Oluwafemi Osho November 19, 2022
Last week, on Channels TV’s Sunrise Daily program, Dr. Lawrence Bayode, the Independent National Electoral Commission’s (INEC) Deputy Director of ICT, assured Nigerians that the Bimodal Voter Accreditation System (BVAS) was hack-proof. Ordinarily, the news should fill the hearts of the Nigerian electorate with joy and increase their confidence in INEC to conduct free and fair elections next year. However, to those who know better, making such a statement was, at best, premature and ill-advised, and it showed a poor understanding of how cybersecurity works.
It is highly risky for INEC to assume that all loopholes that malicious actors can exploit have been blocked. That can create a false sense of security. There is only so much that the Commission can do to secure the BVAS. This is because many factors, many of them entirely outside the control of INEC, interplay to affect vulnerability assessment and discovery.
Firstly, there is no perfectly secure system: every system is always vulnerable to being compromised. That is why, in cybersecurity, the main goal is to make it as difficult as possible for threat actors to compromise the system. Grant that INEC has done its best, a scenario that presupposes that it has a capable and tenacious security team; even that does not guarantee a compromise-proof BVAS.
Secondly, INEC can only secure the BVAS, and the Commission’s entire cyber infrastructure, to the extent that the available tools, however sophisticated they may be, can identify vulnerabilities in the System. Vulnerability detection tools generally function by connecting to a Common Vulnerabilities and Exposures (CVE) database, a system that logs all known vulnerabilities. Thus, such tools are effective only insofar as there are no zero-day vulnerabilities. A zero-day vulnerability is a loophole in a system that the proprietors of the system have not discovered. Until such a vulnerability is detected and mitigated, hackers who know of it can exploit it to compromise the system. Perhaps there are zero-day vulnerabilities in the BVAS unknown to its proprietors or INEC; who knows?
Lastly, even if all the known vulnerabilities in the BVAS have been detected, and there are no zero-day vulnerabilities, the general elections are still some months away. Rogue and malicious actors, including those that desperate politicians could sponsor, would do everything possible to compromise the forthcoming elections. They would try to exploit existing vulnerabilities in the BVAS and seek to identify new ones. Added to this is the possibility of insider threats: disgruntled INEC employees who may collude to compromise the System.
We all desire a hack-proof BVAS, but that’s unattainable. So, INEC should stop selling us such promises. Instead, we are okay with them simply telling us they are pulling out all the stops to identify known vulnerabilities in the System and its supporting infrastructure. And it is good enough if they let us know, in addition, that they would spare no effort to discover and mitigate emerging loopholes as they become known in the lead-up to, during, and after the general elections. We are counting on them to deliver free and fair general elections in 2023, but we don’t want unrealistic assurances.