Two simultaneous happenings on the elections day are telling.
First, in the deep of the night of August 8, hours after polling, IEBC started beaming “live” the presidential results. Unexpectedly, they were not accompanied by the statutory results forms. But that’s hardly all; the results showed a certain pattern that defied the uneven nature of Kenyan voters – they exhibited a consistent gap between top two contestants, Raila Odinga and Uhuru Kenyatta.
In panic IEBC chairperson Wafula Chebukati hurriedly convened a stakeholders’ meeting at the National Tallying Centre (NTC), Nairobi, to seek answers from Safran about this development that had put the country on tenterhooks.
Sandwiched between Commissioner Roselyne Akombe on one side and Chebukati and Chiloba on the other was the official of the French company that supplied the requisite technology. The man kept gesticulating; his explanation clearly a gabble. He wasn’t giving adequate responses. And his French twang didn’t make things better.
The devices were programmed to release text and pictorial results side by side, the Safran man told the emergency meeting. However, the Results Transmission System (RTS) had collapsed; it wasn’t working. Thus, the NTC couldn’t get the sum total presidential vote.
Agents of Candidate Raila were livid. Chebukati sat pensively. Once in a while Chiloba would put on a wry smile. “Can you configure the (KIEMS kit) in such a way that only those results where there’s text and form (can be accessed and downloaded at once) … If we agree on that then we can make progress,” Chebukati mumbled.
“Currently it’s not the way the system is designed. As you know … the law prevents returning officers to correct anything, so no one is touching anything,” the official responded. It would take weeks to reconfigure the devices, he offered.
An IEBC IT official attempted to clarify Safran’s predicament but his response was stuttering, inarticulate: “In terms of managing public anxiety, the text results need to come out, and we are making that provision that if for any one reason that we are not able to transmit both (text and forms) then the (lighter one) which is text should be able to hit the screen but the Form 34A is still available.”
The room wasn’t convinced. “To cut you short; has the instructions been given for it to go only that it cannot because of (lack of requisite 3G and 4G network) coverage, “ a fellow in the room questioned. The IEBC staffer is at pains to respond.
Someone in the meeting wanted to know whether a polling station could transmit multiple results. “One polling station can only send (results) once; there’s s no way we can get more than one result from a polling station,” the Safran official answered.
“(What is on the screen) is a display of what are perceived to be results which cannot be verified … Assuming the verification takes place and what you have displayed is not what you verify, and already is out there in the public domain; that is more dangerous. You’d rather only expose to the public (the) process the Commission can stand and defend. Assuming that you come out and say ‘those results we displayed had a problem, let’s recall them and display these new ones’, that will be creating a state of disorganization,” an Opposition agent cautioned.
After some consultations, IEBC trashed the “live” streaming.
Second, kilometres away from the NTC, Apprielle Oichoe, a doctoral student in cyber security, keenly observed and followed up on the “live” results. She noted the constant gap between the figures for Raila and those of Uhuru. This wasn’t possible in situation where voters were asymmetrical.
The figures appeared deceptive, defying the six main principles against which the electoral systems and database ought to be tested: confidentiality; integrity; availability; authenticity; privacy; non-repudiation. In a nutshell, the results were meant to be accurate, secure from alteration, and available when required by those authorized to use them, or as demanded by the law.
But importantly, an audit trail must be maintained on activities related to the information. This is what is called the non-repudiation principle, which presupposes that if someone or anything has access to or modifies the information or database or system, it should have a footprint and a log should be maintained in order to trace back to source and actions, according to Oichoe.
She saw IEBC stonewall to Opposition demands to access to the server.
The RTS must have been compromised, she concluded. And “the failure is due to the fact that (IEBC) was either unable to have control of its system or that it ceded this authority to some other authority.” This is what she later told the Supreme Court in her affidavit supporting Raila’s petition against Uhuru’s win.
