Audit of IEBC servers reveals some discrepancies

An audit of the Independent Electoral and Boundaries Commission servers discovered some discrepancies despite the limited access given to independent ICT experts.

A report filed at the Supreme Court by Prof Elijah Omwenga, Prof Jose Sevilla and Janet Kadenyi showed that the commission could not deliver information on internal firewall configuration to its servers as ordered by the court.

Scrutiny of the IEBC servers was conducted pursuant to an order of the Supreme Court judges and was done in the presence of representatives of the National Super Alliance, Jubilee and IEBC.

The experts noted that the commission could not deliver certified copies of certificates of penetration tests conducted on the IEBC Election Technology System prior to and during the election.

"We discovered that the documents supplied were not certified and their submission did not conform to Election (Technology) Regulation 10 of 2017,” said the experts. 

It would, however, be for the seven Supreme Court judges to make meaning of the report, given that each party in the presidential election petition dispute claimed that the report favoured their position and claims.

Whereas NASA, through lawyer James Orengo, submitted that the audit of the servers had proved claims of interference and hacking of the systems, IEBC and Jubilee lawyers Paul Muite and Fred Ngatia maintained that the audit proved the elections were credible and verifiable.

The Supreme Court had ordered that IEBC to provide certified copies of all reports prepared regarding testing of their election servers before, during and after the election but the experts concluded the order was not fully complied with given that the documents supplied were not certified.

On the court’s order for IEBC to provide specific GPRS location of the Kenya Integrated Electronic Management System (KIEMS) kits used during the elections, NASA agents disputed the report given by IEBC, with the experts noting that the commission should have provided the correct one.

The audit team further noted that although the commission provided a list of all procured KIEMS kits, the information on whether they were used or not was not comprehensive.

On the issue of log in trail of users and equipment into the IEBC system servers and KIEMS database management system, NASA disputed a soft copy of logs provided and wanted access to the servers.

“The commission should have demonstrated that the logs came from them by allowing all parties to have a read-only access and to copy the logs,” noted the experts.

The experts noted similar issues with the access to IEBC public portal from August 5, saying that the commission allowed live access but did not give the parties access to the database logs.

The commission, however, complied with the order requiring disclosure of the number of servers in their exclusive possession, but declined to disclose the configuration of the internal and external firewall.

The experts noted in the report that the refusal was not justified, given that the request by NASA for configuration of the internal firewall was genuine.

The report noted that all parties were satisfied with the commission’s disclosure of their operating systems, password policies, password matrix, system user types and levels of access and the IEBC Election Technology System Redundancy Plan consisting of its business continuity plan.