Elections 2024: ‘Dose of scepticism’ needed as personal data becomes vulnerable

Personal data becomes susceptible to being used across political parties and polling companies. A “dose of scepticism” will be required to mitigate falling victim to getting your personal data in nefarious hands.

This is but one piece of advice from Dr Daniel Ramotsoela, a senior lecturer in the University of Cape Town’s (UCT) Department of Electrical Engineering in the Faculty of Engineering & the Built Environment (EBE). With interests in network security, machine learning and wireless sensor networks, Dr Ramotsoela urged people to be “smart about the information they give out”.

He laid out the cybersecurity environment from his point of view, noting that South Africa “is a sophisticated economy with world-class facilities, but the cyber infrastructure and expertise is not where it should be”.

“We have big systems which undergo upgrades every year, and they become vulnerable, and this opens the door to attacks that have been successful, which lead to leaks,” he said. He fears unauthorised access or manipulation of systems [that] can result in catastrophic accidents, environmental hazards, or even loss of life because of the critical nature of the application environment.

“Don’t be too trusting; enquire about the safety of your data.”

With South Africans heading to the election polls on 29 May, people may find that they will be called to participate in polling research data, with some political parties accessing people’s personal information to fill in signature requirements for eligibility. Herein lies a gap for information to land in the wrong hands.

“Don’t be too trusting; enquire about the safety of your data; have a healthy dose of scepticism. Give people as much access as they need to perform their minimum functions, nothing more. Do not fear taking part in polls, just be smart about it,” Ramotsoela advised.

“I feel people do not interrogate how well their data will be protected [by those they share it with]. That data is out there and no one knows how politicians will be handling that data. Is there an adequate data management plan? Does everyone in the party need to have access to that information? A lot of people will receive calls from people purporting to be from polls, or parties themselves. It is important to be vigilant. Some of the people who call may have nefarious reasons: access to your personal data. Do not let your guard down.”

Leak

Ramotsoela mentioned the leaking of certain party lists as an example of inadequate data management. He asked the question: Should everyone have access to the stations that have data? How can you stop people from accessing those? Most importantly, does a leak from the Electoral Commission of South Africa put the credibility of election results in jeopardy?

Not entirely, according to Ramotsoela. “On the election itself, we are lucky because we are a paper-based country, and so disputes can be easily verified with a paper trail. Consider the United States’ elections some years ago when there were disputes; what saved them from the alleged rigging accusation was that a paper trail existed too.”

“It’s a low-risk effort for hackers across the world to try their luck in South Africa.”

Ramotsoela praised the country’s cybersecurity efforts, while also pointing to a potential pitfall. Emphasis is given on upgrading the systems. “There’s a heavier emphasis on networking; the more advanced networking infrastructure and AI [artificial intelligence], which on the one hand takes the human out of the loop – giving power to the system to make decisions to run efficiently and on the other, you give people access to the system from outside,” he explained.

“But it was found that users of the system are not sophisticated in terms of operational knowledge. It’s a low-risk effort for hackers across the world to try their luck in South Africa, see how it works and potentially take that elsewhere. That has to do with our law enforcement not coming to the party.”

South Africa’s cybersecurity is under the National Cybersecurity Policy Framework (NCPF), approved by government in 2012 and made official through a gazette three years later. This was developed “to ensure a focused and an all-embracing safety and security response in respect of the cybersecurity environment.” The NCPF deals, among other cyber threats, explicitly with the issue of cyberwarfare.

The key objectives of the NCPF are to:

• centralise coordination of cybersecurity activities by facilitating the establishment of relevant structures, policy frameworks and strategies in support of cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge-based economy
• foster cooperation and coordination between government, the private sector, and civil society by stimulating and supporting a strong interplay between policy, legislation, societal acceptance, and technology
• promote international cooperation
• develop requisite skills, research and development capacity
• promote a culture of cybersecurity
• promote compliance with appropriate technical and operational cybersecurity standards.