Improving Electoral Cybersecurity in Kenya

This morning, the Kenyan Supreme Court announced it cancelled last month’s presidential election and ordered a new election within 60 days. Chief Justice David Maraga affirmed that the August 8^th election, which declared incumbent Uhuru Kenyatta the winner by a margin of 1.4 million votes, was not “conducted in accordance with the constitution.” Justice Maraga stated the election commission had committed irregularities “in the transmission of results,” although more details on this conclusion have not yet been provided.

As in 2013, the main opposition party alliance, known as NASA, disputed the results of last month’s election after Kenyatta was declared the decisive victor. The reason is new this time. In a press conference on August 8th, the opposition argued that the election commission system had been hacked and its servers compromised in favor of the incumbent. In conflicting responses, the electoral commission first denied any hacking attempts and later said the hacking attempts had been thwarted.

After much jostling, the opposition filed a petition at the Kenyan Supreme Court protesting the election results. The court did not blame President Kenyatta’s party or campaign, but the decision elicited praise from President Kenyatta’s opponent Raila Odinga and his supporters. Separate and apart from the current turmoil is the question of how such a situation might be avoided in the future.

Kenya has a robust legal regime governing cybersecurity and hacking. The government’s executive cabinet approved a computer and cybercrime bill this year mandating penal consequences for a set of cyber-related offenses, including intentional unauthorized infiltration of a computer system and unauthorized interception of transmission of data over a telecommunications system. The statute also says that interference with a computer system that threatens national security, causes injury or death, or threatens public health and safety carries a fine of up to $20,000 or ten years in prison.

Several other statutes explore the relationship between cybersecurity and national security, focusing particularly on crime detection and counterterrorism operations. For example, Section 69 of the Security Laws (Amendment) Act empowers national security organs to intercept communications for the purpose of detecting and preventing terrorist activities. National security bodies also have wide-ranging surveillance capabilities, including direct access to Kenya’s telecommunications networks, and can monitor social media.

The Supreme Court holds the power to nullify the results of the presidential election and order a new election under Kenya’s Constitution, which it exercised today. Pursuant to the statutes discussed above, electoral hacking gives rise to a penal consequence. However, in assessing the potential impact of electoral hacking on the state’s democracy, there is an argument for a more comprehensive response. Article 10 of Kenya’s Constitution lists “democracy and participation of people” as one of the national values and principles of governance. As noted by Kenya’s high court in Republic v. IEBC:

As a creature of the Constitution, the Court has a duty, like other State organs, to protect, promote and fulfil the values, principles and purposes of the constitution... The purpose includes those values recognized by the preamble to the Constitution as the aspirations of all Kenyans for “a government based on the essential values of human rights, equality, freedom, democracy, social justice and the rule of law.

To give meaning to the national value of “democracy,” the law must allow for the effective prevention of attempted attacks and for first ensure that attempts to compromise the electoral process are prevented and that any compromises that succeed are dealt with accordingly.

The first step to better protecting Kenya’s electoral process is declaring the elections system as critical infrastructure. (The United States has set a precedent in this regard.) The Kenyan Critical Infrastructures Protections Bill specifies:

Critical Infrastructure refers to physical and virtual assets or facilities, whether owned by private or public entities which are essential to the provision of vital services to Kenyans for their social and economic well-being, and which if destroyed, degraded or rendered unavailable, would impact on the social or economic well-being of the nation or affect Kenya's ability to conduct national defence and security.

Certainly, the electoral process fits this definition. Allegations of electoral compromise can “affect Kenya's ability to conduct national defence and security,” as the 2007/2008 post-election violence showed.

Cyber-warfare is still in many ways a nascent and developing issue and it stands to reason that the norms protecting other critical infrastructure should also cover election systems.

Designating the electoral process as critical infrastructure would have several advantages. Such a declaration would spur a coordinated overall approach in the management, development and mitigation of cybersecurity vulnerabilities in the electoral process, thereby helping to identify and stop threats. It would also ensure better encryption of voter systems since they would merit funding to engage in capacity-building

Kenya is poised for a bigger conversation on how to create a more secure electoral system better prepared for cyberattacks. The first serious step would be to declare the system critical infrastructure.