Director of Media and Publicity, PDP presidential campaign organization, Femi Fani-Kayode at a press conference today raised alarm over APC plans to rig the March 28th 2015 presidential election. Read below text of the press conference.
Ladies and gentlemen of the press,
It is with a heavy heart that we are compelled to share with the Nigerian public the following sensitive information which we believe, if not handled properly and looked into, is serious enough to affect the outcome of Saturday’s presidential election in a negative way.
Before we go into detail permit me to make an important assertion which cannot be overstated or over-emphasised. That assertion is as follows: the PDP Presidential Campaign Organisation and our candidate President Goodluck Jonathan are not in the least bit worried about what the outcome of Saturday’s election will be. We believe that we have the backing and full support of the Nigerian people and we believe that we shall not only win but that we shall win convincingly.
Whatever we share with you here today does not, in anyway, mean that we shall not participate inSaturday’s election or that we are worried about how we will fare. The fact of the matter is that we shall not only participate but we are also very confident of winning. We believe that the Nigerian people will give President Goodluck Jonathan a fresh mandate for the next four years regardless of the shenanigans of the opposition and those that are covertly working for and with them.
To highlight the most serious of such security vulnerabilities that are critical enough to justify a halt in INEC’s plans to use the Smart Card Readers for the forthcoming general elections (until such issues are satisfactorily resolved and fully certified as being secured by reputable independent third party security auditors).
To demonstrate that the opposition APC has already secured, through rogue means, an unassailable advantage over the ruling PDP which will most likely result in a resounding electoral victory for it irrespective of PDP’s actions or inactions, in the event that the Smart Card Readers are used for the elections.
To highlight the need for INEC to admit to the security-related failings of its Smart Card Readers implementation under circumstances that will be credible to local and international observers, such that it will become obvious that the use of Smart Card Readers for the forthcoming polls cannot guarantee free, fair and credible elections.The major issues that are worthy of consideration are summarized below. Each issue can be readily substantiated by verifiable sources of evidence.i. Compromised Master Encryption/Decryption Key: The Master Encryption/Decryption Key that can “unlock” and simulate the PVC data processed by the Smart Card Reader has been compromised. There is only one copy of the Master Key in Nigeria and it is in the possession of an individual who is a known APC sympathizer/supporter (and also the contractor responsible for the production of PVCs and manufacture of Smart Card Readers for INEC who was already blacklisted by INEC following his inability to deliver ballot papers during the 2011 elections). The Master Key should rightly be in the possession of INEC, as the neutral umpire, under the most stringent access control protocol imaginable and not freely in the possession of a partisan actor.INEC has already expressed concern over intelligence reports that APC has been purchasing VINs (Voter Identification Numbers uniquely identifying each PVC), which can only mean that the Party is already in possession of the Master Key (as the purchase of VINs would otherwise have been a fruitless exercise).This has grave implications for the PDP as the opposition APC, armed with the Master Key and sufficient VINs, can actually simulate the same data transmitted from any Smart Card Reader deployed for the elections at will. The situation is even now worsened by the fact that APC no longer has to purchase VINs or PVCs as they can now download the entire VINs directly from the INEC database which they have successfully “hacked” into.RECOMMENDATION: INEC should be officially requested to IMMEDIATELY produce the Master Encryption/Decryption Key (before it has the opportunity to cover up this monumental act of negligence).ii. Failure to carry out Independent Security Audit of its IT Infrastructure: Contrary to what the average political commentator thinks, the critical IT infrastructure for the use of the Smart Card Readers by INEC is not necessarily the actual device itself, but the back-end IT infrastructure comprising INEC servers, database, network, personnel and processes. Given the critical nature and purpose of this infrastructure, the standard global best practice is for the organisation to enlist the services of an independent third-party IT Security Audit firm to carry out a comprehensive (and indeed, periodic) Security Audit of its entire end-to-end IT infrastructure and prepare a Security Audit Report which forms the ONLY basis upon which INEC can certify its proposed technology as secure and safe from vulnerabilities that can be exploited by rouge persons/systems.There are various internationally-acceptable information security standard certifications that a reliable back-end IT infrastructure like INEC’s should pass in order to command public confidence, such as ISO/IEC 27001, ISO 27018, etc. The lack of such security-related certifications simply means that INEC cannot confidently assert that its systems have not been “hacked”, compromised or otherwise illegally accessed by unauthorised persons.RECOMMENDATION: INEC should be officially requested to IMMEDIATELY produce a copy of any Security Audit Report independently authored by a reputable and certified third party (before it has the opportunity to cover up this monumental act of negligence).If INEC fails to produce a satisfactory Security Audit Report, then it should be compelled to conduct a fresh Security Audit of its entire IT infrastructure which can even be extended to its production/manufacturing facilities in China (indeed the only other copy of the Master Encryption/Decryption Key is in the possession of the Chinese Manufacturers) – this process of auditing cannot possibly be completed before the general elections.iii. Compromised back–end Personnel: Contrary to standard industry practice, INEC opted for the engagement of relatively inexperienced, “suitcase” IT Consulting Companies for the development of its back-end collation and transmission systems and other core server and database applications, using predominantly open source software characterised by publicly-available source code – another major security vulnerability. While significant budgets were made available for this purpose, INEC’s choice of “greenhorn” consultants was due to the ridiculously low contract sums paid for these consultancy contracts. The unfortunate consequence of this indiscretion, however, is that the personnel associated with these firms are poorly motivated, ill equipped, poorly supervised and easily compromised. It is, therefore, easily understandable why the opposition APC has been able to compromise INEC’s back-end personnel to its advantage.RECOMMENDATION: INEC should be officially requested to make public the company profile of the IT Consulting Firms it contracted to develop its back-end IT systems, the Curriculum Vitae of their personnel, their known connections to opposition APC figures as well as the financial details of their associated contracts (vis-a-vis the approved budgets). This will clearly prove the lack of credibility of INEC’s critical back–end systems.iv. Millions of Unprinted PVCs: Contrary to the public perception that INEC has virtually completed the production of PVCs, the true situation is that, as at last week, INEC was yet to take delivery of over 2 million PVCs that were yet to be produced by the contractor, Act Technologies. It is not certain that the production of these PVCs will be completed before the presidential elections scheduled for March 28th 2015. It is, therefore, obvious that a significant number of eligible voters will definitely be disenfranchised in the process.RECOMMENDATION: INEC should be officially requested to invite stakeholders to an impromptu visit of the PVC production facility of ACTS Technologies in Ganges Street, Maitama, Abuja to observe, first hand, the on- going production process and take stock of the current and outstanding inventories in a transparent manner.