Australia’s election officials brace for interference, both foreign and technological

As Australians gear up for the announcement of a federal election, gratuitous photo shoots, media fluff pieces, acerbic speeches, and even a bit of ukulele playing by long-odds incumbent Prime Minister Scott Morrison have become the order of the day. But behind the scenes, concerned election authorities are debating the potential impact of growing technological dependence and foreign interference in the country’s elections.

Those concerns were writ large in the recent first interim report of the Senate Select Committee on Foreign Interference through Social Media, which took a deep dive into the current climate of social-media manipulation and foreign interference—and came up gasping for breath.

Noting the ongoing inquiries into the 2016 United States presidential election and 2019 UK general election, the committee noted that “it would be naïve to imagine that Australian elections and public debates have not, and will not, be the subject of similar attempts.”

The report notes, “There are a range of foreign governments, organisations and individuals who stand to win or lose from Australia’s political and policy decisions,” adding that “experiences from overseas show us there are some foreign actors who also seek to introduce discord and social conflict as an aim unto itself. … Technological developments mean that these actors have more options than ever before to influence Australia’s processes.”

Who is responsible for elections cyber interference?

It was a stark warning for a heavily egalitarian country where voting is mandatory and orderly elections are emotionally linked to the universal availability of a strong participatory democracy.

To preserve this order, the committee warned, “Government must approach the problem of foreign interference through social media with urgency and seriousness in order to create the institutional architecture needed … unfortunately, the government’s actions so far have fallen short of this.”

With no clear lines of responsibility for evaluating or dealing with cyber threats to Australia’s elections and a Counter Foreign Interference Strategy that is “five dot points and six supporting sentences on a webpage. There is nothing specific relating to foreign interference via social media.”

Asked which agency would be responsible for responding to a foreign disinformation campaign, for example, Department of Home Affairs suggested the Australian Electoral Commission (AEC) would be responsible—but the AEC said its enabling legislation would not give it any basis for such a response.

There were even questions about whether the government should or could report a detected attempt at foreign interference, due to strict caretaker conventions that prevent policy announcements during a formal election campaign.

Noting ASIO projections that espionage and foreign interference “will supplant terrorism as Australia’s principal security concern over the next five years,” the committee advised the government to “clearly delegate lead accountability for cyber-enabled foreign interference to a single entity”.

This should be supported by “appropriate, transparent, and nonpolitical institutional mechanisms for publicly communicating cyber-enabled foreign interference in our elections”, the committee advised, adding that social-media platforms should be given “clear requirements and pathways” to report suspected foreign interference.

“At present, should a social-media platform identify foreign interference, it is optional for them to report it to government.”

Rebooting online voting in Australia

For all the confusion around potential cyber interference in Australia’s still-unannounced election—which can happen no later than 21 May—authorities are still working to recover from the disastrous failure of the iVote online-voting system during the recent New South Wales local government elections.

Despite feting iVote as a solution for socially distanced voting, the system’s architectural failures brought it to its knees during November 2021’s local government elections.

“Performance issues” meant that “a number of electors who successfully registered for iVote did not receive their security credentials and were not able to cast a vote using iVote,” the NSW Electoral Commission (NSWEC) recently admitted in a statement that also said it would suspend use of iVote until it has had “extensive reconfiguration and testing”.

That reconfiguration—which includes a focus on integration testing to ensure smooth interoperability with other NSWEC systems—would be difficult to achieve in the short term due to limited funding, limited specialist resources, and a lack of the backup support necessary for iVote to be used in any elections before the 2023 state elections.

With the validity of three local-government election results now being questioned in the NSW Supreme Court, the NSWEC admitted it is “neither feasible nor appropriate to approve the use of iVote again until those actions are completed”.

Possible election security lessons from the United States

Whether from the broad challenges of feared cyber intrusions, or from the very clear technological failures that interrupted the operation of a formal election, the risks attending Australian elections have never been greater—or the stakes higher.

The situation echoes the significant and ongoing work being done in the United States to ensure the integrity of that country’s election—a goal that, former US Cybersecurity and Infrastructure Security Agency (CISA) assistant director Bob Kolasky recently noted, is one of the agency’s key priorities.

“No issue has been more important to us in the last several years,” he said during a panel session during the agency’s latest Cyber Summit, “than making sure we do whatever we can to bring the weight of the federal government behind state and local election officials, to ensure the integrity and security of our democracy and elections. The disciplines of election administration and cybersecurity have had to merge—and while that merger takes time, I think we have collectively made a lot of progress.”

Kyle Ardoin, secretary of state for the US state of Louisiana and current head of the National Association of Secretaries of State, welcomed the strong support on the cyber front since the Obama administration designated election systems as critical infrastructure in 2017. “We’re working to harden our systems, and continue to make sure our registration system is protected, and utilising MSSPs to watch on a 24x7x365 basis to watch what attacks are occurring on our system,” Ardoin said. “Our Fusion Centre is extremely well prepared to provide us with information and have done so—and that’s what we need around the country.”

Collaboration, he added, is crucial to ensure widespread compliance and security for voting integrity. “When someone is attacked, it ought not be a shameful thing; It ought to be something that they report to someone else, so the information can get around—and not be an embarrassing situation. The reality is that we’ve got to all work together to protect each other.”