Information Systems Security Society of the Philippines

ISSSP

 

How will cheating be done in the coming 2010 election?

The Information Systems Security Society of the Philippines (ISSSP) believes that massive cheating in the 2010 elections will not be done through electronic means as people have anticipated. The systems and their underlying technology are technically sound and have gone through rigorous testing. The vulnerability is not in the technology but rather in the policies and the people that will be running the technology. If these are not properly secured, political warlords and unscrupulous individuals may sabotage the automated system, forcing manual elections, which may result in massive cheating.

This was the consensus arrived at during the ISSSP’s 3rd and final forum on Securing the 2010 election at the Intercontinental Hotel last April 16. The ISSSP is an association composed of around 300 IT security professionals in the country whose primary concern is to create awareness on the threats to the automated election systems and how to address or mitigate the risks involved. The first forum on ensuring the 2010 election sponsored by ISSSP was held in 2008 and the second in 2009.

Indeed, a lot of people have come to believe that elections will be rigged through electronic means. In fact, some sectors of the IT community and civil society have pushed for the parallel manual count. The scheme is designed to serve as a validation for the automated results and not to return to the manual process as some people have claimed or opined. But in reality this move and other uncertainties about the AES are, as aptly written by one columnist, born out of distrust for the Comelec’s capability to undertake honest, orderly, and peaceful elections in the past.

What they fail to appreciate is that while it is possible to cheat electronically, there could be insurmountable hurdles for this to be a likely scenario. One is the investment, not only in financial terms but in technical terms as well. That is, a cheater will have to hire seasoned IT experts, with a greater love for money than for country, to compromise the system. It will also require months of preparatory planning and coordinated effort, all in total secrecy. Add to this the possible difficulty of execution. Thus, the easiest and fastest way to cheat, and perhaps the most cost-effective one with guaranteed results, is to enable a manual mode.

The politicians who have cheated in the past will continue to cheat as it is in their nature to cheat. And since they know how to cheat in a manual election process, their one logical recourse is to change the election, at least in their locality, from automated to manual, where they will have the means and the power to tamper with people’s votes.

But how does one sabotage or force an automated election to default back to its manual processes?

In some areas where there is no electricity or there are no communication lines, or those that cannot be reached with and by the PCOS machines, the election will be done manually. That is already a bonus for some cheating candidates. According to the Comelec, manual election may be conducted in at most 30% of the total number of precincts.

For the scheming political warlords, one way of converting their automated precinct to manual is to use force and intimidation to prevent, by whatever means, the use or operation of the PCOS machines in their respective precincts.

Comelec and the AFP-PNP will just have to make sure that the automated precincts are not converted into manual polling places through political dictates and lawless subterfuge. Thus, the authorities should make sure that the polling place is secured, and that no suspicious characters are given the opportunity to sabotage the PCOS or the ballot boxes, or bring undue fear and harm to the voting public.

The easiest way to cheat manually in this election is to get hold of the ballots, mark them and then feed them to the PCOS machines. In the past elections, filling up ballots was time consuming and required a number of trusted followers to write the names of candidates using different handwritings. Today’s ballots can be marked easily, by the hundreds, in minutes, using a trained accomplice to black-mark ovals with no need to change handwriting.

When Comelec contracted Smartmatic-TIM, it was not to rig or cheat on the election process. The intention was to facilitate the process, through automation, to ensure clean and honest elections. But why the negative issues? It is the obvious question of credibility, which Comelec has lost in the past elections and has not been able to regain since. To compound this situation, Comelec has failed in its responsibility to convincingly assure the public that the automated system is safe, secure and reliable.

It is still the credibility of Comelec and Smartmatic-TIM that is the issue, not that of the automation process.

Smartmatic-TIM, in spite of its claimed IT-Election experience and expertise, has not visibly addressed the expected resistance-to-change factor that threatens any attempt at change, especially one of this size and proportion. Their change management strategy was nowhere to be seen or felt. Like the IT change agents of old, they were remiss in convening enough influential business, political, media and IT personalities to help them sway people’s thinking about the safeguards and security provisions inherent in their automated solution.

The purpose of the Parallel Manual Count and the Random Manual Audit

A parallel manual count is not going to prevent cheating, nor is it intended to. Although it is true that some private companies resort to a parallel run or count when they convert to a computerized or automated system, the main purpose of such a parallel run or test is simply to check if the results of the automated system are going to be the same as those of the old, manual system. And in most cases, this is done to assure the owners or company executives that the computerized system is as reliable as their original manual system.

Today, with most business owners and executives already aware of the benefits and reliability of automation, the question is no longer whether the system will work, but whether the system will continue to work when subjected to external as well as internal threats and vulnerabilities.

The election system is not a difficult system to program from an IT perspective. It is difficult to implement though since it will continually be under threat and subjected to the dictates of political leaders, local and/or national. The more important issue is whether the system was designed to withstand the pounding of muscles, muzzles and money on its doors.

To answer this question, the random manual audit may provide an answer.

In the random manual audit as required in the law and already agreed to by Comelec, five (5) precincts per legislative district will be subjected to a manual counting of the ballots as against that of the PCOS printout.

Will this number (sample size) be enough to check if there is a weakness or security breach in the PCOS system? The answer is yes. Random sampling is an internationally acceptable process of determining near-to-real occurrences or statistical incidence. And that is the one reason it was prescribed in the automation law. The only question is whether the selection of the precincts will be done in a truly random fashion.

The random process of selecting the precincts for the audit is what our Comelec, and the election partners of Comelec should insist on. This way, Comelec can show to the Filipino people that theirs is the intention to help in the audit and find out if the automated process indeed had a weakness or vulnerability that was breached. A discrepancy that may result from the random manual audit does not mean that Comelec or any of its partners cheated. It merely means there are weaknesses in the PCOS system and that remediation is in quick order.

If the parallel manual count and the random manual audit are not preventive measures in securing the 2010 election, what is? As mentioned earlier, the automation process itself is difficult to rig or tamper with. Not that it cannot be tampered with; but it will be easier for our unmindful politicians and those with vested interests to cheat in the old and effective way rather than to risk failure in trying to cheat electronically. The automated process is new and unfamiliar to our current crop of politicians. They will choose the easier, manual way if given a choice. We are also not aware of any political team that has resorted to tapping IT experts and forming a team to hack or even attempt to cheat the automated process.

It’s not as easy as many non-IT people may think for even an IT person to cursorily tamper with the automated aspect of the election. Not with the given safeguards. And this is what will prevent the uninitiated from attempting to rig or manipulate the computerized aspect of the election.

So, how difficult is it to hack or crack this automated election? Let us count the ways.

First, let’s look for a weakness in the automation process. Let’s examine the process. Unless the process enumerated below has changed, the automated portions of the process according to Comelec are:

1. The ballot is fed or inserted into the PCOS machine by the voter (after he has marked the ballot accordingly).
2. The PCOS machine scans the ballot to confirm if it is readable and recognizable.
3. At the end of the voting day, the PCOS machine processes the ballots and prints out 8 copies of the Election Return (for distribution to the right parties).
4. The PCOS machine connects to a communications device and simultaneously transmits the result to 3 recipients: the municipal board of canvassers computers, the Comelec national computer, and the Political Parties-KBP computer. And then prints 22 copies more of the Election Return.
5. The results received by the municipal board of canvassers are consolidated/canvassed and if found correct and complete, the results are then transmitted electronically to the provincial board of canvasser computers.
6. The results received by the provincial board of canvassers are consolidated/canvassed and if found correct and complete, the results are transmitted electronically to the Comelec national computer.
7. Note that during all this time the Comelec national computer already has copies of the election returns from the different PCOS machines in each precinct (as a result of step 4) and can do the canvassing independently of the totals canvassed by and received from the provincial computers. So, the first check that Comelec can do is to see if the totals that it receives from the provincial computers tally with the ones that it receives directly from the precincts. Just to make sure their internal checks do have validity.
8. Comelec will then publish on its website the election returns from each precinct. These precinct results will be seen by the public, at the latest, on the day after the voting. Comelec does not wish to publish the totals since the body that is supposed to finalize and formalize the count for the position of President and Vice President is Congress. And Congress will still convene at the end of May or 21 days after election day.

So, where can electronic cheating or tampering occur? Which step in the process is the most vulnerable to cheating?

The first possible place to cheat is in steps 1 and 2. Here the ballot itself could be tampered with or marked, and the machine will simply reject the unfavorable ballot. Real ballots can then be substituted later and then fed to the PCOS machine before closing time. The cheating at this stage will be the same as in a manual system: ballots are spoiled or substituted to benefit the cheating politician.

Step 3 is the first chance for a hidden electronic cheat to occur. Here the PCOS machine processes the scanned ballots and is programmed to print an altered election return.

For the PCOS machine to cheat, the program or source code would have to have been tampered with already, prior to it being loaded or made available to the PCOS machines. This means the culprit (tamperer) would have been a techie or an IT expert, and one with a reputation for election cheating and creating malicious code. We don’t know that one with such unlikely credentials exists in this country. This means also that Smartmatic and Comelec would have to connive to allow this to happen. Comelec does not have enough IT expertise to allow itself to blindly conspire with Smartmatic to cheat the voting public automation-wise.

And even if there has been no real source code review as required by law, it is really inconceivable for Comelec and Smartmatic to allow anyone or any group to tamper with the PCOS program without great risk of being found out. For one, the PCOS program or software is designed to run on a particular precinct based on the number of voters in that precinct. This means each data set or number of voters is going to be different for each PCOS program on any particular machine. This setup is error-prone to start with and therefore more dangerous if tampered with.

In the event that a PCOS machine fails to function correctly, it will be because of a bug or an error in programming by Smartmatic and not because of any attempt to cheat. That means the worldwide reputation of Smartmatic goes down the drain for developing a program that does not work, period. If this happens on a grand scale, it’s not because of cheating, but because of poor project management on everyone’s part.

So, the question here should be: “Have Comelec and Smartmatic checked, and have they done enough testing, to ensure that this error-prone approach to configuring their program differently per precinct will work on E-day?” We hope they did so.

The risk is just too high to cheat at the source code level. And it is riskier when one will not be able to test fully how the cheat code will work out in the field, in 80,000 differently configured PCOS machines, and with every machine timed to start and end at the same time on this one single immovable day.

So, there will be no cheating in step 3 of the automated process, only sheer incompetence, if ever a PCOS machine or two fails.

By the way, if the PCOS machine fails and the replacement machine for some reason is not available, the election turns manual.

Let’s now look at the weaknesses, if any, in step 4. We are looking for electronic weaknesses or points of failure, right? In step 3, the PCOS machine prints the election return for the precinct. These are the totals of the votes cast per candidate in the precinct. And only after printing will the same data or file be transmitted electronically to 3 receiving computers. The fact that the PCOS machine prints 8 copies before it sends the election results is a plus factor and a strength of the system, since it already creates a verifiable audit of what it will send. And after it sends the data, it prints an additional 22 copies for distribution to interested parties.

In the extremely improbable chance that the data is intercepted or changed in transit, the trail (printed election returns) it leaves will clearly show any tampering that may have happened during transmission, if any.

But what really are the odds of the transmission being intercepted for purposes of changing its content? Practically nil. Since the PCOS already printed 8 copies prior to transmitting the election results, and another 22 copies after it sends the results, there will be no need to intercept the transmission other than to prevent data from being transmitted. But then, even if transmission is temporarily halted, Comelec can still transmit at a later time, say a few hours or even a day after, with no real damage caused to the automated process.

To intercept the transmission of one precinct during the short window of time that the precinct decides to send its data is a gargantuan task from an IT resource perspective. Note that the precincts will be scattered all over the archipelago and will be transmitting briefly at different times from 6:00 pm to midnight of May 10 or to any time of the following day if a problem in transmission occurs.

It will be faster, easier and cheaper for a candidate to simply buy votes or prevent people from voting than to electronically tamper with the transmission of the results on a per precinct basis.

So, no cheating will be done in step 4. It just doesn’t make financial sense to do it at this step of the automated process.

Let’s now go to step 5, when the election returns are passed on to the municipal canvassers and then transmitted to the provincial canvassers. Again, at this point, the canvassers can only manipulate the data manually and not electronically. To tamper with it at this step merely delays the process. Note that the original election returns have been printed in 30 copies already and electronic copies have been transmitted or sent to the Comelec national computer and to the KBP computers. The only thing the canvassers can do is make notations on what may appear as wrong or questionable entries in the election returns they receive.

Step 6 is also not going to be subjected to electronic sabotage, using the same logic as in step 5. Note that the reason dagdag-bawas can be done in a manual system is that the manually produced certificate of canvass is very difficult to cross-check against the election returns. In a computerized system, the matching and checking can be done electronically, so any error or questionable total can be traced back to its original election return in minutes. If any cheating will be done at all, it will not be on the electronic side of the system.

Step 7 is crucial. This assumes that the Smartmatic system will be able to do the reconciliation of the submitted certificate of canvass from the municipal and provincial level and the grand totals that Comelec will compute based on the election returns from the PCOS in the precincts. And we just have to assume that Comelec has fully tested this part of the system. If not, then the dagdag-bawas can be done at this point wholesale.
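The cross-check described in steps 6 and 7, as an added example that is not part of the original paper and is not Comelec's or Smartmatic's code: totals recomputed from the election returns sent directly by each precinct are compared with the canvassed totals passed up the chain. The record layout, the area and candidate names and every number are constructed for illustration.

```python
from collections import defaultdict

# Constructed election returns (ERs), as sent directly by each PCOS machine
# in step 4. Precincts, areas, candidates and counts are all made up.
ELECTION_RETURNS = [
    {"precinct": "P-001", "municipality": "Mun-A", "province": "Prov-X",
     "votes": {"Cand-1": 310, "Cand-2": 290}},
    {"precinct": "P-002", "municipality": "Mun-A", "province": "Prov-X",
     "votes": {"Cand-1": 150, "Cand-2": 420}},
    {"precinct": "P-003", "municipality": "Mun-B", "province": "Prov-X",
     "votes": {"Cand-1": 275, "Cand-2": 265}},
    {"precinct": "P-004", "municipality": "Mun-B", "province": "Prov-X",
     "votes": {"Cand-1": 200, "Cand-2": 380}},
]

# Constructed certificates of canvass (COCs) from steps 5 and 6. The Mun-B
# COC has 50 votes added to Cand-1 and 50 shaved from Cand-2, and the
# provincial COC simply carries that altered figure forward.
MUNICIPAL_COC = {
    "Mun-A": {"Cand-1": 460, "Cand-2": 710},
    "Mun-B": {"Cand-1": 525, "Cand-2": 595},
}
PROVINCIAL_COC = {"Prov-X": {"Cand-1": 985, "Cand-2": 1305}}


def tally(returns, level):
    """Sum precinct ERs per area at `level` ('municipality' or 'province')."""
    totals = defaultdict(lambda: defaultdict(int))
    for er in returns:
        for candidate, count in er["votes"].items():
            totals[er[level]][candidate] += count
    return totals


def reconcile(returns, coc, level):
    """Return (level, area, candidate, delta) wherever the canvassed total
    differs from the total recomputed from the precinct ERs."""
    recomputed = tally(returns, level)
    findings = []
    for area in sorted(set(coc) | set(recomputed)):
        canvassed = coc.get(area, {})
        expected = recomputed.get(area, {})
        for candidate in sorted(set(canvassed) | set(expected)):
            delta = canvassed.get(candidate, 0) - expected.get(candidate, 0)
            if delta:
                findings.append((level, area, candidate, delta))
    return findings


def suspect_precincts(returns, findings):
    """Precinct ERs to pull and compare against their printed copies."""
    areas = {(level, area) for level, area, _, _ in findings}
    return sorted(er["precinct"] for er in returns
                  if any(er[level] == area for level, area in areas))


if __name__ == "__main__":
    for level, coc in (("municipality", MUNICIPAL_COC),
                       ("province", PROVINCIAL_COC)):
        for finding in reconcile(ELECTION_RETURNS, coc, level):
            print("MISMATCH level=%s area=%s candidate=%s delta=%+d" % finding)
```

Running the municipal check first narrows a provincial mismatch to the municipality whose canvass was altered, and from there to the handful of printed election returns that need to be compared by hand.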

Wholesale cheating by whom? Only by somebody who understands computers and the Smartmatic automated system. In a manual system, anyone with authority and guts can use his position to influence people to cheat or help cheat in the election. In a computerized system, for cheating to happen, the act must be premeditated, planned and carried out by people who know and understand computers. And since the system of Smartmatic is as confidential and as secure as they claim it to be, any result, whether right, wrong or questionable, can only be traced back to Smartmatic’s protected program.

As announced during the last ISSSP forum, there is one security provision that Comelec will do to ensure that the election results are credible. And that is Step 8. Let’s hope that Comelec realizes that the only way they can convince the public that everything is above board is if they can promptly publish the election results, per precinct, on their website—for all the world to see.

We understand that Comelec will not publish the official totals of the candidates unless they are ready to proclaim the winners. And specifically not the totals for the presidential and vice-presidential candidates since it is only Congress that can proclaim the winning candidates for the top two positions in the land.

But for as long as the results per precinct are made available on the web, the Filipino people will be able to check the results at their convenience. I am sure that NAMFREL will use the web results to validate their own count. And so will the PPCRV, and every other political party that would have received one of the 30 copies printed by the PCOS machines or has access to the files transmitted to the KBP computers.

And we know that we will be among the many, who, without any copy to start with, will undertake the painstakingly difficult task of downloading the results as they appear on the web and do our own tally, as fast as we can, to see, unofficially, who will become the country’s next president and vice president.

So, how will cheating be done in this 2010 automated election? The same way we’ve always done it before—manually; through guns, goons and gold.

As for the automated election process, it is a security professional’s dogma that there is no 100% security. However, evaluating the system completely on its technical merits, it should be safe to say that it’s relatively secure… for now.
 
 
 

Information Systems Security Society of the Philippines

Unit 208, FCC Bldg, Rada Street, Legaspi Village, Makati City

Tel: 750-3742   Email: isssphil@yahoo.com