IT Security Case Study Retrospective: The 1994 South African Election

IT Security Case Study Retrospective: The 1994 South African Election

In April of 1994, everything – work, play, love, and hate – moves to a beat in Johannesburg. Hate, of course, has the loudest, most visible rhythm. There is sporadic gunfire from numerous city locations, where guards get antsy at 2:30AM and empty their clips if they see a suspicious car coming down the street. We use ear plugs to block out this rhythm and find sleep. Bus drivers rhythmically toot their horns while flashing cryptic hand signals to tell potential passengers which township they’re headed for. People walk with an amble that speaks volumes about the new sensation of being able to move freely around Joburg. Some white men swagger like cowboys, with sidearms strapped to their hips. In South Africa’s population of 37.5 million, the 29 million black citizens have never voted before, and about half of the population is unemployed. The writing is on the wall: “Vote Left and nothing will be right; vote Right and nothing will be left.”

By all measures, the 1994 South African Election was a historic event. It was dubbed the “Mother of all Elections” by the South African Ambassador to Canada. The Independent Electoral Commission (IEC) was set up by the South African transitional government, and given the responsibility for running a free and fair electoral process. The IEC was directed by a team of 17 commissioners, appointed from a number of countries, with a mandate to help facilitate and oversee the electoral process. “South Africa was the largest non-military democratic development mission Canada has undertaken,” reported Ron Gould, Assistant Chief Electoral Officer to Canada, and former appointed Commissioner to the Independent Electoral Commission of South Africa. But “it was well into January [1994] before the IEC was really in place, with an impossible mandate to carry out an election on April 27th. I arranged to bring in a group of Canadian experts in election readiness planning, in voter education, in training of election officials, in voting by the disabled and prisoners, in public electoral inquiries, in communications, and three election computer specialists. This group worked directly for and with officials of the IEC and, in my view, without them there would have been no South African Election” said Gould.

As a 'pigmentationally-challenged' computer security consultant coming from the relatively peaceful dominion of Canada, working for the Independent Electoral Commission was both a professionally and a personally challenging experience. I arrived thinking that my assigned role was relatively straight-forward: assess the IT security risks, implement critical controls and write up a generic Disaster Recovery Plan (DRP). The primary task was to build and implement a DRP for the Information Technology (IT) infrastructure that the election process would depend upon. However, general IT risk assessment and physical security practices were also needed to stop a full scale disaster from occurring.

Both the technical challenges and the culture shock of working in South Africa often stood in my way. The struggle between white supporters of apartheid and the black majority was a daily threat that appeared ready to explode and rip the country apart. The sometimes violent struggle for power between the major political parties seemed impossible to reconcile. Also, computer security professionals do not normally complete a risk assessment, build and implement a DRP when they are already in the middle of a disaster. But if you spoke with anyone who worked at the IEC, they would probably tell you the election was a series of daily disasters from beginning to end.

BACKGROUND

Never have so few done so much for so many in so little time. The IT application development group has twenty people. By comparison, the Monitoring Department next door has over 10,000 workers. After an unexpectedly move from the Johannesburg World Trade Center to a downtown office tower, there are no desks or chairs. The software engineers literally program on their knees for the first week and a half. With phones constantly ringing and people buzzing around, there is an air of barely controlled chaos. Most of the IT people are local consultants. A few of us are specialists from elsewhere. Lunch in the IEC cafeteria is like a United Nations get together, with conversations in a dozen languages and many of the African women beautifully decked out in traditional attire. The colours are a wonderful sight for winter-weary Canadian eyes. Pagers and cellular phones ring to the city’s rhythm. People are red-eyed and frazzled. Bomb threats and evacuations are commonplace. The lack of experienced and trained personnel is the most difficult hurdle to overcome. Many people working for the IEC have never voted before, let alone any experience running elections.

We see some of the country’s linguistic diversity reflected in the Telkom (South Africa’s telecommunications provider) multilingual internetwork sign-on screen:

EASY ACCESS 

AFRIKAANS : SLEUTEL NUI IN.

 ENGLISH  : ENTER NUI FOR SERVICES.

 ISIXHOSA : FAKA UNUI UKUFUMANA UNCEDO.

 ISIZULU  : NGENISA UNUI UKUTHOLA USIZO.

 SEPEDI   : TSENYA NUI GO HUMANA DITIRELO.

 SESOTHO  : KENYA NUI HO FUMANA DITSHEBEDISO.

