17jun27 – Moderate appetite of ‘commissioners’
POSTSCRIPT / June 27, 2017 / Tuesday
INSTEAD of inventing another Voter’s ID and cooking up new juicy contracts, the Commission on Elections may want to pay priority attention to improving the country’s Automated Election System so as to nip possible problems in the 2019 and 2022 polls before they occur.
The Comelec can focus, for instance, on fast-tracking delivery of 24 million IDs containing voter’s biometrics data — before eyeing another P150-million contract for three million “enhanced” IDs that will result in two identification cards for millions of voters.
We understand that the harvest season in the Comelec comes around only every three years, but with galloping government expenses, we beg the “commissioners” to heed the Jun Lozada admonition on the need to moderate the appetite.
The poll body can take advantage of the gap between the elections last year and the upcoming 2019 and 2022 polls to tighten the loose bolts — instead of later justifying “emergency” contracts for last-minute updating of the poll system and its myriad requirements.
Law and technical experts familiar with the scandalous fumbles of the 2016 elections – a battle royal over the vice presidency is still raging before the Presidential Electoral Tribunal — can be engaged this early to plug the leaks at least costs.
The “commissioners” need not worry. Anyway, Smartmatic – a favored suki – will soon be around with another multibillion-peso deal for hardware, software, supplies and services. Will the bonanza be split again into packages small enough not to attract much attention?
Meantime, we invite the Comelec and the Congress to pick up some ideas contributed in the hearings in the US Senate (never mind the inquiry in the US House of Representatives) on the Russian hacking of their 2016 presidential elections.
Unlike in the Philippines where only one Automated Election System (AES) is used nationwide, American states use one of two technologies. More states use Optical Scan ballots (as in the Philippines), where the voter fills out a paper ballot that is then scanned and the votes counted by a computer.
In the other system called DRE (Direct-Recording Electronic), voters interact directly with a computer, instead of marking a paper OS ballot and feeding it into the computer. In the DRE system, where there are no paper ballots, the electronically inputted votes are stored in computer memory.
With its Precinct Count Optical Scan (PCOS) voting-counting machines in the 2010 Philippine elections tagged by critics as “Hocus-Pocus,” Smartmatic renamed its 2016 setup as SAES-1800plus, but continued to use an optical scanner that received the ballots and counted the votes.
The software used in 2016 was Smartmatic’s Election Management System (EMS), an application that generated all the data needed to prepare and conduct an election, from candidates’ nominations, to device configuration and ballot design.
• Learn from hacking of US polls
IN ITS hearing on June 21, the US Senate intelligence committee was told by J. Alex Halderman, a professor of computer science at the University of Michigan, that both the Optical Scan (à la PCOS) voting and the DRE systems suffer from security problems.
Halderman told the committee, led by Sen. Richard Burr (R-NC), chairman, and Sen. Mark R. Warner (D-Va), vice chairman, that with their old technology, both systems are vulnerable to hacking as was shown in the Russian interference in the US elections last year.
The expert witness said he was familiar with the tampering of election systems, because he himself has developed ways to attack many of them as part of his research into election security threats. He recalled:
“Ten years ago, I was part of the first academic team to conduct a comprehensive security analysis of a DRE voting machine. We examined what was at that time the most widely used touch-screen DRE in the country, and spent months probing it for vulnerabilities.
“What we found was disturbing: we could reprogram the machine to invisibly cause any candidate to win. We also created malicious software—vote-stealing code—that could spread from machine-to-machine like a computer virus, and silently change the election outcome.”
He added: “Cybersecurity experts have studied a wide range of US voting machines—including both DREs and optical scanners—and in every single case, they have found severe vulnerabilities that would allow attackers to sabotage machines and to alter votes.”
“Before every election, voting machines need to be programmed with the design of the ballot… This programming is created on a desktop computer called an Election Management System, or EMS, and then transferred to voting machines using USB sticks or memory cards. (The same thing done by Smartmatic in 2010 and 2016.– fdp)
“These systems are generally run by IT personnel or by private contractors. Unfortunately, election management systems are not adequately protected, and they are not always properly isolated from the Internet. Attackers who compromise an EMS can spread vote-stealing malware to large numbers of machines.”
One of Halderman’s recommendations is to replace obsolete and vulnerable voting machines, such as paperless systems, with optical scanners and paper ballots (like what Smartmatic has prescribed — fdp). He said “paper provides a resilient physical record of the vote that simply can’t be compromised by a cyberattack.”
He also suggested a consistent and regular audit to ensure that election results are accurate, by inspecting enough of the paper ballots to tell whether the computer results are right. These “risk-limiting audits,” he said, may seem low-tech but are reliable and cost-effective.
The Comelec, if it wants, can repulse attacks on the integrity of Philippine elections before they occur. But it will need the help of other parties, including the Congress.
(First published in The Philippine STAR of June 27, 2017)
* * *