The Australian Electoral Commission (AEC) chose not to comply with the government’s cyber security standards during the 2016 federal election.
That was amongst the findings from the Australian National Audit Office (ANAO) in its performance report, released last week.
The criticism centres on the $27.2 million deal with Fuji Xerox Businessforce, contracted by AEC to create and deliver a semi-automated senate scanning system that captured voter preferences.
Fuji Xerox was called on shortly before the June 2016 election, following changes passed in March to the voting system that allowed for optional preferential voting above and below the line, which AEC believed required semi-automated processing.
The short turnaround meant that the system struggled to meet government cyber security standards, the report finds.
The ANAO states that prior to the election, “AEC assessed that one quarter of the applicable Australian Government controls for treating security risks had not been implemented,” yet still went through with the project.
“The contract with the ICT supplier had not required compliance with the Australian Government IT security framework,” states the report.
“The security risk situation was accepted by the AEC but was not made sufficiently transparent.”
According to ANAO, AEC initially imposed its Statement of Requirements on Fuji Xerox, which reflected the government’s Information Security Manual (ISM), before removing the requirement to comply with the framework “due to time constraints”.
The rate of compliance with the Information Security Manual was put at 75% (319 out of 426 controls) as of the AEC’s final assessment of the system before the election.
Of the 107 controls not implemented, 61 represented a “high security risk to information and systems”.
It was found that AEC internally claimed that the system was “ISM compliant end to end”.
The report also suggests AEC misled the public regarding ISM compliance.
“In relation to materials published on government websites, it would not have been evident to readers… that the security implementation was not sufficient to allow approval for full system accreditation.”
Amongst the recommendations from ANAO were that AEC “take the necessary steps to achieve a high level of compliance with the Australian Government’s security framework when information technology systems are employed,” and that “when the Australian Electoral Commission uses computer assisted scrutiny in future federal electoral events, the integrity of the data is verified, and the findings of the verification activities are reported.”
Both AEC and Fuji Xerox responded to the audit. AEC applauded its own efforts, achieved in an “extraordinarily short period of three months, and without prior warning,” according to AEC Electoral Commissioner Tom Rogers.
“The AEC successfully developed and then implemented a robust, effective, technologically advanced and entirely new system for counting, under high levels of scrutiny, some 15,000,000 senate votes.”
While acknowledging that there is opportunity to enhance compliance and promote best practice in the future, Rogers stated that he was “confident that the range of measures put in place for the 2016 federal election ensured the integrity of the senate count.”
Fuji Xerox also defended its system.
“Fuji Xerox worked with the Australian Electoral Commission to deliver a technology based solution that accurately captured voting preferences and still met the immutable deadline to declare an election result,” said Operations Director, Wassim Hage-Hassan.
Hage-Hassan applauded the system for delivering the results “with high integrity”.