1.0 Background
The fundamental challenge of any Electoral Management Body (EMB) is to be able to conduct free, fair, and credible elections (INEC, 2022). Premium Times has reported that the transparency of the 2023 Nigerian elections is being questioned in the preliminary report of the European Union Election Observer Mission (EU EOM), citing a lack of transparency during important phases of the electoral process [1]. The report highlights that although the Independent National Electoral Commission (INEC) held the elections on schedule, it lacked efficient planning and transparency during critical stages of the electoral process. This decreased the stakeholders’ confidence in INEC’s independence, professionalism, and voter information efforts ahead of the elections. On election day, trust in INEC was further reduced because of delayed polling processes and information gaps related to accessing results on its Results Viewing Portal (IReV). The report also shows that the deployment and opening of polling units were delayed, and polling procedures were not always followed. Additionally, polling staff in the polling units struggled to complete result forms, which were later not posted online. Despite introducing the Bimodal Voter Accreditation System (BVAS) and the INEC Results Viewing Portal (IReV) to ensure the polls’ credibility, uploading the results using the BVAS did not work as expected, raising concerns. INEC’s expectations were that the handwritten results of voting in each polling unit would be signed by a presiding officer, digitally captured, and uploaded to the IReV, where they would be saved as a viewable PDF file and accessible via the internet from anywhere in the world, in near real time. However, in reality, the system did not function as promised when it mattered most. As of 7:14pm on election day, a check by The PUNCH showed that no result had been uploaded to the IReV portal.
In explaining why the system did not function as intended, Nigeria’s Information Minister, Lai Mohammed, stated that INEC, in a bid to preserve the integrity of the election data, withheld uploading the results after suspecting a series of cyberattacks. This statement is in sharp contrast to INEC’s assurance, a few months to the election, that “everything had been done to ensure that the BVAS is not compromised”. This assurance was reiterated a day after the election by INEC’s spokesperson, Festus Okoye, who said that the delay in uploading the presidential results was due to “technical hitches” and not because of sabotage. He concluded that the challenges experienced were not because of any intrusion, and that the IReV remains well-secured. These conflicting statements are very concerning, especially as INEC has yet to support its own statements with verifiable facts.
2.0 Aims and Objectives
The overall aim of this analysis is to provide an independent, impartial, objective, and actionable gap analysis with actionable recommendations to address the issues plaguing the INEC electoral information system(s) used for the 2023 Nigerian Presidential Elections.
This gap analysis aligns with globally accepted industry best practices for Information and Communications Technology (ICT) and Cybersecurity (i.e., the assessment of control gaps related to People, Processes, Technology, and Data Controls).
3.0 Limitations of the Study
All artifacts, analysis, and recommendations provided in this analysis are based on publicly available information and research tools, with no insider knowledge of INEC’s internal workings, workflows, and controls. No penetration testing and/or vulnerability assessment was performed. This is based on the amount of information we have been able to gather so far.
4.0 Literature Review
Elections are significant milestones in the transition from authoritarian to democratic regimes worldwide. The electoral management body supervises, administers, and manages free and fair elections to foster trust in the electoral process. This trust is crucial for improving the prospects of democratic consolidation (IDEA, 2012) [2]. In Nigeria, the Independent National Electoral Commission (INEC) is the EMB or apex body for election conduct in the country. The INEC is entrusted with the responsibility of overseeing the electioneering process while ensuring credibility. With a population of 210 million, Nigerians go to the polls every four years to choose their representatives at the local, state, and federal government levels. However, despite the commission’s efforts to keep the electoral process as transparent as possible, there have been widespread reports of electoral malpractice, sometimes aided by violence. Therefore, over the years, INEC has sought the deployment of technological innovation to improve the electoral process’ credibility and safety in Nigeria. In 2015, the commission deployed smart card readers for the conduct of the elections with one main objective: to verify the Permanent Voter Cards (PVCs) presented by voters at polling units and ensure that they are genuine, INEC-issued (not cloned) cards. Another objective was to biometrically authenticate the person who presents a PVC at the polling unit and ensure that he/she is the legitimate holder of the card. On September 13, 2021, INEC said it had applied several technological innovations to manage the country’s electoral processes. It wanted to correct the loopholes the Smart Card Readers posed. The body introduced voters’ online pre-registration as part of the Continuous Voter Registration (CVR) exercise. It also introduced the INEC Results Viewing (IReV) portal, where voters can see results in near real-time (Dubawa, 2023).
4.1 Process of Voting at the Polling Unit
- Voter Accreditation: The officials verify the identity and eligibility of voters, then accredit them to vote.
- Casting of Votes: Eligible voters cast their votes.
- BVAS Record Keeping: The Bimodal Voter Accreditation System (BVAS) records the number of people accredited to vote and the number of people that actually vote.
- Vote Counting: The votes are counted by polling officials, and recorded on a party basis.
- Results Verification: The officials cross-check the paper records with the electronic records on the BVAS to ensure they tally and are accurate.
- Party Agent Confirmation: The party agents are called upon to confirm and sign the results, affirming their agreement with the recorded numbers and outcomes.
- Results Transmission: The officials take a photograph of the results and electronically send them to the central server for collation.
- Results Distribution: The officials give a duplicate copy to each agent and the security personnel in attendance, keep one for themselves, and take the original to the collation officer.
- Collation Officer Verification: The collation officer checks the BVAS records and compares them with the paper records to ensure consistency and accuracy.
- Results Collation: The Collation Officer, after confirming that the figures are the same as what is on BVAS, will record and compute results from different units under him/her.
- Party Agent Confirmation: The party agents are called upon again to confirm and sign the collated results, affirming their agreement with the final outcomes.
- Results Upload: After taking a photograph of the results, the polling officials upload the results to the INEC server.
- Result Distribution and Presentation: The polling officials give copies of the results to security personnel and party agents, then present the results to the Local Government (LG) collation officer, etc.
5.0 Methodology
To achieve the objectives of this analysis, a gap analysis approach was employed. The gap analysis involves comparing the current state of INEC’s electoral system against best practices, identifying gaps/deficiencies, and recommending solutions to address these gaps. The approach considers four key areas: People, Processes, Technology, and Data Controls. The information used for this analysis was collected from publicly available sources, including reports from INEC, EU EOM, news articles, and research papers. This information was analyzed using a qualitative research approach, with the necessary information organized, categorized, and interpreted to identify gaps and deficiencies in INEC’s electoral system.
6.0 Results and Analysis
After careful analysis and the review of the literature above, we found the following gaps in the process.
Top 10 gaps identified during the February 25th General Elections
- Over-hyped technology and security capability: This is because of insufficient understanding or knowledge of technology and security capabilities among the people responsible for implementing and managing the system. There is a lack of proper assessment and testing of the technology and security capabilities to ensure they meet the required standards.
- Suboptimal UI/UX Design and Implementation: This gap is because of a lack of expertise in user experience design and implementation among the people responsible for the design and development of the system. There is a lack of proper user research, design, and testing processes to ensure that the UI/UX design meets the needs and expectations of users. There is also a lack of consideration for user data and feedback in the design and implementation process.
- Ineffective Supplier Risk Management: From our perspective, we suspect there was a lack of proper risk assessment, monitoring, and management processes in place to manage supplier risks.
- Ineffective Resilience: From our perspective, it appeared as though the resilience measures, such as availability zones and auto-scaling that were put in place to keep the system running in the event of unexpected failures or high demand, were not effectively implemented. This may have resulted in downtime or slow performance during the election, leading to voter frustration and potentially impacting the election’s integrity.
- Inadequate Data Integrity Checks: Ensuring data integrity is crucial to maintaining the election results’ credibility. Data was not adequately checked for accuracy and completeness, leading to errors or fraudulent activity that went undetected, compromising the election result.
- Ineffective Personnel Training: The personnel responsible for the INEC electoral system’s implementation and maintenance require proper training to ensure efficient and effective system operation. However, the current training approach is ineffective, leading to skill gaps and potential system failures.
- Inadequate Password Management: Going by our discovery, INEC personnel had access to multiple systems/applications, and may have been using the same or different sets of authentication credentials to access those systems. There was no evidence that a centralized password management application was in use. This may have led to unauthorized privileged access to INEC’s result portal, which further brings the result’s integrity into question.
- Flawed Authentication Mechanism: Publicly available information suggests that INEC personnel required multiple credentials to access different applications. A modern, easy-to-use authentication system (such as Single Sign-on or SSO), complemented by a multi-factor authentication mechanism, would have significantly reduced the potential for unauthorized access.
- Lack of Consistency in Processes: Consistency in processes is essential to ensure that the INEC electoral system operates efficiently and effectively. However, the current system lacks consistency in processes, leading to potential operational failures and inefficiencies. Furthermore, inconsistencies in processes, such as data entry and system configuration, led to errors and vulnerabilities. This resulted in missing or incorrect data.
- Inadequate Availability and Performance Monitoring of BVAS Infrastructure: The BVAS’ infrastructure availability and performance were not adequately monitored, resulting in issues such as downtime or slow performance that were not detected in a timely manner, potentially impacting the election’s integrity.
Top 10 gaps broken down by People, Processes, Technology, and Data:
No. | Gaps | People | Processes | Technology | Data |
---|---|---|---|---|---|
1. | Over-hyped technology and security capability | X | X | ||
2. | Suboptimal UI/UX Design and Implementation | X | X | X | X |
3. | Ineffective Supplier Risk Management | X | X | X | X |
4. | Ineffective Resilience (e.g., Availability Zones, Auto scaling) | X | X | ||
5. | Inadequate Data Integrity Checks | X | X | X | X |
6. | Ineffective Personnel Training | X | X | ||
7. | Inadequate Password Management leading to Authentication issues | X | X | X | |
8. | Lack of SSO and MFA | X | |||
9. | Lack of Consistency in Processes | X | X | ||
10. | Inadequate Availability and Performance Monitoring of BVAS Infrastructure | X | X | X |
People
Accountability, Transparency, Competency, and Screening
Potential Gap:
- There exists a considerable gap because of the absence of accountability among INEC officials and ad-hoc staff entrusted with the electoral process. These individuals responsible for managing the electoral system are not being held responsible for their actions or lack thereof. A robust system of accountability has not been put in place to ensure that individuals are accountable for their decisions and actions.
- INEC lacked efficient planning and transparency during critical stages of the electoral process, which decreased the stakeholders’ confidence in INEC’s independence and professionalism.
- In terms of competency, it was observed that there was a lack of proper training for personnel responsible for the INEC electoral system’s implementation and maintenance. The current training approach was found to be ineffective, leading to skill gaps and potential system failures.
Actionable recommendation:
- INEC should invest in regular training programs to improve the skills and knowledge of personnel responsible for the electoral process. It is suggested that training should not only be held before the next elections, but there should also be a mandatory and ongoing process for both INEC officials and prospective ad-hoc staff.
- To prevent any instances of electoral malpractice, INEC should conduct thorough background checks on all individuals involved in the electoral process. This includes polling unit staff, security personnel, and INEC officials to ensure that they do not have any history of such malpractices.
- A proper system of accountability needs to be established to ensure that people take responsibility for their actions and decisions. INEC should create an independent body that investigates and holds officials accountable for electoral malpractices.
Processes
Automation, Communications, and Crisis Management
Potential Gap:
- One possible gap in INEC’s automation process is the current system’s limited capacity to manage the increased workload and lack of scalability to support future growth. As a result, system failures, processing delays, and data loss have occurred.
- Another area of a potential gap in INEC’s communication processes is the absence of a well-defined and standardized communication plan for both internal and external stakeholders. This has resulted in confusion, information misinterpretation, and delayed decision-making. Moreover, the lack of adequate communication channels and tools, such as collaboration software, has hindered effective communication and coordination among team members.
- There is a lack of a comprehensive and tested crisis management plan. Without a clear plan in place, there is confusion and delays in responding to the crisis, which has exacerbated the situation. Additionally, there is a lack of training or experience in dealing with crisis situations, which has led to ineffective responses.
Actionable recommendation:
- To address the gap in automation, INEC may consider upgrading its system to a more scalable platform and integrating it with other systems to ensure consistency and accuracy of data.
- To address the gap in communication processes, INEC needs to develop a clear and standardized communication plan and invest in collaboration tools to facilitate effective communication and coordination.
- To address the gap in crisis management, INEC may develop a comprehensive crisis management plan, conduct regular training exercises to test the plan, and ensure that key personnel are trained and experienced in crisis response.
Technology
Design, Architecture, Implementation – Security, UI/UX, Resiliency
Publicly and readily available information gleaned from DNSDumpster indicates that INEC’s electoral system is hosted in the public cloud on servers located in the UK and US, owned by major cloud service providers – Amazon Web Services (AWS) and Google Cloud Platform (GCP).
Potential Gap:
- INEC failed to proactively leverage the high availability, redundancy, elasticity, and resiliency that these cloud service providers offer, as suggested by the “scaling” issue that it publicly admitted to.
- For a platform intended to provide information to aid election transparency, the INEC’s IReV portal is poorly designed, without end-user experience in mind. Navigating individual polling unit (PU) results for validating what is being reported publicly is a pain. For instance, below is the journey of a registered (and logged-in) user who’s trying to view the result of the first PU in Abia state:
Visit inecnigeria.org > election results > presidential election > presidential election – 2023-02-25 – presidential > Abia > Aba north (LGA: 01) > Eziama (Ward: 01) > Eziama High Sch. XI [PU Code: 0101/01/049]
Now, considering that there are 12 wards and 503 polling units in the Aba North LGA of Abia state, it will take at least 1,509 clicks for any user to view all the results of this local government. Note that there are 774 local governments in Nigeria.
The above issue can be summarized as follows:
- The overall user journey is very painful. Therefore, the primary goal of providing information to aid election transparency is at risk of being defeated.
- A statement of the poll’s result from each polling unit is handwritten by the presiding officer. It means that end users have to deal with over 176,500 different writing styles. The purpose of transparency will be defeated where handwriting is not legible.
- It appears that presiding officers merely used their devices to take a picture of the statement of result and upload it to the back end. Besides the fact that this is prone to human error, the uploaded material’s quality will be determined, to a great extent, by the quality of the phone’s camera and the presiding officer’s ability to capture a clear image using a mobile phone. Below is an example of a poorly captured result.
- To navigate from one result sheet to another, the user has to hit the browser back button, then click on “view result” again. The extra step of hitting the browser back button can be eliminated by placing a “Next” button at the bottom of the page.
Actionable recommendation:
- The IReV portal can be re-designed with the end user in mind. The user journey and unnecessary clicks can be significantly shortened by presenting every key element of the portal on a single page, from where users can easily drill down to the Polling Unit level. Here is an example:
- Map of Nigeria showing all states > user clicks on the state of interest > map of state comes up showing all LGAs > On the same page, clicking on an LGA should present its wards and PUs in a tabular fashion.
- Poll Results should be typed, reviewed, and digitally signed by all parties involved (using a tool like DocuSign or PandaDoc) before being uploaded to the server. This will significantly limit human error whilst enhancing the end user’s experience.
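One way to implement the typed, multi-party-signed result sheet recommended above, together with the BVAS cross-check described in section 4.1. This is an added example, not INEC's code: the record fields, signer names, keys, and figures are hypothetical, and HMAC-SHA256 from the standard library stands in for the real digital signatures a production system would use.

```python
import hashlib
import hmac
import json


def canonical_bytes(result: dict) -> bytes:
    """Serialize deterministically so every signer hashes identical bytes."""
    return json.dumps(result, sort_keys=True, separators=(",", ":")).encode("utf-8")


def consistency_errors(result: dict) -> list:
    """Cross-check the typed sheet against itself and the BVAS accreditation count."""
    votes = result["party_votes"]
    if any(not isinstance(v, int) or v < 0 for v in votes.values()):
        return ["party votes must be non-negative integers"]
    errors = []
    if sum(votes.values()) != result["valid_votes"]:
        errors.append("party votes do not sum to valid_votes")
    if result["valid_votes"] + result["rejected_votes"] != result["total_cast"]:
        errors.append("valid + rejected does not equal total_cast")
    if result["total_cast"] > result["bvas_accredited"]:
        errors.append("total_cast exceeds BVAS accredited voters")
    return errors


def sign(result: dict, signer_key: bytes) -> str:
    """Stand-in signature: HMAC over the canonical form of the sheet."""
    return hmac.new(signer_key, canonical_bytes(result), hashlib.sha256).hexdigest()


def verify_sheet(result: dict, signatures: dict, keys: dict) -> list:
    """Return the reasons to reject an upload; an empty list means accept."""
    problems = consistency_errors(result)
    for signer, key in keys.items():
        sig = signatures.get(signer)
        if sig is None:
            problems.append(f"missing signature: {signer}")
        elif not hmac.compare_digest(sig, sign(result, key)):
            problems.append(f"bad signature: {signer}")
    return problems


# Constructed sample data: hypothetical polling unit, parties, keys and figures.
KEYS = {
    "presiding_officer": b"constructed-key-po",
    "agent_party_a": b"constructed-key-a",
    "agent_party_b": b"constructed-key-b",
}
SHEET = {
    "pu_code": "PU-EXAMPLE-001",
    "bvas_accredited": 312,
    "total_cast": 305,
    "rejected_votes": 5,
    "valid_votes": 300,
    "party_votes": {"PARTY_A": 170, "PARTY_B": 130},
}
SIGNATURES = {name: sign(SHEET, key) for name, key in KEYS.items()}

if __name__ == "__main__":
    print("original:", verify_sheet(SHEET, SIGNATURES, KEYS))
    # Swapping two party totals keeps every sum intact; only the signatures catch it.
    swapped = dict(SHEET, party_votes={"PARTY_A": 130, "PARTY_B": 170})
    print("swapped: ", verify_sheet(swapped, SIGNATURES, KEYS))
```

The swapped sheet passes every arithmetic check, which is why the totals cross-check and the signatures are both needed before an upload is accepted.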
Data
Confidentiality, Integrity, and Availability (balancing these)
Potential Gaps:
- It was noted that the web services utilize weak encryption standards for the security of traffic transmitted from the website to the end user. Transport Layer Security (TLS 1.1/1.0) is an example of the weak protocols in question. An attacker may exploit this flaw to compromise the confidentiality of information that is being transmitted to the end user.
- There is no evidence to note that the OWASP (i.e. Open Web Application Security Project) Top 10 Proactive Controls were implemented when the INEC web application was developed.
Actionable recommendation:
- Upgrade the encryption protocols and cipher suites used by the web services to stronger versions to ensure that traffic transmitted from the web services to the end user is secure. For example, INEC could upgrade from TLS 1.1/1.0 to TLS 1.3, which is currently considered to be a strong encryption protocol.
- Implement Open Web Application Security Project (OWASP) Top 10 Proactive Controls to secure the INEC web application. This would involve implementing measures such as input validation, authentication, access control, error handling and logging, secure communication, and others.
- Conduct regular security assessments and audits of the INEC web application and infrastructure to identify any vulnerabilities and ensure that they are addressed in a timely manner. This would help to ensure that the data stored on the INEC systems are secure and that the confidentiality, integrity, and availability of the data are maintained.
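A passive check for the TLS finding above, as an added example that is not part of the original analysis: it reads the version a server actually selected from a captured ServerHello record, so a monitoring job can confirm that TLS 1.0/1.1 is no longer negotiated after the upgrade. The function names and endpoint labels are hypothetical, and the sample records are constructed byte strings, not captured traffic.

```python
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {"TLS 1.0", "TLS 1.1"}
SUPPORTED_VERSIONS = 0x002B  # extension that carries the real version in TLS 1.3


def negotiated_version(record: bytes) -> str:
    """Return the protocol version selected in a raw ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len < 38 or len(hello) < hs_len:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")  # legacy_version field
    pos = 34                                     # skip version + 32-byte random
    pos += 1 + hello[pos]                        # session_id length + value
    pos += 3                                     # cipher suite + compression method
    if pos > len(hello):
        raise ValueError("truncated ServerHello")
    if pos + 2 <= len(hello):                    # extensions are optional before TLS 1.3
        end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            # TLS 1.3 keeps legacy_version at 0x0303 and puts the real one here.
            if ext_type == SUPPORTED_VERSIONS and len(data) == 2:
                version = int.from_bytes(data, "big")
            pos += 4 + ext_len
    return VERSION_NAMES.get(version, f"unknown (0x{version:04x})")


def build_server_hello(legacy: int, selected=None, cipher: bytes = b"\x00\x2f") -> bytes:
    """Construct a minimal ServerHello record for the demo (not captured traffic)."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + cipher + b"\x00"
    if selected is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(legacy, 0x0303), len(handshake)) + handshake


def audit(records: dict) -> dict:
    """Map each endpoint label to (negotiated version, is_deprecated)."""
    report = {}
    for label, record in records.items():
        version = negotiated_version(record)
        report[label] = (version, version in DEPRECATED)
    return report


# Constructed samples with hypothetical endpoint labels.
SAMPLES = {
    "legacy-endpoint": build_server_hello(0x0302),
    "tls12-endpoint": build_server_hello(0x0303),
    "upgraded-endpoint": build_server_hello(0x0303, selected=0x0304, cipher=b"\x13\x01"),
}

if __name__ == "__main__":
    for label, (version, deprecated) in audit(SAMPLES).items():
        print(f"{label}: {version}{' (deprecated)' if deprecated else ''}")
```

A check that looked only at the legacy version field would report the upgraded endpoint as TLS 1.2, because TLS 1.3 signals its version in the supported_versions extension.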
7.0 Conclusion
As with any technology system, there is always room for improvement and new iterations. The gaps identified above, while not an exhaustive list, form the basis for future research and recommendations that would lead to a robust, secure, scalable, and stress-free experience for the voters in Nigeria. The limitations of the study also leave room for further deliberation.
References
- Premium Times, (2023). #NigeriaDecides2023: INEC disappointed Nigerians – EU Observers. https://www.premiumtimesng.com/news/top-news/585208-nigeriadecides2023-inec-disappointed-nigerians-eu-observers.html
- IDEA, (2012). Electoral Management during Transition: Challenges and Opportunities https://www.idea.int/sites/default/files/publications/electoral-management-during-transition.pdf
- Dubawa, (2023). Electronic transmission of results. https://dubawa.org/electronic-transmission-of-result-the-proposed-process-vs-reality-with-irev/
- INEC News, (2021). Deployment Of Bimodal Voter Accreditation System Satisfactory, Says INEC Chairman. https://inecnews.com/deployment-of-bimodal-voter-accreditation-system-satisfactory-says-inec-chairman/
- Techun Code, (2021). INEC’s BVAS Voting Technology: The Loopholes. https://techuncode.com/bvas-voting-technology-the-loopholes/
Contributors
- Taiye Lambo – https://www.linkedin.com/in/taiyelambo
- Mobolaji Moyosore – https://www.linkedin.com/in/mobolajimoyosore
- Ololade Otayemi – https://www.linkedin.com/in/ololade-otayemi-b59b67b0
- Chibueze Alutu – https://www.linkedin.com/in/chibuezealutu
- James Oche – http://linkedin.com/in/james-oche-33112a
- Michael Oriade – https://www.linkedin.com/in/michael-a-oriade
- Dr. Isi Idemudia – https://www.linkedin.com/in/dr-isi-idemudia-phd-906a8815
Contact Information
Website: www.nigisut.org
Email: communications@nigusit.org