The Manila Times: AES security and source code concerns

6 October 2021

By Lito Averia | The Manila Times

"IN the real world, 'yung (the) security by obscurity has never worked." This was a concern raised by Sen. Risa Hontiveros at the joint congressional oversight committee on the automated election system (JCOC-AES) hearing, held last Sept. 15, 2021, as she asked questions about the source codes of the various software used with the automated election system (AES) and their review.

Security by obscurity is an approach where secrecy and confidentiality of a system's internal design architecture are enforced.

Obscurity is the opposite of transparency.

Security by obscurity relies on the hope that, if a system's security design and its flaws remain hidden, it is less likely that the system will be exploited by a hacker. Security by obscurity does not guarantee that the system will not be hacked. Among the first steps that a hacker takes is to discover the security flaws of a system. Security by obscurity only means that the hacker will take longer to find the system's vulnerabilities and will be delayed in proceeding further.

In the same JCOC-AES hearing, election commissioner Marlon S. Casquejo confirmed that the software of the AES will become government property through the Commission on Elections (Comelec). If that is the case, said Senator Hontiveros, does it mean that the source code of the AES software can be released to anybody for review? In response, commissioner Casquejo said that the release depends on security concerns and considerations and that the Comelec en banc will have to decide on the matter.

The source codes of the various AES software have been reviewed prior to the conduct of the elections in 2010, 2016 and 2019, and the reviews have resulted in recommendations to improve the software. The AES source code was not reviewed for the 2013 elections due to the impasse between the AES supplier, Smartmatic, and Dominion Voting Systems, the developer of the software used with the precinct count optical scan (PCOS). Smartmatic then developed its own software for its vote counting machine (VCM), which was used starting in 2016.

The conduct of the local source code review is not going to be anything different for the 2022 national and local elections, as the source codes continue to be under wraps and the review is limited to interested parties and groups based in the National Capital Region. Participation by programmers and software analysts and designers from other regions is not possible since it would require physical presence at the venue of the review.

The poll body has once again issued rules on the conduct of the local source code review. It said rules have been adjusted to include health and safety protocols.

Commissioner Casquejo explained that Smartmatic will lead the conduct of the review and that there will be two types of review: "One is the guided review wherein the provider will be presenting each component of the source code. That will be the three months' review. The second phase of the review would be the unguided. So, it's up to the reviewer to look at any source code and review it." Prior to this, Senator Hontiveros raised a concern that it would be impossible to review the source code if it is being read only off the screen.

As in the past, only a read-only copy of the source code will be provided for the 2022 local source code review activity. With the read-only copy rule, the code reviewer is limited to simply reading the code.

For Comelec, the source code review is a transparency measure which seeks to ensure that the source code does not include any malicious code or any code that could potentially impact the election results.

Source code review by peers is a common practice in software development which seeks to improve the quality of the software by reducing the number of defects or vulnerabilities that may be detected in the process. To meet this objective, it is desirable that there be high coverage of the different parts of the software under review.

With millions of lines of code to read through, the six-month period allocated for the source code review is not enough. Code reviewers who participated in previous source code review activities choose specific parts of the source code to review manually, an indication that not all of the source code is covered.

Static code analysis tools may be used to uncover programming weaknesses, such as coding errors, undefined variables and potential security vulnerabilities, and save time in the review process.

The AES software is still covered by copyright, meaning the vendor retains ownership of the software and the Comelec was granted a license to use it. This is the basis for restrictions such as the provision of a read-only copy of the source code. When ownership of the software is finally transferred to the government through the Comelec, will the poll body open up the source code for review in a manner that will allow interested groups to freely review it? Unlikely perhaps, and not until there is a shift in the type of software licensing, from proprietary to open source. Software that is covered by an open source license is open for public review and is free to be copied, changed and redistributed.

The National Citizens' Movement for Free Elections has proposed a shift to open source licensing of the election software, a growing trend worldwide. Shifting to open source licensing will open up opportunities for other interested individuals and groups to participate in the review of the election software.