Cyber fears trigger Australian Electoral Commission core systems rebuild

The infrastructure underpinning Australia’s democracy is set for a once in a generation overhaul amid top level fears its vintage hardware is a sitting duck for hackers increasingly looking to disrupt elections.

The Australian Electoral Commission revealed plans for a comprehensive Election Systems Modernisation program to replace its ageing mainframes and highly customised applications, citing the deteriorating cyber environment as a key factor. 

The big upgrade, revealed on Wednesday, will span across the electoral roll, counting and voter management systems, candidate management, cyber security and resilience.

With Parliament having booted any prospect of online voting some time ago and fears of foreign interference now at a global all-time high, the process of casting and counting looks set to be paper based for the foreseeable future.

Slated for delivery in two overlapping major tranches between 2019 and 2026, the envisaged rollout will cut across two federal elections nominally scheduled for May 2022 and May 2025, with work likely starting very soon after the May 2019 federal election – if the government lasts that long.

“Since the 2016 federal election, events overseas have highlighted the importance of maintaining the integrity of electoral ICT systems and protecting them against unauthorised interference,” the AEC said in a request for information issued to the market.

“Events within Australia have demonstrated that the risk of cyber-attack is increasing and even unsuccessful cyber-attacks can impact on the public’s perception of the integrity of the business process.”

The documentation puts the AEC’s current systems environment at approximately “93 systems and supporting sub-systems that deliver services to citizens and political parties, support the work of the AEC and provide integration and interface services.”

However the AEC also cautions that its infrastructure is getting very long in the tooth and running out of runway.

“The current core software platforms have been in use for almost 30 years. The technology platforms that support these ICT systems, while old, are still capable of processing large volumes of data and are reliable for the short term.”

It also warns that the engine room of democracy is a fiddly custom build having been “developed incrementally over time to deliver new business requirements and improve connection between business systems and databases.”

“Most of these systems and sub-systems are bespoke in nature as no commercial off the shelf (COTS) products were available at the time to meet legislative requirements.”

And while there are dozens of moving parts, the main game is reworking Australia’s giant list of electors with the systems that run elections as well making the calculations and setting the boundaries for electoral redistributions.

“The vision for Election Systems modernisation is to create an Integrated Roll and Election Management System (IREMS). The new IREMS will replace the AEC legacy systems,” the AEC’s documentation says.

“The program is seeking to deliver core infrastructure that can support an increased scale and scope of services over time.”

The release of the AEC’s election tech RFI is also certain to stimulate wider discussion in political, public sector and public policy circles about potential enhancements or limitations that may be needed to keep things above board.

One of the more contentious areas the AEC has custody of is the collection of information and disclosure related to political donations and funding for candidates during election campaigns.

Transparency and governance advocates have for years been pushing for far more timely and granular tracking of the cash flowing into party coffers, especially in relation to third party organisations that assist particular parties or causes that legally sit just outside of donations regulations.

The extent and role and effectiveness of indirect campaigning remains a hotly contested topic across both sides of politics, with barbs and accusations of slush-funding a regular occurrence.

Fallout from the Cambridge Analytica scandal also looms large before the refresh, especially around who has access to the Electoral Roll and how they are able to slice, dice and micro-target campaigns at specific groups of voters.

Both the Australian Labor Party and the Liberals have recently invested in substantial upgrades to their electoral databases and related analytics technologies as the systems become increasingly powerful and commoditised.

Most political parties remain deeply secretive about how they suck-in and model electoral data, especially what information they keep on individual voters and their views in addition to basic data supplied by the AEC.

A major criticism of political party databases has been that they are excluded from privacy and spam regulations as well as being largely immune from independent oversight or audit.

It is understood that access to the electoral roll by political party officials or authorised campaign workers has long been regarded as a security weak spot, especially in terms of being able to look up individual electors for personal purposes.

The AEC’s request for information closes at 2pm, 19 November 2018, with an industry briefing to be held on 29 October 2018 between 10:30am - 12:30pm at the Vibe Hotel, Canberra Airport.