IEBC Tallying System Attacked Twice On Poll Day, Auditors Say
The Sh9.6 billion electronic voting and results transmission system could have been attacked at least twice before it finally crashed at 8pm on March 4.
Several lawyers of companies and individuals involved in the supply, installation and implementation phases exposed the system to interference, leaving the Independent Electoral and Boundaries Commission ( IEBC) helpless on where to start.
But it is the fact that IEBC had not had a single successful test involving all the election officials before the poll day. Investigation by The Standard also shows that despite trials failing, IEBC continued putting on a brave face, admitting failure deep into the election when it was already too late to be fixed.
An independent auditor of the system pointed this to the fact that the system had been broken into various components that required additional servers, which had compromised its hardware.
“Ideally, the mobile and web application is always a synchronised platform and it raises a lot of curiosity how IEBC allowed different firms to run complementary system functions, which led to further system insecurity,” the source, who ran an independent audit of the system after it crashed told The Standard.
The other component of the failed system is the maps service server. After the information was received in the database server, it was relayed to the map service server that was being run by Japak GIS for visualisation of results on the screens that were situated at Bomas of Kenya.
“I established that despite the failure of the IEBC voter tallying system at the testing stage, the institution insisted that it would still go ahead and implement the failed solution that had been developed by Japak GIS and International Foundation for Election Systems,” the source said.
The independent auditor also raised concerns on whether the overall system administrator had all passwords for the system.
“My brief was to use my developer networks and knowledge to conduct an initial system audit that would give some insight on what was going on at the back end of the IEBC system,” he added.
Jamming of the database server, which was receiving the information from the mobile handsets from the various polling centres across the country, also fanned collapse of the project. Next Technologies, the firm that had developed the transmission system for by-elections of September last year, which had been successful, had also been replaced.
The weakness of the system had been spotted more than two weeks before it happened.
On February 21, Safaricom had threatened to withdraw from transmitting the election results over its network, citing concerns on ‘website security and capacity to handle huge traffic.’ The mobile firm had also cautioned over a possible penetration of external attacks.
“We do remain concerned at the general casual nature of some of the partners and some of the institution’s senior officials,” the Safaricom’s letter handed to the media by Vice-President Kalonzo Musyoka read in part.
In a statement to clarify its role in the transmission system, Safaricom said it had two responsibilities. The first was to provide the Virtual Private Network for the conveyance of the results from polling stations previously identified as having sufficient mobile coverage to the IEBC’s constituency, county and national tallying centre infrastructure.
The second was to deliver 17,900 original manufacturer warranted handsets to the IEBC for use by polling staff for purposes of transmitting electronic results.
What further exposed the system is the fact that the technology that was used for voter registration in late 2012 was different and entirely separate from the technology used to identify voters at polling centres given that several companies were involved along the chain.
By the time it crashed, about 16,000 polling stations had reported the presidential race and above 8,000 had also reported results for county assembly representatives, senators, governors, national assembly members and women representative results.
Three different technologies were employed in the election. The first was the registration process, which was successfully done. The next phase was the poll book, also known as the Electronic Voter Identification System.
This refers to equipment used on the voting day to biometrically identify voters at polling stations. This was the beginning of trouble after some laptops failed and others lost power. There were also cases where election staff forgot passwords or were unable to log into the system.
“The tender followed through to completion and a South African firm, Face Technology, was chosen by IEBC to supply 35,000 devices for use on Election Day. The devices were allegedly manufactured in Asia (China). None of the equipment utilised in the Canadian-supplied BVR system was used on voting day,” the Embassy of France said in a statement distancing itself from the failure.
The third technology was used to transmit provisional results from the polling stations to the IEBC National Tallying Centre, involving 32,000 specially configured cell phone devices to electronically send provisional vote results from polling stations to a dedicated IEBC server. This process was called the Results Transmission System.
The project was developed in-house by IEBC with several technical areas subcontracted to local firms including Safaricom and Airtel. This is the process that crashed a few minutes after 8pm on Election Day.
Presiding officers interviewed told The Standard that their major challenge was the delay in the delivery of the phones.
“We received the mobile phones very late and most of us were interacting with them for the very first time on poll day,” a presiding officer who also doubled up as a trainer told The Standard. Some officials were also asking for passwords to be reset almost 60 hours after the election.
“It was just impossible to understand how they work while at the same time carrying out the election. But our problem was sending the results, I never managed to send any result through and the reason I was told was that the servers were not working,” a presiding officer based in Migori, who requested anonymity, said.
IEBC Director of ICT Dismas Ong’ondi had, however, insisted prior to the Election Day that the electronic result transmission system had been tested.
Mr Ong’ondi said it would cost Sh3,000 per piece to relay results for the six elective slots to three different tallying centres across the country. This translates to about Sh96 million. Despite the assurances, the last two trials of the system conducted before the March 4 General Election failed, one of which was in full view of party representatives.
However, IEBC downplayed all these issues terming them ‘minor technical challenges that would be resolved before Election Day’. This never happened.
The IEBC declined an interview on this subject on grounds that it was a matter before court even before the petition had been officially filed.
“ICT matter in court. (sic) Contempt to discuss,” Ms Tabitha Mutemi, the IEBC communications manager told The Standard in a text message declining an interview. The message was sent on Thursday, two days before CORD made true their threat to file their petition.
- The Standard
Raila won with 5.7 million votes vs. Uhuru's 4.5 million. Ok?