“A scientifically rigorous analysis and not just a hacking or cracking contest should be done on the Automated Election System (AES),” said Rick Bahague, the National Coordinator of the Computer Professionals' Union (CPU), in response to a statement issued by Sen. Allan Cayetano, which proposed an amount of Php 100 million for a person who can successfully hack the AES.
Bahague stresses the need to address the issues of insider threats, software programming limitations, network vulnerabilities and voter-verifiable audit trails in order to assure Filipinos of the credibility, reliability and integrity of the AES.
“Instead of awarding the Php 100 million to the successful hacker of the AES, Sen. Cayetano should propose that this budget be allotted to gather and mobilize Filipino computer scientists and professionals to assess the AES's security, accessibility, usability, reliability, accuracy and protection of ballot secrecy,” adds Bahague. “We are not trying to catch a fugitive such that reward money is needed.”
The AutoMagic Election System, a paper published by CPU (www.cp-union.com), cites a “Top to Bottom Review” of the AES conducted by the State of California in 2007. The review required a scientifically rigorous analysis of its AES including: analysis and testing of security features; review and analysis of relevant source code for the AES software and firmware; review of the vendor’s system documentation and specifications; independent examinations and testing of the certified and similar versions of the system; review of available data related to the actual deployment and implementation of the system; and testing and observation to evaluate accessibility features for voters with disabilities and alternative language requirements.
This kind of review would require collaboration between vendors, the COMELEC and third-party reviewers.
CPU states that a transparent, credible, fair and accurate AES can only be achieved if the following are considered: technical assessments of the AES should be conducted; the AES should be reviewed by a large number of outside security experts with knowledge in computer security and cryptography; and the source code of the system should be open and available to the public. Furthermore, the AES should have voter-verifiable audit trails for reference. It should accurately capture the voters’ intent in the actual tally. The AES should be secured such that ballot secrecy is protected and tampering is made difficult. It should be able to effectively handle a large number of voters, and it should release reports faster than manual elections.
“AES should be analyzed following appropriate test plans to point out its vulnerabilities but even with a good system, a trusted agency that runs the elections is a prerequisite for it being transparent, fair and credible,” concludes Bahague.
The Computer Professionals' Union (CPU) is a nationwide organization of computer professionals, students and enthusiasts working to advance information and communications technology for the people.
