MANILA, Philippines – A ranking official of the Department of Information and Communications Technology (DICT) told lawmakers on Friday, January 28, that his cybercrime agency believes that the “system” of the Philippines’ election software provider Smartmatic has been “compromised.”
But DICT Undersecretary Cezar Mancao withheld proof he supposedly had when he attended the joint congressional hearing on the automated election system, which tackled a report of an alleged data breach of Comelec servers in early January.
“There was no hacking in the Comelec servers, because they are offline,” Cybercrime Investigation and Coordination Center (CICC) chief Mancao said, echoing preliminary findings of DICT and the Comelec. “[But] on the contractor of the Comelec, Smartmatic, we believe their system is compromised.”
“We have identified the group that claimed, and we have sufficient artifacts this time that we can reveal in discretion, in an executive session,” he added.
However, Comelec Commissioner Marlon Casquejo, who was in the same hearing, insisted that even if Smartmatic’s system was compromised, the Comelec would have been unaffected, because the data allegedly stolen was not yet available online.
“The participation of the provider is providing the software itself. We do not give them sensitive information,” Casquejo said. “In the event there are hacking incidents in our provider, we are pretty much sure that the election is still intact.”
Senator Francis Tolentino also warned that the preemptive release of serious claims without substantial proof may just cause more harm than good.
“We refrain from issuing statements that would be speculative, probably would just fan the fire of some individuals that may affect the preparations for the 2022 elections,” Tolentino said.
Rappler sought the side of Dr. William Yu, chief technology officer of poll watchdog Parish Pastoral Council for Responsible Voting, for another perspective on CICC’s new claim. Yu said that the course of investigation that the CICC followed was a “reasonable path” to take.
“It seems some information was allegedly leaked and the CICC is exploring all angles. So they are not just looking at Comelec personnel and systems but also its supplier ecosystem,” Yu wrote in an email to Rappler.
“On our end, it is comforting to get confirmation that the data presented does not involve the current election system and that the current memory room was assessed by the NBI,” he added.
On January 27, the National Privacy Commission (NPC) said it was summoning “a third-party provider of the Comelec possibly involved in the issue to appear in a hearing,” although the NPC refused to disclose which company it was.
Smartmatic has bagged the most Comelec contracts since the Philippines shifted to automated elections in 2010. The firm claims it is 100% privately-owned and has no ties to political groups.
While allegations of election irregularities through the years damaged the credibility of Smartmatic, random manual audits of the 2016 and 2019 elections – where independent auditors manually tallied votes and compared the results with machine tallies – yielded an accuracy rate of over 99%.
For the 2022 polls, Smartmatic has secured deals worth P3.1 billion, including the contract to provide the Comelec with the automated election software.
What was the hearing about?
The congressional hearing followed a January 10 Manila Bulletin report of an alleged hacking into the Comelec’s servers, with hackers supposedly stealing 60 gigabytes’ worth of sensitive election-related data.
Manila Bulletin tech editor Art Samaniego has stood by his team’s story, claiming it was based on screenshots and a 44-page PDF file, among other things. But the Bulletin’s methodology in verifying the screenshots remained unclear.
The poll body has since pointed out loopholes in the report, including the claim that the PINs and passwords of vote-counting machines were stolen by hackers.
The Comelec’s and the Bulletin’s recollections of events were reiterated by their representatives during Friday’s congressional hearing.
“We will not give any information from the outsider, that’s what our practice is. It is offline, and it is located in a very secure memory configuration room,” Casquejo told lawmakers on Friday.
“The only way you can hack it is not through cyber attack, but you have to enter that room, and then input the two passwords by our supervisors, and you have to pass all those securities before you can enter that room,” he added.
The National Bureau of Investigation already inspected the Comelec warehouse in Laguna on Saturday, January 15, and said it was “convinced” no data breach of the Comelec servers happened.
The Comelec, DICT, CICC, and watchdogs also attended a January 18 meeting, in which all parties were in consensus that no hacking of the Comelec servers took place.
In 2016, the poll body grappled with a major hacking incident two months before the polls, with hackers leaking a voter records database online.
The scandal, now known as “Comeleak,” is considered the biggest leak of personal data in Philippine history, and among the biggest breaches of a government-held database in the world. – Rappler.com