Government moves to have IEBC's servers hosted locally


IEBC Chief Executive Officer Marjan Hussein Marjan in Nairobi on March 14. IEBC will be required to have its servers hosted locally in new proposals.


Photo credit: File | Nation Media Group

What you need to know:

  • The Computer Misuse and Cybercrimes Regulations, 2024, provide for localisation of the country's critical information.
  • The regulations are designed to ensure that only authorised individuals have immediate access to critical information infrastructure in the event of a cybersecurity incident.

The Independent Electoral and Boundaries Commission (IEBC) is among the government agencies that will be required to have their servers hosted locally if proposed regulations come into force.

The Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, provide for localisation of the country's critical information.

The IEBC conducts critical operations that include voter registration and voting.

"An owner of critical information infrastructure shall ensure that the information is located in Kenya," the proposed regulations state.

However, an owner of a critical information infrastructure who intends to have it located outside Kenya "shall apply to the National Computer and Cybercrime Coordination Committee" headed by a Director-General.

The committee shall then review the application and verify if it meets the security standards provided for in the Act, and shall issue its decision within 30 days of receipt of the application.

The regulations currently under public consultation are critical to the implementation of the Computer Misuse and Cybercrimes Act.


In considering a request for critical information to be located outside Kenya, the committee may scrutinise whether the security measures and safeguards applied to it meet the standards set out in the Act.

If approved in their current form, the regulations will address fears and allegations that the IEBC has previously allowed unauthorised access to its election servers with the aim of manipulating stored data, namely election results.

However, the regulations are designed to ensure that only authorised individuals have immediate access to critical information infrastructure in the event of a cybersecurity incident or during a compliance audit.

The regulations will serve to supplement the Data Protection (General) Regulations, which have been in draft form for more than two years, to protect against unauthorised access in the implementation of the Data Protection Act.

"A data controller or data processor who processes personal data for the purpose of achieving a public good shall ensure that such processing is carried out through a server and data centre located in Kenya," the proposed regulation states.

Under the Data Protection Act, which came into force on November 8, 2019, the IEBC is both a data controller and a data processor. It is a data controller because it is the custodian of the voters' roll, and a data processor because it uses the voters' roll in conducting elections in the country. The law further categorises a voter register as personal data.

The management of electoral data - the voter register and the transmission of election results - has always been a contentious issue in the country's electoral history.

For example, during the hearing of the 2017 presidential election petition at the Supreme Court, the IEBC refused to open its servers despite court orders.

At one point, Mr Paul Muite, acting for the IEBC in the petition, confirmed to the court that the IEBC's servers in the 2017 polls were hosted in France and that it would take some time to open them.

At the time, OT Morpho, a French company that supplied the IEBC with the Kenya Integrated Election Management System (Kiems) used in the 2013 and 2017 elections, was hosting IEBC's servers in France.

The IEBC's failure to open the servers was one of the reasons the Supreme Court nullified the results of the August 8, 2017 presidential election. The court ordered that a fresh, fair and credible presidential election be held on October 26, 2017.

However, on October 15, 2017, then Nasa presidential candidate Raila Odinga gave the IEBC conditions that he wanted to be met before he could participate in the fresh election.

Mr Odinga's list of demands included the relocation of the IEBC server from France to Kenya.

But the IEBC's failure to meet this demand led to Mr Odinga boycotting the repeat presidential election on the grounds that he was not guaranteed a fair and credible process.

The boycott negatively affected the image of the IEBC and the credibility of the election results.

Earlier, on September 8, 2017, Mr Odinga had written a protest letter to the French Embassy in Nairobi, requesting the French government to investigate OT Morpho for rigging the system in the August 2017 elections.

Mr Odinga alleged that the Paris-based IT firm was complicit and conspired to subvert the will of Kenyans by allowing its two employees to gain unauthorised access to IEBC servers.

He wanted the French embassy to prevail by preventing the two officers from interfering in Kenya's elections.

The regulations also list 15 other critical infrastructure sectors. They are defense, education, civil administration, civil protection, public order and safety, environment, space, industry, transportation, financial services, health, food, water, ICT and energy.