Last of 4 parts
To continue on how to resolve the “in-securities” discovered by Automated Election System (AES) Watch in the 2010, 2013 and 2016 national and local elections (NLEs): these should have been resolved with the following simple yet effective actions:
Application of change management control. The two notable incidents in the 2013 and 2016 elections at the command center of the Parish Pastoral Council for Responsible Voting (PPCRV) at the Pope Pius XII Center were classic cases of the absence of change management control, to wit:
1. Alteration 1 due to “formatting error.” On May 13, 2013, at around 8 p.m., an hour after precincts had closed during the 2013 midterm elections, the PPCRV admitted that its senatorial count was wrong and decided to stop its partial and unofficial count of the senatorial race because of the erroneous results that had been released. PPCRV said that the results were too high vis-à-vis the actual number of voters in the precincts. Hence, Smartmatic’s Marlon Garcia corrected the script file in the transparency server room to resolve the “formatting error”; that is, the error was causing double counts (https://www.youtube.com/watch?v=seKDJPBUICE). For whatever explanation they had in 2010, one mind-boggling fact then was the 12 million votes counted out of 1,418 precincts when in fact, the maximum number of voters per precinct at that time was only 1,000 voters. The “formatting error” was not doubling the count, but rather multiplying the count more than eight times.
2. Alteration 2 due to changing of character “?” to “ñ.” On the night of May 9, 2016, Marlon Garcia did it again! He tweaked the script of the transparency server to correct the spelling of candidates’ names by changing a character “?” in the names of candidates with “ñ.” Though said change appeared to be “cosmetic,” Commissioner Rowena Guanzon stressed, “Smartmatic, in my opinion, has breached our protocol. And for that, they should be liable! They should be liable to the Commission on Elections. They should be liable to the people of the Philippines. They were not supposed to change anything without our knowledge and permission!” (https://www.youtube.com/watch?v=CfMDOA2BTIM).
The above alterations lacked the necessary change management control that would have minimized the associated risks, such as suspicions of tampering with election results. The goal of change management is to follow standard procedures in managing change requests (i.e., the resolution of the “formatting error” and the changing of character “?” to “ñ”). That means the requests should have gone through, and should have been authorized by, the COMELEC en banc. Unfortunately, the two cases of alterations missed the proper change management control. Incidentally, the change management process should not be confused with organizational change management, as the latter addresses the people side of change, that is, the impact of new processes and changes in organizational structure.
The unauthorized cases of alterations would have been resolved also by comprehensive User Acceptance Test (UAT) certification of the transparency server. The “formatting error” and the changing of “?” should have been detected months before the 2013 and 2016 NLEs, respectively. Had there been extensive testing of the transparency server before the actual elections, the tweaking of script files would have been prevented.
Access to critical servers by high-ranking officials only. In my 10-year experience in the banking industry, the practice then, and presumably still being practiced today, was that the 16-digit password for the automated tellering machine (ATM) server was divided into two parts; that is, the first eight digits are keyed in by the vice president (VP) for branch banking and the other half by the VP for internal audit. The accountability, in this regard, is assigned to top-ranking officials. No change in the ATM system could be executed unless the two VPs are around.
In the above case of alteration 2 involving the changing of character “?” to “ñ,” the password access to the transparency server was not assigned to top COMELEC officials. It was noted that a COMELEC IT person provided Mr. Garcia with part of the password, which allowed Smartmatic to access the transparency server.
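A sketch of how the two controls above (an authorized change request, and access that needs two senior officials) can be enforced on a server script; this is an added example, not code from COMELEC, Smartmatic or the PPCRV. Instead of a split password, it assumes each official holds a separate key and signs the exact file content; the official names, keys, request ID and script contents are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed keys: each is held by one official only (hypothetical roles).
CUSTODIAN_KEYS = {
    "official_a": b"constructed-key-known-only-to-official-a",
    "official_b": b"constructed-key-known-only-to-official-b",
}

def digest(script: bytes) -> str:
    return hashlib.sha256(script).hexdigest()

def _tag(key: bytes, request_id: str, script_digest: str) -> str:
    # The approval is bound to one change request and one exact file content.
    msg = f"{request_id}|{script_digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def approve(custodian: str, key: bytes, request_id: str, script: bytes) -> dict:
    return {"custodian": custodian, "tag": _tag(key, request_id, digest(script))}

def change_authorized(request_id: str, script: bytes, approvals: list) -> bool:
    """True only if every custodian approved exactly this content."""
    valid = set()
    for a in approvals:
        key = CUSTODIAN_KEYS.get(a["custodian"])
        if key and hmac.compare_digest(_tag(key, request_id, digest(script)), a["tag"]):
            valid.add(a["custodian"])  # a repeated approval counts once
    return valid == set(CUSTODIAN_KEYS)

def audit(baseline: str, deployed: bytes, request_id: str, approvals: list) -> str:
    if digest(deployed) == baseline:
        return "unchanged"
    if change_authorized(request_id, deployed, approvals):
        return "authorized change"
    return "UNAUTHORIZED ALTERATION"

# Constructed script contents standing in for the "?" -> "ñ" edit.
OLD = 'display_name = "PE?A"\n'.encode("utf-8")
NEW = 'display_name = "PEÑA"\n'.encode("utf-8")
BASELINE = digest(OLD)

if __name__ == "__main__":
    one = [approve("official_a", CUSTODIAN_KEYS["official_a"], "CR-001", NEW)]
    both = one + [approve("official_b", CUSTODIAN_KEYS["official_b"], "CR-001", NEW)]
    print(audit(BASELINE, OLD, "CR-001", []))
    print(audit(BASELINE, NEW, "CR-001", one))
    print(audit(BASELINE, NEW, "CR-001", both))
```

Even a one-character “cosmetic” edit changes the digest, so it is flagged unless both officials have signed off on that exact content under that request.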
Institutionalization of problem management. The two alteration cases above were manifestations of poor problem escalation and problem resolution procedures, or these could simply be called problem management. Upon knowing the problems related to “formatting error” and changing of “?” characters, it would have been better if these issues had been resolved by a problem management team composed of representatives from the technical evaluation committee headed by the Department of Science and Technology and independent technical experts and auditors. The actual problem resolution was only done by Mr. Garcia and nobody knew what he really did when he changed the scripts in 2013 and 2016.
And to end this four-part series on this subject, let me share some good news. Last week, COMELEC announced that they are seeking ISO 27001 certification for their information security management system. That appears to be a good move which would secure the AES implementation in the 2019 elections. How serious the COMELEC is about this plan is something that we have to pray about.