More than 50 electoral systems in NSW require “urgent” cyber security fixes, the state’s electoral commissioner has warned in a rare appeal for additional government funding ahead of the next election.
In a frank submission [pdf] to parliament as part of budget estimates, John Schmidt revealed significant funding constraints have meant the NSW Electoral Commission is unable to meet its cyber security obligations.
It makes the commission one of the numerous state government agencies struggling to comply with NSW cyber security policy, including the recommended baseline cyber security mitigation strategies, known as the Essential Eight.
“Lack of adequate investment in the cyber security of NSW electoral systems and personnel has meant that the commission does not comply, and cannot comply in the immediate future, with the NSW public sector’s mandatory cyber security policies,” Schmidt said.
“The commission also does not meet the Australian Cyber Security Centre’s Essential Eight standards for cyber security.”
Schmidt said the commission had repeatedly asked for “specific funding to defend the integrity of the state’s electoral system against cyber security threats”, but that the last three proposals had been knocked back.
“The commission was not successful in its previous three funding proposals to address this issue, other than for a small amount of ‘seed funding’ to develop a further business case (which was subsequently not approved) and the costs of hosting iVote at the 2019 state election,” he said.
Last year, an audit revealed that the commission made 13 separate funding proposals totalling $33.8 million in 2019-20, but only saw an $8.4 million increase – or a quarter of total funding requested – due to a NSW Treasury cap on requests.
Schmidt said the commission had again sought funding in the lead-up to this year’s state budget to uplift its cyber security posture, with an Essential Eight “target maturity of at least two” planned before the state election in March 2023.
The 2021 budget proposal also asks for funding to resolve “ongoing cyber security issues with existing legacy systems” and ensure ‘security by design’ principles are included in the design and development of all new systems.
Improved identity and access management to ensure appropriate levels of access is also sought, as is the use of an external cyber security operations centre – like the one the Australian Electoral Commission deployed at the last federal election – to improve incident identification and management.
In the long-term, the commission is also “seeking budget funding to mitigate the risks with its dependency on the more than 50 internally-developed business systems that are critical to the delivery of every election”.
“These systems require urgent updates for cyber security, reliability and supportability reasons,” Schmidt said.
“Only with additional funding now can the commission ensure these systems are capable of delivering the 2023 state general election, as well as undertake longer-term critical system planning to protect them into the future.”
Additional funding would allow the commission to resolve “known issues within existing applications to extend their life so that they will be more reliable during delivery of [the 2023 state election]”, as well as reduce complexity around data architecture and data management.
Schmidt added that the commission was dependent on a “number of bespoke and ageing core systems that were not designed with a security focus in mind and have limited support available” at a time when threats were increasing.
He said “system issues” during the 2019 state election had “directly impacted voters voting at early voting centres”, but did not mention the iVote registration system issues that the commission faced one day out from polling.
Last year, the NSW Audit Office recommended that the government urgently improve its cyber security resilience after the majority of agencies reported low levels of maturity under the Essential Eight for a third straight year.
In response, the government has kicked off a number of cyber security uplift programs, including at NSW Police and the Department of Communities and Justice which have received $56 million over three years to secure their systems.
Service NSW also recently received $5 million to upgrade its cyber defence in the wake of an email account compromise attack that exposed 736GB of data to unknown attackers, including the personal information of 103,000 customers.
The government has set aside a total of $240 million over three years as part of the state’s $1.6 billion digital restart fund for cyber security initiatives, including $60 million to expand the remit and staffing levels of Cyber Security NSW.
A NSW parliament inquiry last month asked that the government review its cyber security policy to give agencies greater clarity around mandatory standards, as well as move Cyber Security NSW to the Department of Premier and Cabinet.