Protecting our elections in Cybersphere: EC alone cannot ensure the security and integrity of our elections

This article aims to emphasise that the Electoral Commission (EC) alone cannot protect our elections in 2024 due to the sophisticated and varied cyber threats we face. As cyber-attack techniques have become increasingly advanced, the geopolitical interest in West Africa has also intensified. Given the current context, world powers would understandably seek to exploit elections in former colonial countries, particularly in the West Africa subregion, to achieve their national interests.

Moreover, the intense competitive nature of our internal politics makes it difficult to unite key stakeholders especially the political parties to act from a unified front, as actions of nation-state actors may benefit one party over another. This complexity underscores that the EC alone cannot ensure the integrity of the elections. Therefore, the EC should not appear to be dismissive when key stakeholders, particularly parliament, political parties, or CSOs, raise concerns about its conduct. The EC needs the buy-in of all stakeholders if we, as a nation, want to have a chance against determined nation-state actors. We also need to be able to recover quickly from a possible cyber-attack, and this can only be done calmly if there is a united stakeholder group behind the EC.

The EC should reach out to key stakeholders particularly the dominant political parties, the NCCE, the Council of State, the Forces, relevant Ghanaian CSOs, Ghanaian Private Security Firms, Parliament, Ghanaian security researchers and others to solicit their assistance and cooperation. The EC should set up an Elections RISK Management Task Force incorporating the stakeholders with the single purpose of protecting our elections against nation-state actors in 2024. This is the year when cyber-attack techniques reach a sophisticated level never seen before and geopolitical competition for influence is at the most aggressive and dangerous. At the same time, our politics has never been as partisan. A comprehensive Risk Register should be developed and published even if with some redactions. In my view, our electoral system appears to be vulnerable to cyber-attacks as are many other systems worldwide.

BVDs and the Reference Threshold issue

The introduction of biometric devices into Ghana's electoral framework in 2012 was a response to numerous challenges that had plagued the electoral process in previous elections. Before their introduction, allegations of voter register inflation, double voting, vote suppression, procedural opacity, and ballot stuffing seriously undermined the integrity of our elections.

The integration of biometric devices aimed to address these concerns, ushering in an era of enhanced scrutiny and technological advancement in Ghana's electoral processes. Despite this significant milestone effort, the efficacy of the biometric system in resolving these perennial issues has been mixed.

Notably, before 2012, to my knowledge, the Supreme Court had not been involved in settling election petitions. However, since the adoption of biometric technology, two out of the three elections (2012 and 2020) have required Supreme Court intervention, highlighting ongoing challenges within the electoral process.

While it's crucial not to solely attribute dissatisfaction with election outcomes to biometric devices, their implementation hasn't entirely mitigated pre-existing grievances. Moreover, as computer devices, these biometric devices natively inherit vulnerabilities common to all computing devices. Contextual factors surrounding their usage also introduce additional vulnerabilities, necessitating a comprehensive evaluation of their efficacy and security in Ghana's electoral framework.

The introduction of biometric devices has opened new avenues for exploitation by various criminals, especially those who are adept in digital manipulation or those who have access to skilled hackers. For instance, vote suppression can be facilitated by manipulating the device's reference threshold. By adjusting this threshold, perpetrators can influence the False Acceptance Rate (FAR) or False Rejection Rate (FRR) of the device.

The reference threshold is a critical factor in the biometric verification process and plays a significant role in determining a device's effectiveness. This threshold is also a key consideration in the bidding process for such devices, but it presents a potential attack vector for cybercriminals. A high FRR leads to prolonged verification processes, resulting in voter frustration and potentially causing voters to leave polling stations without casting their votes due to long queues and slow processing times. Conversely, manipulating the reference threshold to produce a high FAR could allow ineligible individuals to vote by reducing the number of rejections, thus enabling those who should have been rejected to cast votes.

To mitigate these risks, the threshold should be configured to balance security and convenience. An optimally balanced FAR and FRR, known as the Equal Error Rate (EER), ensures that the system is both secure and user-friendly. However, if the verification function of the biometric verification device (BVD) system is disabled, it provides maximum convenience for voters but poses a significant fraud risk. While not necessarily malicious, disabling or manipulating this function undermines the security of the voting process, highlighting the need for a careful balance between ease of use and robust security measures.

Vulnerabilities and Threats

Some examples of the potential vulnerabilities and threats that need to be considered due to the integration of biometric devices into the electoral process include:

Disgruntled or Criminal Insiders
 Individuals with legitimate access to the systems, such as election officials or IT personnel, could potentially tamper with BVD verification if they have the necessary permissions and access rights. Malicious configuration of a BVD can be executed either centrally over the network or at the endpoint. Employees with administrative or system privileges can manipulate devices or cause them to malfunction. Samuel Adams and William Asante of GIMPA, in their June 2019 paper "Biometric Election Technology, Voter Experience And Turnout In Ghana," indicate that “machine malfunction facilitated election fraud, including overvoting and ballot stuffing, especially where election observers were not present.” This was with reference to the 2012 elections. Other sources similarly associate device malfunction with higher incidences of election fraud, but readers are encouraged to verify these claims independently.

Insiders can also act on behalf of external sponsors (Ghanaian or foreign). These insiders can exfiltrate data or perform actions on behalf of their sponsors. For example, they might plant malware that provides access to the EC systems, allowing the manipulation of voter data and interference with the configuration settings of devices and software. Insider attackers may not always be criminals but could be disgruntled individuals with political or personal grievances, akin to Edward Snowden and Chelsea Manning, who leaked classified US data.  IT consultants on hire by the EC also fall into the category of insiders and could maliciously infect the EC’s systems on behalf of their sponsors.