Before I begin, let me state clearly that from a cyber-security point of view, Huduma Number is not viable!
A lot has been said about Huduma Number (National Integrated Identity Management System – NIIMS). In fact, it has become a hot and an emotive topic here in Kenya. What is, however, clear is that many of us have little to no information about what it is, what it is set to accomplish and why the hurry to implement it. Moreover, it has been characterized by insistent threats from the government directed towards those unwilling to register. That said, why are we against it as cyber security professionals?
Confidentiality, Integrity and Availability (CIA)
In cyber security, data and information is governed by the principle of CIA (the CIA triad). This principle holds that data assets MUST be Confidential. This is to mean that we must have means to ensure that data assets are secured from unauthorized access. As for Integrity, data assets MUST be trustworthy and accurate. Lastly, we MUST have guaranteed and reliable access (Availability) to the information by authorized personnel.
Based on this principle, how has the government and relevant partners failed to gain our trust and confidence on this Huduma Number issue?
Before you proceed below, please note that the company tasked with providing equipment used in this exercise has changed its name three times in the past 5 years, it is not registered in Kenya (as is required by law to conduct business in Kenya) and guess what?? It is the same company that provided the KIEMS kit used in the last elections. Surprised? You SHOULD be!
- No Data Protection Law – Did you know that Kenya has no law that protects and secures your information privacy? This means that a government is going ahead with an exercise without a legal framework that would be used as a reference in case of a breach. The implications of this is that once you give out your information and find out that it was used by a third party, against your wishes, to make money, you have no legal basis to sue anyone. This is a hacker’s haven.
- Technical Capability – Our concern was also drawn to the fact that no one knows how our data will be protected and the technical ability of the equipment used with regard to fending off attackers. The most notable response from the government in this regard was that “not even ten geniuses could hack the system”. Well, that should make you confident!
- Idemia Securities Limited –As mentioned above, the company responsible for supplying equipment and overseeing the exercise has changed its name 3 times in the past 5 years. In 2013, it went by the name Safran Morpho which supplied Biometric Voter Registration (BVR) kits which failed terribly. In 2017, they went by the name OT-Morpho that supplied KIEMS kits (which again, failed). The question that arises is why the change of name each time they make a bid for a tender? Isn’t that suspicious. What confidence do we have that the company, now Idemia Securities Limited will ensure that our data is trustworthy and accurate? As if this is not enough, the company has already made a bid to provide equipment for the scheduled national census.
- OT-Morpho Servers Hacked – In 2017, word went round that unauthorized personnel (read ODM) had accessed data found in the servers. At the same time, Jubilee also claimed to have some classified data. Do you recall the humor by Abduba Dida that the one party (ODM) had claimed to hack the system only to realize that another party (Jubilee) had already pitched camp in the system and were even sharing an IP? Does this give you any confidence that data collected will not be manipulated?
- If you remember in 2017, after the court nullified the election and demanded that OT-Morpho provide access to the servers, they said they couldn’t. Why? They claimed that the servers were in France and people were asleep – well, at least that is what I heard. What makes it different that this time round, when our data is needed urgently, people will not be asleep? This clearly brings to question the assurance of availability of our data.
Word yesterday was that the parliament had voted to block Idemia Securities Limited from conducting business in Kenya for ten years. They based their ban on the integrity of our election system claiming that the company could not be trusted. Not my words!
Therefore, from a cyber-security point of view, I am not confident that my data will be private, will not be manipulated and access will be granted when needed. The whole process thus fails the CIA test. I am not asking you not to register. I am simply asking you to think about the implications of no-information to all the loopholes and security threats that have not been addressed. In your opinion, do you feel confident in the Huduma Number?