According to our investigations, indeed IEBC ceded its authority to a third party. The electoral agency wasn’t in control of the transmission of results. That’s why, a year after the elections, the Commission’s ICT Department is yet to provide the requisite report on its performance during the August General Election and the consequent Fresh Presidential Election (FPE). In fact, its own internal audit has faulted this failure to explain the implementation of technology.
According to IEBC insiders, this delay or noncompliance is hardly because of oversight. “They (ICT Department) wasn’t in control of the RTS. Safran was,” says a top official at Nairobi’s Anniversary Towers, IEBC Headquarters. “There was a parallel team behind the scene.”
The entire transmission was managed by (Safran) with very minimal involvement from IEBC staff. “The reason given was that Safran needed to safeguard the process. So, who generated the figures?
According to investigations, the Fifth Column jointly with a third party intercepted results and altered or replaced them in a process the Commission insiders call “quality control process”. The saboteurs allowed a parallel RTS to circumvent the official KIEMS by dismembering all anti-rigging setup, and isolating centres of theft – areas they claimed to be out of 3G and 4G network reach.
With about 11,000 polling stations out of statutory RTS, the cabal had over seven million votes – a third of total registered voters – to manipulate in favour of one of the presidential candidates.
Litany of errors
Almost all anti-rigging measures put in place were disregarded or made to fail completely. The RTS collapsed. Text and scanned copies of results were transmitted differently. Polling stations sent in results that showed votes exceeding the number of registered voters. Unauthorised parties transmitted results to the NTC.
And there was this riddle of unexplained multiple forms. In some cases (such as Jomvu and Kibwezi constituencies) the F34B forms were uploaded by multiple ROs.
In fact, Chebukati, in a memo to Chiloba dated September 18, 2017, conceded to irregularities that marred the elections. “A significant number of polling stations” sent text results without image of results form (10,366 (4,636,556 voters) of the 40,883). Some 595 polling stations “failed and/or otherwise refused to send any results for the presidential election” while 682 polling stations had an equal number of rejected votes vis-à-vis the number of registered voters.
A key source within the IEBC says POs did their work very well. “The problem arose between the polling station and the NTC. In compliance with the Maina Kiai court decision, the polling stations were supposedly connected directly to the NTC server.” (Lawyer Maina Kiai and Khelife Khalifa successfully petitioned the constitutional court to declare as final the presidential results at polling stations. The public branded it the Maina Kiai decision).
“When people talk about figures from polling stations being different from the ones announced at the NTC, we need to understand that before the data from the polling stations could be beamed on the TV screens, it had to go through a quality control process,” says an IEBC insider. “This opened the way for the results to be adulterated further”.
Red flags
The electoral theft wasn’t surprising after all. Five happenings prior to August 8 elections should have, ideally, been considered red-flags.
One, IEBC stonewalled to KPMG request for a penetration testing on the register of voters to establish its level of vulnerability to unauthorized access. Two, a computer analyst, Obar Mark Asuelaa published an article in which he detailed the risks fraught in transmitting electoral results electronically.
Three, Chebukati blew the lid off possible manipulation of the KIEMS. Four, former ICT manager Msando spoke of an “already” infringement on the electoral process. Five, four companies IEBC contracted to supply the crucial data centres and related security arrangement, and server infrastructure failed to comply.
As noted in the section on Procurement, the scope of the KPMG contract of auditing the voters’ register was limited to weeding out dead voters. But the audit company was concerned about the credibility of the register. It sought IEBC to give it more latitude.
“The IEBC indicated that it would reconsider its decision and communicate to us accordingly. At the time of preparing this report, the authorisation for these tests had not been provided.
Should these penetration tests be authorised by the Commission, the work will be carried out after the submission of this report and a supplemental report issued to the Commission”
The Commission said it didn’t require the KPMG offer because it planned to acquire a new ICT infrastructure for purposes of the elections. It also noted that the law required that the system to be used in the elections be tested and certified at least 60 days before the elections.
Tellingly though, IEBC later went ahead and contracted another vendor to do the same task. Inexplicably, the vendor didn’t comply as per contract.
