Elections body moving to eliminate weaknesses in voters database
-as debate continues on its suitability
By Andre Haynes
Stabroek News
December 29, 2003





Although a recent audit of the Electors' database has found that GECOM's network was never breached, the Elections Commission is trying to correct vulnerabilities identified in the security safeguards to dispel doubts about its integrity.

"GECOM is in the process of addressing the perceived vulnerabilities," says Chairman of the Guyana Elections Commission (GECOM), Dr. Steve Surujbally.

"And, within the context of transparency, we are also apprising the stakeholders every step of the way."

More than a month ago the opposition PNCR declared it had no confidence in the database, citing among its concerns the vulnerabilities of both the electronic and physical security measures in place.

The PNCR called for the database to be scrapped in favour of a new registration exercise, to generate what the party called a credible electoral roll, in time for the 2006 General Elections. The party said this would also coincide with GECOM's plans to begin a continuous registration process, for which the current database is incompatible.

But according to the recent findings of IDEA (Institute for Democracy and Electoral Assistance), there is no evidence to substantiate claims that the database was compromised, although possible security deficiencies were identified.

"We have found no evidence to support any allegations that the security of the database was breached, or that the system security at GECOM was at risk," forensic database specialist Roy Dalle Vedove writes in IDEA's report of the Audit of Systems Security for the Election Database.

The report also says that although there was no evidence to show that a breach had occurred, one possible way by which the security of the network could be breached was identified.

"...Although there is no evidence whatever that this has taken place at any time in the past. We recommend action to prevent such a breach."

A consultant, hired by GECOM, is preparing a report on how the security vulnerabilities should be addressed, based on an audit which was done by Vedove who identified the potential weaknesses.

But weaknesses like the one identified during the audit and those detected during the June 2001 audit - which was also done by IDEA and Vedove - are the reason for the PNCR's doubts about the database. These areas of concern resulted from several errors in the voters' list for the 2001 elections. People who had ID cards were not on the final voters' list and were unable to vote. Others, whose addresses were erroneously stated, were unable to determine where they should vote.

In May, the two GECOM databases that were frozen after they were used for the 2001 General Elections were opened and integrity checks were done.

The PNCR enlisted a team of its own experts to run independent checks on the results, from which they say several abnormalities regarding the security and integrity of the database were revealed.

The PNCR made its concerns known to GECOM, identifying four specific areas:

(i) that attempts were made to gain unauthorised access to the GECOM database;

(ii) that some attempts may have been successful;

(iii) that the computer and administrative audit trail that could have been used to conclusively determine these issues was not created in key areas and, where created, was partially deleted with no back-up copies kept, in accordance with the known standard practices in such highly sensitive operations;

(iv) and serious security flaws existed in the system.

GECOM responded by requesting the audit of the system's security, the results of which were provided to the PNCR, who used it to inform their position on the database.

"...The party has no confidence in the integrity of the current database and demands that GECOM scrap it entirely and immediately," PNCR leader Robert Corbin said at a press conference in November.

"GECOM must move urgently to implement the recommendations in the IDEA report on tightening the security of its IT operations," Corbin also said.

The party later said that unless it was satisfied that the weaknesses in the database identified by the experts have been addressed, it would not change its position. And while open to alternative methods of correction, it held the view that the scrapping of the database remains the only solution to safeguard against voter disenfranchisement.

But Mohamed Sattaur, one of the members of the Database Integrity Test committee for the 2001 Elections, says most of the security concerns are not applicable to the GECOM, with the physical and electronic security systems in place.

The Technical Oversight Committee ensured that the GECOM computers were not connected to the Internet or any telephone line to avoid these security issues, and he said the only way to tamper with the system is for a person to be physically present in the computer room at GECOM.

"The person would first have to get past the guard of a fenced compound, enter the building which is protected by a coded electronic lock system, enter the computer room and then have a password to access the computer system.

"Even then all activities are logged at two levels of electronic security, first the operating system and then the SQL Database system and detailed audit trails are kept by GECOM."

