By Nelson Celis | The Manila Times
THE 2018 draft of the automated election system (AES) law proposes to change the Technical Evaluation Committee (TEC) to Technical Evaluation and Certification Committee (TECC). It also proposes to create a credible Project Management Office (PMO). Why?
In the amended AES law of 2007 (Republic Act 9369), the TEC shall certify, through an established international certification entity (ICE) to be chosen by the Comelec from the recommendations of the Comelec Advisory Council (CAC), not later than three months before the date (February) of the electoral exercises, categorically stating that the AES is operating properly, securely and accurately. The AES Watch observed that this provision of the law was complied with in the past three national and local elections, and in this year’s elections. Comelec consistently tapped SLI Global Solutions (formerly SysTest Labs) then. Though SLI was suspended under the US Election Assistance Commission accreditation program, it did its part but somehow the TEC failed to follow its recommendations. For example, in 2010, the TEC neglected to address the compensating controls resulting in no test certifications to show that all the 82,000 PCOS machines had 99.9995 percent accuracy rating, that the integration testing was successful from the PCOS machines up to the national consolidation and canvassing system (i.e., including the testing of all telecommunications facilities and digital signing), that the source code is kept in escrow at the Bangko Sentral ng Pilipinas (BSP), and that the source code reviewed is one and the same as that used by the equipment, etc. Such TEC failure happened not only in 2010 but was also repeated in the succeeding elections. For this 2019 elections, Comelec selected Pro V&V Inc.
Back in 2006, when the technical working group (TWG) from the Philippine Computer Society was drafting the revisions of the 1997 AES law (RA 8436), they brainstormed that the ICE would be a good idea as an independent certifying body to evaluate the integrity of the AES from the precinct count to the national canvass. There was also a suggestion before to tap competent local auditing firms, some of which had partnerships with the Big 4 international auditing firms, notwithstanding the possibility of being able to get the Commission on Audit. The TWG conceptualized the independent body as patterned after the best practices of the ATM consortia in accepting the usage of the ATM apps of a particular bank, specifically in using pre-designed test scripts to instill discipline of accuracy in every assessment. Thus, there’s no question for everyone to conveniently withdraw cash in any ATM whenever, wherever, anytime — that’s because we trust the ATM system! Finally, with ICE, the TWG even presumed that Comelec would come up with the long-awaited Implementing Rules and Regulations (IRR) that had been delayed for almost 10 years after the ratification of RA 9369. Unfortunately, it never happened…until now!
Since the expectations from the ICE didn’t materialize in the last three national elections, the 2018 draft proposes that the TEC be changed to TECC. This time, the three months and the ICE are removed and the AES Board (read Part 4 of this series) intervention is endorsed. The proposed provision states: “The TECC shall certify the AES using the AES Board approved evaluation and certification process. The certification process shall start immediately following the award of the contract to the AES provider and shall be completed not later than six (6) months before the date of the electoral exercise, categorically stating that the AES, including its hardware, software, network, telecommunications, power, and all other system components resources, and facilities which shall include all the minimum system capabilities and/or security features provided for in Section 8 of this Act, is operating properly, securely, and accurately.”
Who are the members of the TECC and what are their primary functions? The 2018 draft proposes that Comelec, in collaboration with the chairman of the ASE board, shall establish an independent ad hoc TECC composed of a representative each from the Comelec, the Department of Information and Communications Technology and the Department of Science and Technology (DOST), who shall act as chairman of the TECC. The primary task of the TECC is to design, adopt, and develop the evaluation and certification processes (ECPs) for the AES taking into consideration existing best practices and standards in AES. The ECPs shall be subjected to review and enhancements taking into consideration advancements in AES technologies after each election. All ECPs developed by the TECC shall be submitted to the AES board for approval. And to ensure that the entirety of the AES is certified 6 months before the elections, the TECC shall be immediately convened not later than 30 days after the effectivity of the amended RA 9369.
As in the existing six provisions of RA9369, Section 11 vis TEC, it is proposed that the TECC document the evaluation and certification of all components of the AES but with the following revisions: 1) Instead of successful conduct of a field testing process followed by a mock election event in one or more cities/municipalities,…it is proposed to have successful conduct of a laboratory accuracy testing and certification of each voting machine before their field deployment and a field-testing process followed by a mock election event in one or more cities/municipalities; 2) Instead of the successful completion of audit on the accuracy, functionality and security controls of the AES software,…it is proposed to have successful completion of audit on the accuracy, functionality and security controls of the AES software, hardware and communications systems; 3) Instead of the successful completion of a source code review,.. it is proposed to have successful completion of full source code review and testing of all the AES components; (4) Instead of a certification that the source code is kept in escrow with the BSP… it is proposed that the certification or certifications of the fully reviewed source codes of all the AES components are kept in escrow with the BSP; 5) Instead of a certification that the source code reviewed is one and the same as that used by the equipment,…it is proposed that the certifications of the source codes reviewed are one and the same as those that are actually used by the equipment during the elections; and, 6) Instead of the development, provisioning and operationalization of a continuity plan to cover risks to the AES at all points in the process such that a failure of elections, whether at voting, counting or consolidation, may be avoided,…it is proposed that the development, provisioning and operationalization of a continuity plan to cover risks to the AES at all points in the process such that electoral fraud, sabotage and/or a failure of elections, whether at voting, counting or consolidation, may be avoided.
The foregoing proposed revisions are clearer and easy to interpret if ever Comelec has no intention to promulgate the pending IRR of the AES law for the past 22 years…and still counting!
Inasmuch as our national automated elections entail complete inter-connectivity and continuity of AES operations and to strengthen the TECC’s function, a new provision is proposed; that is, the successful conduct by the Comelec of an inventory and the quality of telecommunications facilities and power resources nationwide. In this regard, the 2017 TWG found this inventory very critical as none was reported in the past three elections! What about for this coming 2019 elections?
As detailed in the 2018 draft, the TECC shall closely coordinate with a credible PMO. Let’s further analyze why such PMO is a critical success factor to a genuine AES law compliance.
Kung Hei Fat Choi!
(To be continued)