The NSW Electoral Commission has secured $4.8 million to perform the most urgent cyber security upgrades to the state's electoral systems, after its last three proposals for funding were knocked back.
The funding was quietly approved from the state government’s digital restart fund (DRF) last month following repeated public calls by electoral commissioner John Schmidt for investment.
Schmidt first raised the alarm about the commission’s precarious cyber security posture in April 2021, saying that more than 50 electoral systems required “urgent” fixes.
He said several funding proposals to address the issues had not been approved, making it difficult for the NSW Electoral Commission (NSWEC) to comply with the government’s cyber policy.
“Lack of adequate investment... has meant that the commission does not comply, and cannot comply in the immediate future, with... mandatory cyber security policies,” Schmidt said at the time.
Ahead of the 2021 budget process, the commission submitted a $22 million business case for cyber security improvements from the DRF’s cyber security reservation over four years.
But by November that was still pending, leading Schmidt to describe the process to secure funding as “Kafkaesque” and a “circle of hell”.
The Department of Customer Service later said “in-principle endorsement” for the funds occurred in July 2021, but that problems with the business case had prevented approval.
“Critical recommendations must be remediated to ensure risks are addressed, including those associated with the anticipated successful delivery of the uplift program,” it said.
“In response to this process, the NSWEC developed a lean business case which will enable commencement of work on the first phase of cyber security uplift initiatives, while considering the most appropriate response to the broader gate two review recommendations.
“At the time of submission, the lean business case for the first phase was expected to be submitted for approval in February 2022.”
At a budget estimates hearing on Monday, the NSW government’s chief information and digital officer Greg Wells said an initial allocation of almost $5 million had now been released from the fund.
“What we have funded so far is a first tranche of funding for $4.88 million to enable the Electoral Commission to start their security uplift program,” he said.
“The investment that has been recently approved will uplift cyber security maturity in line with the Electoral Commission’s plan.”
Wells said initial funding covers the 2022 calendar year, with the remainder of the $22 million “reserved” in the DRF for the NSWEC to “come back to”.
“That $22 million is reserved currently and we will work with the Electoral Commission about subsequent tranches,” he said, without disclosing what work would occur.
NSWEC told iTnews the funding, which will become available later this month, will be used to increase its cyber security maturity, including complying with the ACSC's "Essential Eight" strategies to mitigate cyber security incidents.
“The planned outcomes for this funding are to increase maturity against the Australian Cyber Security Centre's Essential Eight controls, improve the commission's capacity to comply with the NSW government's cyber security policy... and improve identity and access management,” a spokesperson said.
DCS working to prevent iVote outage repeat
Wells also told budget estimates that DCS is working with NSWEC to ensure the iVote outage experience at last year’s local government elections is not repeated.
“We are also assisting the Electoral Commission at the moment to look at what they can do to set up for success next year,” he said.
Wells said this includes “platform stability and scalability assistance”, as well as “commercial negotiation” with iVote vendor Scytl.
“In terms of scalability and stability of the platform, our team is working closely with their team to make sure that we can do everything we can to make sure it is set up to scale,” he said.
“In terms of the commercials, I understand that we are working closely to look at their provider, their vendor Scytl, and how we can assist with any negotiations that are taking place.”
The technical glitch – which was caused by unprecedented demand – prevented users from voting, throwing the results of at least three ballots in the state into doubt.
The election results of Singleton, Kempsey and the City of Shellharbour now face the prospect of being declared void because iVote had a “defect or irregularity”.
NSWEC has shelved iVote until “extensive reconfiguration” can occur, with the system not used in recent local government by-elections, despite the impact on blind and vision impaired voters.
The NSW Greens are calling for the government to replace iVote with “an open source capacity for technology-assisted voting in conjunction with leading researchers”.