Standing up for Canberra

Submission on Electoral Matters

With the Federal election looming against the backdrop of cyber hacks on the electoral systems of the United States and France, and the DDoS attacks on the 2016 Census, I welcome this timely and important inquiry. 

My comments are in direct response to issues raised in the paper, Third interim report on the inquiry into the conduct of the 2016 federal election: AEC modernisation, and in particular, the cyber security implications of recommendations 2 to 5.

The report made clear the need for reform and modernisation of the Australian Electoral Commission’s information technology systems and electoral processes to maintain the integrity of our elections. But we need to recognise the acquisition of new equipment and systems alone will not automatically assure the cyber security of our electoral systems. 

I therefore call on the committee to recognise the experience of other countries by recommending the Turnbull Government:

  • Classify Australia’s election systems as a critical infrastructure sector under the Trusted Information Sharing Network, which will overlay the appropriate scrutiny and assurance mechanisms to assure the Australian people of the cyber resilience of their democracy.  
  • Direct the AEC – and through it our election systems – to comply with mandated Australian Signals Directorate cyber security standards, and
  • Include compliance with the mandated Australian Signals Directorate standards in the performance agreements of the Federal, State and Territory commissioners and their board chairs.

 

Election systems as critical infrastructure

The Trusted Information Sharing Network defines critical infrastructure as those: “physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.”

Our election systems and infrastructure are the very foundation of our democracy. They underpin trust in the way we govern ourselves, and our values. They are vital to the “social wellbeing” and cohesion of the nation.

Unfortunately, however, they are not yet recognised as critical infrastructure in Australia. 

In 2017, the United States designated election systems as a subsector of its critical infrastructure sectors. 

At the time, the former Department of Homeland Security Secretary, Jeh Johnson, declared:

“Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law.”

The United States designation covers: 

  • Voter registration databases and associated IT systems 
  • IT infrastructure and systems used to manage elections, such as counting, auditing and displaying election results, and post-election reporting to certify and validate results
  • Voting systems and associated infrastructure
  • Storage facilities for election and voting systems infrastructure, and
  • Polling places, to include early voting locations.

 

Mandate cyber security standards 

In 2014, not one of the seven government entities investigated by the Australian National Audit Office for cyber resilience complied with mandatory Australian Signals Directorate cyber security standards.

Four years on, and a review of 14 government entities later, and only four - or 28 percent - have been found to comply.

Unfortunately it is not clear if the AEC complies with these mandated cyber security standards, because it hasn’t been audited.

What is clear from this year’s ANAO review of the AEC’s procurement of services is the organisation:

  • Only applies one quarter of the applicable controls for IT security risks, and
  • Does not have sufficiently cyber secure supply chains.

 

While voting in Australia is paper based, our national voter registration databases are not. 

We must ensure Australia’s databases are protected from any kind of breach or manipulation. 

I encourage the committee to consider my recommendations to protect our democracy and way of life.