AEC to review resilience of electoral systems

The Australian Electoral Commission is taking no chances with the resilience of its outdated IT systems following speculation that foreign cyber attackers influenced the outcome of last year’s US election.

The agency is preparing to examine the security of its core electoral systems ahead of the next federal election, which could be held in either 2018 or 2019, to identify any vulnerabilities that might be lurking.

It is also keen to avoid a repeat of last year's DDoS attack on the Australian Bureau of Statistics eCensus solution. Like the Census, federal elections are considered the biggest peace-time logistical events in Australia.

AEC’s current election and enrolment management systems were first introduced in the early 1990s, but a lack of investment by the federal government has led to the need for either significant upgrades or replacement of the agency’s two core systems.

Last month, a parliamentary committee found the ageing IT systems risked compromising the integrity of Australia’s federal voting system, without the allocation of additional funding for an IT overhaul.

"Voters must have confidence in the election result and certainty that no bias or error has influenced the outcome. Change is now imperative to maintain this confidence and the AEC needs additional resourcing to keep pace," the report stated.

The joint committee also noted that “cyber security threats to Australian electoral process must be effectively identified and mitigated” after the AEC advised that the age of its systems rendered them vulnerable to evolving cyber threats.

The agency has taken the findings of the committee onboard and is currently on the hunt for personnel to conduct a holistic security review of its IT environment and recommend how any vulnerabilities might be addressed.

It wants a number of its systems to be reviewed, including the electoral roll management system, which is used for polling place management and vote count tabulation, as well as the corporate production network, wireless network, email gateway, and its AWS hosted public web servers.

“The AEC relies on multiple systems to successfully deliver a federal election. These system work together to provide the infrastructure necessary to both directly deliver an election, and to provide corporate back-office support for staff involve in the election”, a brief on the digital marketplace states.

The review will consist of an active compromise attempt from both within the AEC network and externally, and a review of the agency’s existing Splunk security monitoring configuration before and after the compromise attempt, the agency said.

Penetration testing will be performed on the operating system, alongside limited application layer testing, firewall and ACL testing (at the server level), and database and network equipment security controls testing.

The security review and testing will be conducted and completed during August 2017.