 -------------------------------------

 NUI? 901040OZ3U

 

These are only six of South Africa’s 14 main language groups, plus 24 sizable “home languages” such as Dutch, French, Tamil, and Portuguese. The electoral education process was a mammoth effort. All of the different ethnic groups throughout the country were told why you might want to participate in a democratic election, what voting means, and how you go about voting. This presented a challenge for some of the Operation Access education teams who had to help illiterate tribesmen and women who had never held a pencil in their hands before.

THE IEC INFORMATION TECHNOLOGY

Contrasting this grass roots electoral work, the computer technology used in the election is 'rocket science' (for 1994). In less than 10 weeks, South Africa is wired from coast to coast. A high speed TCP/IP network, running over Cisco routers links 41 remote sites. Only one vendor is able to provide an entirely integrated software product suite – Microsoft. This is a critical success factor in getting all of the software components to work together. The network is driven by 25 Windows NT Advanced server-based machines, three of which run multi-processor Pentium-based configurations. The database servers, running Microsoft’s SQL Server 4.2.1 provide information to more than 1000 concurrent users. The PCs run Windows for Workgroup 3.11 and Microsoft Office. To support the election process over 400 software modules (screens and reports) are built using Microsoft Access 2.0, Visual Basic 3.0, and REGIS (mapping software), running as client-server applications.

Why would anyone chose a rocket science solution using a client-server based architecture for such a mission critical application as an electoral system? The solution was forced on us by a number of constraints: budget, the available computer technology in South Africa, and the lack of large numbers of IT personnel to do the work.

The electoral applications include Personnel Registration and Tracking for 300,000 IEC workers, Geographic Information Systems containing textual and graphic information on provinces, election districts, and polling stations, Inventory Management Systems, Incident and Event Tracking, and an Adjudication System that contains cases, types, parties involved, and judgments on the 400 courts set up throughout the country to handle legal challenges. The database tables are distributed between the central database and local databases. Network and Database Management Training is provided to the key technology staff scattered through each province. This includes doing secure backups and the emergency restoration of the servers.

Each Windows NT server has a CD-ROM drive and a copy of the latest versions of the OS, network drivers, middleware, applications, master databases, and system documentation, all on one CD-ROM. Rather than fighting with boot disks and backup tapes during a hardware recovery contingency, or a disaster recovery process, the CD-ROM can simply be booted from the server to get up and rolling with the latest basic working system. A new CD-ROM is pressed every few days and sent to the System Administrators for updating their site.

DEVELOPING THE PLAN

Preparing a Disaster Recovery Plan for a project of this size would usually first involve a detailed Threat Risk Assessment (TRA). Our TRA takes about fifteen minutes. It is not a matter of whether a threat is probable, but how long before it happens. Fires, floods, loss of power and communications, bombings, insider threat, terrorism, assassination of staff, civil war, theft, destruction, and loss of data integrity - just about every threat scenario we can imagine is likely to happen, or already has several times. The only things we discount are nuclear and biological weapons, because we believe the warring parties have lots of protestors as well as low-tech machetes, bombs, and AK-47s. But with every imaginable threat having severe consequences and almost certain probability, the risk assessment did not really help us out deciding what controls would be most effective in these circumstances. Because of the extremely high threat probabilities, management recommends that additional security work both precede and support the DRP effort. To do this, I search the Incident Database for the most probable threats that will likely stop the election from succeeding. If they destroy the network, we can't count the votes. If they drive a truck bomb into the basement of IEC headquarters and kill all of us, we won't have the skilled resources or the machinery needed to administer the election process. If a minority party significantly and unexpectedly alter the voting numbers in their favour, we could have a civil war instead of a free and fair election. These 'kill the election' risks become the main focus to implement our major security controls.

One of our most curious discussions centers around the protection of sensitive electoral information. The confidentiality of voting returns is normally paramount to ensure complete fairness in a regular election. But with over 300,000 people working for the IEC (many of whom actively support the ANC, NP, or IFP political parties), it is assumed that there will be leaks while the votes are being tallied and before the results are officially announced. So the worst scenario would be to have incorrect information leaked. For example, if someone took bad data and extrapolated a majority win for the far right white Afrikaner party, this leak would start a civil war in a matter of minutes. So it is decided that if we do have leaks, we must leak correct information. In this case, data integrity is far more important than confidentiality of data.

