'Circle of hell': NSW Electoral Commission cyber funding frustrations reach fever pitch

Uncertainty allegedly puts local and state elections at risk.

Uncertainty over cyber security funding for NSW electoral systems means it is already too late to apply some fixes in time for the state election in 2023, the electoral commissioner has revealed.

John Schmidt expressed his frustration at what is now four failed bids for funding to protect electoral systems against threats.

Schmidt described the process as “Kafkaesque” and a “circle of hell” at budget estimates last week.

He warned that even with the money, fixes are “impossible” to implement before delayed local council elections due to be held on December 4, and that the funding door is rapidly closing for future polls.

Schmidt first raised the alarm about the commission’s precarious cyber security posture in April 2021, saying that more than 50 electoral systems required “urgent” fixes to be compliant with the government's cyber security policy.

At the time, he said lack of funding for systems and personnel meant the commission “does not comply, and cannot comply in the immediate future, with … mandatory cyber security policies”.

The commission is one of a number of agencies in this position, with the NSW Audit Office revealing late last month that “poor levels of cyber security maturity are a significant concern” across the state government.

Despite Schmidt's public appeal, this year's budget contained no new funding for the commission to address the issues, making it the fourth year in a row the government has pushed back against a bid.

The government’s apparent unwillingness to fund the fixes comes at a time when it has set aside $240 million for cyber security between 2020-21 and 2022-23 and is uplifting defences at a number of agencies.

Speaking at a budget estimates hearing last week, Schmidt said that a business case for $22 million was submitted for cyber security improvements over four years as part of this year’s budget process.

He said that “in discussions with Treasury… the decision was taken to refer [the proposal] across to the digital restart fund”, which is providing $2.1 billion for IT projects between 2020 and 2024.

“That was discussed with the organisation and that was, I presume, because money is very tight in the Covid situation,” he said.

But as the digital restart fund (DRF) is primarily for short, sharp digital projects of common value, Schmidt said there was confusion over why the bid had been brought forward in that arena.

“One of my officers was at the very first meeting with some of the people from the department and the question was raised, ‘why are you bringing this here? You do not meet the criteria’, and this is true, we do not meet the criteria for the DRF,” he said.

“The digital restart fund is meant to only provide time-limited funding. We are not seeking time-limited funding; we are seeking ongoing operational funding.”

While the Department of Customer Service, which owns the DRF, “agreed to consider the application”, Schmidt said a decision is unlikely until February 2022, making some changes difficult.

“I will be quite honest: It is too late to do some of the measures now that we would have liked to put in place for the state's general election because we had planned on funding… coming through to us on July 1,” he said.

“We are now in November and it may be February [2022] before the money begins to flow.”

Schmidt also noted the amount of funding the commission had sought through the DRF had been reduced “partly because the business case requirements for $20 million were too onerous... so there is a lean business case approach which we are now taking”.

“I do not want to say this lightly, but you do get a Kafkaesque feel to some of this at some point,” he said, adding later on that the process was “a circle, a circle of hell”.

“One of the criticisms of the business case was that it did not have an adequate cost-benefit analysis, including economic impact to the state of a failed election,” Schmidt said.

“I can tell you it costs a lot more. It costs up to $100 million-plus to re-run a state election. I would have thought that would have spoken for itself, but no.”

Asked by Labor MLC Mark Buttigieg whether it was possible for the commission to meet the cyber standards in four weeks if Perrottet came through with the funding, Schmidt replied “no, [it's] impossible”.

Premier Dominic Perrottet has committed to meeting with Schmidt to discuss the funding issues as a matter of urgency.

Electronic voting through the commission’s iVote system will be available to citizens for the first time in this year’s local council elections.
