The Integrity of Ghana’s Electoral Process: A Call for Cybersecurity Vigilance
By Kofi Anokye Owusu-Darko (Dr)
As Ghana gears up for its national elections on December 7, 2024, the integrity of the electoral process is facing unprecedented scrutiny. A recent incident involving the illegal transfer of voters by a staff member of the Electoral Commission (EC) has unveiled significant vulnerabilities within the EC’s digital voter management system. This breach not only raises alarms about the security of sensitive voter data but also threatens the foundational trust that citizens place in the electoral process.
The Digital Age and Electoral Integrity
In today’s digital landscape, elections are increasingly reliant on electronic systems to manage voter data and ensure accurate results. When these systems are compromised, as evidenced by the recent breach within the EC, the ramifications extend beyond mere data loss; they jeopardize the fairness of elections and the very essence of democracy—the right to vote and have that vote counted accurately.
The illegal transfer incident underscores the urgent need to classify the EC’s voter management system as Critical Information Infrastructure (CII) under Ghana’s Cybersecurity Act 2020 (Act 1038). Such classification would impose stringent legal obligations on those responsible for securing the system, ensuring that voter data is protected at the highest level mandated for CII. Safeguarding these systems is crucial for maintaining election integrity and preserving public confidence in Ghana’s democratic process.
Cybersecurity Consequences of the Breach
The breach involving the illegal transfer of voters has significant cybersecurity implications, including potential liabilities for both the individual responsible and the EC’s leadership. The Cybersecurity Act mandates that the CSA (Cybersecurity Authority) regulate owners of critical information infrastructure regarding cybersecurity activities to ensure a secure digital ecosystem. Despite the EC’s reluctance to pursue an independent audit of its system, the CSA has the legal mandate to conduct assessments to ensure the EC’s system is adequately protected.
Defining Critical Information Infrastructure
According to Act 1038, CII encompasses computer systems or networks essential to national security or the economic and social well-being of citizens. The EC’s digital infrastructure is not merely an administrative system; it is a critical component of national infrastructure. Any compromise of these systems could lead to significant disruptions in governance and erode public confidence in the electoral process.
The Cybersecurity Authority is tasked with ensuring compliance with cybersecurity standards, which include conducting regular security audits and promptly reporting incidents. The recent breach raises questions about whether the EC leadership has fulfilled its legal obligations to protect this critical system.
Legal Framework and Penalties for Cybercrime
The Cybersecurity Act 2020 (Act 1038) and the Electronic Transactions Act 2008 (Act 772) establish a robust legal framework for protecting critical systems and penalizing unauthorized access. These laws define cybercrime and unauthorized access, emphasizing the need for stringent security measures to safeguard sensitive data.
The illegal transfer of voter data by an EC staff member constitutes a clear violation of these laws, illustrating both the system’s vulnerability and the broader cybersecurity implications for the EC leadership. If prosecuted, the individual responsible could face up to five years in prison under Act 1038 and up to ten years under Act 772 for unauthorized access.
Accountability of the Electoral Commission
Beyond the individual liability, the EC’s leadership may also face accountability for failing to safeguard against cybersecurity threats. Under both Acts, entities managing CII are required to implement strict cybersecurity measures. Failure to comply exposes the EC to civil and administrative penalties, including fines for not conducting adequate risk assessments and audits.
The EC leadership must demonstrate full legal compliance and take proactive steps to reinforce the system’s defenses. This includes conducting regular audits, reporting incidents, and providing staff training to prevent future breaches. With elections approaching, urgent action is needed to protect the system and restore public trust.
The Role of the Cybersecurity Authority
The CSA is mandated to oversee the security of CII in Ghana, including the EC’s voter management system. While the EC operates independently in administering elections, this independence does not extend to the security of its digital systems. The CSA has the authority to conduct audits and inspections to ensure compliance with cybersecurity directives.
Given the breach, the CSA must intervene to assess and secure the EC’s system before the elections. This includes conducting comprehensive vulnerability assessments and implementing necessary cybersecurity measures to protect the integrity of the electoral process.
Is the EC System Fit for Purpose?
The illegal transfer of voters has cast doubt on the integrity and readiness of the EC’s voter management system. For a system that qualifies as CII, strict cybersecurity measures must be adhered to, including regular vulnerability assessments and real-time monitoring of system activities.
The CSA must perform an immediate integrity and vulnerability assessment of the system, including penetration testing to identify weaknesses. Additionally, the EC should adopt enhanced security measures, such as data encryption and multi-factor authentication, to safeguard sensitive information.
International Perspectives on Pre-Election Cybersecurity Audits
Countries like Estonia and Ukraine have demonstrated the importance of pre-election cybersecurity audits in safeguarding electoral integrity. Estonia conducts regular security reviews of its i-voting system, while Ukraine performed audits ahead of its 2019 Presidential election to mitigate cyber threats. These proactive measures highlight the necessity of pre-election audits in addressing cybersecurity risks.
Conclusion
The Electoral Commission is an independent body constitutionally mandated to conduct elections in Ghana. However, once it integrates computer systems into its operations, this independence does not extend to the security of those systems. The illegal transfer of voter data has exposed serious vulnerabilities in the EC’s system, necessitating immediate action to ensure its integrity before the upcoming elections.
The CSA must fulfill its mandate by conducting a comprehensive forensic audit to assess and address vulnerabilities within the EC’s system. Both the individual responsible for the breach and the EC’s leadership face legal consequences under the Cybersecurity Act and the Electronic Transactions Act. Securing the EC’s system is of utmost urgency, as public trust in the legitimacy of the upcoming election depends on the security of the electoral infrastructure.
In this critical moment, it is imperative that the CSA takes decisive action to protect Ghana’s electoral process, ensuring that the foundation of democracy remains intact. The integrity of the electoral process hinges on the ability of the EC to safeguard voter data, and proactive measures must be implemented to restore public confidence before the December elections.
Dr. Kofi Anokye Owusu-Darko is a Digital Rights Advocate with an EMBA in IT Management, an LLB, and an LLM in IT & Telecommunication. For more insights, visit Kofianokye.blogspot.com or Kofidarko2.blogspot.com.