With the 2022 Philippine National and Local Elections (NLE) right around the corner, cybersecurity threats are becoming prevalent. As electoral processes are facilitated through electronic mediums, worries abound that Comelec could once again be subject to a cyberattack, especially in light of the March 2016 cyberattack that extracted public data from Comelec’s website.
Learning from the past
Following the 2016 breach, Comelec has since made improvements to its systems to decrease the likelihood of another breach. “Knowing such an attack was possible prompted a series of hardening measures to be undertaken,” Comelec Spokesperson James Jimenez says. For instance, interactive elements of the website, such as the precinct finder, are no longer accessible as they provide a pathway to access voter information unavailable to the public.
Furthermore, the website was transferred from Comelec databases to the Department of Information and Communications’ (DICT) facilities. “It is now subjected to the protection of active defenses that are operated and maintained by the DICT,” Jimenez assures. Subsequently, Comelec has also limited the amount of data collected during voter registration. With voter data now in the hands of the DICT, Comelec can focus directly on the country’s electoral systems.
Comparison and contrast
In the United States (US)—and like in many other countries—voting systems are online but are not connected to the broader internet. On the other hand, the Philippines’ automated election system utilizes paper ballots.
Aside from being a primary source document, paper ballots are employed by Comelec to avoid instances of tampering because most of the country’s population is not technologically proficient. “In our experience, an electronic voting system is very difficult for the majority of Filipino voters to deal with,” Jimenez elaborates.
Currently, Comelec does not plan to imitate the US electoral system because “there is no uniform standard of capability in terms of addressing the system,” Jimenez posits. Although Filipinos in urban areas are relatively tech-savvy, those in rural communities tend not to be and face more issues with connectivity.
Protecting the votes
If a cyberattack were to occur during the 2022 elections, those behind it might attempt to alter important information, such as the total number of votes for candidates. However, Jimenez assures that such an attack is unlikely to take place or to succeed, given the precautions put in place by Comelec.
For one, given the use of physical ballots that can be referred back to, the system has a ‘recountability’ advantage that cannot be found with electronic systems. Having recountability means that the Comelec is able to count the votes again in case there is any doubt about the outcome of the elections.
As for the tallying process itself, he explains that multiple iterations of the vote tallies are sent to the central server and that these iterations begin when a precinct releases its results. Then, all the results in that precinct’s municipality are consolidated and sent to Comelec’s servers. The municipal results are then canvassed at a provincial and city level and then at a national level. This means that if there are any discrepancies in the vote counts, they would be evident, making it easier to isolate questionable data.
Moreover, even before any of the results are sent to the central server, the individual precinct results are transmitted to a live website. “[This is] so that at the very first instance, when results are first generated, the public is immediately aware of those results,” he posits.
In the event that this website is overwhelmed due to a distributed denial-of-service attack—a cyberattack used to take down a website by overwhelming it with increased traffic—Comelec also has mirror websites on standby. Considering all of these processes, it would be difficult to manipulate information without it being noticed. Jimenez notes, however, that this does not mean that the system is entirely unreachable.
“Anyone telling you that a system cannot be hacked is lying or doesn’t know what they’re talking about,” he avers. However, since Comelec uses the AES-256 encryption standard—the most secure encryption method in the world—it would take would-be attackers vast resources, time, and knowledge to break through.
What lies ahead
As of the moment, improvements on the voting system are being pilot tested to allow an additional log of votes to be disseminated. With this, the election results would be verified through transmitted election returns and voting logs generated at the precinct.
The traditional and current voting system involves indelible ink stamps to prevent vote duplication, as well as “quick counting” of ballots for immediate publicizing of results. But with the integration of transmitted election returns and voting logs, Comelec would be able to verify voting results more efficiently. “If we can improve this system, we will probably roll it out full scale in 2025,” Jimenez illustrates.
He adds that another way Comelec could improve the country’s election systems is the inclusion of a voter verification component, which would allow precincts to conduct live verification of a voter’s identity on election day. This can safeguard the system from questionable voters.
Additionally, since printed pictures are currently the basis of biometric information, the said process can also prevent predicaments where one vote is in place of someone else—confirming the voter’s identity.
Incorporating these features in the Philippines’ voting system can prevent cyberattacks, as well as avoid identity theft. With the enhancement of the current automated voting systems, the amount of cyberattacks and questionable voters can be decreased during the upcoming May 9 voting day.
However, regardless of the augmentations to the system, Jimenez opines, “It’s imperfect, and it can be improved.” Its current state can reduce cyberattacks to a significant degree, but the possibility of it happening again still remains. Nevertheless, these attacks can be intercepted and stopped with proper cyber defense measures.