AEC 'satisfied' with security risks absorbed ahead of the 2016 election

A report from Australia's Audit Office said the Electoral Commission ditched government IT security frameworks ahead of the election, but the AEC boss told Senate Estimates last night he was 'satisfied' with the risks that were accepted.
Written by Asha Barbaschow, Contributor

A report from the Australian National Audit Office (ANAO) last month called out the Australian Electoral Commission (AEC) for ditching compliance with Australian government IT security frameworks.

In particular, the ANAO said insufficient attention was paid to assuring the security and integrity of the data generated both during and after operation, as the focus was on delivering a Senate scanning system by polling day.

Facing Senate Estimates on Tuesday night, Electoral Commissioner Tom Rogers said he was satisfied with the risks that the AEC accepted ahead of its go-live.

"They were not untreated risks -- we were aware of them," Rogers clarified.

"One of the comments in the report, or inference, is that I accepted a higher level of risk and in my way of thinking, that's what you do with projects. You identify the risks and mitigate or accept them. And for that particular project I was satisfied with the risks that we accepted."

The commissioner agreed with the ANAO's assertion that due to the 12-week, tight time frame imposed on the AEC by a confluence of factors -- recent Senate voting reforms, a double dissolution election, and a shorter timeline for the return of election writs -- it accepted more risks than it otherwise might have.

Instead of conducting a public tender, the AEC used an existing standing deed of offer with Fuji Xerox for its Document Management Services, which Rogers said was consistent with Commonwealth procurement guidelines.

"I absolutely take the point of the ANAO that there was other ways of doing that, but at that point, to get that project done by that period of time, that's the decision that I made," he explained.

"I stand by what I did. In fact, I stand fully by what I did in that process and that's the bit where I think perhaps the ANAO report -- as useful, valuable as that is -- misses the point of context."

Next time, however, the AEC is adopting a panel approach to service procurement.

"We really do try and achieve best value where we can, but it does depend largely on context as well ... it does depend on the circumstances of each individual procurement and we do our very best to achieve that value for money," he added.

When asked if the AEC had sufficient funding at its disposal to manage the IT security of the project, Rogers simply said yes.

Assisting Rogers was First Assistant Commissioner of Capability Tim Courtney, who said the AEC identified a number of areas of weakness in the reviews conducted on the system, and put in place a number of mitigation strategies to manage them.

"Some of those controls were not met, so we put in strategies to manage that," he explained. "My point is, we were well aware of the compliance or partial compliance of the system and it was something which I regularly briefed the executive team and the commissioner on in terms of the risk profile."

Given the current global election climate, Rogers was asked for assurance that there was no instance of intentional tampering of the 2016 Senate election data.

"It's a very topical issue Senator, not just with the AEC but around the world at the moment with the vulnerability of electoral systems ... to the extent that I can be confident that nothing untoward happened, I am very confident nothing untoward happened," he said in response.

"We had robust systems in place, we worked with the ASD [Australian Signals Directorate], we put mitigation strategies in place, we designed the system to prevent that from occurring, and our own measures tell us that nothing did occur to that process."

Courtney offered his assessment, which was that after receiving briefings from the ASD, he was "very" satisfied with the processes the AEC put in place to manage security.

"The count wasn't conducted -- I'm not an IT expert -- on the internet, this was a sealed system that we used and we had sufficient measures in place," he added.

"I'm incredibly proud of that solution."


Tight deadlines lead AEC to ditch security compliance: ANAO

A 12-week turnaround before a double dissolution election with a new method to allocate preferences, forced the AEC to accept an increased level of risk. Thanks Malcolm.

Electoral Commission exploring how technology can simplify voting process

Electronic lists containing citizens' information at voting booths or smartphone apps for enrolled voters might already be in place if the Australian Electoral Commission had the cash, a House of Representatives committee has heard.

Australian Electoral Commission battens down the cyber hatches

In response to the alleged interference in the lead up to the 2016 US Presidential Election, the Australian Electoral Commission is working with Malcolm Turnbull's cyber advisers to make sure it is prepared.

How the ABS prepared for the same-sex marriage survey using the public cloud

Given a go-live date from Prime Minister Malcolm Turnbull of around four weeks, the Australian Bureau of Statistics turned to AWS to run the online and call centre components of the same-sex marriage survey in the public cloud.

Editorial standards