Apart from stonewalling to the security audit, IEBC was even hesitant to fix the faulty voter register. In fact, the supposed audit was a mere public relations exercise to appease the Opposition, for there wasn’t any follow up on the recommendations– it wasn’t cleaned up.
“When KPMG published its report, a whole chapter on Database controls and infrastructure security was redacted. No reason has been offered why IEBC saw it fit to hide sections of a report paid for by taxpayers,” says Mulle Musau, the coordinator of Election Observers Group, Elog.
In his article three months to the August election, Asuelaa warned that a technological tool like a High Dimensional Analytics (HDA) was capable of running a designated database that reflects that of IEBC – in terms of number of registered voters per polling station. “When properly ascribed as a computer worming algorithmic calculation pattern, under Round Robbing Algorithm, HDA can systematically replace results from specific polling centres or regions with predetermined results.”
According to him, all this “can be done on the preponderant network infrastructure. What is more, electronic electoral malpractices can be done on the Register of Voters, Database and Results Transmission System”. He asked IEBC to state how it was to guard against such technological malpractices that could be conducted away from its jurisdiction.
A month following this article, Chebukati, without the knowledge of fellow commissioners, ordered a covert evaluation of KIEMS inherent security – whether the RTS was as fool-proof as its supplier, Safran, had claimed.
The secret evaluation followed the suspension in May 2017 of James Muhati, the IT director accused of allegedly sabotaging the electoral process. In fact, Muhati left without hand-over of assignments or projects he was undertaking. This forced Chebukati to on May 30, 2017 to direct Chiloba to facilitate the handover to Msando “so as not to compromise the operations of the organization”.
Muhati was lethargic, according to an IEBC insider. He would give presentations to commissioners at the plenary and none would understand what he was talking about. “His presentations were so muddled in a way so as not to afford commissioners an opportunity to ask questions or make input.” So, when Msando was appointed in acting capacity commissioners eventually started following and asking questions about the technology that was to be used.
Upon his return, the commissioners expressed their reservations. “But then individual commissioners started receiving threats, some through telephone texts to take him back. Who was calling/texting? It was (a top Jubilee politician and his spouse). They sent abusive texts to commissioners.”
Chebukati’s audit revealed that, once reset to factory mode, the devices could be accessed by unauthorized parties. In recovery mode, the device could be configured to use multiple QR codes to transmit data. “This means that one kit can transmit results on behalf of another polling station,” he told Safran, warning that the inherent weakness could “cause the kits to fail on elections day”.
He demanded “concrete suggestions on how to alleviate and/or eliminate the concerns”.
Safran didn’t specifically address the concern but rather asked Chebukati to state the source of the kits used in the investigation, the environment the testing happened, the people involved, and the procedure. The chairman refused to respond and hinted at the possibility of placing the matter before the Plenary.
Non-Compliance
As noted in the previous article, four companies failed to supply the crucial data recovery infrastructure. The Commission would later accept Safran’s offer to have Japan’s Nippon Telegraph and Telephone Corporation (NTT) to provide back-up infrastructure (cloud services).
The vendors didn’t comply, and Kenya walked into elections without a recovery server and data centre. “I think some suppliers were part of the strategy to steal the vote. They were out to sabotage the exercise by failing to deliver and by causing confusion at the last hour,” says an IEBC source.
The Commission awarded the contracts despite warning by the Communication Authority of Kenya that such crucial data shouldn’t be placed in private hands.
IEBC staff conspired with a cabal that wedged itself in the RTS, intercepted results, manipulated them in favour of the Jubilee candidate, and forwarded them to the NTC for declaration. Those mentioned as part of this nefarious cabal include ICT staff of two telcos and two Israeli agents. Seven IT companies directly or indirectly aided the fraud.
According to IEBC key insiders, these individuals worked closely with the Fifth Column within IEBC, a Cabinet Secretary and a relative of a top Jubilee leader.
