Political parties to get cyber subsidy for electoral databases

Australia’s four major political parties have been granted $300,000 to shore-up their systems following Russia's alleged cyber interference in the 2016 US election.

The funding will be made available to the parties in the form of voter information protection grants that will be administered by the Department of Finance over the second half of 2018.

The Liberal, Nationals, Labor and Greens parties will use the grants to “improve security of their constituent management systems and associated data, including information pertaining to the electoral rolls and voter information”.

The funding follows a series of briefings on the security threat to Australia’s elections between Australian Signals Directorate (ASD) and party leaders in early 2017.

The briefings were called for by Prime Minister Malcolm Turnbull in the wake of widespread accusations of Russia meddling in the US national vote.

"You can have flaws in the hardware that provide vulnerabilities, flaws in the software, and as I often say is the biggest vulnerability is the warmware, the humans making mistake, or taking information as Edward Snowden did," Turnbull said at the time.

He also pointed to the ASD’s “very good” cyber principles as a means to “practise good cyber hygiene”.

The government has since been considering whether to give the political parties additional resource to defend against cyber intrusion on a needs basis, according the Australian Financial Review.

Each party will receive up to $75,000 to help work towards implementing either ASD’s top 4 or essential eight cyber mitigation strategies “to at least maturity level 3”.

However there is an expectation that “the top 4 should only be implemented if implementation of the essential eight is not feasible”.

The essential eight are now considered the baseline for cyber security by the ASD, but there is acknowledgement that this can be difficult “depend[ing] on the scale of IT infrastructure and security challenges faced”.

Funding is expected to be spent on security assessments or technical investigations into the cyber security posture of systems or health checks against the top four or essential eight, rather than third party commercial software solutions.

Political parties, unlike government agencies, currently aren't required to implement the top four. They’re also not covered by the Privacy Act.

This is despite systems like the Liberal party's Feedback database - or newer i360 campaign monitoring tool - and Labor's Campaign Central software increasingly being used to target voters and reduce the legwork for campaign volunteers.

These systems hold basic personal data from electoral roles like names, addresses, and phone numbers, as well as other information sourced by the party such as data scraped from social media.

The Australian Electoral Commission is also in the process of examining its core electoral systems to identify any vulnerabilities ahead of the next federal election.