The voter register audit has indicated serious problems in database controls and infrastructure security. But looking at what was published by the Kenyan electoral body, the Independent Electoral and Boundaries Commission (IEBC), the respective chapter and the whole annex of the report have been left out. The executive summary, however, lists serious issues that, at least in April 2017 at the time of the audit, were endangering the integrity and operations of the voters register.
In the executive summary the audit firm points out:
- The IEBC did not authorize a penetration test of the database (a test where KPMG would try to hack the database). So the audit firm could not verify the probability that hackers may be able to access the database.
- The passwords of the two administrators were not changed as a routine. “The result of which is weak access controls over the security and confidentiality of the Register of Voters database,” KPMG wrote.
- The two administrators did not review each other’s actions. As a result, changes made to the register by either of them at the database level “could go undetected.”
- The database access was susceptible to “Denial of Service Attacks” through which malicious attackers could block the availability of the database at the time of the attack.
- The IEBC had neither a business continuity plan nor a disaster recovery plan in the case of disasters which could hamper the integrity or operations of the voters register. This “could represent significant risk to the preparation for or during the elections in August 2017.”
- Backups were made onto tapes at the head office and were not held in separate places. There was no additional “redundant” backup, which put any data recovery that might become necessary at risk.
- The data centre was not protected with critical environmental controls. One of the three batteries for the UPS power supply was faulty and the air conditioning did not work, thereby hampering the operations of the servers. The fire alarm was not working and had not been serviced for 18 months.
An attempt to conceal that the chapter was hidden
In the published table of contents of the voters register audit report, the IT chapter is listed as chapter 7, running from page 141 to 163. In the online publication, however, IEBC has published the chapters separately and has renamed chapter 8 as chapter 7, thereby making it less obvious that the IT chapter is missing.
Also, the annex to the report has not been published.
On July 6, IEBC Secretary Ezra Chiloba had promised in a press briefing that the full report would “eventually” be published online. The 11-page IEBC press release had not mentioned the substance of the KPMG demands regarding database controls and infrastructure security.