“A question is asked, since it is not in doubt that there was hacking, who then did it? The simple answer is that the people who won (the presidential vote) had an upper hand in intercepting results, of course with the help of some Commission’s top officials,” according to a key IEBC insider. “Externally, the hacking team was under the direction of (a CS and relative of a top Jubilee politician).
They coordinated the team that was working behind the scenes, say key sources
The electoral fraud involved three levels: Cloning KIEMS; disabling the RTS; and transmitting non-existent results. In all these, IEBC – which had four ICT managers and a director – wasn’t in control; only three people at the Secretariat knew exactly what was happening. The Chairperson was in the dark, according to insiders.
This team wedged itself between the polling station and the NTC. It worked on the figures and forwarded the resultant results to the Bomas server where the IEBC cabal would ensure the quality control process before uploading on the Commission’s portal.
According to multiple sources, the nefarious team had access to 100 KIEMs it used to transmit results from the 10,366 polling stations IEBC had declared out of 3G and 4G network coverage. Thus, the cabal had over seven million votes to work with. In addition, there were 1.2 million extra ballots whose distribution remains unexplained.
Every KIEMS device is like a database; it has the registration details of all voters in the country. “One KIEM can handle details of 19 million voters but, for the purpose of these elections, it was configured to carry just (details of) 700 voters. In fact, the entire voters’ register is in every single KIEM”, according to an IEBC insider.
Whereas the IEBC system was reportedly configured to transport only PDF and JPEG formats, other results came in as “docx” (word processing document ) and/or “xlsx” (spreadsheet ) formats, indicating that the t mechanism of ensuring only images were uploaded was dismembered.
In fact, IEBC had foreseen this months earlier. The Directorate of Audit and Compliance had considered the interference with RTS a high risk and placed it in red mode (severe risk). “Transmitted results could be intercepted midstream and altered by the service provider before onward transmission in collusion with Commission staff,” it stated in its Risk Assessment Report.
To deal with this, IEBC planned to “liaise with service providers and vendors of KIEMS to ensure that the system for RTS is fool proof”. The commissioners taxed Ezra Chiloba and Muhati with dealing with this.
Just as Obar Mark Asuelaa had forewarned, this team systematically replaced results from specific polling centres with predetermined figures. Instructively, only 277 presiding officers successfully transmitted their results out of the 40,000 plus countrywide. The rest of the results were intercepted and subjected to the “quality control process”.
In a memo to Chiloba, Chairman Chebukati claimed that the Commission’s server meant for its day-to-day operations was instead used to transmit F34Bs despite that fact that Plenary had resolved that a dedicated server be used for this.
Quality control
Two IEBC staffers were the key people in charge of the “quality control process”. They received the fraudulent results from the external parties, modified them to give some sense of legitimacy, and later uploaded the resultant figures on the IEBC portal.
The two junior ICT officers moved from regional offices to headquarters in the run up to the General Election. At their positions, they were not even supposed to have rights to access the system. They created accounts in the name of chairperson and National Returning Officer yet Plenary had agreed on a “read-only” account for Chebukati designated as presidential@iebc.o.ke and results@iebc.or.ke.
Whoever granted the duo super-right access remains unclear as passwords were the preserve of Safran. However, IEBC sources indicate that a top Secretariat official instructed the ICT department to create passwords in the name of Chebukati without the chairman’s knowledge.
“Quite patently, the ICT Director and members of staff involved in managing SFTP platform, appear to have fallen short of assisting the Commission successfully discharge this collegial and constitutionally enshrined mandate,” chairman Chebukati would later tell Chiloba.
Secure File Transfer Protocol (SFTP) platform is always very secure procedure of data transfer over a network. However, its security strength relies on the settings – although data is secure in transit across the internet, it’s very vulnerable at the final point of handoff of the receiving network.
As an analogy, water being transferred in a pipe is secure but the same can’t be said once it pours into a bucket. “It all depends on the encryption,” says a chief data administrator of a blue chip company. “In the case of the Commission’s RTS, it’s possible the data wasn’t encrypted or the encryption was weak.”
