal attackers could overwhelm the EC verification system with excessive requests, causing it to crash or become unresponsive, effectively disabling biometric verification. Attackers could also throttle internet bandwidth. These acts could engineer forced device failure, facilitating election fraud associated with machine malfunctions.
4. Power Outages and Internet Infrastructure Breakdown
The reliance on biometric devices means that power outages and internet infrastructure breakdowns, such as damage to subterranean fibre optic cables, pose significant risks to the electoral process.
5. Activities of Political Parties
Political parties might employ hackers or leverage sympathizers with the necessary skills to infiltrate the EC’s systems, steal data or deploy malware that grants remote access. This access could be used to manipulate biometric verification templates or manipulate devices in specific electoral areas. Additionally, political parties could steal voter names and contact details to launch targeted deepfake attacks. If a political party acquires the full voter register and with contact details well ahead of official publication, that political party acquires an unfair advantage. In addition, a successful attack could also be deliberately publicised by the attackers as a tactic to undermine confidence in the election process.
6. Hacktivists
Hacktivists are local or international groups who use hacking to promote political or social causes. While their actions are often driven by ideological motivations rather than personal gain, their actions are considered illegal. Hacktivists may target countries with poor human rights records or organizations engaging in unethical behaviour. One of the most well-known hacktivist groups is the Anonymous group, which conducts cyber-attacks to advance various political and social causes, often targeting government entities and corporations. Anonymous is believed to have supported political activists in Tunisia and Egypt and supported WikiLeaks in the past.
7. Nation-State Actors
West Africa, particularly the Sahel region, has experienced a series of coups in recent years, leading to significant shifts in geopolitical influence. Countries such as Mali, Burkina Faso, Niger and Guinea have seen their governments overthrown, disrupting established political dynamics and creating opportunities for imperialist powers to lose or assert their influence. This geopolitical shift appears to have benefited Russia and China, while traditional Western powers such as the US and France have seemingly lost some of their foothold in the region.
Elections in the neighbourhood of these countries are therefore of considerable interest to external actors, as they seek opportunities to shape political outcomes in favour of their strategic interests. Nation-state actors may seek to influence our elections through various means, including cyber-attacks, disinformation campaigns, and financial or political support for certain candidates or parties.
Nation-state actors can target digital grids used to manage critical infrastructure such as traffic light systems, electricity networks, banking operations, air traffic control systems, military systems, and electoral systems. These attacks aim to steal sensitive data and sabotage systems to malfunction. In the case of the Stuxnet attack in Iran, physical damage to centrifuges was also caused.
Nation-state actors pose the greatest threat to our democracy through their dominance in cyberspace. For example, cyber experts believe that no other threat-actor group could have pulled off the SolarWinds Orion, XZ Utils, or Iran Stuxnet attacks due to the substantial resources, time, and effort required for these operations. These attacks are usually executed by malware that is implanted over a prolonged period and can stay in apparent incubation over long periods sometimes lasting years. This long-term gameplay known as Advanced Persistent Threat (APT) is mostly associated with nation-state actors. Could our systems already have APTs lurking in them?
8. Global Context of Elections Cybercrime
There have been cyber-attacks against elections worldwide, highlighting the global nature of this issue. For instance, the 2016 US presidential election saw significant interference attributed to foreign actors from Russia by Western analysts. Similarly, the 2017 French presidential election experienced cyber-attacks targeting Emmanuel Macron’s campaign. The 2019 European Parliament elections were also subjected to various cyber threats, partially attributed to North Korea.
This year, cyber-attack techniques appear to have reached a new level of sophistication and are being deployed with unprecedented aggression. For example, the ongoing 2024 general elections in India have been marred by sophisticated phishing attacks and ransomware targeting election officials and critical infrastructure. During the Brazilian municipal elections in November 2020, coordinated denial-of-service attacks disrupted voter registration systems, leading to significant delays in announcing results and causing considerable confusion. The failure of some election computers in the 2023 elections in Nigeria led to allegations of forced server malfunction to aid in the fraudulent tallying of results.
Cybersecurity experts have also warned of increasing attempts to exploit vulnerabilities in online voting systems, as happened in the Estonian local elections in 2021 where attackers tried to manipulate digital voting platforms. These incidents underscore the evolving nature of cyber threats, with attackers employing more advanced techniques such as deepfake videos to spread disinformation. For example, in recent election campaigns, deepfake videos have been used to create realistic but fake speeches or statements from political candidates, aimed at misleading voters and undermining trust in the electoral process. These sophisticated cyber-attacks highlight the urgent need for robust security measures and public awareness to protect the integrity of elections and the democratic process.
The maturation of these cyber-attack techniques means that election security must now contend with not only traditional threats but also highly sophisticated, coordinated digital assaults. This calls for robust cybersecurity measures, continuous monitoring, extensive logging and above all stakeholder cooperation to safeguard the integrity of our elections.
The EC and Stakeholders
It should not be left to only the EC to ensure the integrity of our elections, nor should the EC seek to exclude key stakeholders from the security planning processes towards the 2024 elections.
The EC alone cannot defend our electoral system against cyber-attacks mounted by cyber criminals, especially nation-state actors.
So, what should we, as a nation, do to protect Ghana’s electoral system and our elections, especially in this year of heightened international interest for geopolitical reasons? This year, in 2024, it can be assumed with high confidence that the so-called world powers would seek to influence every election for geopolitical reasons.
In my view, it is a question of protecting our sovereignty. Our mindset should be as if we were facing a physical military threat or as if we were confronting a more aggressive form of COVID. However, unlike a military threat, which would automatically unite all citizens in comradely cooperation, the cyber enemy is invisible, lacks a clear name and its aims are difficult to explain.
However, the seriousness of the threat remains. Our biggest shield against this threat in my view lies in our ability and willingness to cooperate. We should defend in great depth as we ensure that all our flanks are covered. In my view, it is the EC that can act to bring about this cooperation. Involving stakeholders in the planning and implementation of election security measures is vital for ensuring the integrity, transparency, and trustworthiness of the electoral process. By leveraging the diverse expertise, perspectives, and resources of various stakeholders, the EC can develop comprehensive and effective security strategies that address the full spectrum of potential threats and vulnerabilities. This collaborative approach not only enhances the security of biometric verification devices but also strengthens the overall resilience of the election digital infrastructure, fostering public confidence and trust in our democratic processes.
Poor Cyber Hygiene
As a final point, in my view, the Electoral Commission (EC) has been compelled to disclose extensive details about the election devices and their integration into the election process when responding to public demands for accountability. Consequently, the public including security researchers of the nefarious kind has confirmed that the EC hires generators to address power outages. Listeners and viewers of any news channel in the past few weeks also now know that the EC uses USB drives for temporary data processing and server synchronisation. Additionally, we have learned that biometric verification devices (BVDs) require activation before use, necessitating an activation code. We even know that the serial number of a BVD is a required input to generate the activation code. This code can be generated elsewhere on another EC system and then applied to the device in question. Most of this information was gratuitously provided by the EC and is not harmless from a cyber security perspective. This article neither touches on the baffling issue of the auctioned BVDs, nor the amazing, forced admission by the EC that some BVD kits are missing or lost and are believed stolen.
In my view, the hygiene in the EC’s cyberspace could be better. Noticeably poor cyber hygiene within an organization is often seen as an open invitation for hackers, especially nation-state actors, to probe for vulnerabilities.
Detailed information that could be exploited by hackers should remain confidential and be shared only on a need-to-know basis to protect the security and integrity of the electoral process.
The reader may note that I am aware of the existence of IPAC, the stakeholder group.
Ensuring that critical operational details remain secure while upholding transparency and accountability is a balance that the EC must strive to achieve. This balance is essential to protect our electoral process from potential threat actors while maintaining public trust and confidence. The most efficient and sensible way to achieve this is through stakeholder cooperation and participation in the security arrangements of the electoral processes. The spectre of the nation-state actors must concern all Ghanaians, but the most efficient and effective way for nation-state actors to achieve their goals is to compromise insiders into doing their bidding. The existence of a united stakeholder group will help mitigate some exploitative possibilities for would-be nation-state actors.
So, the EC must properly engage the NPP and NDC, the only two parties with seats in parliament that have realistic chances of producing a winning presidential candidate in the 2024 elections.
Finally
The EC must acknowledge the challenging historical context in which it operates. Recognising these difficulties will be a positive first step.
The maturity of the EC will be judged, in part, on its ability to bring key stakeholders together. The nation’s elections, democracy, and perhaps its future once again depend on the EC, as they did in March 1978 when the UNIGOV referendum was held. On that occasion, in the opinion of most Ghanaians, the EC despite all the odds, rose to the challenge and acted impartially in the interest of Ghana and showed no bias towards any of the two sides in that contest.