Hacking elections not easy, IT expert says

by Jasmin Romero, ABS-CBN News

Posted at Feb 07 2013 08:45 PM | Updated as of Feb 08 2013 04:45 AM

MANILA, Philippines - Hacking is now the common word some senators and critics of the automated elections are using to raise concerns on the May 13 polls.

Senator Alan Peter Payetano, chairman of the joint congressional oversight committee on the automated elections, has revealed that poll operators are now offering their services to politicians in exchange for P5 million.

To counter this, Cayetano proposed hiring hackers to see if the automated polls can be corrupted.

"Bakit hindi tayo mag-offer ng P5 million or P10 million kapag maipakita ninyo na kaya ninyong dayain ang sistema?" Cayetano asked.

But can the automated polls be hacked?

Lawyer Ivan Uy, former secretary for information and communications technology and former chairman of the Comelec advisory council, told ABS-CBN News that the automated election system can be corrupted.

However, it won't be as easy as hacking a government website.

"It is a question of resources of the perpetrators: how much resources do they have? To what extent do you want to hack it? Do you want to disrupt, or to delay? Are you looking at a replacing data or changing data, information and so on?" he said.

"Kung sinasabi nating madelay lang, napakadali. There are many ways of hacking into a system. Just like a bank, we have security systems placed in the bank pero kung ang purpose nyo ay manggulo lang-- shoot a bank or throw an explosive there, nanggulo lang, you were able to disrupt the securty system,"  Uy added.

"Pero kung ang objective nyo ay manakaw ang pera sa bangko, that's a completely different matter. You need planning to do that," he said.

"Same thing with the election system, there are so many security features there, and the easiest security feature that could be most vulnerable will be when you try to disrupt it," he added.

Uy believes that not many hackers are sophisticated enough to penetrate the automated system.

"I have not seen capability where they (hackers) can penetrate a hardened system, where they can do decryption of information that would require a different level of resources, like computers that will do number crunching-- that would cost several billion of dollars, so only governments probably with necessary financial resources would be able to fund that kind of hacking," he said.

"As far as I have seen, many of the hackers who hacked our government sites are not very sophisticated. They downloaded  programs that are already available on the web and they just used them. Many of our government sites hardly have any security in the first place," he explained.

"Not to mention the cooperation, you need cooperation within the Comelec, [people] who are doing the transmission, people providing the technology like Smartmatic. That's not easy getting everybody to work together to perpetrate an activity like that," he added.

Another way

Despite the large resources needed to hack into the system, Uy revealed that a hacker doesn't really need to acquire those to penetrate the system.

He refused to divulge details for security reasons but gave a hint on what he considered as the weakest link in the whole system -- people.

This is why the Comelec, despite having a successful automated elections 3 years ago, must remain vigilant as election operators and candidates now understand how the system worked the last time, and may now be looking for counter-measures to defeat security features.

Uy, however, believes the Comelec could have minimized the glitches discovered during the mock elections and would have avoided the heavy flak thrown at them, if they have done it a bit differently.

"Normally, you don't want to do a mock testing without fixing all the different issues yet. For instance, iyung machines nung hindi nag-feed ng paper. Sana prior to the mock elections, nagkaroon na ng testing ng mga equipment. That way, the issues will be minimal," he said.

"You don't get the equipment out of the box that has not been used for the past 3 years and suddenly plug it in and expect everything will go smoothly," Uy added. "Dapat sana inayos muna ang lahat ng mga bugs, tinesting muna ang lahat ng mga machines and software bago tayo nagka-mock elections."

Uy believes it is better to stage another mock elections a month from now to regain the public confidence on the automated polls.

Encryption

To fully secure the automated polls, Uy proposed that the Comelec, Smartmatic, and even political parties have their own encryption sytem.

"Iyung encryption, ibig sabihin parang nilagyan mo ng padlock yung balota at may susi ng pang lock at pagbukas ng padlock. Kung iisa lang ang padlock sa ballot box at kung sino ang may hawak ng susi ng padlock na yan, siya ang pwedeng mag alter ng laman ng ballot box," he said.

"Kaya kung makikita mo, bakit yung mga ballot box na dine-deploy may multiple locks, para di lang iisang tao ang maaring magbukas. Importante, ang Comelec may sariling padlock," Uy said.

"Since we are talking about locks, at di naman ganun kamahal ang mga locks na iyon, why don't we have locks by all the major parties? So whatever the transmission is, it is encrypted by 4 encryptions: Smartmatic's encryption, Comelec's encryption and the two parties' encryption," he added.

"That way, walang pwedeng magsabi na nakompromiso ang data kasi sila lang naman ang may susi doon. Kahit i-unlock ng tatlo at hindi ina-unlock ng ika-4, di nila magagalaw ang resulta," he added. "Kailangan lahat silang mag-unlock noon."