How Secure is the Sierra Leone Open Election Data Platform?

With the Sierra Leone Elections coming up in March, measures have been put in place to ensure that the Elections will be Free and Fair. A community of Open Data practitioners drawn from both Private and Public sector was able to mobilize and have an

The security of information technology tools for sensitive information like elections results especially, have been and continue to be a challenge because of the risk of hackers who can do things to compromise the integrity of such data, is real.  For our purposes now, needless to say, there should not be an iota of security concern as it relates to publishing election results via the SLOEDP.

Why?  We will get results from the National Electoral Commission (NEC) then we will use the results on our site in compliance with the law.  The difference between NEC’s and ours are the types of files that anyone can access the results on SLOEDP versus pdf files from NEC.  At least as far as we know.

NEC may surprise us with their partner NEW to produce something that could be better than SLOEDP.  And if so, we still win.  Because our goal is not to celebrate a visionary idea in SLOEDP, but more so that government and civil society do what is in the best interest of the ordinary man and woman of Sierra Leone and not only for the privileged few.

It is NEC’s responsibility to publish correct information and we will just make those more useful to those who want to do more than just view pdf files.

But in spite of everything said above, LAM TECH has always been a pro-security organization with principals that have a mindset for information security principles.  Therefore one would expect to see the basics, which we feel like this platform goes beyond.  In fact, we built this product as if NEC was using it for the 2018 elections; therefore it is probably secured than most, if not all of the systems we have in the public space.  Specifically, this is what is in place security-wise with SLOEDP

At the server infrastructure level

1. We are using an “N-tier Architecture (separated data, business logic, and presentation layers).- We have a dedicated server that hosts the database; a dedicated server for the backend application; and a dedicated server for the frontend application.

2. In addition to the above, we are using one of top content delivery network (CDN) providers in the world with servers in Africa that are closer to Sierra Leone than those in Europe or America.

3. The CDN provider is the only outsider that has direct access to our servers. All traffic from end users is handled by this provider. This provider filters out ‘bad traffic’ and only allow ‘good traffic’. They also prevent the platform from DDoS attacks and much more.

4. Our developers working on the servers have direct access to the servers via SSH only. Password-authenticated is not safe and hence is not allowed.

1. Our backend application is based on a widely used and secured Web Content Management System that is used by 50% of US Federal Government Websites and much more.

2. The platform is available via SSL or https only.

3. We enforced complex password requirements for all users. These are based on United States Federal Risk and Authorization Management Program (FedRAMP) and Defense Information Systems Agency (DISA) security standards.

4. From a content point of view, every piece of content managed by the platform is version controlled. The system keeps track of every change and who made the change including the IP address and other details about them. Some users have access to create but cannot publish, others have access to edit what others have created but cannot publish or create (input) new data and others have access to publishing content that has been edited and marked approved to be published. Basically, we have a publishing workflow to ensure all content published was meant to be published. When we copy content from other sources, we give credit to those sources by referencing them and we do not change their original content.

5. The individuals who will be responsible to publish content are considered trusted individuals within their communities. Anybody can create but not everybody can publish.

We are aware of the security issues on the internet and we have years of experience working with governments and fortune 500 Inc. around the globe. Here’s the thing though in closing. Are we fated to choose our leaders in settings resonant with the dinosaur ages because we are afraid of Russian-like attacks on Cyberspace?  Or do we think future elections will leverage the latest versions of technological tools without being afraid of cyber risks and/or threats?