Cybersecurity risk to NSW Electoral Commission unanswered weeks out from council elections
By Kelly FullerSix weeks out from the New South Wales local government elections, the state government has been asked to explain why it has not provided its electoral commission with $22 million to fix "urgent" cyber security risks.
Key points:
- In March, the NSW Electoral Commission warned its cybersecurity settings did not meet expected standards
- It says it needs $22 million to respond to the cybersecurity improvements
- The NSW local government elections are scheduled for December 4
In documents tabled to the parliament in March, the NSW Electoral Commission revealed it had warned the government about the situation.
"Lack of adequate investment in the cybersecurity of NSW electoral systems and personnel over time has meant that the commission does not comply, and cannot comply in the immediate future, with the NSW public sector's mandatory cybersecurity policies," the documents said.
"The Commission also does not meet the ACSC's (Australian Centre for Cyber Securities) Essential 8 standards for cybersecurity."
The statement also outlined how it had not been successful in its previous three funding proposals to address the issue.
It warned the risks were significant, saying:
"Although the overall risk of cyber breaches to commission systems are considered to be lower for a local government election, because the national security implications of such elections are also lower, the scale of these elections and planned introduction of iVote means the threat level remains significant."
The document detailed the improvements and upgrades needed to mitigate risks and exposures to both external and 50 internally-developed business systems.
Seven months on, no funding decision
In Tuesday's budget estimates hearings, the Minister for Digital and Minister for Customer Service Victor Dominello was questioned about the situation by Labor's Adam Searle.
"Given the — in my words — the alarming evidence given by the electoral commissioner earlier this year about his agency's complete lack of preparedness on the cybersecurity front, it doesn't sound like this issue is being attended to by the government you are part of by any degree of alarm or urgency," Mr Searle said.
"The suggestion that the government is not taking this seriously couldn't be further from the truth, we realise how important it is," Mr Dominello responded.
"I appreciate your questions, but at the same time we have got to make sure when we are investing in cyber or any other digital asset it is invested wisely."
Digital NSW department staff revealed the cost of the upgrade would be $22 million and told the hearing they were working with the electoral commission on a business case for the project.
The staff said they were waiting on the commission to respond to an assurance and review process before they could proceed.
Mr Searle reminded the minister the agency had already had three attempts at seeking additional funding.
"This is not the first time the electoral commissioner has given evidence about what appears to be the systematic underfunding of his agency," Mr Searle said.
"A lack of cybersecurity around the integrity of our electoral system, in seven months the government has not even been able to allocate the money, it seems to be a pretty poor process."
Mr Dominello said the commission and Cyber Security NSW needed to resolve a series of questions.
"Now I am not saying it's the commission's fault. Maybe they are complying and ticking every box but maybe they are not," the minister said.
He agreed to take the matter on notice.
Mr Searle said the government must act resolutely and swiftly to address the issue before the December 4 local government elections and five state by-elections.
"It's a terrible dereliction of their duty," he said.
"We must do all we can to maintain the integrity of electoral processes because the outcome of elections must be valid and have social licence, with public support, for the integrity of electoral processes and their outcomes."
Commission provided advice on cost savings
In June, council elections were delayed for the second year in a row when the government postponed the poll to December in response to the pandemic.
In September, additional documents tabled in state parliament showed the delays would cost taxpayers $146 million.
The papers also revealed the NSW Electoral Commission believed it could have saved the state $54 million had the government agreed to a fully online and postal election.
Commissioner John Schmidt proposed the measures in July 2020 in response to the risks associated with COVID-19, but the government opted not to adopt the measures.
Nominations opened this week
Council election nominations opened on Monday for 124 local governments across the state.
Candidates have until November 3 to lodge their nomination.
Last week, the parliament passed new COVID-19 safety measures for the elections including preventing candidates from handing out election material within 100 metres of the polling place or pre-polling place.
Wingecarribee, Central Coast, Balranald, and Central Darling councils are not holding elections because they are in administration.