The National Audit Office of Australia recently pointed out to the Australian Electoral Commission (AEC) that it did not conform to basic cyber security requirements during the 2016 federal elections. While spending $27.2 million on acquiring automatic ballot scanning technology, the AEC did not pay much heed to compliance. Adding to the woes, it decided to count the ballots by hand after the Signals Directorate raised security concerns, thereby adding more than $6 million to the expenses.
The AEC is said to have taken the risk due to time constraints. Auditor-General Grant Hehir commented, “Insufficient attention was paid to ensuring the AEC could identify whether the system had been compromised. The level of IT security risk accepted by the AEC on behalf of the Australian Government and the extent of the non-compliance with the Australian Government IT security framework, was not transparent. The wording used in some of the internal records and published materials would generate confidence in the security of the system whereas the underlying assessments indicated significant risk.”
However, Electoral Commissioner Tom Rogers maintained his confidence in the integrity of the data, saying, “A review by the Australian Signals Directorate and the implementation of eight mitigation measures to address their 19 recommendations, provided me with added assurance that the risk of the data being tampered with was understood.”
This comes after Australia’s Cyber Security Research Centre (CSRC) recently expressed concern about the country’s weak cyber security standards.