I guess the title of this article should be “is the Nigeria ready for any cyber-attack?” Since the end of the Second World War, the world’s super powers have been in constant competition for technological superiority and advantage. They have competed over who have the most sophisticated weapons and advanced technological know-how to dominate Air, Land, Sea and Space. As a result, unimaginable development of Kinetic technologies of varying magnitudes have been created.
Today, audio-video wireless calls have become ubiquitous. Instant messages, e-commerce, Internet of Things, Global Positioning Systems, Machine Learning, Cloud Computing, Artificial Intelligence and Quantum Computing technologies are disrupting the global landscape. Today’s hand-held devices are more powerful than the Apollo Guidance Computer system that first took man to the Moon!
Without a doubt, in the last decades, technology helped in the invention of unconceivable products that have simplified and at the same time complicated our lives in so many ways. Unfortunately, most of these legacy technologies were designed and developed without Information Systems Security (InfoSec) measures built into them.
Lack of InfoSec measures in these legacy systems have led to exploitable vulnerabilities in many enterprise legacy systems out there in the world. These days, a 12 year old kid sitting in his/her basement in any part of the world can easily hack into these systems and exploit these vulnerabilities.
Suddenly, terrorism as we know it, is no longer the most dangerous threat to our daily existence. The greatest threat facing the world on a daily basis today is Cyber-attack/cyber-terrorism. From script kiddies to well-funded Advanced Persistent Threats (APT) actors, personal and nation-state attacks are now done in the cyber domain to achieve economic, political, religious or social goals.
People’s privacy are being invaded through webcam hack; cybercriminals are having a field day hacking into financial systems, infecting systems with malware and demanding money (ransomware); hacktivists are using cyber-intrusions to gain the spotlight; Nation-State actors are actively seeking political, economic and political advantage through cyber activities.
You must be living in a cave if you have not heard about how Russia cyber-attack operations meddled into the 2016 United States election. According to a UK-based watch dog report, 18 countries also had their elections hacked in 2016 through cyber campaigns using various cyber tactics, techniques and procedures. That number has since increased in the last two years.
Cybersecurity has become the number one concern of major civilized countries. Forward thinking nations all over the world are implementing cybersecurity countermeasures to ensure that they protect the confidentiality, integrity and availability of their national critical infrastructure; most especially the electoral information systems.
The question is: Is Nigeria ready to respond to cyberattack(s) on the 2019 presidential election to protect the integrity of the Election Information Systems and data? More importantly, does Nigeria have the required national cybersecurity technical capabilities, know-hows, tools, processes and professionals to protect the country from any cyber-attack?
There are a myriad of reasons malicious actors would like to hack Nigeria’s 2019 election. It could be foreign actors that have huge interest in who becomes the next president of the Federal Republic of Nigeria. It could be insidious politicians and political parties seeking to have their candidates win. It could be hacktivists or anyone with grudge against the country. It could even be a bored teenager somewhere in the world looking to try their technical hacking skills!
Although the Nigerian government (and some of the people) never prepare for ANYTHING until there is a crisis; but now is the time to start thinking and developing the cyber defenses required to protect the Nation’s critical infrastructure and Electoral Systems from cyberattacks.
There are multiple attack vectors that can be used to hack the 2019 election:
1. Malicious code Insertion into the PVC card readers and database server(s)
2. Unencrypted data transfer from voting centers PVC card readers to the centralized database server
3. Insider threat
4. Biometric data duplication
Using malicious code insertion attack, rogue software algorithm could be inserted into the PVC card reader or database that would compromise the vote counts assigned to each political party. A simple rogue arithmetic line of code like ApcTotal = PdpTotal + ‘1000’ would make the handheld PVC card readers to give extra 1000 votes to one party over the other before transferring the data to the central database (or make the database add the extra votes).
Malicious code insertion attack can be mitigated by ensuring that the software in all handheld PVC card readers and election systems are properly tested and vetted against malicious algorithms and backdoors. Also, the election software vendor(s) must be made to patch their systems against all known critical security vulnerabilities in their software and provide vulnerability reports for risk assessment. Some vendors might be reluctant to admit flaws in their software to avoid bad press or the expenses required to create a patch!
Unencrypted wireless transfer of election result data should not be allowed. To mitigate this vulnerability, all voting data requiring wireless transfer to and from any central server should be encrypted during data transfer.
Local election officials should be monitored for insider threat activities. The “good” PVC card readers can be changed to a compromised one while in transit from the warehouse to the polling center. There should be some kind of PVC Card reader authenticity vetting method at the polling centers to ensure that the PVC card readers have not been compromised. Also, they should be carefully monitored during data transfer to ensure that the voting data counts came from the same PVC card reader used at the polling centers.
It is becoming increasingly easy to replicate fingerprints to fool fingerprint readers. Anyone could pre-register “fake” fingerprints and make multiple entries of biometric data in the system. To avoid multiple entries of biometric data, the election system software vendor should provide biometric data deduplication solution to identify voters with multiple registrations in the system.
It is 2018. The world has recognized cybersecurity as the new frontier just like the space race of the 1960s. Whether Nigeria (or Africa for that matter) decides to develop cybersecurity capabilities or not, one day they will wake up and find out that the entire nation’s banking, communication, aviation, and industrial control systems have been crippled by unidentifiable malicious cyber actors.
It is no longer if but when. Now is the time to start preparing for that cyber dooms day before the rest of the world stay another four hundred years ahead with cyber technological advantage. Is Nigeria ready for a possible cyberattack on her 2019 Presidential Election?