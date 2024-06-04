The failures in the State Elections Commission (SEC) web page could have been avoided with a simple system of system protection, which allegedly was not installed the night of the New Progressive Party (PNP) and Popular Democratic Party (PPD) primaries.

Antonio Ramos Guardiola, chief executive of the Puerto Rico Innovation and Technology Service (PRITS) confirmed to El Nuevo Día that the SEC manages its own computer system, as established by law. However, due to the collapse of the electoral results page, they asked PRITS for advice. The official reiterated that the agency he directs could only give advice to the SEC, and not intervene with the system.

“There are different types of prevention mechanisms, such as the virtual firewall that is placed between the client and the server where the results would be. There are other types of tools that help prevent this. Which one is used or which one would be used is a discretion of the SEC. We are here to provide support,” he said, adding that the SEC does have these protection systems.

When they were ask why the failure occurred, if the SEC has the protection programs, he answered that “what happens is that it is one thing to have the tool available and another thing to use it. In this case, the application was not implemented and that is what caused this to happen”.

On Sunday night, when the country was waiting for the results of the primaries, the SEC web page stopped working. According to what was reported by this media, throughout the afternoon and night of the primaries, the disclosure of the vote count was interrupted by the intermittency of the official page.

SEC Alternate President, Jessika Padilla Rivera said early Monday in a press conference that the SEC’s external page continued to receive what she described as cyber attacks. According to what she said, at 11:30 p.m. on Sunday she was confirmed that these attacks were continuing.

“What we decided was to keep the page on the intranet so that the press can have the official result,” she said, indicating that this situation did not affect other systems of the commission. “Not that we were told yesterday (Sunday) afternoon. Tomorrow (Tuesday) we will resume work with the different components of the investigation to provide an official result of what happened”.

Meanwhile, Ramos Guardiola reiterated that the only thing that was affected was the part of reporting the numbers to the citizens, but that this did not affect the counting of votes.

He mentioned that the only part affected was “the system to publish the results to the citizens. That is why the SEC continued transmitting the results live”.

Autonomy of the CEE systems is questioned

These missteps should not be considered as a “normal” part of the process, especially when there are alternatives to avoid these gaps in reporting electoral results to the country.

Giancarlo González Ascar, former government IT director, stated that these cracks are not normal.

“No. It is an embarrassment. One must be prepared for everything. For me it is an embarrassment and a clear example of how a robust and well-coordinated digital structure can have serious consequences. The commission must have a solid scaffolding, with a defined organized structure and coordination with PRITS,” he said.

González Ascar compared these systems to the chain of events that keep other elements of a country operating, such as roads or bridges.

“This is the equivalent of the De Diego Expressway falling down, no one can get there and there is no working traffic light. Who is responsible? It’s not just the engineer who designed the road or the bridge,” he said. “There has to be a scaffolding capable of responding and that’s the structure I don’t see in the SEC.”

González Ascar, creator of the Urbital mobile application, recalled that the SEC should have a redundancy system, or an alternative to offer the voting information.

“They have said that the page received 8 million information requests per second. That means it is a ‘denial of service attack’. They claim it was malicious because it contrasts with the usual traffic, which they say is 7,000 requests per second,” he said. “What I would question is why they didn’t anticipate those peaks during the primaries. You have to wonder what went wrong. These systems are supposed to have automatic scalability so that when they increase the peaks, they increase the capacity to scale and handle that load. There are essential mechanisms to guarantee this and it seems to me that they did not have those controls well implemented.”

According to the technology expert, the SEC should integrate with government systems through PRITS to improve its response during the general elections next November.

“The SEC has always operated as a separate entity because it is not part of the central government and I understand that. But, in my three years as chief information technology officer (CIO), I never interacted with the SEC, never met with the chief technology officer or the director to talk about systems,” he said. “I have never seen collaboration between staff at the SEC and other internal agencies in the government that could help improve data management and system capability. It operates well in isolation and to me it’s an enigma.”

Avoiding similar incidents in the general election, he opined, is going to require upgrading the SEC’s infrastructure.

“I don’t know if they’re going to change vendors or implement new policies. Those things may take time. But it’s important to see how they responded to the ‘hack,’ what the response time was. I would like to see specific details of the response,” he asserted. “I’d like to see what actions they took after they detected it or how they communicated it. From there you can bring in recommendations from other experts who can tell you where the error was and you can prepare better.”