Getting safely around Johannesburg requires anecdotal knowledge that is handed on from person to person. From reading the local newspapers, I have a good idea of what parts of the city are dangerous. Several of us, wanting to see more of the city, have maps with circles around the no-go sections, and particular intersections with gangs who threaten passing drivers and pedestrians. One curious feature is the daily running of the gauntlet from hotel to IEC HQ which is about six blocks away. Having a security background, I feel that I know the drill: don’t travel at the same time each day, don’t take the same route every day, and don’t attract attention. Wrong. This city has a rhythm that must be obeyed. The regular people on the street are friendly, curious, and helpful to strangers. You go with the crowd, and you go when they go. As it turns out, everyone in Joburg goes to work at the same time, using the same streets, and they stick together for protection, like a school of fish. If you go one street east or west of the standard route, you may be in dangerous territory. If you try to move around the streets at other times of day, many streets are deserted, or those you meet are not anyone who you want to hang out with. At three o’clock the stores close, and everyone heads for home. After hours, you can’t help but stick out when you’re the only irregular face on the street. From this I learned that physical and personnel security must adapt to the culture that it functions in.

Security sweeps the IEC building with dogs every morning, searching for explosives. Unfortunately, the dogs are also trained to react to the smell of sugar (an ingredient in some types of explosives), and so they also find every candy bar wrapper in the building. 'Airport security' measures are used to control everyone entering the headquarters IEC building. Every package coming in is X-rayed. Visitors are politely requested to check their sidearms at the front desk. Access to the basement parking garage is controlled, to prevent a copy-cat New York World Trade Center truck bombing.

Certain political and operational logistic decisions that have already been made dictate what security strategies may or may not be employed. For example, we discuss having armed soldiers at the front door as a terrorist deterrent. However, uniformed soldiers would give the impression that the same old repressive apartheid police state is running the election. Instead, security decides to use plain clothed soldiers inside. I question this decision with the head of physical security. After all, isn’t intimidation a useful deterrent for keeping the hostile elements at bay? Who wants to be a sitting duck? This well-meaning but flawed directive is changed later as the threat level increases in the weeks before the election.

To direct the IEC operations during an emergency, a War Room is built inside the IEC HQ building. However, one army officer has already told me that given 2 hours notice the Zulu supporters of the IFP can raise 100,000 protesters to march on Johannesburg. If they have two days to organize, they can besiege the city with 500,000 marchers. I suggest that if the building is over-run by 100,000 angry Zulu protesters, their war room may not be in the world’s safest place. The head of the army force protecting the IEC facilities offers to “stop every train and bus coming to the city” if I would like. This would keep most of the protesters out in the homelands, but would also interdict tens of thousands of innocent black workers trying to commute to their jobs in Johannesburg.

No alt text provided for this image

To ensure the continuity of the most critical operational IT systems, a hot backup site with servers and LAN is created at a secret military location in the Mid Rand. Telecommunications deploy a satellite backup system to ensure that the Provincial offices can communicate if the IEC nerve center is destroyed or has to be moved. Mobile satellite units are sent to army helicopter bases, to be flown to alternate communications sites if terrorists knock out an IEC office. We now feel more secure with three systems (microwave, satellite, and VHF radio) to backup the regular fiber and copper network. The Network engineers tell us that the process of building a 93 million Rand network for the election has been like gathering cobwebs to make something of substance.

In less than 8 weeks the Application Development Division constructs a robust information system that provides the user community with a central repository of all election related information. The system is designed around four abstract classes of information objects: Persons, Events, Locations, Things, and thus becomes know as PELTIS. Insiders acknowledging the incredible feat of the software engineers that seems to be nothing short of magic, affectionately dub the system HOCUS PELTIS. 

My fellow IT workers see the Disaster Recovery Plan taking shape and nervously ask about their safety. I try to reassure them by saying that everything is fine; it’s now only two weeks before the election. If the far right Afrikaner army really wanted to stop the election, they would have started assassinating us by now. For some reason this comment does not reassure anyone. Later, an officer from the Canadian Consulate arrives, asking that I fill out a personal data form to assist in the evacuation of Canadian workers. This leaves my fellow South African workers wondering what emergency is unfolding, of which we are unaware.

