NONE! This is the answer to the floating question in our previous column (Part 2): Does COMELEC have an information security policy?
It follows that if there is no information security policy in an organization, its operational procedures and practices are not on a par with information technology (IT) best practices and/or international standards.
To cite some major incidents that validate the absence of an information security policy in the COMELEC’s implementation of the Automated Election System (AES) in the 2010, 2013 and 2016 national and local elections, the ‘in-securities’ discovered by AES Watch should have been resolved with the following simple yet effective actions:
*Early planning. It has been observed that the COMELEC would habitually start the AES project late, or only a few months before the elections, which affected preparations for this complex and humongous project. Because it was always late, most of the critical milestones were either completed late (e.g., training of Board of Election Inspectors (BEIs) and Board of Canvassers (BOCs)) or not accomplished at all (e.g., source code review). Further, the tardiness caused emergency procurements in 2010, like the P30 million worth of UV lamps bought to replace the PCOS’ defective feature for detecting fake ballots. However, the lamps were not even used.
AES Watch had always advised the COMELEC to prepare two years before the elections to properly complete the project and comply with all the provisions of RA 9369, or the AES Law. But they never listened!
*Project management. The COMELEC should have organized a project team composed of independent, experienced and skilled IT professionals who would have ensured smooth AES implementation. Part of their job would have been the auditing of the project activities of Smartmatic.
*Proper coordination and appointment of a compliance officer. The technical provisions of RA 9369 should have been complied with in proper coordination with the Department of Science & Technology (DOST), the Department of Trade & Industry and the Department of Justice, for example on the correct interpretation of digital signatures vis-à-vis RA 8792 (the e-Commerce Act). Had there been an appointed compliance officer and strict adherence to internal guidelines and procedures regarding compliance with statutory laws and the mandates of regulatory bodies, the digital certificates of the BEIs and BOCs would have been used in the past NLEs. Incidentally, the DOST offered to provide digital certificates, but the COMELEC didn’t bother to listen and instead followed what Smartmatic told them to do.
To expound, it’s stipulated in RA 9369 that “The election returns (ERs)/certificates of canvass (COCs) transmitted electronically and digitally signed shall be considered as official election results and shall be used as the basis for the canvassing of votes/proclamation of a candidate.” Considering that the ERs and COCs were not digitally signed in the past NLEs, the proclaimed winning candidates then were technically void!
*Comprehensive User Acceptance Test (UAT) certification. The disaster that happened during the Final Testing & Sealing (FTS) of 76,000 PCOS machines on May 3, 2010, manifested the absence of operating guidelines and procedures related to best practices in conducting UAT certification. The disaster was the malfunctioning of all the PCOS machines; for example, in Makati, the votes of Binay and Mercado went to Genuino. The inaccuracy of the PCOS machines prompted the COMELEC to replace all 76,000 compact flash (CF) cards in a matter of a few days before the May 10, 2010 elections.
Months before the FTS, the international certifying body tapped by the COMELEC, Systest Labs, Inc. (SLI), had already warned the poll body to address several compensating controls before using the PCOS machines. The COMELEC didn’t comply!
What were the issues with recalling those defective CF cards and replacing them with new CF cards loaded with an allegedly “running” system? It was next to impossible to do the recall, conduct the UAT again and install the reprogrammed CF cards. First, transporting the cards to and from the precincts would take at least seven days, while the conduct of the UAT could last at least 14 days (i.e., debugging and testing). Thus, to use the debugged program of the PCOS machines on May 10 was a joke! The only logical solution would have been for the COMELEC to address the compensating controls raised by SLI, conduct a comprehensive UAT of all the machines, and apply proper project management. The expectation then was that all the machines would be working before the FTS.
*Extensive database administration. Maintenance of the databases should have been regularly performed. One error would mean disaster.
Just to recall what happened during the Joint Congressional Canvassing Committee hearing on May 26, 2010, at the Batasang Pambansa hall: Senator Juan Ponce Enrile asked why the computer servers at the BP and the PICC showed 256 million and 150 million registered voters, respectively, when in fact the number of registered voters at that time was only 51.3 million. Under oath, Cesar Flores of Smartmatic replied, “Error in application!” This means the canvassing system had a problem then.
(To be continued)