Tight deadlines lead AEC to ditch security compliance: ANAO

A 12-week turnaround before a double dissolution election with a new method to allocate preferences, forced the AEC to accept an increased level of risk. Thanks Malcolm.

anao-aec.png

ANAO timeline of IT security risk assessment activities

(Image: ANAO)

The Australian National Audit Office (ANAO) has passed its verdict on how the Australian Electoral Commission (AEC) procured services for the 2016 federal election, and AEC cannot demonstrate it got value for money from the Senate ballot paper scanning services offered by Fuji Xerox Document Management Services, and that security in said services was lacking.

"The focus was on delivering a Senate scanning system by polling day and insufficient attention was paid to assuring the security and integrity of the data generated both during and after operation," ANAO said in its report released on Monday.

Due to the tight time frame imposed on the AEC by a confluence of factors -- recent Senate voting reforms, a double dissolution election, and a shorter timeline for the return of election writs -- the ANAO said the AEC had ditched compliance with Australian government IT security frameworks.

"Because of the highly compressed time frame available for development, it was accepted that certain controls would not be able to be met and would have to be accepted by the agency as a residual risk," the AEC told ANAO.

Thanks to the introduction of a new way to allocate Senate voting preferences, the AEC decided that a manual process would be too expensive, and engaged the services of Fuji Xerox Document Management Services to create a semi-automated ballot scanning process at a cost of AU$27.2 million.

Despite the millions handed over by the Electoral Commission, the ANAO said the AEC "did not own the intellectual or physical property that would result from this expenditure", and the cost included a AU$4.1 million "contribution" to equipment and infrastructure needed to scan the ballots.

ANAO also determined the AEC had procured the Fuji Xerox solution via a limited tender, while the AEC publicly said it was determined by an open tender.

"No consideration of financial cost was evident in the records of the AEC's decision-making to implement the Senate scanning system," the audit said. "Timeliness, quality, and risk were taken into account."

"The documentation on the Senate scanning system procurement indicates that inadequate consideration was given to assessing value for money and did not demonstrate that it was achieved."

Such is the AEC records management process, that when asked by ANAO for procurement records to conduct its audit, AEC needed to ask its suppliers for them.

"During 2017 the AEC has been procuring an electronic document and records management system to replace its paper-based system." ANAO wrote. "It will not solve the AEC's record-keeping shortcomings unless it is accompanied by a change in culture."

Some of the other red flags raised by ANAO included the Australian Signals Directorate (ASD) realising that the Electoral Commission could not fix all its concerns by election day, and instead decided to focus on "ensuring the supporting infrastructure was as secure as possible so as to reduce the risk of the system being compromised".

Additionally, ANAO said the AEC had not involved its own security team until after the Fuji Xerox system had gained security approval, and subsequently with a lack of relevant logging, the AEC had a "very limited visibility of security events and there was a lack of a security audit trail". Despite this lack of information, the AEC said "there was no large-scale intentional tampering of the 2016 Senate election".

Although the Australian Government Information Security Manual (ISM) states that systems must be accredited before being put into operation, ANAO said that accreditation was issued after the system had been operational for a day, even though the system did not comply with 107 ISM controls stipulated in the manual, of which 61 were high risk.

An agency is able to exempt a system from ISM compliance provided it keeps a copy of decisions made, but ANAO found the AEC failed to keep any documentation on this.

In its response to ANAO, AEC Commissioner Tom Rogers said he remained confident in the integrity of the Senate count.

"On any reasonable measure, the solution was an impressive accomplishment which functioned as intended," he said. "I am incredibly proud of our achievement to successfully design and implement the Senate scanning solution in such a short time frame and then the successful conduct of the 2016 federal with the return of all writs in time for a new government to be formed without any delay."

An interim report by the Australian Joint Standing Committee on Electoral Matters into the conduct of the 2016 federal election recommended in June last year that the AEC be modernised and have its 25-year-old technology systems updated, as well as conduct a pilot of electronic counting and scanning of House of Representatives ballot papers.

"Upgrades to the AEC's information technology systems have become overdue," it said. "The committee notes the AEC's advice that this could take many years to complete.

"At this stage, the AEC does not have available funding to begin planning and preparation for an upgrade."

In his submission to the inquiry, Rogers raised concerns about the AEC's current IT system and its staffing model.

"The IT systems, which have been built over a long period of time, are not able to be easily integrated with contemporary mobile platforms and in many cases, will not be supported by vendors in future," he said.

Last month, the joint committee heard the AEC was looking at a BYOD scheme to allow poll workers to access an Electronic Certified List of voters, due to budgetary constraints, and the commission was impressed by video-based training of polling officers in the last ACT election.

"What we're looking at is our own video-based training, which we would ask our [officers] to download on their own device before the event, have that available to them and their staff at the polling places -- I don't have the money to issue 8,000 laptops for training purposes," the AEC said.

Related Coverage

Electoral Commission exploring how technology can simplify voting process

Electronic lists containing citizens' information at voting booths or smartphone apps for enrolled voters might already be in place if the Australian Electoral Commission had the cash, a House of Representatives committee has heard.

Australian Electoral Commission battens down the cyber hatches

In response to the alleged interference in the lead up to the 2016 US Presidential Election, the Australian Electoral Commission is working with Malcolm Turnbull's cyber advisers to make sure it is prepared.

Australian Electoral Commission wants money to fix ageing IT systems

The Australian Electoral Commission has said it needs money to update its election IT systems, warning that the existing ones are at the end of their useful life.

Joint committee recommends trial of electronic counting and scanning for Australian House of Representatives

The next Australian federal election could see electronic counting and scanning expanded from the upper house to the lower house on a trial basis.

How the ABS prepared for the same-sex marriage survey using the public cloud

Given a go-live date from Prime Minister Malcolm Turnbull of around four weeks, the Australian Bureau of Statistics turned to AWS to run the online and call centre components of the same-sex marriage survey in the public cloud.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All