In retrospect, the stress level of your fellow workers must be closely monitored and honestly respected. Off-handed, cynical jokes will backfire and cause more stress, not less. The morale of your fellow workers can be easily crushed with a single, unthinking remark. Similarly, events that can cause fear, uncertainty, and doubt (“FUD factors”) should be managed to minimize their impact. FUD factors can be handled by quietly dealing with them off-line, in private, away from the regular workplace. This can be difficult when many groups are working in close proximity; a separate security office or a quiet corner is preferable to being the center of attention. Confining security and DRP work to a secured office is also preferable for another reason: the work you are doing may be of interest to those working against you. What happens if a member of your disaster recovery team is the person who causes the disaster? What if a member of the immediate staff is actively involved in sabotaging the enterprise you are working to protect?

While this scenario may seem remote, experience in this election says otherwise. During the months leading up to the election, two of the IEC directors overseeing procurement of computer equipment and services acted in an strangely incompetent and obstructionist manner. The Director of Application Development, finding herself blocked at every junction, finally took her frustrations to the highest level of management at the IEC. For political reasons, nothing was done to replace the two managers, who continued to stall and avoid making decisions. The Director of Application Development, knowing that tens of thousands of IEC workers were depending on operational IT systems, adopted a strategy of “it is easier to beg forgiveness than to get permission.” She cut the managers out of the loop, and managed the IT effort without their direct involvement. After the election concluded, an audit discovered that the two obstructionist managers spent their time running phony companies to fraudulently bill the IEC for hundreds of thousands of Rand in hardware, software, and services that were never delivered. It is frightening to think that greed would drive anyone to endanger the safety of an entire country and its process towards democratic freedom. (The two managers ended up pondering this dilemma in a South African prison.)

At T-minus 10 days, the Director of Application Development asks everyone to move to 12 hour shifts. This passes without any reaction, possibly because it only formalizes what everyone has been doing for weeks anyway. A collection is taken up for a tombstone and funeral expenses of another IEC Operation Access worker who was assassinated while working in KwaZulu/Natal. People are very tired, and morale is slipping badly. The Director delivers a brilliant pep talk after having a gripe session to let everyone express their fears and help restore their resolve to carry on. We learn that another 250,000 person Inkatha Freedom Party (IFP) march on our headquarters and the ANC’s is scheduled for the week before election day. We discuss plans for moving to a backup site if the building is over-run. The building’s backup generators are tested.

I learn from Patrick, a waiter at my hotel, that the staff are staying there over night, rather than going home to Soweto. They fear for their lives if they meet the IFP marchers on Monday morning, and they may not be able to enter the city if it is ringed with soldiers and razor wire. After his shift, Patrick provides additional intel and tells me stories about life in Joburg under apartheid. Western Transvaal bomb number 36 explodes by a community hall at Makokskraal near Ventersdorp. A returning field engineer describes the local graffiti: “Welcome to Tanzania – Any problems, dial AK-47.”

Monday at 4 AM there is a ten foot high wall of razor wire strung across the intersection outside my hotel, stopping traffic from approaching ANC HQ two blocks away. Johannesburg pedestrians seldom run, but at sunrise there are hundreds of people running to find passage through the wire barricades and shelter from the anticipated two hundred thousand strong wall of approaching Zulu protesters.

A siege mentality has gripped everyone, but every day we try to set up inclusive activities to get the team spirit up and help everyone cope with the constant stress. When people begin to buckle under the strain, they withdraw into themselves, become depressed, and stop communicating. Some people sleep at their desks rather than drive home at night. Some are afraid to go to the ATM machine to get money, and so they feel that they can’t participate in group outings. To counter stress, guilt, fatigue, and help everyone stay well, we keep a stock of goodies, full coffee pots, and a carbohydrate-loaded cafeteria open. At the end of the evening, we try to get everyone to stop and go to the restaurant down the street for a group pizza. We ensure we always have extra money, food, taxis, and people to act as “gophers” for others who can’t take breaks away from the office. Some people have worked for over 50 days without a single day off.

On Tuesday, a miracle happens. The IFP agrees to participate in the election! There is a palpable sigh of relief; hope is visible on everyone’s face. We’re happy because this event reduces the probability of attacks on IEC buildings by 50%. (Unfortunately, the Vryheidsfront Afrikaner army are still busy shooting and bombing.) Now all that remains to be done is update the constitution, change our mathematical model of the electoral counting process interpreted from the constitution, and add IFP stickers to the 70 million pre-printed ballots, all in the next six days!

At four days before the election, our focus shifts to report writing and away from programming. Few of the user areas can articulate what they want to see on election day or which database fields are most important. We play “what if” and imagine what reports they might like. Access 2.0 allows a programmer to complete about 10 good reports a day. A multimedia expert arrives to design the graphics presentation system for displaying the televised election results. I’ve completing the Disaster Recovery Plan so it can be tested.

