Electoral systems secure after parliament hack, but longing for upgrade

Australia’s electoral chief has warned that while the country’s core electoral systems were unaffected by the malicious intrusion of parliament’s IT system earlier this month, the ageing infrastructure behind the systems remains an ongoing concern.

AEC Electoral Commissioner Tom Rogers

Facing senate estimates earlier this week, commissioner Tom Rogers reiterated previous comments that the Australian Electoral Commission's ageing and highly customised roll management and election management systems were ripe for replacement.

However he also stressed that the existing systems were “secure” following revelations this week that the security breach of the parliamentary computing network by a suspected state actor extended to the systems of the Liberal, Labor and National parties.

“We were briefed on the issue and we have taken appropriate steps, which is why I’m confident making the statement that we don’t think that our systems have been compromised,” the commissioner said.

Rogers first called for the need for funding to upgrade or replace the IT systems behind election and roll management, which have reached the end of their usable life, in his submission to the electoral matters inquiry following the 2016 federal election.

That inquiry found the ageing systems, which are supported by platforms that date back to the 1980s, risked compromising the integrity of Australia’s federal voting system, and that the AEC needed additional funding to overhaul its core IT environment.

The findings, as well as speculation that foreign cyber attackers influenced the outcome of the 2016 US election, sparked an examination of the agency’s core electoral systems in 2017 to identify any security vulnerabilities that might be lurking.

Following this, the AEC revealed plans for a once in a generation to overhaul the aging array of elections systems following the 2019 election in light of worsening cyber security conditions.

The seven-year modernisation project is expected to span AEC’s electoral roll, counting and voter management systems, candidate management, as well as cyber security and resilience, though it is yet to receive funding from government.

While Rogers steered clear of providing an update on the modernisation program during the senate committee, he told senate estimate that any upgrade of the systems was “unlikely to be a very small project”, particularly “based on ... the cost of IT projects globally”.

He said that only a handful of people were left that understood the Adabas and Natural language that the systems were written in, but that there would come “a point at which [the systems] need to be replaced”.

“It is a very sensitive piece of data and at a point we need to get that replaced,” he said.

While the modernisation program is only expected to be ready in time for elections beyond 2026, AEC is planning to establish a new security operations centre to improve cyber security monitoring ahead of this year's poll.

The SOC, which will be up and running by the beginning of April, will be used to activity monitor AEC's electoral systems around the around the clock in the lead up, during and following the election.