Australian Democracy at Risk Because of Legacy IT

This weekend, 16.4 million Australians who are enrolled to vote will decide on which of the two major political parties will form the national Government for the next four years.

As a logistical exercise, it might not be as challenging as the Indian or Indonesian elections. It may not be the drama of Indonesia, where more than 250 electoral officials reportedly died from exhaustion.

But it is still a significant logistical exercise. And it differs from many elections in that voting is compulsory in Australia.

Democracy’s Cyber Reckoning

The Australian voting system in use on the weekend is around 30 years old. Elements of it are seemingly unchanged from the birth of Australian national democracy. The nation began with Federation in 1901.

Just as modern democracy needs to be concerned with cyber attacks and manipulation through social media channels, the core voting systems have become vulnerable. Their integrity is now questioned.

In advance of the poll, Prime Minister Scott Morrison announced in February 2019 that the major political parties had suffered cyber attacks alongside the Parliament House computer networks. He said that a “sophisticated state actor instigated them.”

Only four nations are believed to be capable of such an attack: China, Russia, Israel and the US. Security agencies, Morrison said, had “acted decisively to confront it.”

At the last Australian election in 2016, an investigation by the National Audit Office found that the Australian Electoral Commission (AEC) misled the public about the security of its data. It failed to ensure that it had not been compromised.

The audit also revealed that the Australian Signals Directorate, the spy agency which is increasingly charged with policing cybercrime, warned the AEC that it was unlikely to fix the problems in advance of the polls.

In 2016, for the first time, a third party was contracted to digitally scan and count all of the votes in the Australian Senate. But when it became clear that there were problems with this implementation, a late decision was also made to cross-check all ballots manually. This decision cost as much as AUD 8.6 million, according to the audit office.

“The level of IT security risk accepted by the AEC on behalf of the Australian Government and the extent of the noncompliance with the Australian IT security framework was not transparent,” the audit report said.

Slow Response

After the 2016 election, there was talk from all political parties on the need for electronic voting. It was only eight days after the event that the true electoral picture emerged. But even though the parties agreed that electronic voting would be faster and more secure, there was quibbling over the potential cost.

The AEC, like many Government agencies, moves very slowly. In October it began seeking industry advice on how to modernize its current systems and issued a request for information (RFI) documents to the IT industry.

At the moment, the AEC runs 93 systems and supporting subsystems which deliver services to citizens and political parties and support the electoral process.

The ultimate aim is to implement a new integrated electoral roll and election management system to replace the legacy systems. But this will take several more decades to do. It may only be by the late 2020s that the new infrastructure is in place.

In the meantime, this means a significant cost of maintaining the legacy systems. Most are bespoke because there were no commercial off-the-shelf products available at the time to meet the legislative requirements.

“These systems and associated subsystems have been developed incrementally over time to deliver new business requirements and improve the connection between business systems and databases,” the RFI documents state, before going on to reassure the reader that while the systems may be old, they are still capable of processing large volumes of data and are reliable for the “short term.”

The picture which emerges is of a patched-up collection of old systems connected over the years, a little like the plumbing of an old building which has been continually added onto piece by piece.

Unsecured Future

The way forward is bound to be painstaking. After the RFI process, the AEC will conduct a procurement process. Then the Government needs to allocate the funds, and the system needs to be designed, developed, acquired and implemented.

In the meantime, even the AEC is warning that the risk of cyber attack in elections is increasing.

“Even unsuccessful cyber attacks can impact on the public perception of the integrity of the business process,” the AEC’s documents say.

All of which adds another element of uncertainty to a democratic process which is losing public confidence at a rapid pace.

Not only are people suspicious of politicians, but they are losing trust in the integrity of the systems which count the votes and deliver the outcomes.