While Sattaur did note that GECOM acknowledged problems, he said they are moving to put all the legal and operational systems in place, as soon as possible.

Despite the concerns about its integrity, he said the database provides a good basis for the start of GECOM's plans for continuous registration, rather than a new registration exercise, which would cost over $2.714B.

But Haslyn Parris, one of the PNCR members on the GECOM Commission, notes that the most recent audit of the database begins:

"The Electors' Database held at GECOM may become vulnerable if it is returned to operation, and the systems security at a network and database level is not significantly improved."

Parris noted that the forensic audits of the database identified specific corrective actions that must be implemented by GECOM in order to correct the weaknesses in the construction and security of the database. He said they should be implemented.

Sherwood Lowe of the PNCR believes that a new registration process would afford GECOM the opportunity to produce a clean list, devoid of ineligible voters. He also thinks that it would give GECOM the opportunity to rebuild the national register in an environment where the necessary technologies, operating procedures, and security systems can be introduced. He said many of these measures were not in place in the last registration process in 1996/97, which has made the existing database prone to suspicion and attack.

But he also thinks that the database could be used as a foundation for the new continuous registration process, once certain conditions are met to ensure its accuracy.

"To make the case for using the current database," he wrote in a letter published by Stabroek News, "GECOM must demonstrate how a belated implementation of measures to revamp and upgrade its flawed computer network and other systems can produce a list of the required integrity and accuracy."

He said five areas must be addressed to the satisfaction of all stakeholders:

(i) The lack of security of the current database - Lowe notes that the existing GECOM databases have never been properly secured, as recorded by the 2001 international audit team, leaving it vulnerable to attack. The security failures were detected at three levels: physical (preventing unauthorised persons entering the GECOM building and its nerve centres); electronic (preventing persons from hacking into the computer network); and administrative (ensuring detailed operational procedures, such as password policy, audit trail and event log policy, internet connectivity policy are established, complied with, recorded and stored).

Like Parris he alludes to the recommendations to address these problems and says GECOM must do so comprehensively and competently. He also notes that it may wish to propose the reactivation of the multi-stakeholder Technical Oversight Committee, to allow the stakeholders to monitor the process.

(ii) The presence of systemic and programming errors that caused an "unacceptable" number of Guyanese to be disenfranchised in 2001 - he said GECOM must be able to show that errors will not recur. Among the findings from the 2001 audit report were the 255 persons contained in the database with the same surname and first name.

(iii) Purging the next voters' list of ineligible voters - it is noted that the Preliminary Voters' List for the 2006 election, if it is extracted from the existing database, will contain the names of tens of thousands of people who are ineligible as voters by reason of death, migration, etc. Lowe said the country faced the same problem in 2001 and will always face it once there is no new registration. While GECOM had adopted a claims and objections mechanism, he noted that this is slow, inefficient and unfairly shifts a burden onto the public and political parties. GECOM in 2001 decided that a more effective way to purify the list was to have registrants show up to be photographed. But in the aftermath, he argued that over 99,000 names or 20% of the eligible voters dropped off the list.

(iv) Weak practices in its computer operations - Lowe says GECOM must admit that the extent of the lapses (poor maintenance of audit trails, high-risk password policy, etc) was at best scandalous. He says even if it is believed that these acts were due only to the inexperience of the staff or to work overload, GECOM may want to reassure that it will tackle this problem.

(v) Introducing new technology to boost confidence in the database - he said any case for using the current database must include biometrics, which would involve the computer cross-matching of each voter's fingerprints to ensure he or she appears only once on the list.

Lowe said if these issues are successfully addressed, then there is no need to scrap the database.

Surujbally agrees but says that it is also important that the stakeholders are comfortable with the security system.

And he says the security issues are being addressed to ensure the accuracy of the list. This includes purging the next voters' list of ineligible voters, which will be addressed during the continuous registration process.

"Every one of those points are being addressed as part of the deliverables of the consultant who has been contracted... it is our job to get it right... to have a list as infallible as possible, maybe not 100% but we are going right down the wire."