Mon | Aug 21, 2017

Voters' data safe from hackers - EOJ

Published:Sunday | December 6, 2015 | 12:00 AM
Fisher
A voter undergoing electronic identification before being given a ballot.
1
2

The Electoral Office of Jamaica (EOJ) has admitted that it does not have funds in its budget to purchase hardware and software to counter cybersecurity threats, but says it is still confident that systems are in place to protect its data from hackers.

"The EOJ is cognisant of the risks associated with cyber-attacks. We have in place various levels of hardware and software designed to prevent intrusion. Also, there are several levels of isolated networks," Director of Elections Orette Fisher told The Sunday Gleaner in an emailed response to questions.

A series of spectacular cyber-attacks drew headlines around the world since the start of the year, and analysts say the situation will only worsen next year as hackers use more advanced techniques to infiltrate networks.

With the EOJ housing sensitive data on the more than 1.8 million persons on the voters' list, there have been concerns that it could attract hackers come election day, but Fisher says the EOJ will be able to handle a possible cyberattack.

"The possibility of the impending election being compromised by a cyberattack is not a legitimate fear as the core elements for an election are still manually based. At polling stations in which electronic equipment is used to assist in identifying voters, each unit stands alone and is not linked to any network," said Fisher.

"Additionally, the data is public data available for viewing at post offices or the offices of the returning officers. This reduces the risk of cyberattack," added Fisher.

 

Worst-case scenario

 

If the EOJ were to become the victim of a cyberattack, a worst-case scenario could see a delay in the printing of the voters' list, given the length of time it would take to restore data from its backup system.

Dean Smith, a former assistant director of information systems at the EOJ, has also expressed confidence in the ability of the EOJ to manage its cybersecurity risks.

According to Smith, the primary database system being used by the EOJ is very secure, and the office operates a batch process which reduces the risk of cyberattacks.

Concerns about the possibility of this kind of cyberattack were raised in a 2012 information systems review of the Electoral Commission of Jamaica (ECJ) conducted by the auditor general.

The auditor general found that the ECJ did not have a system in place to monitor the activities of privileged users and administrators to ensure that they were not abusing or misusing their access rights.

The review identified 21 user accounts with administrator privileges on the ECJ's network and found that passwords associated with these accounts were not changed periodically.

The ECJ had committed to addressing these and other weaknesses uncovered by the review.

While the core elements of an election are still manually based, the EOJ has been moving towards more computer-based methods for conducting elections.

In March, the agency issued a contract for $2.4 million to Oracle Caribbean Inc for the database which will be used to match fingerprints for electors.

Oracle is an international enterprise solutions provider whose security controls are not considered to be as robust as that of other systems.

In a white paper released this year, Oracle implored users of its systems to safeguard against possible attacks by implementing hardware and software to counter such attacks.