Security agencies, IEC on red alert to counter cyberattacks

Vulnerable: The IEC was the first electoral body in the world to introduce digital nominations, but as the voting process becomes ever more high-tech, so does the risk of fraud and cyberattacks increase. (Gianluigi Guercia/AFP and Delwyn Verasamy)

Vulnerable: The IEC was the first electoral body in the world to introduce digital nominations, but as the voting process becomes ever more high-tech, so does the risk of fraud and cyberattacks increase. (Gianluigi Guercia/AFP and Delwyn Verasamy)

The government’s security cluster is working to mitigate any threat of cyberattacks to the May 8 elections.

The national police spokesperson, Vish Naidoo, said crime intelligence, defence intelligence and state security were working closely with the South African Police Service (SAPS).

The Electoral Commission of South Africa’s (IEC’s) systems have been increasingly digitised in recent years.

IEC chief electoral officer Sy Mamabolo on Wednesday said: “Measures are being taken to ensure the integrity of our network even during the period of elections ... Threats remain every day, and threats are directed at all institutions almost on a daily basis but, for the purposes of our report to the nation, we have taken reasonable precautions to obviate the possibility.”

There have been cases or allegations of cyberinterference and cyberattacks in countries such as the United States and in Africa.

In South Africa, many government websites have been hacked, including those of the presidency and the SAPS. The ANC website was hacked in 2013 and it is estimated that businesses have lost about R2.2-billion a year to cybercrime, according to a South African Banking Risk Information Centre report released last year.

Sources in two political parties said they believed the chief risk would be when results were submitted to the IEC’s national results centre.

It is understood that the matter has been raised with the IEC and the commission is going to allow parties to inspect its information technology infrastructure in the coming weeks.

The elections take place in seven weeks’ time.

Mamabolo said experts were correct when they said no network is 100% safe, so the IEC had recently overhauled most of its digital infrastructure.
There were some outstanding tenders for hardware, which the commission was in the process of procuring.

“Ordinarily, at a time such as this, we do a security audit of the network and it’s not anything that is new. So we have done a security audit of the network. As you know, this is an area where we do not wish to get into details, you will understand why,” he said.

“We have taken precautions and some of those measures are currently being implemented, others have already been implemented but unfortunately we cannot get into specific granular details about those types of things.”

Mamabolo said the IEC used both manual and digital processes, especially when counting votes, which provided another safeguard against potential cyberattacks.

But the recent overhaul of its infrastructure also ensured that the security systems on the networks were brought up to scratch.

“The bulk of the work we did has really been about replacing the infrastructure because our digital infrastructure had come of age …

“At the heart of that replacement, while we were replacing equipment because it had reached the end of usefulness, there is also a security element to it because newer hardware brings new capabilities that are more security-alert than the previous iteration. That’s another layer of security,” he said.

The elections take place in seven weeks’ time (Delwyn Verasamy)

South Africa’s election infrastructure is more advanced than in many other countries. He said the IEC was the first in the world to introduce the digital acceptance of nominations, which it did in 2016.

He added that 60% of the lists submitted last week were received digitally. Mamabolo said he was confident the IEC had done enough to secure its networks. Naidoo also said that, although the threat could not be ruled out, mitigation measures were being put in place.

“Remember we have crime intelligence, defence intelligence and state security working very closely with us. They will identify threats and bring it to the fore and we will then … mitigate … those threats,” he said.

He confirmed that cyberthreats were among them, but said South Africa was world-renowned for preparing well for large events and its elections had been run smoothly and without major incident.

He said the security services were working to ensure that this election would be no different.

The State Security Agency (SSA), in reply to questions, said this week it was providing support to the IEC, although it did not go into details.

“The SSA is providing support to the IEC in preparation for the general elections on areas of the SSA’s core mandate, which include detecting and preventing cyberattacks. In line with the provisions of the Intelligence Services Act, 2002 (Act 65 of 2002), the SSA is not in a position to expand on national security intelligence and operational methods,” its spokesperson, Lebohang Mafokosi, said.

Professor Basie von Solms, the director of the Centre for Cybersecurity at the University of Johannesburg, said the reality was that, in cyberspace, nothing is safe.

“Anything can be hacked, depending on the time, effort and resources employed,” he said.

He gave examples such as the hacking of the police services in South Africa and the 2017 Kenyan election experience, in which opposition leader Raila Odinga complained that the electoral commission’s information technology systems had been hacked to manipulate the election result. Kenya’s electoral commission denied the allegation, the BBC reported at the time.

Von Solms said hacking happened even to private companies that had spent billions on securing their information. But he trusted the IEC would do the best it could to secure its databases, which was really all one could do. He said people, not just systems, had to be trustworthy to mitigate against cyberthreats.

“The inside effect [people] is actually the biggest risk,” he said. On the systems side, any information technology person who claimed a system was 100% safe “is lying”.

Cyberthreats were not the only threats identified by police. Others were load-shedding and protest action, Naidoo said.

Load-shedding is a particular concern for the IEC, largely because of the counting of votes, which generally takes place at night.

A power outage during the counting process could place the process at risk and, at worst, compromise the credibility of the election. Mamabolo said the IEC had discussed mitigation strategies with Eskom.

Eskom on Tuesday said it would know in two weeks’ time how long the current spate of load-shedding could last. It painted a dire picture of a perfect storm, including Cyclone Idai affecting supply from Cahora Bassa, hampering its ability to meet power demands.

Should load-shedding continue in May, voting stations are likely to be hit. “We are going to have to institute second-tier contingency plans, especially for the counting processes,” Mamabolo said.

Natasha Marrian

Client Media Releases

Changes at MBDA already producing the fruits
University open days: Look beyond banners, balloons to make the best choice
ITWeb, VMware second CISO survey under way
Doctoral study on leveraging the green economy
NWU's LLB degree receives full accreditation