Strategic Threat Intelligence Approach to e-voting in NSW 2015 election
Clinton Firth, CSC & Ian Brightwell, NSW Electoral Commission
NSW Electoral Commission (NSWEC) is an e-voting leader in Australia, and one of the few jurisdictions in world using internet voting on an ongoing basis for parliamentary elections. The nature of remote e-voting systems is such that a hybrid packed and bespoke approach is required in order to provide a system in which the electors can have confidence. Given the high profile of elections in general and with the added dimension of adopting new technological advances e-voting provides a great target and opportunity for cyber attackers.
Elections are unique in that the voting transaction must be secret while the electoral process must be transparent. It is this tension between secrecy and transparency which makes the development and operation of e-voting such a unique challenge. This challenge creates a set of security risks which the NSWEC decided needed a threat focused approach to support the design and implementation of NSWEC’s iVote application.
CSC assisted the NSWEC through the provision of its Strategic Threat Assessment consulting offering. CSC believes that the use of intelligence by militaries of the world during war has been a long known way to successfully combat an enemy and is critical to the success of any operation. With the ever increasing rate of global Cyber warfare targeted at organisations and government agencies, the traditional means of forming an IT security strategy and implementing controls is becoming a failing and outdated strategy. These traditional approaches are focused on broad defensive measures based on standards, compliance or perceived best practices that are not aligned to today’s complex landscape of Cyber warfare. Instead NSWEC first assessed their threat landscape and understood who the threat actors are including their capability and malicious intent towards the upcoming state election.
Intimate knowledge of relevant threats has enabled NSWEC to create an effective IT security strategy that is focused, efficient and relevant. The strategy includes monitoring of the threat actors for changes in their capability or intent, along with adaptive security posturing to respond to such changes or an incident. This has provided confidence in the security of e-voting, assurance to the commissioner and government and ultimately integrity in the voting which is core to our democracy.