The most complex application is the Seat Allocation System – a set of programs that take the raw number of votes that are won by each party and convert them to seats in the legislatures. Unlike the Canadian system – a constituency based and “winner take all” system, the South African system is based on proportional representation where the electorate votes for a party list. Each party submits an ordered list of candidates names in advance of the election. Seats are awarded in proportion to the number of votes cast to that party. There are 19 parties running in this election. The actual conversion of votes to seats involves some 34 complex equations to get the final result.

The transitional government has set out the Constitutional rules for counting ballots and rolling up the scores. However, the transitional Constitution can be interpreted in several ways, depending upon your point of view. The Seat Allocation System as it stands will tend to quickly round off and exclude the members of the smaller political parties. Our test results are validated, but the Director asks if this is what they really want to have happen when the votes are tallied. Nelson Mandela asks that the Constitution be interpreted in such a way as to be as inclusive as possible. He wants the roll up process to include any possible minority parties in the final result. Work resumes on a formal mathematical model of the constitution, and twenty-four hours later we have a new working scheme that is inclusive and avoids excluding the smaller parties as the results are rolled up. This must be one of the few times that an information system has directly influenced the Constitution of a country.

Sunday, Johannesburg is rocked by a car bomb that kills 10 and injures hundreds. The explosion sets off a screaming din of car and office alarms. ANC headquarters is badly damaged. IEC headquarters goes to high alert. Another bomb explodes next to a provincial IEC office, but work continues after the cleanup. Apparently this is the sixth attempt to destroy this particular office – the first five bombs failed to explode. However, the men responsible for the car bomb in Johannesburg are found, and they quickly sing like canaries. This leads the army to a barn where fifty of the bomber’s colleagues are discovered busily preparing more bombs.

A bomb explodes outside of my hotel where many of the foreign workers are staying, apparently meant to scare us off and bring the election machinery to a halt. Another bomb explodes in the departure lounge of the Johannesburg international airport, killing several people. Election day arrives and passes, as reports on voting statistics and discrepancies are produced. Part-way through the televised counting process, the tallied votes for several of the parties suddenly jumps by several thousand. The IT Director’s phone rings, and a TV reporter asks if it is true that the electoral computer system has been hacked and the votes altered. A frantic investigation reveals that a data entry clerk has either posted some of the entries wrong, or bungled an attempt to alter the results.

By the end of voting, the Incident Database has collected over 44,000 incident reports. These include everything from shootings and polling stations being burned down, to minor fights in the often mile-long lineups to vote. This database was a vital damage control system that allowed incidents to be instantly communicated via email to quick response units. These teams then defused critical situations before they got out of hand. The database also allowed managers to allocate security and observer resources to the areas that had the highest rates of serious incidents and voting irregularities. Several days after voting is completed, the ANC have over 60% of the votes. We run our new mathematical model of the constitution that determines the list of candidates for Parliament. It’s finally done.

No alt text provided for this image

CONCLUSION

Apartheid ended not with a bang, but instead with a cheer of freedom. Against all odds, the first democratic election in South Africa was deemed free and fair, and a very tired team of workers returned home to ponder this historic event, mindful that the outcome could have been very different. It was a once in a lifetime experience, seeing the true end of apartheid, but would we do it all again? Highly trained athletes have come to expect victory or defeat with the narrowest of margins. IT’s part in this election almost failed, and only succeeded by the narrowest of margins because of the team’s strength, courage, and determination to succeed against overwhelming odds. This was our heart-felt victory. And like an Olympic athlete, who wouldn’t push their personal limits for those kinds of feelings?

 The author, Walter Cooke, originally wrote a shorter version of this article for HUM The Government Computer Magazine, and presented a keynote version of this information at the Fifth World Conference on Disaster Management in Toronto, Canada in 1995.

The author would like to acknowledge the assistance of Robyn Kall, an Ottawa-based consultant, who provided the background information on the IEC electoral computer systems and IT’s important role in the South African election. Ms. Kall was the Director of Application Development at the IEC.

Wabwire Julius

Cook job at In schools

1y

I need a Job as a cook

Like
Reply
Talieh Karroubi

Technical Analyst @ Co-operators | Master of Cybersecurity and Threat Intelligence -University of Guelph

2y

Thank you Walter for sharing your story with us.

Like
Reply

To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics