IEBC: How We Ensured Our System Was Hack-Proof

  • Independent Electoral and Boundaries Commission (IEBC) Chairperson Wafula Chebukati addressing the media at Bomas of Kenya
  • The Independent Electoral and Boundaries Commission (IEBC) has given a detailed breakdown of measures it put in place to ensure that its systems were secured from penetration by unauthorized persons.

    In responses it submitted to the Supreme Court on Saturday, August 27, the IEBC, through its lawyers, maintained that its systems were hack-proof and that it had put in place seven tiers to prevent any infiltration.

    The Commission noted that each of the KIEMS kits used to transmit information within the system had unique metadata that could be used to trace the data back to its original source.

    All the data would be filtered through installed software that would reject data if it did not match the code associated with its source. For instance, if it established that a Form 34A bearing results from Kilifi was sent from a kit in Pokot, the data would be rejected.

    IEBC Chairman Wafula Chebukati releasing the presidential election results at Bomas of Kenya on August 15, 2022

    "The entire network spectrum was secured with a twin - external and internal - high-level perimeter firewalls which filtered all the information and only defined and authorized transmission was permitted through these filters," read the IEBC response in part.

    In addition, the transmission was done in clusters through a secured Virtual Private Network (VPN). The system also put in measures to allow controlled access, with the Commission noting that no single user would make final changes without the knowledge of others.

    "The permitted users had distinct but interdependent roles at all levels. No single person could perform an end to end operation in the system," read the responses.

    While the IEBC noted that it sought network services from service providers, safeguards were put in place to ward off any unauthorized access, even from the contracted companies.

    These included limiting the transmission format to Hypertext Transfer Protocol (HTTP) packets encrypted with Secure Sockets Layer (SSL) technology. Any transmission from any SIM card not registered with the IEBC was easily flagged and rejected.

    The SIM cards used were configured to secured Access Point Names (APNs), used static Internet Protocol (IP) addresses that could not be duplicated, and each had a unique International Mobile Subscriber Identity (IMSI). Furthermore, their voice call and text messaging functions were disabled.

    Operators generated and provided Call Data Records (CDRs), which contained the serial number of each SIM card, its call number, its static IP address and the internet volume generated by it.

    "As demonstrated in the affidavit by Michael Ouma, the CDRs show no stoppage in transmission of data or intrusion by any strange unidentified number," IEBC explained.

    The Commission's ICT Department also put in a third security layer which comprised several firewalls that not only filtered incoming and outgoing data but also sounded an alarm over irregular access.

    "The firewalls had an inbuilt report back and alert mechanism in case of any attempted access or unusual activity in the system and were continuously being monitored for such," the Commission noted.

    The IEBC's response was filed by five law firms including Mohammed Muigai LLP, G&A Advocates LLP, Iseme Kamau & Maema Advocates, Murugu Rigoro & Co. Advocates, and Garane & Somane Advocates.

    Former Attorney-General Prof. Githu Muigai when he appeared before the Senate Ad-Hoc Committee on the Medical Equipment Services at Parliament on Friday, February 21, 2020.