Urgent action beyond just buying new equipment is needed to shore up the cybersecurity of Australia’s electoral system, the Opposition’s cyber spokesperson Gai Brodtmann says.
In a submission to an ongoing inquiry into the security of elections, the outgoing shadow assistant minister for cybersecurity Ms Brodtmann said there is a need for “reform and modernisation” of the Australian Electoral Commission’s IT systems and electoral processes in order to “maintain the integrity of our elections”.
“With the federal election looming against the backdrop of cyber hacks on the electoral systems of the United States and France, and the DDoS attacks on the 2016 Census, I welcome this timely and important inquiry,” Ms Brodtmann said in the submission.
“While voting in Australia is paper-based, our national voter registration databases are not. We must ensure Australia’s databases are protected from any kind of breach or manipulation.
“We need to recognise the acquisition of new equipment and systems alone will not alone automatically assure the cybersecurity of our electoral systems.”
Ms Brodtmann made two main recommendations: that Australia’s election system be classified as a “critical infrastructure sector” under the Trusted Information Sharing Network, and that the AEC be directed to comply with the Australian Signals Directorate’s cybersecurity standards.
The Trusted Information Sharing Network is the primary national engagement mechanism for “resilience building initiatives” on critical infrastructure.
It defines critical infrastructure as “physical facilities, supply chains, information technologies and communication networks, which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security”.
Ms Brodtmann said Australia’s election systems fit into this definition, and listing them as such would “overlay the appropriate scrutiny and assurance mechanisms to assure the Australian people of the cyber resilience of their democracy”.
“Our election systems and infrastructure are the very foundation of our democracy. They underpin trust in the way we govern ourselves, and our values,” she said.
“They are vital to the ‘social wellbeing’ and cohesion of the nation. Unfortunately, however, they are not yet recognised as critical infrastructure in Australia.”
It is not currently clear whether the AEC already complies with the ASD’s mandatory cybersecurity standards as it hasn’t been audited, she said.
“What is clear from this year’s ANAO review of the AEC’s procurement of services is the organisation only applies on a quarter of the applicable controls for IT security risks and does not have sufficiently cyber secure supply chains,” Ms Brodtmann said.
Ms Brodtmann announced earlier this month that she would not be contesting her seat at the next election due to personal reasons, saying her role had been an “enormous honour and privilege and brought [her] inestimable pride and joy”.
“I have also loved influencing, shaping and developing policy, particularly on national and cyber security, women’s health and empowerment, small business, public service and administration and Norfolk Island,” she said.