Instructively, the “corrupt” Chebukati passwords had the authority to “type”, “size” and “modify” data. The command for renaming files, RNFR (issued when an SFTP client wants to rename a file on the server), was executed 188 times by various users. His account made 9,934 transactions.
Whereas the KIEMS device was configured to block any “delete” and “modification” commands, reports indicate that there were over 8,300 delete commands on August 8 – 17, 2017, of which 7,954 were successful. There were 147 delete requests for F34Bs – which is almost half of all results countrywide.
The IEBC server was accessed from various external locations. Chebukati’s log-ins used different IP (Internet Portal) addresses, implying that his password credentials accessed the server from different locations. Implicitly, the integrity of the server was weak.
All wasn’t well at the IEBC. Its actions in the run-up to the polls pointed to sabotage. Or plain ignorance. Indeed, as noted above, weeks to elections, vendors hadn’t supplied the requisite data backup and security infrastructure. Yet, instead, IEBC preferred brinkmanship over strategy. Chiloba kept exuding confidence even when IEBC was clearly ill-prepared for the key event.
“On Tuesday, when Kenyans vote, results will be coming live from all the 40,883 polling stations and displayed concurrently at Bomas, and the other 337 tallying centres with no human intervention,” he had thundered during the testing of RTS, on August 2, 2017.
“For you that means you can choose to be at Bomas, in your office or anywhere else and still have full access to all the results from all the polling stations”. A month earlier, he had quipped: “The results will be conveyed electronically and therefore physical delivery by our (ROs) will not be there”.
Tactically, these statements were meant to be a two-pronged attack. One, to sway the eager and enthusiastic media houses from tallying the presidential results themselves, for why spend amounts and effort on tallying when results will be out there on the screens? Two, to contain an overzealous civil society, for AFRICOG and KPTJ had sought that the technology testing include simulations on what would happen if the systems failed.
IEBC’s rule of the thumb against censure is to always rush to self-defence even in cases where criticism is well-meaning. So often, the Commission took a cynical view of criticism levelled against it by the Opposition and civil society.
Nine months to the general elections, the Opposition CORD wrote to the Commission asking it to develop ICT regulations within 30 days of the Electoral Laws (Amendment) Act no.36 of 2016.
Nothing happened. Months later, on Feb 20, 2017, James Orengo wrote to complain on state of election preparedness.
But in a bullish response, IEBC blamed the Opposition for painting a “grim and pessimistic picture of the challenges facing the Commission” in relation to its ICT preparedness.
“We want to emphasize that our information technology is robust. In addition, we are also setting up a new disaster recovery centre with state of the art facilities… Our database is not connected to the database of any other agency.”
Yet, on June 29, 2017, four months after this self-praise, IEBC wrote to the Communication Authority of Kenya CA) proposing to use a private cloud to supplement its primary and secondary disaster recovery sites. CA advised the electoral agency against this, and warned that sensitive data couldn’t be put in private hands.
Recovery site
Evidence based on multiple interviews indicate that IEBC didn’t have a recovery site by August 8. And this explains why the Commission was unable to respond to the SCOK order to allow petitioners access the servers. Had (IEBC) had a disaster recovery (or secondary) server, it would have resorted to it rather than the cloud server in London.
From the outset, the RTS had been problematic. During simulation, the system kept “transmitting erroneous results”, according to an IEBC manager. “The figures were different from those it had been fed… We instructed officers to rectify the problem.”
So why did IEBC commit Sh4.19 billion of taxpayers money to acquire a system that would later be dismissed?
Unbeknown to Kenyans, it was Safran – and not IEBC – that declined to open up the server. This French company argued that opening the server to “third parties” would compromise its (server’s) security.
IEBC wasn’t privy to the arrangement between Safran and with NTT, and couldn’t force the French firm to oblige to SCOK directive.
Against this backdrop, it’s obvious that IEBC wasn’t in control of the RTS. (
This article is drawn from research
commissioned by AFRIGOG.