POLL EXEC SAYS P100M hack reward ‘dishonors’ poll automation
Posted on: April 20, 2009
By Anna Valmero
First Posted 12:23:00 04/20/2009
Filed Under: Hacking, Technology (general), Elections
MANILA, Philippines—Senator Allan Peter Cayetano’s proposal to authorize the poll body to reward P100 million to a person who can hack the poll automation system for 2010 “dishonors the automation project,” an official of the poll body said Monday.
Commission on Elections (Comelec) spokesperson James Jimenez said the proposal of offering a wager to anyone who can hack the system “dishonors the poll body’s project of working for a new electoral system.”
In an earlier report, Cayetano said he filed a resolution for Comelec to set aside P100 million from its P11.3 billion automation budget as an incentive to anyone who can convincingly demonstrate the weakness of the automated poll system.
Cayetano added that “Comelec should cancel the contract, save the P11 billion and sue for damages the contractor in the event of such successful hacking.”
Comelec plans to automate the upcoming elections next year by deploying 80,136 precinct count optical scan (PCOS) machines to automate the counting of votes, transmission of election data and canvassing of results.
“The Comelec is open to have the system [program or source code] challenged by ethical hackers who are under contractual obligation to penetrate a system and its source code for the purpose of exposing weaknesses and have these addressed before its implementation,” Jimenez said.
Under a contract, ethical hackers or white hats have an obligation to reveal to Comelec 100 percent of the system weaknesses that they find, including their operation logs, observations and recommendations within a defined period of time, said Jimenez.
Jimenez said that adding a P100 million reward for hackers to the mix in the pursuit of exposing and addressing the system’s weaknesses “becomes a free for all, a competition and the drive for people is money.”
The poll official noted Cayetano’s proposal would surely attract hackers who are mercenaries.
If people do system hacking for the sake of the P100M prize, there is a big possibility they can show just enough, say 70 percent of the system’s weaknesses, to bag the reward, then keep critical information to sell later to the highest bidder who wants to control the automation results, said Jimenez.
“Why spend government money on that? At the end of the day, if the system is hacked, what have you proven? Everybody knows no system is completely hack-proof, it is just a matter of time before a system is hacked. With P100M to the mix, hackers will add more systems and even established banking and financial systems will crack under a sustained assault of hackers,” said Jimenez.
“Chairman Jose Melo told me earlier today, if anyone wants to offer the reward it should be the vendors not the Comelec. Let their machines be hacked on their coin and then join the Comelec bidding after,” Jimenez said.
Jimenez noted the concern of some groups that the poll automation system may contain malicious software and codes with pre-programmed instructions to kick in on a specific date so the machines can act to benefit someone, like a candidate.
Citing provisions of Republic Act 9369 or the poll automation law, Jimenez said the Comelec will allow political parties and candidates or their representatives, citizens’ arm or their representatives to examine and test the source code of the poll machines to be implemented.
After the source code review, the code will be kept in escrow at the Bangko Sentral ng Pilipinas (BSP) to be used later to audit the machines deployed on election day, which involves comparing the pristine code kept at the BSP with the actual code in the machines.
“We have a sovereign responsibility to automate the upcoming elections. While there will always be people who will say something will go wrong and offer recommendations, at the end of the day they will not answer to the people, we at the Comelec will,” said Jimenez.
The Comelec Special Bids and Awards Committee (SBAC) is presently holding the bidding for the machines, with the opening of bids set for April 27 and the technical evaluation of vendor machines set for April 30 to May 8.
The Comelec plans to award the P11.2 billion contract no later than May 22.
There are at least 10 potential bidders for the project, namely Smartmatic-Total Information Management, Avante International Technology Inc., Syrex Corp.-Scantron, DVS Philippines-Samsung, Indra Systems S.A., Sequoia-Universal Storefront Services Co., All Data International Inc., Gilat Satellite Networks Ltd., AMA Group Holdings Corp.-Election Systems and Software International Inc. and Mega Data Corp., SBAC documents showed.